See: https://www.virustotal.com/nl/url/d8fc0eaddf717c2d3a4c6391b6f01e181cde2780fc92d01e1b1c40dc41e9aab3/analysis/1384035776/
file detection: https://www.virustotal.com/nl/file/2d6055c4b36e6870b357f6bbfde0d13192d5ef25dd6ca0c6d198339730fab439/analysis/1384001785/
See: http://urlquery.net/report.php?id=7554487
Known as Installmonetizer.AF; Trojan.Win32.InstallMonetizer.Aho; Win32/InstallMonetizer.AF; AdWare.Win32.

pol

Undetected.

Also almost unknown to Symantec.

On execution 2 .exe files are being blocked.

Its installing DealPly, Video Saver, RegClean Pro and other Crap.

DealPly is blocked by Avast, and its downloading something else in background.

I will run this on a clean VM without an Antivirus now, then i will do some scans. Norton is just sleeping on the file.

Avast blocked some parts of this PUP.

This time there is much more garbage.

Without any AV.

Its still installing in background. when done i will run some scans. (Hitman Pro, Norton Power Eraser, Malwarebytes, etc…)

A ton of extensions has been installed.

Here are logs:

https://drive.google.com/folderview?id=0B28ldDzASOt3dnJQT0JNNnVPb0U&usp=sharing

You can download the logs from there.

There are ADWCleaner, Malwarebytes and Hitman pro logs now.

File is now detected as TR/Rogue.9933116 by Avira.

Hi Steven Winderlich,

Thanks for posting and aiding avast! detection,

Damian

ITS DETECTED BY AVIRA NOT BY AVAST.

Hi Steven Winderlich,

I know, I know, did not misread that. I only hope that avast will read over our shoulders to soon add with an upcoming virus def update.

[pol