Avast WEBforum

Other => Viruses and worms => Topic started by: erlend_sh on December 22, 2013, 03:12:07 PM

Title: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: erlend_sh on December 22, 2013, 03:12:07 PM
I had just reinstalled Windows 7 on my computer and immediately opened a browser to download the latest graphics drivers. official-drivers.com got me with a sponsored link using an ati.official-drivers.com sub-domain. I downloaded something called DriverTuner (drivertuner.com) by LionSea software, installed it, and immediately realized my mistake when I recognized the "we'll find drivers for you" type of software. I promptly uninstalled it and found the official driver.

So now I'm feeling paranoid, wondering if they managed to insert a virus somewhere before I'd installed Avast.

Are there any known culprits among the sites and software mentioned here?
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Pondus on December 22, 2013, 05:07:59 PM
URL reputation can be tested here: www.urlvoid.com / www.virustotal.com. Select URL scan just below the blue button.

Suspicious files can be tested here: www.virustotal.com / www.metascan-online.com / www.jotti.org


Quote
So now I'm feeling paranoid, wondering if they managed to insert a virus somewhere before I'd installed Avast.
If you want a check, follow the guide and attach logs.   http://forum.avast.com/index.php?topic=53253.0

And Merry Christmas and a happy New Year.    ;)
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Michael (alan1998) on December 22, 2013, 08:00:36 PM
Hi,

It doesn't appear malicious, however I am suspicious. You will always be better getting the drivers from the official homepage (Logitech, Dell etc). I'd never trust these sites. The file I tried in Comodo isn't working. Most likely due to it being corrupt.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Michael (alan1998) on December 22, 2013, 08:04:11 PM
Note: the file name should have something to the effect of "DriversForLogitech Headset XXXX" type thing, not setup.exe. I'll run these files inside my Virtual Machine and upload some results. However, don't download those files until deemed safe. (Which I doubt will happen)

Malwr Report: https://malwr.com/analysis/ZGM5YWU0NTI3NDcwNDk1OGJhNzQ1ZDhkY2YwYzcxMDc/#
VirusTotal: https://www.virustotal.com/en/file/4e09d9006a6b4d57933df47e3b586859b8b790e8cade3869e8ed1eee8ca40ce1/analysis/

(Signed by Norton/Symantec + VeriSign)

Looking into it further w/ my Virtual Machine.

Creates a .tmp (Temp) folder called setup.tmp (.tmp being the file extension for Temp). No notable Startup keys to indicate malware being present.

Possible Adware: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{520C1D80-935C-42B9-9340-E883849D804F}_is1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{520C1D80-935C-42B9-9340-E883849D804F}_is1

An Uninstall entry should not be present with drivers.

Recommended not to download these files further from that site.
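The triage Michael describes in this post, as an added PowerShell script that is not from the thread or from any product named in it: hash the downloaded installer so it can be looked up by hash (the SHA-256 used for comparison is the one quoted in the VirusTotal link above), read its Authenticode signature, list Uninstall entries whose key name carries the Inno Setup `_is1` suffix seen in the registry paths above, and dump the common Run keys. The installer path is an assumed placeholder, and the script assumes PowerShell 4 or later on the machine where the installer was run.

```powershell
# Added example, not from the thread: reproduce the post's triage steps as a script.
# Assumes PowerShell 4+ (Get-FileHash); run in an elevated session on a test machine or VM.
param(
    # Placeholder path to the downloaded installer; adjust to your download location
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\setup.exe",
    # Key-name suffix Inno Setup appends to its Uninstall entries (the "_is1" seen in the thread)
    [string]$UninstallSuffix = '_is1',
    # SHA-256 quoted in the thread's VirusTotal link, for comparison only
    [string]$KnownHash = '4e09d9006a6b4d57933df47e3b586859b8b790e8cade3869e8ed1eee8ca40ce1'
)

# 1. Hash the file so it can be looked up on VirusTotal without uploading it again
if (Test-Path $InstallerPath) {
    $hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash.ToLower()
    Write-Host "SHA-256: $hash"
    if ($hash -eq $KnownHash) { Write-Host "Matches the sample analysed in the thread." }

    # 2. Read the Authenticode signature; a valid signature names the signer, it does not rate the file
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    Write-Host ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
} else {
    Write-Host "Installer not found at $InstallerPath; skipping file checks."
}

# 3. Enumerate Uninstall entries in both hives, including the 32-bit view on 64-bit Windows
$uninstallRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$entries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root |
        Where-Object { $_.PSChildName -like "*$UninstallSuffix" } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Hive        = $root.Split(':')[0]
                Key         = $_.PSChildName
                DisplayName = $p.DisplayName
                Publisher   = $p.Publisher
                InstallDate = $p.InstallDate
                Uninstall   = $p.UninstallString
            }
        }
}
Write-Host "Uninstall entries matching '*$UninstallSuffix':"
$entries | Format-Table -AutoSize

# 4. Common autostart locations; the post reports nothing here, which is worth confirming yourself
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "Autostart values under $key"
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}
```

The Uninstall listing is the check the post is making: it shows which installers registered themselves under `_is1` keys, with their publisher and uninstall command, so an entry left behind by a download that was supposed to be a plain driver package stands out. The hash is what to paste into VirusTotal's search rather than re-uploading the file.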
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Secondmineboy on December 22, 2013, 08:18:54 PM
Emsisoft is blocking the following link when I click on download: hxxp://www.official-drivers.com/setup.exe

Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Michael (alan1998) on December 22, 2013, 08:19:13 PM
Also,

In order to get drivers, you must register/pay at hxxp://xxx.drivertuner.com/register.php (Don't go there)

I'll ask Polonus to do some Site Scans for you...
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Michael (alan1998) on December 22, 2013, 08:19:47 PM
Quote
Emsisoft is blocking the following link when I click on download: hxxp://www.official-drivers.com/setup.exe

Avast! does not block it. I'm going to fetch Polonus to do the Site scanning.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Secondmineboy on December 22, 2013, 08:28:42 PM
Setup.exe and Driver Tuner.exe are trusted by Kaspersky IS 2014
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: polonus on December 22, 2013, 11:12:47 PM
Ad-driven site with malware according to Quttera scan and various instances of remote file inclusion shell malware now being closed:
http://support.clean-mx.de/clean-mx/viruses.php?ip=173.192.57.82&sort=firstseen%20desc
http://jsunpack.jeek.org/?report=9dc90b473abdc764cdb4ccc69dabae9653d0fc91
http://www.quttera.com/detailed_report/www.drivertuner.com
Site is not the "real McCoy" you searched for, look for better trustworthy alternatives.
IDS for: "ET RBN Known Russian Business Network IP group 27".
See: https://www.mywot.com/en/scorecard/official-drivers.com?utm_source=addon&utm_content=popup-donuts

polonus
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Michael (alan1998) on December 22, 2013, 11:29:49 PM
Quote
IDS for: "ET RBN Known Russian Business Network IP group 27".

polonus

=Bad News Bear!

http://en.wikipedia.org/wiki/Russian_Business_Network
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: polonus on December 22, 2013, 11:38:29 PM
Hi alan1998,

Right you are. Well, this RBN group is mainly into SEO spam, clickfraud-driven code and other cyber-brigand activities.
An IDS alert like this one via an urlquery dot net scan could therefore be translated as "better stay away"....

polonus
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: erlend_sh on December 23, 2013, 12:25:51 AM
Wow, thanks a bunch for all the informative answers!
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: It is all BS on April 27, 2014, 11:43:16 PM
F.Y.I. Asus requires you to download and use that software to get updates.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Michael (alan1998) on April 27, 2014, 11:46:57 PM
It is All BS, you just answered a thread that is nearly 4 months old.... The issue has been resolved.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: Michigan guy on May 16, 2014, 03:24:39 AM
 :-[ :-[ :-[ :-[
Worst product I've ever wasted my money on!
Downloaded, installed and "fix drivers" CRASHED MY COMPUTER.... caused it to go to Partition reboot and wiped my drive losing EVERYTHING.
Now... I'm not a super tech, but I do consider myself knowledgeable, at least for a user.
The software was recommended by ASUS (I have a G75).
Needless to say, I AM pissed!
They keep asking me to "give them another try".. REALLY???!?!?
They can kiss my @$$

Good luck to you if you use this software.. don't say you weren't warned.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: polonus on May 16, 2014, 01:08:19 PM
Hi Michigan guy,

You were a victim of an OutBrowse monetizer bundling product with a very poor reputation: https://www.mywot.com/en/scorecard/outbrowse.com?utm_source=addon&utm_content=popup
Read about your OutBrowse bundled adware variant: http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx

Thanks for sharing your experiences.
As a general warning to those that consider downloading,
see: http://www.herdprotect.com/setup.exe-3851fc1b1715a7052587bd430aa18b9aadad4b1b.aspx
Software comes bundled with PUP: PUP.Optional.Installer.LionSeaSoftwarecoltd.F -> http://www.herdprotect.com/ip-address-72.247.10.24.aspx
See: http://www.herdprotect.com/ip-address-54.235.251.129.aspx and  http://www.herdprotect.com/ip-address-23.21.98.30.aspx
Free software today comes bundled "at a crap bundled adware price", see: http://www.herdprotect.com/domain-install.optimum-installer.com.aspx

Always look to download a custom software install from the few remaining upfront downloading sites.
But today one often finds oneself between a rock and a hard stone.

polonus
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: euthenia on May 18, 2014, 02:18:10 PM
Any chance Slim Drivers, by SlimWare, could also be a suspect product? After downloading and running once, my Windows Update and Windows Online Help features were disabled. So, not only was I not able to download important updates, but I was prevented from effectively troubleshooting the problem.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: polonus on May 18, 2014, 07:01:14 PM
You may be right, look here at what comes bundled: http://www.herdprotect.com/signer-slimware-utilities-inc-396592a759309a28f5d983a5a376da47.aspx
A Sality variant, which you certainly do not want on your comp or peripherals.

polonus
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: euthenia on May 18, 2014, 07:39:08 PM
Ugh. Then maybe it is the cause of my problems.

http://forum.avast.com/index.php?topic=150374.0

I got it from Download.com (Cnet) so assumed it would be safe...
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: REDACTED on September 25, 2014, 10:12:21 AM
I downloaded a Canon_PIXMA_MX348_XPS_536 driver from www.official-drivers.com successfully.
Although it was a little complicated for me to find the wrong place to download.
I know this website also sells a driver update tool. It's much more convenient.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: polonus on September 25, 2014, 01:03:14 PM
DrWeb has it listed: htxp://www.official-drivers.com/setup.exe contains potentially dangerous software, Program.Unwanted.79
htxp://www.official-drivers.com/setup.exe is present in the Dr.Web database of unwanted sites!
Verdict: htxp://www.official-drivers.com/setup.exe is present in the Dr.Web database of unwanted sites!
Outdated Web Server Apache Found - Vulnerabilities on Apache 2.2 - Apache/2.2.15
Others give it as potentially harmless, but I would not trust it, as DrWeb sticks with Program.Unwanted.79.
Reason: Heuristics PUP.Optional.Installer.F, PUP.Optional.Installer.g, PUP.Optional.Installer.k, PUP.Opt etc.
Trojan/Win32.TSGeneric or PE:Trojan.BHO!1.66E4

polonus
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: REDACTED on September 28, 2014, 03:35:29 AM
Honestly, I think this website is really good! It contains huge driver exe files and zip file to download.
Title: Re: Does www.official-drivers.com and DriverTuner serve malicious software?
Post by: polonus on September 28, 2014, 12:39:00 PM
There are enough users to doubt that site's web rep: https://www.mywot.com/en/scorecard/www.official-drivers.com?utm_source=addon&utm_content=contextmenu
The WOT reputation status is even officially being supported by a third party listing: http://hosts-file.net/?s=official-drivers.com
IP badness history given here: https://www.virustotal.com/nl/ip-address/173.192.57.82/information/
and here: http://www.herdprotect.com/ip-address-173.192.57.82.aspx
Well, if you do not mind adware, and a lot of users do mind, you can go there.
In a strict sense there is no malicious software, but I would not run the risk of getting some hard to remove bundled goodies with my download and rather go to the official developer site.

As such, even the name of the official-drivers site is misleading.

See the recent report here for what content kicks up alerts: http://urlquery.net/report.php?id=1411900432032
PHISHING attempt performed connecting to 74.125.232.241 HTTP/1.0 302 Moved Temporarily
Bitdefender's TrafficLight gives the IP as part of a PHISHING attempt.

pol