Good find: http://zulu.zscaler.com/submission/show/ed28a884091e409b89d9a7d425e8303e-1333196327
Hope that Pondus has sent it to virus at avast dot com, else it seems no longer redirecting…
The redirect to fake av seems not only closed, but dead since 2012-03-12 19:05:34
That is how short-lived these threats may be found to exist, as from 2012-03-12 17:30:0 to 2012-03-12 19:05:34. That's just over 1 1/2 hours.
This one has been closed also: htxp://illoha.jino.ru/index.php
So watch out for domains on that IP, 81.177.140.92, and that autonomous system:
Sitevet info:
AS Name: RTCOMM-AS OJSC RTComm.RU
IPs allocated: 463616
Blacklisted URLs: 888
Why does it create new registry keys that hold the names of many antivirus processes, such as ashQuick? Does rewriting them erase the value, thus causing problems?