grab urls

[Deozaan]

Now I'm going to guess that Deozaan uses Chrome?

-4wd (April 24, 2018, 03:38 PM)

Yep. I'm using Vivaldi, which is Chrome-based.

But note that it wasn't Chrome/Vivaldi that flagged it for me. It was Windows Defender's real-time protection.

[4wd]

Now I'm going to guess that Deozaan uses Chrome?

-4wd (April 24, 2018, 03:38 PM)

Yep. I'm using Vivaldi, which is Chrome-based.

But note that it wasn't Chrome/Vivaldi that flagged it for me. It was Windows Defender's real-time protection.

-Deozaan (April 24, 2018, 04:43 PM)

There goes that idea, was hoping you'd say Chrome.

Now it's even stranger since we're both using Vivaldi and Defender on the same file and yet I don't get any hit from Defender, even when I scan it after download.

Makes absolutely no sense ...

[Deozaan]

Now it's even stranger since we're both using Vivaldi and Defender on the same file and yet I don't get any hit from Defender, even when I scan it after download.

-4wd (April 24, 2018, 06:50 PM)

Are you using Windows 10? Maybe we're running different OSes or different versions of Defender/definitions. I'm on Windows 10 Version 1709 (OS Build 16299.402). My Windows Defender threat definitions are on 1.267.306.0.

[wraith808]

Now I'm going to guess that Deozaan uses Chrome?

-4wd (April 24, 2018, 03:38 PM)

Yep. I'm using Vivaldi, which is Chrome-based.

But note that it wasn't Chrome/Vivaldi that flagged it for me. It was Windows Defender's real-time protection.

-Deozaan (April 24, 2018, 04:43 PM)

There goes that idea, was hoping you'd say Chrome.

Now it's even stranger since we're both using Vivaldi and Defender on the same file and yet I don't get any hit from Defender, even when I scan it after download.

Makes absolutely no sense ...

-4wd (April 24, 2018, 06:50 PM)

If it makes you feel better, I'm using Chrome, Windows Defender, and Malwarebytes, and none of them gave any indication.

[KynloStephen66515]

I'm on Windows 10 version 1709 (Build: 16299.371) Defender Definitions v1.267.267.0 (so below Deo for both, but mines showing no updates available on either - I wonder if those are regional or something.).

Just redownloaded and Chrome (or Windows Defender...I don't actually know which is murdering it...I just know that Chrome says "Virus" but the more info button opens Defender...so....yeah) caught it again.

[skwire]

Are you guys all positive you're downloading the same file?  How about posting some checksums?

[4wd]

Are you guys all positive you're downloading the same file?  How about posting some checksums?

-skwire (April 24, 2018, 09:50 PM)

Using the link given in this post, (downloading the Windows installer but I have downloaded the Other Java installer and still nothing).



The .exe is also signed off with a Digital Certificate assigned to Appwork GmbH by Comodo.
sha256: 4c87501159a97e0fa43cf04a705381fc
Revocation Status : OK. Effective Date <‎2018 ‎April ‎24, ‎Tue 16:03:27> Next Update <‎2018 ‎May ‎01, ‎Tue 16:03:27>
Thumbprint: 5f884266c8541f4eff424e805176d6dca8ae048f

I've got six Windows 10 Pro systems here, (x86, x64, including a new install VM), not one of them has detected a problem with the .rar, .exe, or the extracted NSIS installer files.

Windows 10 Pro Build 16299.371 or Build 16299.309 all Defender definitions are 1.267.267.0, (apparently the latest defs available for me).

Two of the systems have MBAM Premium on them, (mine with v2, another with v3), not a peep from it either.

Defender on WHS2011 system also doesn't find a problem.

If it makes you feel better, I'm using Chrome, Windows Defender, and Malwarebytes, and none of them gave any indication.

-wraith808 (April 24, 2018, 07:36 PM)

Not really, was kind of hoping Chrome was doing something which caused a fingerprint match but there goes that idea.

[KynloStephen66515]

Are you guys all positive you're downloading the same file?  How about posting some checksums?

-skwire (April 24, 2018, 09:50 PM)

I'm not overly willing to allow the file to stay on my system (IE Force Chrome to allow it through even with the warnings).

However, I can run the route that I get the file from:

1. http://jdownloader.org/download/index
2. Click "Windows"
3. Get redirected around the internet for awhile:
   - http://jdownloader.org/dl?v=101
   - https://firsturl.de/02d38da?
   - https://mega.nz/#!DQUSDS4Q!3oCI6KwWTivL3PSTcTAv4YDQxKfkgxMEsehkdTLumP0
4. Prompted to download the file from Mega

Install JDownloader .rar
243 KB

I am then met with this:

[wraith808]

I only get the rar (never tried to extract it), but get the same results as 4wd.

[Deozaan]

Like Stephen, I can't post a checksum of a file that gets immediately removed by Defender.

Defender Definitions v1.267.267.0 (so below Deo for both, but mines showing no updates available on either - I wonder if those are regional or something.).

-Stephen66515 (April 24, 2018, 07:39 PM)

I was on that version of the definitions when I started making the post but decided to check for updates just in case a newer version would result in the file not being flagged. The file was still flagged on the newer version. So I put down the newer version as what I was currently running.

[KynloStephen66515]

Like Stephen, I can't post a checksum of a file that gets immediately removed by Defender.

Defender Definitions v1.267.267.0 (so below Deo for both, but mines showing no updates available on either - I wonder if those are regional or something.).

-Stephen66515 (April 24, 2018, 07:39 PM)

I was on that version of the definitions when I started making the post but decided to check for updates just in case a newer version would result in the file not being flagged. The file was still flagged on the newer version. So I put down the newer version as what I was currently running.

-Deozaan (April 25, 2018, 01:48 PM)

Yep, also just updated to the latest and it still flags.

[wraith808]

I'm on 1.267.306.0

[4wd]

Just updated:



Still no hit.

   - https://mega.nz/#!DQUSDS4Q!3oCI6KwWTivL3PSTcTAv4YDQxKfkgxMEsehkdTLumP0

-Stephen66515 (April 25, 2018, 10:16 AM)

Downloaded from that link, (in case there was some weird geo-specific packaging), exact binary equivalent as the one I have.

@Deo, @Stephen - you guys have weird systems 

Honestly, can't think of what else it can be unless something you guys are running is interacting with Defender.  I'm leaning towards you guys simply due to the numbers:

Wraith, Kalos don't indicate anything on their systems, I've got six systems (five Win10Pro + WHS2011) plus one completely brand new Win10Pro VM with no other programs and yet ... nothing ...

Not even MBAM mentions anything until I scan the files after installation, (I'm guessing it's because it didn't try to do anything bad, eg install PUP, even though it's set to treat it as malware).

And yet no one detects it as anything listed on VirusTotal ... so WTF?

VirusTotal
Jotti
VirSCAN

About the only thing I'm getting out of this is it's the AV that can't be trusted.

[wraith808]

Wraith, Kalos don't indicate anything on their systems, I've got six systems (five Win10Pro + WHS2011) plus one completely brand new Win10Pro VM with no other programs and yet ... nothing ...

-4wd (April 25, 2018, 08:33 PM)

Windows 10 on both, with MBAM/Defender running.

About the only thing I'm getting out of this is it's the AV that can't be trusted.

-4wd (April 25, 2018, 08:33 PM)

I thought we'd already established that 

[4wd]

About the only thing I'm getting out of this is it's the AV that can't be trusted.

-4wd (April 25, 2018, 08:33 PM)

I thought we'd already established that 

-wraith808 (April 25, 2018, 11:06 PM)

The technician in me wants to know

(Damn stupid inner voice)

[kalos]

I got told by these ridiculous people from JDownloader, that actually the adware downloaded is different for each user! Depending on its system, region, etc!

So has anyone figured out what the virus is and how to get rid of it?
It still messes up my Firefox Google results with fake results.

[wraith808]

Why don't you ask them if you're already in contact with them...?

[tomos]

I got told by these ridiculous people from JDownloader, that actually the adware downloaded is different for each user! Depending on its system, region, etc!

So has anyone figured out what the virus is and how to get rid of it?
It still messes up my Firefox Google results with fake results.

-kalos (April 28, 2018, 11:14 AM)

if you still have the original download, you could try resinstalling it, but this time look closely at whatever is ticked to install with it (and untick them and/or interrupt the install). I presume it's open candy, so everything should be visible. Or do what wraith says.

[kalos]

Why don't you ask them if you're already in contact with them...?

-wraith808 (April 28, 2018, 01:26 PM)

They said they don't know because another company bundles the adware and it's chosen depending on the user.

Has anyone figured out where the downloads of the JDownloader installer end up? Which folder? I may be lucky that they are still there.

[kalos]

I tried some more installations of this hideous JDownloader and some times it creates an entry in Add/Remove Programs called 'BingSearchby...' something.
Unfortunately I couldn't write down the exact name. I think that's the virus. The uniinstallation of it is completely silent and I believe it doesn't work well as it leaves your system infected.
The fake google results, all have BING as their referral.

It's such as shame that Microsoft approves this.

[tomos]

There are lots of forums to help you remove viruses / adware. I've used a couple over the years, probably mentioned them here somewhere.
Or try instructions as per multiple sites that tell you how to "remove BingSearchby". One I found was on malwaretips.com, appeared to give fairly sensible advice.

[wraith808]

There are lots of forums to help you remove viruses / adware. I've used a couple over the years, probably mentioned them here somewhere.
Or try instructions as per multiple sites that tell you how to "remove BingSearchby". One I found was on malwaretips.com, appeared to give fairly sensible advice.

-tomos (April 28, 2018, 03:56 PM)

 

[4wd]

They use the installCore^w installer.

The fake google results, all have BING as their referral.

-kalos (April 28, 2018, 03:44 PM)

grab urls

JDownloader2 Ad-ware Free Installers from here and here.

[kalos]

They use the installCore^w installer.

The fake google results, all have BING as their referral.

-kalos (April 28, 2018, 03:44 PM)

[ Invalid Attachment ]

JDownloader2 Ad-ware Free Installers from here and here.

-4wd (April 28, 2018, 11:15 PM)

Yeah, ofcourse I tried that with no luck.

[kalos]

It is strange that when I download JDownloader with IE or Chrome, Windows Defender intervenes and blocks the file.
When I download with Firefox, nothing happens!