Program: Keylaunch URL:Mal

Hello World!

So, I’ve had a proggie called Keylaunch for years. To make a long story short, you activate it with a keystroke, and type a command that you assign to run a script/program/etc. I’ve got 5 commands loaded, and all go to programs (IE, Firefox, Freecell, Winamp, Utorrent).

Every few minutes (shorter or longer depending on… nothing…) I get a ‘Malicious URL Blocked’ notice. The notice varies a bit, but says that Keylaunch is loading a bad URL.

As far as I can tell, all it does is sit there until I run a command. I’ve had the thing for years, and never got a virus… from it… lol.

On a side note… Avast has kept this puter virus free for longer than all the others I’ve tried combined, including the expensive ones… so… props!

Please attach a screenshot of just the avast alert window.

Sorry for the delay, I was away from my home for a few days. Uploaded.

It isn’t so much saying that keylaunch.exe is infected, just that that is the process which initiated the connection to what the Network Shield considers a malicious site.

So one of the applications that you have linked to be launched is connecting (trying) to a malicious site.

I've got 5 commands loaded, and all go to programs (IE, Firefox, Freecell, Winamp, Utorrent).

So one of these apps that keylaunch.exe starts is trying to connect to a malicious site, which one is the $64,000 question, but me I would plump for utorrent.

Unfortunately your image concatenates the domain name the .…\ bit so we can’t investigate what is considered a malicious site, but the rest of the URL looks suspicious: why would an image have what appear to be parameters after it, the ?info_hash= stuff?

If this malicious site’s domain or IP is always the same, then it could be investigated further. When posting URLs to suspect sites, change the http to hXXp so the link isn’t active, risking exposure to the site.

I was finally able to use the ‘more info’ button on the alert. It brought me to a site with this little bit of info;

Infection Details
URL: hxtp://vip.coralplayer.com/img/s_full_full.jpg?info_hash
Process: C:\Program Files (x86)\Key Launch\keylaunch.exe
Infection: URL:Mal

That button almost never works for whatever reason. Avast! always seems to stop whatever is happening, but I’d rather it not be a problem at all.

Zulu
http://zulu.zscaler.com/submission/show/0709d75ccb375c57d2df385f5de90aaa-1332693633

urlQuery - suspicious
http://urlquery.net/report.php?id=34795

From the urlQuery picture it seems to be an empty website?

What programme are you trying to launch to get this alert?

Hi reyak,

Make that url non-click-through please, like hxtp
URL gives a lot of re-directions. It is not the correct entrance URL and has a bad WOT rep index. BrightCloud gives it a yellow 40 rep index, which is suspicious.
Questionable pirated content, spam, spyware, Fake AV, phish,

polonus

What programme are you trying to launch to get this alert?

I am not trying to launch anything at the time. Usually I am already running Firefox (sometimes I have been for quite some time beforehand), and the sites I am traveling through are various, including Facebook, Aim, Google, and HubPages.

Make that url non-click-through please

Sorry, I didn’t even look. I took care of it.

From the urlQuery picture it seems to be an empty website?

It doesn’t surprise me. It’s a random redirect.

I wish I knew what was failing to send me there though…

But why do you need info-hash?
It is part of a Tracker Announce Request.
It means you want to download from a tracker, like BitTorrent, or not?
One should know the risks there.

polonus

CoralPlayer is a scam application and we block its connections/installation.

http://www.theseoinfo.com/how-to-avoid-coral-scam/621/

But why do you need info-hash? It is part of a Tracker Announce Request. It means you want to download from a tracker, like BitTorrent, or not?

I am using Utorrent, but none of my trackers consist of even the word coral… I don’t have coralplayer, I use Zoomplayer for just about everything. I have for a few years now.

vip coralplayer com is where it is being directed to though

And the instigator is the launcher.

You could remove all scripts from the launcher.
Re-enable them one at a time to determine which programme is trying to get there.

Well, isn’t it a good thing that avast blocked that then? Thanks for doing that for us, kubecj.

@Reyak. Did you ever consider using specific blocklists like certain iblocklists to be/feel better protected?
You know that P2P-ing has become frowned upon by certain official parties at least.
Be aware of the risks and the possible implications involved.

polonus

Today, avast! was claiming that my uTorrent version 2.2.1 was trying to connect to vip.coralplayer.com as if it were a tracker (sending a hash and stuff). I checked all my torrents, but none of them had that listed as a tracker. I checked the torrent files I have on hand, and none of them mention coralplayer. I checked the contents of utorrent.exe, and the string is not in the file (though the exe may be packed). Yet it does show up in utorrent.exe’s memory, as viewed by Winhex - the primary memory, but not the Utorrent.exe section. I’m no expert at memory hacking, but I think that means it isn’t in the .exe, but was loaded afterward somehow. Maybe it follows an HTTP redirect from another tracker, but I’m just speculating.

So the program was definitely trying to connect, for some reason, and I don’t know what that reason is. For now, I have deleted all trackers from all torrents that showed up as unable to connect (avast blocking it should mean that it would have that kind of failure status), and I also added a URL block in avast to block access to the site silently, which may or may not prevent avast popups about it in the future, I don’t know.

Anyway, thanks for blocking this site. I don’t want my system going anywhere near it.
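
Added example, not part of any post in this thread: a small triage script for the two points raised above, recognising a tracker announce request by its info_hash parameter (and noticing when it targets an image path, as in the blocked URL) and defanging URLs before posting them. The log format, the two example.invalid lines and all function names are assumptions made for illustration; only the first log line comes from the alert quoted in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".css", ".js")

def refang(url):
    """Turn hxxp/hXXp/hxtp and [.] back into a parseable URL (it is never fetched)."""
    url = re.sub(r"^h(xx|xt)p(s?)://", r"http\2://", url, flags=re.I)
    return url.replace("[.]", ".")

def defang(url):
    """Make a URL non-clickable for a report or forum post."""
    p = urlsplit(url)
    tail = url[len(p.scheme) + 3 + len(p.netloc):]  # path and query, unchanged
    return p.scheme.replace("tt", "xx") + "://" + p.netloc.replace(".", "[.]") + tail

def classify(url):
    """Label a URL by whether it carries the announce parameter and where it points."""
    p = urlsplit(refang(url))
    # keep_blank_values so a bare "?info_hash" (as in the alert) still counts
    keys = {k for k, _ in parse_qsl(p.query, keep_blank_values=True)}
    if "info_hash" not in keys:
        return "not-announce"
    path = p.path.lower()
    if path.endswith(STATIC_EXT):
        return "announce-to-static-file"   # an "image" that takes tracker parameters
    if path.rstrip("/").endswith("announce"):
        return "tracker-announce"          # conventional tracker endpoint
    return "announce-unusual-path"

# Assumed log format: "<process> <url>". Line 1 is the alert from the thread;
# lines 2 and 3 are constructed sample data.
LOG = """\
keylaunch.exe hxtp://vip.coralplayer.com/img/s_full_full.jpg?info_hash
utorrent.exe hxxp://tracker.example.invalid/announce?info_hash=%AA%BB&peer_id=-UT2210-x&port=6881&left=0
firefox.exe hxxp://www.example.invalid/img/logo.png?v=3
"""

def triage(log):
    """Return (process, defanged URL, verdict) for every announce-shaped request."""
    hits = []
    for line in log.splitlines():
        proc, url = line.split(None, 1)
        verdict = classify(url)
        if verdict != "not-announce":
            hits.append((proc, defang(refang(url)), verdict))
    return hits

if __name__ == "__main__":
    for hit in triage(LOG):
        print(*hit, sep="  ")
```

Grouping the hits by process name shows which launched program is actually issuing the announce requests.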