It’s one of those days when you have a bit of nostalgia for the stuff you used to do. Back a year or so ago, I used to hunt down fake AV and the like. It involved fake YouTube sites, porn and more porn.
Out of curiosity, I started some searches, the same that I used to do to find the bad stuff.
Like I said, this is quite old (Feb 2011). I clearly remember redspacetube.com; it used to do redirections to various sites using Dynamic DNS.
Guess what? It’s still working!
seonetwizard.com/in.cgi?16&parameter=%3ftube-videos
seonetwizard.com/in.cgi?4
seonetwizard.com/in.cgi?14
directredirection.com/LI8wbTB8ycreCciKd26F8mpTD70hFJDu.php?sid=3
ygafigyuhigi.mrface.com/land/?n=loli&id=1
The DNS service is provided by changeIP.com.
This page is quite familiar but looks ancient by now…
The file takes forever and a day to download…:
ygafigyuhigi.mrface.com/land/maindirectory/adobeflashplayerv10.2.152.32.exe
The very low detection rate on VirusTotal makes me wonder whether this file is really old or just too new… (2/41).
Next, I checked whether the file was half broken… but clearly it was working just fine:
It installs a fake AV called “Windows Trouble Taker” (should have been called Trouble Maker IMHO).
A quick search confirms this is not an old rogue AV, but rather the new kid on the block:
This is one tenacious fake porn tube… Can someone unplug redspacetube.com for good?
Jerome Segura




