Maybe malware site

boombastik · September 9, 2011, 7:55am

I think that i found a malware site with froud downloads.
hxxp://www.uptodown.com/

and from there—> hxxp://avast-home.uptodown.com
Is this site legitame?

Pondus · September 9, 2011, 10:14am

URLVoid

Report 2011-09-07 21:27:58 (GMT 1)
Website uptodown.com
Domain Hash 76b59d0c53fb780e3984234bcf529194
IP Address 46.105.108.62 [SCAN]
IP Hostname ns222339.ovh.net
IP Country – (–)
AS Number 16276
AS Name OVH OVH Systems
Detections 2 / 23 (9 %)
Status SUSPICIOUS

Scanning site with: hpHosts DETECTED
Scanning site with: ParetoLogic URL Clearing House DETECTED

URLVoid

Report 2011-03-07 01:53:18 (GMT 1)
Website avast-home.uptodown.com
Domain Hash 0113e3996e92a1cb1c02eee4b9baa414
IP Address 81.19.96.183 [SCAN]
IP Hostname eva0600016-vip-media-ingea.eu.verio.net
IP Country ES (Spain)
AS Number 2914
AS Name NTT-COMMUNICATIONS-2914 - NTT America, Inc.
Detections 0 / 18 (0 %)
Status CLEAN

polonus · September 9, 2011, 2:29pm

Hi boombastik & Pondus

Well the average scanners do not flag anything but javascript irregularity is being flagged,
maybe that was the reason for the suspicious status, see description below…

So scans lLook fine here: http://urlquery.net/report.php?id=2721
also here: http://siteinspector.comodo.com/public/reports/323138

But a specific JS unpacker scanner flags “maxruntime exceeded”,
so 2 suspicious instances found, e.g.:
-www.uptodown.com/ suspicious
[suspicious:2] (ipaddr:46.105.108.62) (var portal) -www.uptodown.com/
here > status: (referer=-gstatic.uptodown.net/js/es.v10.23.js)saved 50570 bytes f7332d72c7ec545b171964b79e133bc73fd0c20f
info: [script] -partner dot googleadservices dot com/gampad/service.js

polonus

Left123 · September 9, 2011, 2:49pm

Anyone remember avastfrance.fr or something like that which would download a Hoax/avast?
Maybe something alternative?

boombastik · September 10, 2011, 4:53am

Well i check some downlods from the site in a test machine with deep freeze.
All the downloads are legitame programmes witch come with an installer with a conduit toolbar.
(name:uptodown toolbar)
In the installer u have the option to install or not this crap with the option to change your home page in somthing like google powered by uptodown.
If it ur choise to install the toolbar without the search engine, it will change it. So the option to change your homepage simply dosent work.(it will change it with or without you confirmation).
Also the unistaller dont remove the toolbar.(if u want to remove it ,it comes with an unistaller but it doesnt work).So u need third party tools to remove it from IE.
Also i check the avast from their site, is it legitame to have the avast with the option of the toolbar?
An non experience user will install the avast with that toolbar but the real installer of avast has no toolbar…

Coolmario88 · September 10, 2011, 5:27am

In Internet Explorer WebRep is a toolbar. So the real avast installer does have a toolbar which is WebRep in IE

boombastik · September 10, 2011, 5:34am

Well the diference is that u can unistall the webrep if u dont like it. For conduit can we say the same?

polonus · September 11, 2011, 2:11pm

Hi boombastik,

Normally it should be like that via “Start”, “Control Panel”, “Uninstall a programme”, Select “Conduit” and click uninstall, Click “Remove Conduit Engine and all your apps” button, click “Remove” button and you done, Conduit extension in Fx can be removed like other extensions, but sometimes help from a qualified remover is necessary to remove remnants/garbage. There are specific removal tools to do this,

polonus

Maybe malware site

Announcements