Why this site is blacklisted and does avast also blacklist it?

Hi forum friends,

See: cdn.bigspeedpro.com is in Dr.Web malicious sites list!
See: http://urlquery.net/report.php?id=3383
Nothing here: http://siteinspector.comodo.com/public/reports/364194
Given as dangerous: http://www.urlvoid.com/scan/cdn.bigspeedpro.com
On the complaints board: http://www.complaintsboard.com/complaints/bigspeedprocom-c447643.html
Only one here: http://www.virustotal.com/url-scan/report.html?id=fb2186f6ed28256c482e31ec9e275b3c-1311839669
But this URL is certainly infected: -http://cdn.bigspeedpro.com/mirror/toolbars/facesmooch-minibar-silent.ex- as Trojan.AVKill.2 & Trojan.KillProc.4308 (DrWeb),
see: http://www.virustotal.com/file-scan/report.html?id=57fa1d7c65ee6d274d7b91d07613ddd949f05333ca22662a96207d05688ffd1e-1316002204 &
http://www.virustotal.com/file-scan/report.html?id=9e0bdafb2992307078f0f5646abf3be1d42447d2b720782819135a32b0755a6a-1299773508
Also see: http://camas.comodo.com/cgi-bin/submit?file=57fa1d7c65ee6d274d7b91d07613ddd949f05333ca22662a96207d05688ffd1e&iframe=
sent to virus AT avast dot com

polonus


Thanks for posting about this one, Polonus, as it is surely one nobody should want to encounter.


Reanalyzed -http://cdn.bigspeedpro.com/mirror/toolbars/facesmooch-minibar-silent.exe because there could be an FP involved, as I was informed, and it is only detected by DrWeb’s.
http://www.garyshood.com/virus/results.php?r=bc57891b8249f2bd406e2562ce75e1cc
So took an Anubis Analysis: http://anubis.iseclab.org/?action=result&task_id=1319b250c7d6715e481978fbdb22b648c
Some characteristics found -
The executable issues HTTP Requests and downloads potential malicious executable code…risk
DNS queries to bad web host: Bad Host Experience malware network activity 216.137.45.etc.
domain known to have some 132 spam bot servers, C&C servers, 1 exploit server…
Spoof with trojan payload possible: 86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 0x773D0000
86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 0x773D0000 could lead to profiler crashes
Migrate proxy mutex created: 8HKU\S-1-5-21\42925246 1425521274 308236825 500
Named pipe 0x0011C017 \PIPE ROUTER
_SHuassist.mtx. mutex host name requests from a host database

So Comodo flags it, some say FP (Norman); well, we will hear about the verdict, could be a PUP!
check:
-http://www.bigseekpro.com/installer/execution_arguments
-http://www.bigseekpro.com/install_ping/facesmooch/{D68B9B88-7A31-2D3C-47DE-F10633B1D06A}/5
-http://www.bigseekpro.com/install_ping/facesmooch22/{D68B9B88-7A31-2D3C-47DE-F10633B1D06A}/5
-http://www.bigseekpro.com/installer/complete
-http://www.bigspeedpro.com/button/facesmooch/ie/config.json
-http://www.bigspeedpro.com/button/facesmooch22/ie/config.json
-http://www.bigspeedpro.com/button/C:/Program%20Files/Minibar//ie/config.json
-http://www.bigspeedpro.com/button/facesmooch22/ie/icons/icon16.ico
-http://www.bigspeedpro.com/button/facesmooch/ie/icons/icon16.ico

polonus
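As an added example (it is not code from this thread, from Anubis, or from any of the scanners linked above), the Python script below turns the request list quoted from the sandbox report into host and path-prefix indicators, generalising the per-install GUID, and then checks a few constructed proxy log lines against them. The log format, client IPs and timestamps are made up for the example; the hosts and paths are the ones listed in the report above.

```python
"""Build network indicators from the sandbox-observed URLs and scan proxy logs.

Added example for the thread above; the log format below is constructed.
"""
import re
from urllib.parse import urlparse

# Request list quoted from the Anubis report in the thread. The leading "-" is
# the forum's defanging convention and is stripped by refang().
OBSERVED_URLS = [
    "-http://www.bigseekpro.com/installer/execution_arguments",
    "-http://www.bigseekpro.com/install_ping/facesmooch/{D68B9B88-7A31-2D3C-47DE-F10633B1D06A}/5",
    "-http://www.bigseekpro.com/install_ping/facesmooch22/{D68B9B88-7A31-2D3C-47DE-F10633B1D06A}/5",
    "-http://www.bigseekpro.com/installer/complete",
    "-http://www.bigspeedpro.com/button/facesmooch/ie/config.json",
    "-http://www.bigspeedpro.com/button/facesmooch22/ie/config.json",
    "-http://www.bigspeedpro.com/button/C:/Program%20Files/Minibar//ie/config.json",
    "-http://www.bigspeedpro.com/button/facesmooch22/ie/icons/icon16.ico",
    "-http://www.bigspeedpro.com/button/facesmooch/ie/icons/icon16.ico",
]

# Registry-style GUID as it appears in the install_ping paths.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def refang(url: str) -> str:
    """Undo the forum's leading '-' and the common 'hxxp://' defanging."""
    url = url.strip()
    if url.startswith("-"):
        url = url[1:]
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def normalise(url: str):
    """Return (lower-cased host, path with the install GUID generalised), or None."""
    parsed = urlparse(refang(url))
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower(), GUID_RE.sub("{GUID}", parsed.path)


def first_segment(path: str) -> str:
    """First path component ('install_ping' for '/install_ping/x/{GUID}/5')."""
    return path.split("/")[1] if len(path) > 1 else ""


def build_indicators(urls):
    """Hosts and (host, first path segment) pairs seen in the sandbox run."""
    hosts, prefixes = set(), set()
    for url in urls:
        norm = normalise(url)
        if norm is None:
            continue
        host, path = norm
        hosts.add(host)
        prefixes.add((host, first_segment(path)))
    return hosts, prefixes


# Constructed proxy log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines, indicators):
    """Flag log lines whose host (or host + path prefix) matches the indicators."""
    hosts, prefixes = indicators
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the scan
        norm = normalise(match.group("url"))
        if norm is None or norm[0] not in hosts:
            continue
        host, path = norm
        reason = "known path prefix" if (host, first_segment(path)) in prefixes else "known host"
        hits.append({"client": match.group("client"), "host": host, "path": path, "reason": reason})
    return hits


# Constructed sample log lines (IPs, timestamps and the GUID are invented).
SAMPLE_LOG = [
    "2011-09-14T09:12:01Z 10.0.0.5 GET http://www.bigseekpro.com/install_ping/facesmooch/{01234567-89AB-CDEF-0123-456789ABCDEF}/5 200",
    "2011-09-14T09:12:02Z 10.0.0.5 GET http://www.bigspeedpro.com/button/facesmooch/ie/config.json 200",
    "2011-09-14T09:12:03Z 10.0.0.7 GET http://example.com/index.html 200",
    "2011-09-14T09:12:04Z 10.0.0.9 GET http://www.bigspeedpro.com/other/thing 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, build_indicators(OBSERVED_URLS)):
        print(hit)
```

Matching on host plus first path segment keeps the rule specific to the installer's ping/config traffic while still generalising over the product name and the per-install GUID, so a differently named rebrand on the same infrastructure is still caught; a bare host match is reported separately with a weaker reason so an analyst can triage it.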