Maybe a false positive from Avast!

When I opened Microsoft Word the first time, Avast blocked an item:

hxxp://113.171.224.166/videoplayer/MuCatalogWebControl.cab?ich_u_r_i=142a3e282dbcaff8fd10a3828395ae3c&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1645058930750863212401&ich_t_y_p_e=7786&ich_d_i_s_k_i_d=1&ich_u_n_i_t=1

I ran the Farbar scan tool and I found it in:

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1376529215-2312862276-3070222701-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1376529215-2312862276-3070222701-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-05-30] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-05-30] (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
DPF: HKLM-x32 {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} hxxp://113.171.224.166/videoplayer/MuCatalogWebControl.cab?ich_u_r_i=142a3e282dbcaff8fd10a3828395ae3c&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1645058930750863212401&ich_t_y_p_e=7786&ich_d_i_s_k_i_d=1&ich_u_n_i_t=1
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)

I used a WHOIS tool and the IP is pretty legit. Also, googling returns that Mu Catalog Web Control is a normal thing.

Update: I downloaded Movie Maker from here: http://windows.microsoft.com/en-us/windows/movie-maker

The download tool could not download because Avast blocked this:

http://113.171.224.169/videoplayer/catalog-web.cab?ich_u_r_i=08b9c5cabe85f342337fe93ef0909621&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1645058931750063032400&ich_t_y_p_e=7785&ich_d_i_s_k_i_d=7&ich_u_n_i_t=1

so I’m pretty sure this is a false detection.
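A defender-side check, added here as an example and not part of the thread: the FRST "DPF:" line above comes from the Downloaded Program Files registry entries, and this script lists them and flags download URLs that use plain http or a raw IP host, as the .cab URL in this thread does. It assumes the entries live under Code Store Database\Distribution Units with the URL in the DownloadInformation subkey's CODEBASE value.

```powershell
# Added example (not from the thread): enumerate Downloaded Program Files (DPF)
# entries, the source of FRST's "DPF:" lines, and flag suspicious CODEBASE URLs.
# Assumption: each entry is Code Store Database\Distribution Units\{CLSID}, and the
# download URL is the CODEBASE value of its DownloadInformation subkey.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units'
)

function Test-SuspiciousCodebase {
    param([string]$Url)
    $reasons = @()
    # Unencrypted download: the control could be swapped in transit.
    if ($Url -match '^http://') { $reasons += 'plain http' }
    # Hostname is a bare IPv4 address rather than a vendor domain
    # (like 113.171.224.166 in this thread).
    if ($Url -match '^https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/') { $reasons += 'raw IP host' }
    return $reasons
}

foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($unit in Get-ChildItem -Path $root) {
        $dl = "$root\$($unit.PSChildName)\DownloadInformation"
        if (-not (Test-Path -Path $dl)) { continue }
        $codebase = (Get-ItemProperty -Path $dl -ErrorAction SilentlyContinue).CODEBASE
        if (-not $codebase) { continue }
        $flags = Test-SuspiciousCodebase -Url $codebase
        [pscustomobject]@{
            Hive       = if ($root -like '*Wow6432Node*') { 'HKLM-x32' } else { 'HKLM' }
            CLSID      = $unit.PSChildName
            Codebase   = $codebase
            Suspicious = ($flags -join ', ')
        }
    }
}
```

Entries whose Suspicious column is non-empty are the ones worth submitting to VirusTotal or checking against the vendor's signer, as the later posts in this thread do.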

The link's IP seems to be from “VietNam Post and Telecom Corporation” and I don't know what that company would have to do with Microsoft Movie Maker, as that download would come from a Microsoft-owned IP.

It would be a good idea to post the full log files: https://forum.avast.com/index.php?topic=53253.0

VNPT is the biggest telecom corporation in my country. It can be that MS uses one of VNPT’s servers for local requests. And someone who can analyze the file should do so, just to be sure.

Ehh, I know nothing about reverse engineering DLL files, so I just uploaded the content of the cab file to VirusTotal instead. The result is good.

http://i.imgur.com/g1nuU41.jpg

Blacklisted by Sophos
https://virustotal.com/en/url/1e5649e7b7cbd4224d16f47d6c51e60cdc56dcdf98d751750d00b26cb8f9d11d/analysis/1464672874/

No listing on second link
https://virustotal.com/en/url/b4ee5569ed7adb29d3957f20aab94f0018c67cf636c68f87d7d23378e29e5aa7/analysis/1464673030/

This is a component of an unwanted program (adware) from Thinknice that may hinder the performance, security and privacy of you or your computer.
So it is PUP adware; PUP is a potentially unwanted program. See: -http://54.209.243.235/software-removal-tool.exe-c4e1887c4ae7a8bc46ceee758417f118b67df09a.aspx
This has the same IP origin: -http://113.171.224.166/videoplayer/MuCatalogWebControl.cab?ich_u_r_i=142a3e282dbcaff8fd10a3828395ae3c&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1645058930750863212401&ich_t_y_p_e=7786&ich_d_i_s_k_i_d=1&ich_u_n_i_t=1
The component is added by CN=Thinknice Co. Limited, O=Thinknice Co. Limited, L=香港, S=香港, C=HK

polonus

Hello, sorry, I was really busy. There was actually malware. It’s PUP.OpenCandy. Avast couldn’t detect and remove it. I had to use Avira to scan and remove it. Although it’s a PUP, I think this one is really infamous, so Avast should have at least detected it.

Do you have PUP detection enabled in Avast?

Just checked. Nope. :-\

I just didn’t know that option exists and that I have to turn it on.

When you install software it is always a good practice to at least look at the settings/options and see what they are for/do. :wink: