Analysing Riskware I (Turbo Tool: RegCure Pro)
"It found 18906 problems which it fixed...."

Whenever, wherever you read in forums, blogs or communities about "Tuning Apps", "Boosting Tools" and several other definitions, there is seldom someone who does not mention:
"If you do not have the knowledge about that what you`re doing with that Tool, just leave it, because it is likely that you will damage your System." 
If you trust what those (mostly kind of rogue software, but of course not all) Programs you advise what belongs on your System and what not (especially as a newbie), its your own fault, when your PC gets sicker that promised CURE. I will start with this RegCure Pro(gram), as they claim themselves as a "Microsoft Partner".

Sounds & Looks like theyre old buddies, or kindergarden Pals.

Some Cute Links about its Reputation:

- MyWOT/regcure

- Is Reg Cure Pro a microsoft partner I should use and is it free ?

-  This one is the Best, it kept me ROFLing all Day Long: Disaster with RegCure registry cleaner: It found 18906 problems which it fixed....

I Bet after Fixing almost 19.000 "Problems", that guy in 2007 had to buy a new processor !

However, as i always tend to say: "As long as youre not knowing what the Tool will "do", you should not consider to do it "too" (in acknowledging it).

Sounds like Nike.


Part I: Just One good reason, why fixing (deleting) those Sys32 Keys...?


RegCure Pro







  • OptPCEE3Prop.DLL
  • MD588BB9530ECF82B6901C163696956A839
  • Publisher: Dolby Laboratories, Inc.
  • Product: Dolby PCEE3 Property Page (32 bit)
  • File Location: C:\Windows\System32
  • No Certificate




Story will continue...

#5: Part II


Popular Leicester pub 'The Globe' forced to close after false
anti-military Facebook rumours: Man arrested !

...nothing more important to investigate ( f.ex.: The 3 Slaved Women who have been rescued ) , you have to question this all alone by yourself.

Detectives investigating an offence of malicious communication have arrested a man in connection with the incident. 
The 20-year-old man has been arrested on suspicion of malicious communications against the Globe Public House in Leicester
He has since been released on police bail pending further enquiries. 
In August 2013 police began an investigation after threats were received towards the management at the Globe in Silver Street, Leicester following social media posts claiming the establishment was not allowing military personnel to enter the premises as it was upsetting their customers.
Now this i read a couple of hours ago, and asked myself here, what its all about.

What to the Core is: offence of malicious communication
And what does on suspicion of malicious communications mean

I found out afterwards what its all about:

A popular pub in Leicester was forced to close (in August 2013) amid fears of violent reprisals after its Facebook page was hacked and a message was posted claiming it had banned military personnel.

The false posting, which claimed the pub had enforced the new scheme for fear of upsetting ‘local non British citizens’, was picked up by a nationalist blog and led to the pub being flooded with a storm of allegedly abusive phone calls from people who believed the claim.

The owners of The Globe on Silver Street was forced to shut their doors down on August 17th while security staff were brought in. Leicestershire Police were starting Investigation to an offence of malicious communication.

Everards managing director, Stephen Gould, told the BBC:
"We were placed in a position that throughout the day our staff had to respond to very aggressive people obviously believing that the policy was true.""Ourselves and the manager will have to monitor that very, very carefully over the coming days."
Gould added:
"We have no idea why The Globe was targeted but we will be working with police to find out why this happened."
The pub stated on its Twitter feed:
"The globe has been the victim of a malicious and false news story which states we are no longer servin military personnel. This is false. This pub never has and never will adopt a policy towards the service of either current or ex-military personnel. We understand the delicate nature of this situation and we would sincerely ask for people to stop making threats towards the pub or its staff."
Now, after they arrested a person of interest, i would like to know as well, WHY he did this !

But after the year 2013 will close with all those Leaks, Espionage etc. i guess this could get classified as "TOP SECRET", especially because this Incident was ment against Military Personnel. Lets hope the story continues.


Something for the funny ones.

Some Like it, most don`t. Nutmeg ! The german term is Muskatnuss, MUSKATNUSS ! And if you remember Louis de Funès, you`ll love this one. I Bet Herr Müller !!



(Mrs. Linda Adama from Burkina Faso)

Mrs. Linda Adama from Burkina Faso wrote:

"Dear Friend,
Greetings to you and your family; However, it's just my urgent need for foreign partner that made me to contact you for this transaction. I work in Bank of Africa foreign department. I want to place your name as the beneficiary to Ten Million Five Hundred Thousand United States Dollars (USD10.5M).
The said funds is right here in the bank, it's the balance deposited funds by one of our late customer from France Mr. Paul Louis Halley since then nobody has come up for the claim. Therefore, I solicit for your cooperation to collaboration with me to have this done; it will be transferred into an account you will provide any where of your choice.
If you are interested, please send me your full contact information as below and thereafter I will send to you text of application form to apply for the fund next of kin (Beneficiary). "
Expecting your urgent reply!
1. Full name:.........
2. Current Address:.........
3. Telephone N=B0:...........
4. Occupation:.............
5. Copy of your identity...
6. Age:............
7. Country:........
          Yours trulyMrs. 
          Linda Adama


Malicious IP:
Dictionary Attacker & More

Header Analysis Quick Report
Originating IP:
Originating ISP: Onatel/fasonet's
City: n/a
Country of Origin: Burkina Faso
* For a complete report on this email header goto ipTRACKERonline ! The Internet is Changing Forever...
Will Fraudsters profit from the upcoming revolutionary change ?

Over the next year, the Internet Corporation for Assigned Names and Numbers (ICANN) will introduce over 1000 new, industry-specific Top Level Domains (TLD) to the internet addressing system. The new top-level domain extensions will act as alternative options to .COM or .NET. New domain extensions will be created in many categories including .Brands (.google, .netflix, .gucci), .Cities (.NYC, .London, .Berlin), professions (.doctor, .law, .cpa), interests (.art, .fashion, .cars) and more.

The purpose of is to raise awareness and educate consumers about this revolutionary change to the internet addressing system. Goals are to minimize harm, maximize benefits and help create a smoother transition to a new dot-anything internet environment. The approach is to create an engaging and relatable message to enhance consumer knowledge in the short window of time before new .addresses emerge online.

About New Dot Media

New Dot Media is a Utah, USA company focused on ICANN New Top-Level Domains. New Dot Media principles are to raise awareness, facilitate understanding, minimize confusion, reduce harms, increase benefits, and accelerate adoption and use of New Top Level Domains.

A principle concern for introducing new top-level domains to the world wide web was the potential for consumer confusion and possible harm that may result out of it. Users will be unfamiliar and disorientated with the first new dot-addresses, and will have difficulty identifying and/or recognizing new web addresses as they appear online. There is also an anticipated increase in frequency and variety of methods used by fraudsters that consumers should be on the lookout for.

"The Dot Big Bang is a transformative event that will change how internet users navigate the web and interact with the world around them," states New Dot Media TLD-Vangelist-in Chief Tom 'Not-Com Tom' Gilles. "Our aim is to help make the transition a smooth one."

The approach uses terms and phrasing that most internet users and consumers can relate to and understand today, as opposed to introducing new vocabulary and new views. It is believed this path will assist in reaching the largest audience, and have the most effective bang on user understanding. contains detailed articles explaining aspects of the .address expansion in simple, understandable terms and easy interpretation.

There are also specific user guides tailored specifically for consumers, parents, website owners, small business, professionals and trademark owners. How do you see it.....????? This will make the all complex system of today, more complicated FOR the Future. Some may say later: "Back to the Future"...

Sexiest Man Alive 2013: Secure ? Adam Levine (MAROON 5)

Yes he is (and i am not gay !). Adam Levine (Maroon 5) catched me with his Voice from the very beginning with that first "Bestseller" First Love, recognizable in every aspect.

I`d prognose, that (MAYBE, keeping it left to the Wild) in a few years, Ryan Tedder, Leadsinger of One Republic will possibly end this way as well (as i said: in a few years, and MAYBE, no Very Possibly).

Their latest song (Something i need (Who does not need something) is a predictable forthcoming (just like the last couple of songs), always including Gospel Music alike...

OMG. I realize now, that the older you get, the faster time evades...Just like those old days Music Tapes. When the tape starts, you think "how slowly it (life) turns". The further you come to the end, the quicker it runs.

Sounds like me at l(e)ast. We will see...


Worm:Win32/Boinberg (CnC Botnet)

The IP Address (IP LOCATION: Luxemburg) is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy and/or some other form of botnet. It was last detected on 19th November 2013. It has been relisted following a previous removal on 12th November.

This IP address is infected with, and/or is NATting for a machine infected with the Worm.Boinberg. This Worm:Win32/Boinberg is part of the Malware-family of IRC-controlled worms that may be ordered to spread via Windows Live Messenger (ICQ, AOL Instant Messenger, Yahoo Pager, Skype, etc.) and/or USB drives. It may also spread through USB drives, RAR and ZIP files by adding a copy of itself into the target archive. Its first detection has been made in March 2011, and the threat level almost 4 years later is classified as severe. In order to spread, IM-Worms usually send a link (URL) to a list of message contacts. The link leads to a network resource where a file containing the body of the worm has been placed. This tactic is almost exactly the same as that used by Email-Worms.

This Worms Aliases by AVVendors:
  • Malware.Shadesrat (PCTools)
  • W32.Shadesrat (Symantec)
  • Backdoor.Win32.IRCBot.abgt (Kaspersky Lab)
  • W32/IRCbot.gen.a (McAfee)
  • Mal/VBCheMan-A (Sophos)
  • Worm:Win32/Boinberg (Microsoft)
  • Worm.Win32.Boinberg (Ikarus)
And not to forget that it is packed UPX (Ultimate Packer for eXecutables)

It`s Installation:

When executed, Worm:Win32/Boinberg copies itself with a variable file name to the %APPDATA% directory, then executes this dropped copy.

The malware creates the following registry entries to ensure that its copy executes each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random file name>.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random filename>.exe"

In the background, the worm injects itself into known Windows running processes, such as 'winlogon', 'svchost' and 'Explorer'.

The following mutex indicates the presence of the worm on the affected computer:

"<random string>"
"<empty / blank>"

Spreads via...

Instant messenger

The worm may send messages to the affected user's Windows Live Messenger contacts containing a URL pointing to the worm, or an attachment containing a copy of the worm.

Removable drives

Worm:Win32/Boinberg copies itself to the following locations on removable drives:

<targeted drive>:\<malware file>.exe
<targeted drive>:\autorun.ini - detected as Worm:Win32/Boinberg

It attempts to download an updated version from a remote server and spread this latest copy via removable drive.

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system (OS), so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

File infection 

It searches for RAR and ZIP files on the system and, if found, infects them by adding a copy of the worm into the target archive file. This may enable the worm to spread itself through file sharing or emailing.


...allows backdoor access and control

Worm:Win32/Boinberg attempts to connect to an IRC server and join a channel to receive commands.

The following is a list of servers and TCP ports that Worm:Win32/Boinberg has been observed to use in this manner:

For more details on this Worm, visit Microsoft here.
The CBL detection is being made using sinkholing techniques.

To find an infected computer on a NATted network you will have to search through your firewall logs for connections to port 4042 TCP. In additional, evidence can be found in DNS logs by searching for the domain name "", for example:

This was detected by a TCP/IP connection from on port 56501 going to IP address (the sinkhole) on port 4042.

The botnet command and control domain for this connection was "".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address or host name on any port with a network sniffer such as Wireshark.

Equivalently, you can examine your DNS server or proxy server logs to references to or See Advanced Techniques for more detail on how to use Wireshark & ignore the references to port 25/SMTP traffic, the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2013-11-19.

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer, so better stay Awake. ;-)

RELATED POST: Symantec: Blackshades Remote Access Tool still being bargained


Google & Microsoft announce to combat together against Online Child Porn

Google and Microsoft announced today (November 18th 2013) that they will introduce new software controls aimed at reducing the distribution of child pornography online. Eric Schmidt, Executive Chairman of Google, announced today that the Multi-Business-Concern Google in Cooperation with MS will roll out new Control(ed)-Software designed to curb child porn searches on the Google Searchengine(s).

In a joint announcement, both Companies have introduced on the British summit on Internet safety 2013, a software that makes it harder for Pedophiles, Sadists and wannabe`s to search for child abuse material online.

Writing ahead of that British summit on Internet safety, Google's executive chairman Eric Schmidt said his company has fine-tuned Google Search to clean up results for over 100.000 search terms in connection to child porn. When users (Pedophiles) type in queries that may be related to child sexual abuse, they will find no results that link to illegal content.

(My opinion: If this would be possible (and not only a trying promise), this would be one of the biggest breakthrough(s) in this disturbing and growing Internetcrime(s), that "kills" Children emotionally, for the rest of their lives, if they come away without killing after an sexual raping act).

Schmidt wrote in the Daily Mail newspaper: "We will soon roll out these changes in more than 150 languages, so the impact will be truly global". Globalization ?

The restrictions are being launched in the United Kingdom and other English-speaking countries first and similar changes are being brought out on Microsoft's Bing search engine (Where is YAHOO ?). The two companies are sharing picture detection technology to identify child abuse photographs whenever they appear on their systems, and Google is also testing technology to identify and remove illegal videos.

Other measures include warnings shown at the top of Google search for more than 13.000 queries to make it clear that child abuse is not only illegal but a crime indescribable. Schmidt acknowledged that no algorithm is perfect and Google cannot prevent pedophiles adding new images to the web. Maybe someday they will be able, on the long run. Campaigners welcomed the move but doubted how much impact the changes would bring. Pedophiles tend to share images away from the public search engines, they say...

Jim Gamble, the former chief of Britain's Child Exploitation and Online Protection Center said: "They don't go on to Google to search for images, they go on to the dark corners of the Internet on peer-to-peer websites."

Jim Gamble

According to a briefing issued by Mr. Cameron's office, changes to be introduced by the search engines include, but not limited :

- The introduction of new algorithms that will block child abuse images, videos and pathways that lead to illegal content, covering 100.000 unique searches on Google (Worldwide).

Stopping auto-complete features from offering people (...with Pedophilia disorder...), child abuse search terms.

- Google as well as Microsoft will now work with the National Crime Agency and the Internet Watch Foundation to bring forward a plan to tackle peer to peer networks featuring child abuse images.

Google will bring forward new technology that will put a unique identification mark on illegal child abuse videos, which will mean all copies are removed from the web once a single copy is identified or uploaded.



(Interception of a Rogue ad Campaign) with Thanks to Dancho Danchev

Another rogue ad campaign (Not to be confused with Advertising campaign) has been intercepted, attempting to trick users into installing the EzDownloaderpro PUA (Potentially Unwanted Application). Primarily relying on that catchy attitude “Play Instantly, Download Now” banners, the visual social engineering tactic of this campaign is similar to other PUA related campaigns that had previously profiled. Let’s take a look at this new rogue ad campaign, and provide relevant threat intelligence on the infrastructure behind it.

Domain  surveillance of some specific Redirects: 

Location Data: San Francisco
PUA: not-a-virus:Downloader.Win32.AdLoad.fwz
IPs: (Cloudflare)
  • (Cloudflare)

IPs: (Cloudflare)
  • (Cloudflare)



Other Domains connecting to the same IP :


Domains who responded to


Malicious Message Digest Algorithm 5s known to have been downloaded from

MD5: fd4195ef1af7fb49a673633ed57b87ab
MD5: c0d9713acfc46c2a466a9de77292636d
MD5: d3119ed48cb5896d41aeae4b51f2667a
MD5: c6799f5425fbe038778c4c4a22b35a41
MD5: 840fa1e6c0f81f6da1a347ecb3b2db2e
MD5: c27d4537d24aa55df9837479da2ae111
MD5: c77fc69c7b96c53ce762b87c98831327
MD5: dce1c89d7a267b2a4ae925b5a387e5cd
MD5: a868964e1fe66e4a7638f46ba7844b52
MD5: 2acc54f86694e8d7674e8e1afff86aa1
MD5: 5f078de83a9ce3ee2d9d2fe174cd234c
MD5: 0426e6c1fe2aa8681c683428bb3d2dd7
MD5: efcd92d3be23e624bca2db8515f0df20
MD5: 30ac6dd3290ab3c9281e81c2cba2097e
MD5: 9b35dcacd42e6ba1c596a8bc0425d646

Domains who responded to



The following File has been downloaded from :

REFERENCE & Regards to Dancho