
Malware from CNET, how is this possible?


3 replies to this topic

#1 m3equals333 (Member, Helper Trainee, 76 posts)

Posted 20 November 2011 - 12:14 AM

I ran ESET online scanner the other day and it also found about 4 or 5 instances of A VARIANT OF WIN32/INSTALLCORE.D APPLICATION, most (if not all) of them related to downloaded installation files from download.cnet.com (ESET Online Scanner log in my 2nd post)

cnm - how is this possible from a trusted site like CNET (unless the trojan specifically masks itself to look like it is originating from CNET downloads)?

EDIT: Also important to add, none of my other anti-virus programs found this malware, including Malwarebytes and Microsoft Security Essentials. I don't even think ComboFix found it, as I ran ComboFix right before I ran the ESET online scanner.

The first instance of malware that triggered me to run all these scans was Malwarebytes, which found the below, although I don't think it is related to the Win32/InstallCore.D application trojan.

Files Infected:
c:\Windows.old\Derek\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\XR1AX8G6\oi_limewirewin.exe (Adware.OpenInstall) -> Quarantined and deleted successfully.

Edited by m3equals333, 20 November 2011 - 01:28 AM.


#2 m3equals333 (Member, Helper Trainee, 76 posts)

Posted 20 November 2011 - 01:19 AM

C:\Users\D\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\111107214245323.rsc a variant of Win32/InstallCore.D application deleted - quarantined
C:\Users\D\Downloads\cnet2_Nero_BurnLite-10_0_10500_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\D\Downloads\cnet_MemTest_zip.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Windows.old\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5UJUQG1S\cnet_PowerISO48_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Windows.old\Derek\AppData\Local\Temp\ICReinstall\cnet_PowerISO48_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Windows.old\Derek\AppData\Local\Temp\is271270771\WhiteSmokeTrial.exe multiple threats deleted - quarantined
C:\Windows.old\Derek\AppData\Local\Temp\is271270771\WSZugo.exe Win32/Toolbar.Zugo application deleted - quarantined

#3 cnm (Mother Lion of SWI, Administrators, 25,260 posts)

Posted 20 November 2011 - 10:45 AM

Well, first of all, these could be false positives. Go to http://www.virustotal.com and submit the files one at a time.

Secondly, just because CNET offers software doesn't mean it is guaranteed safe or desirable. It is always best to download from the developer's site if there is one. Why get Nero from CNET when you can get it from the Nero site? http://www.nero.com/...ds-nbl-free.php

And third, if you believe your PC is infected then you should post in your own thread. Never post in the thread of another member. Only trained helpers are allowed to do that.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#4 cnm (Mother Lion of SWI, Administrators, 25,260 posts)

Posted 20 November 2011 - 04:17 PM

See CNET TechTracker forum: Win32/InstallCore.D + Win32/OpenCandy. That user is perhaps overexcited. But again, it is always best to install programs from the developer's site and not from CNET. If you do have to install from CNET, scan your download before running it.

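The advice in posts #3 and #4 comes down to two checks a user can make before running anything fetched through a download site: sort out which quarantined files were the download-site wrapper installers rather than the programs themselves, and hash the download so it can be looked up on VirusTotal (a hash lookup is the cheap first step before uploading the file). The script below is an added example and is not code from this thread or from ESET, CNET or VirusTotal. It parses the seven ESET log lines quoted in post #2 (embedded as a constructed sample), groups them by detection name, flags files by the "cnet_" / "cnet2_" file-name prefix seen in that log (an assumption about naming, nothing more), and computes the SHA-256 of a file for a VirusTotal lookup. The lookup URL format is assumed from VirusTotal's current web interface; pasting the hash into the site's search box does the same thing.

```python
"""Triage an ESET Online Scanner log excerpt and hash a download for a
VirusTotal lookup.  Added example, not the forum's or any vendor's code.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the seven ESET log lines quoted in post #2.
ESET_LOG = r"""
C:\Users\D\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\111107214245323.rsc a variant of Win32/InstallCore.D application deleted - quarantined
C:\Users\D\Downloads\cnet2_Nero_BurnLite-10_0_10500_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\D\Downloads\cnet_MemTest_zip.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Windows.old\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5UJUQG1S\cnet_PowerISO48_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Windows.old\Derek\AppData\Local\Temp\ICReinstall\cnet_PowerISO48_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Windows.old\Derek\AppData\Local\Temp\is271270771\WhiteSmokeTrial.exe multiple threats deleted - quarantined
C:\Windows.old\Derek\AppData\Local\Temp\is271270771\WSZugo.exe Win32/Toolbar.Zugo application deleted - quarantined
"""

# One log line is "<path> <detection> <action> - quarantined".  The path
# is matched non-greedily up to the first "<dot><ext><space>", so paths
# that contain spaces ("PC Tuneup 2011") still parse correctly.
LINE_RE = re.compile(
    r"^(?P<path>.+?\.\w+) (?P<detection>.+?) "
    r"(?P<action>cleaned by deleting|deleted) - quarantined$"
)

# Assumption: in this log the download-site wrapper installers are
# recognisable only by their file-name prefix.
WRAPPER_PREFIXES = ("cnet_", "cnet2_")


def parse_eset_log(text):
    """Return one dict per parseable log line."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines in another format
        path = PureWindowsPath(m["path"])
        records.append({
            "path": str(path),
            "name": path.name,
            "detection": m["detection"],
            "action": m["action"],
            "wrapper": path.name.lower().startswith(WRAPPER_PREFIXES),
        })
    return records


def group_by_detection(records):
    """Map each detection name to the list of paths it was raised on."""
    groups = defaultdict(list)
    for r in records:
        groups[r["detection"]].append(r["path"])
    return dict(groups)


def wrapper_installers(records):
    """Paths whose file name carries a download-site wrapper prefix."""
    return [r["path"] for r in records if r["wrapper"]]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def virustotal_lookup_url(sha256_hex):
    # Assumption: VirusTotal's hash-lookup URL scheme.
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


# Constructed stand-in for a downloaded installer; not a real binary.
SAMPLE_DOWNLOAD = b"MZ constructed sample installer, not real code\n"


def demo_hash():
    """Write the constructed sample to a temp file and return its SHA-256."""
    fd, tmp = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_DOWNLOAD)
        return sha256_file(tmp)
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    recs = parse_eset_log(ESET_LOG)
    for det, paths in group_by_detection(recs).items():
        print(f"{det}: {len(paths)} file(s)")
    print("wrapper installers:", *wrapper_installers(recs), sep="\n  ")
    digest = demo_hash()
    print("look up before running:", virustotal_lookup_url(digest))
```

Run against the real log, the grouping shows at a glance that most of the InstallCore hits sit on wrapper executables rather than on the programs they were supposed to deliver, which is the distinction cnm draws between "CNET offers it" and "it is safe". Hash the file you actually downloaded, not the one the wrapper later drops, and look the hash up before double-clicking.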

