
Download.com Site Feedback forum

General discussion

Winrar download trojan

by billh_2008 / November 16, 2008 12:06 AM PST

Does anyone know how to get rid of the trojan that is in the winrar download on CNET from www.dreamcentury.cn? It changes the home page and pops up an annoying box with "applehebi!". Kaspersky is unable to disinfect, quarantine or delete it.

See link.
by R. Proffitt Forum moderator / November 16, 2008 12:14 AM PST
In reply to: Winrar download trojan
mbam
by billh_2008 / November 16, 2008 12:25 PM PST
In reply to: See link.

Where do I get MBAM? My search led me to a trojan called mbam.exe

MalwareBytes.
by MarkFlax Forum moderator / November 17, 2008 4:30 AM PST
In reply to: mbam
To NickLockard, posts deleted.
by MarkFlax Forum moderator / November 17, 2008 6:16 PM PST
In reply to: Winrar download trojan

Sorry but we are deleting all your posts.

Advertising web sites contravenes Forum Policy.

Mark

thanks
by NickLockard / November 17, 2008 6:31 PM PST

Go ahead and delete it, CNET offers an infected file that infected 1,000s. I post away for people to fix their computers and you call it advertising. It's like you don't want to help fix the problems CNET started.

Anyways, you can stop people from googling cnet applehebi you will find your solution

Free information regarding this infection
by NickLockard / November 17, 2008 6:38 PM PST

I would like to point out this link [EDITED by forum admin--please read moderator note to your posting]

Here you will find information on this nasty infection cnet gave you.

Are you sure our winrar is infected?
by Kees Bakker / November 17, 2008 7:22 PM PST
I am sure
by billh_2008 / November 18, 2008 3:03 AM PST

It is there if you download winrar from the CNET link that I used. Prevx identified and isolated it. It installs a file named explore.exe in the Windows System32 folder. It can simply be deleted once found. My Kaspersky did not recognize it either.

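The indicator reported in the post above (an unexpected explore.exe dropped into System32, one letter short of the genuine explorer.exe) is a common pattern: a malicious file takes a name that is one edit away from a well-known system binary so it goes unnoticed in a directory listing. The script below is an added example, not code from this thread or from any of the tools mentioned in it; it flags names within one edit of a known binary that are not themselves on the known list. The binary list and the directory listing are constructed samples so it runs anywhere.

```python
# Added example (not from the thread): find file names that imitate a
# well-known Windows binary by a single character change.

# Constructed subset of well-known Windows executables.
KNOWN_BINARIES = {
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "notepad.exe",
}

# Constructed System32-style listing: three legitimate names, two lookalikes.
SAMPLE_LISTING = [
    "kernel32.dll", "explore.exe", "svchost.exe", "svch0st.exe", "notepad.exe",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_names(listing, known=KNOWN_BINARIES, max_distance=1):
    """Return (suspect_name, imitated_binary) pairs for names that are within
    max_distance edits of a known binary without being that binary."""
    findings = []
    for name in listing:
        low = name.lower()
        if low in known:
            continue  # the genuine file, nothing to report
        for candidate in sorted(known):
            if edit_distance(low, candidate) <= max_distance:
                findings.append((name, candidate))
                break
    return findings


if __name__ == "__main__":
    for suspect, imitated in lookalike_names(SAMPLE_LISTING):
        print(f"{suspect} looks like {imitated}; verify its signature before trusting it")
```

To run it against a real machine, pass `os.listdir(r"C:\Windows\System32")` instead of `SAMPLE_LISTING`; a hit only means the name deserves a look (publisher signature, hash, creation time), not that the file is malicious.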
Are you really sure? Take a look at this...
by Lee Koo (ADMIN) CNET staff/forum admin / November 18, 2008 7:17 AM PST
In reply to: I am sure

This was one of the links found on our sponsored link which has since been removed. The page looks like CNET Download.com, but isn't:

NOTE: PLEASE DO NOT DOWNLOAD FROM THIS SITE HERE:
www.wintechaiitm.org.cn/winrar.htm

Final warning...
by John.Wilkinson / November 18, 2008 9:32 AM PST

1.) Blatant Advertising: You are linking to a mainpage of your own website, NOT directly to the information about the issue in question.
2.) Self Promotion: Instead of offering the users information on how to recover from such an infection you offer your professional services, for a fee.
3.) Misleading Information: You are claiming the application from download.com when the issue is (was) actually with a third-party advertisement, which distributed the infected downloads, on download.com.
4.) Professionalism: Your information on the topic is poorly written, backed by apparently no first-hand knowledge, and does not include any citations from known-trustworthy sources.

You have been warned, and seven minutes after acknowledging that warning you reposted the deleted link. That link is in the process of being removed from your post as another violation of the forum policies. You are welcome to discuss the issue here, based on credible facts and first-hand knowledge, but if you persist in violating the forum policies a ban request will be issued.

John

applehebi! !!!!
by ihopenoonehasthisuserid / November 19, 2008 2:22 AM PST
In reply to: Winrar download trojan

OMG! This is so annoying..

And yes I can help you get rid of this trojan.


For anyone that doesn't know what's going on...

If you were to search for WinRar on Download.com,
There would be many links to select from however,

On the top of the page..
http://www.download.com/1770-20_4-0.html?query=winrar&tag=srch&searchtype=downloads&filterName=platform%3DWindows&filter=platform%3DWindows

There are 2 sponsored links on the top of the search field area..

1.Download Free RAR Utility

AND THE 2ND ONE WHICH REDIRECTS YOU TO A BOGUS SITE THAT INFECTS YOUR COMPUTER (Sorry for caps)

2. Download WinRAR 3.80 Free
_________________________________________

Okay this is how I was able to get rid of the Trojan.

I ran these free programs:

1. Malwarebytes' Anti-Malware
2. CCleaner
3. AVG 8.0
4. Hijackthis

1. The complete scan took about 30 min.
2. Used the Cleaner, then the Registry tool
3. Ran a scan, didn't find anything.
4. Ran HijackThis and deleted all the "host", "BHO", "Extra buttons" selections. There were items up top that linked google to microsoft and so on, deleted those too. And rebooted.
5. I ran CCleaner's registry tool one last time and everything is in working order.

Message was edited by: admin, to edit acronym.

URLs would help...
by John.Wilkinson / November 19, 2008 7:47 AM PST
In reply to: applehebi! !!!!

The sponsored ads are not static, and with many advertisers using the same keywords it is entirely possible two will fit the same description yet represent separate entities. However, the following three are most prominent:


WinRAR Free download
WinRAR new version Free, instant download
new-version.org


This website simply links to the direct download from rarlab.com, the developer's official website, and the EXE is determined to be clean by all but one malware scanner, which is a false positive.


Download WinRAR 3.80 Free
Free Full version of WinRAR 3.80 No limitations, free download.
winrar.udownload.info


This website offers alternate download pages, which is suspicious.
1.) The user is given two download links on a blank page. The first is to RapidShare, but it cannot be downloaded given a free user's 10-download limitation. The other simply takes the user to the official download.com page.
2.) The user is redirected to winrar.powered-by.zango.com, where he/she is prompted to download the Zango advertising package. This adware package will be flagged by malware scanners and hooks into your browser, among other things. However, it is not actually a trojan (though commonly misidentified as one) and the user is explicitly told what is being downloaded, and required to agree to the EULA.


Download Free RAR Utility
Fast, safe and Easy to use software Supports ZIP, RAR, ISO and more.
www.jzip.com


This website is actually for the third-party application jZip, which is legitimate though flagged by two scanners as containing the Shopper adware.


As Lee mentioned previously, there was an advertisement for a malicious download of WinRAR on download.com, but it has been removed. If you have found another please provide the full details and the advertisement will be removed. However, I am unable to find such at this time.

John

Applrhebi
by lionshooter / November 26, 2008 1:13 PM PST
In reply to: URLs would help...

Yer damn right I got it from CNET. Trying to get a ZIP program and downloaded WINRAR. That was on 11/20 and I still haven't been able to get rid of it. And CNET says it didn't come from them. JERKS!!!!!!!!!!!!!

The more details the better...
by John.Wilkinson / November 26, 2008 2:25 PM PST
In reply to: Applrhebi

For instance:
1.) Which security application detected it?
2.) Had you clicked on a Sponsored Link or other advertisement on Cnet? (Some are shown right with the traditional search results.)
3.) Do you have the link you used to download WinRAR from Cnet?

I have downloaded WinRAR myself and not encountered any malicious activity, so every detail matters in tracking this issue down.

John

ok
by ihopenoonehasthisuserid / December 3, 2008 6:49 AM PST

The first Sponsored Link, is the one that links to a bogus site..

Where it reads:

WinRAR Free Download
Free, instant download WinRAR 3.80
winrar.new-version.org

trojan from winrar download
by joker1271 / January 2, 2009 1:04 PM PST
In reply to: ok

Did a search on 1/1/09 for winrar. One of the results was a sponsored link for a free winrar 3.80 with no limitations. Downloaded it and not only got the winrar but it also installed a trojan virus. It would not let me go to many websites. Instead it would only take me to a fake microsoft page and direct me to download an anti virus program. An annoying window would pop up every 45 seconds that showed the words comaglia!! comaglia!!! comaglia!!. Had to use avast, spybot, defender, and microsoft malware removal tool to get rid of it because one by itself would not get it done. Just letting people know to be careful and hopefully cnet will remove that particular link. (Sorry, can't remember the exact link but did a search before this and it was still there.)

WinRar virus
by lionshooter / January 2, 2009 10:44 PM PST
In reply to: ok

I absolutely can not believe that this is still here!!!!!!!!!!!!! After all the complaints by people who have been harmed by this virus that came off CNET Download, AND THEY STILL ALLOW THIS SPONSOR!
My sister called me yesterday in a panic because her business computer got infected. I asked her if she had been to CNET and she said that she had downloaded WinRar.
Now everyone at CNET with their heads up their asses says "It didn't come from us." And YES, it did come from the CNET Download page! TRUE, it is a sponsored link. But the small print and the positioning of that link causes a lot of people to hit it. I did and I am very computer savvy. But I was in a hurry and hit the first link. WHAM. Got the APPLEHEBI!!!

WHY DOES CNET CONTINUE TO ALLOW THIS SPONSORED SITE??? Needless to say, the pedestal that I have had CNET on for so long has toppled to the ground.

On another note: I was able to remove this virus myself very easily without any spybots, malwares or AV. One registry entry and one sys32 entry were deleted and it was gone. I was able to clean up my sister's computer via the phone in about 10 minutes.

Just to be sure.
by MarkFlax Forum moderator / January 2, 2009 11:10 PM PST
In reply to: WinRar virus

WinRar from CNET Downloads has been tested virus and spyware free many times.

Did you see the post by our Forum Admin here;
http://forums.cnet.com/5208-12543_102-0.html?forumID=141&threadID=316546&messageID=2909951&tag=forums06;posts

The site mentioned in that post looks similar to the CNET Download site but is, in fact, a spoof. That sponsored link was removed sometime ago.

If there is now another sponsored link doing the same thing, then CNET will need to know which link, pointing to which site, so they can investigate fully.

Mark

WinRar
by lionshooter / January 2, 2009 11:39 PM PST
In reply to: Just to be sure.

I don't know which one it is and I am not about to experiment, although I guess I could stick in an old HDD and play around but I don't have time. But my sister got it last week off CNET download site. So there obviously is one still there.
Should be your responsibility to find it.

How can you know?
by MarkFlax Forum moderator / January 3, 2009 2:26 AM PST
In reply to: WinRar

Please, look at the image below. It is an image posted in ImageShack, free of viruses;
http://img293.imageshack.us/img293/3109/spoofzt5.jpg

It looks like CNET's Download.com site. It only looks incomplete because my Firefox browser security settings and add-ons prevented the many scripts it attempted to download from doing so.

Can you see the difference from the real thing?

Look closely at the url address in the address bar. That h t t p ://www.wintechaiitm.org.cn doesn't look like;
http://www.download.com/windows/ , (I disabled the http in the wintechaiitm link as I don't want anyone going there).

Can you tell the difference? Could your sister have told the difference?

As a matter of interest, I carried out a WHOIS on www.wintechaiitm.org.cn, although that .cn gives it away. (WHOIS - Wikipedia definition).

The WHOIS result gives the IP result of Beijing - Beijing - Hichina Web Solutions (beijing) Limited. China.

Is that where your sister downloaded WinRar from?

How did your sister get to that download in the first place? If she went to www.download.com and typed in WinRar in the Search box, she would have seen this list;
http://www.download.com/1770-20_4-0.html?query=WinRar&tag=srch&searchtype=downloads&filterName=platform%3DWindows&filter=platform%3DWindows

There are no sponsored links there.

CNET will need to know, so they can track back and, if there is yet another suspect sponsored link, investigate it and remove it. They need yours and your sister's help to do that.

Mark

winrar
by lionshooter / January 3, 2009 3:10 AM PST
In reply to: How can you know?

She says: I put Cnet into Google search, clicked on downloads, put winrar in the Cnet search box, and clicked on the first site (www.downloadcom.net.cn)

That doesn't appear to be download.com or Cnet at all!
by R. Proffitt Forum moderator / January 3, 2009 3:20 AM PST
In reply to: winrar

Don't get stuff from there. Looks shady to me.

shady site
by lionshooter / January 3, 2009 3:57 AM PST

Looks shady to me too but not to the average neophyte. The public ASSUMES that if it is on the Cnet download site, then it must be legit. I did and I know better. Been building and selling computers since 1993. Know my way around. Didn't look, just assumed and clicked.

I am looking into it...
by John.Wilkinson / January 3, 2009 9:03 AM PST
In reply to: winrar

I have verified that www.downloadcom.net.cn is hosting a malware-infected version of WinRAR and attempting to pass itself off as a legitimate download.com page when in reality there is no affiliation with Cnet. However, I have been unable to find an advertisement for that website on Cnet as of this point. Nevertheless, I have placed a request that the list of advertisements, provided by Google, be checked for www.downloadcom.net.cn and that any/all advertisements be pulled based on that URL. Once Cnet returns from the holiday break and catches up on past requests I hope to hear back that this issue has been resolved, at which time I will post an update here.

Regards,
John

John are you screwing with me?
by lionshooter / January 3, 2009 11:06 AM PST

I copied this link (www.downloadcom.net.cn) right off the top of the front page of download.com> winrar into my post at 11:10 AM today. It is not there now. So look into it all you want...someone removed it after I posted this morning!

No, I am being quite honest...
by John.Wilkinson / January 3, 2009 11:28 AM PST
In reply to: WinRar virus

>>> Continued here due to depth of subthread being reached. <<<

In fact the CNET offices have officially been closed since December 23rd (and will reopen Monday), so except for select editors and skeleton crews the Cnet employees are still home enjoying the holidays. None of them actively monitor these forums, requests from the moderators (including myself) are pending response, and user-submitted reports will not be read until Monday as the customer service crew is on vacation. Thus, if that ad was in the queue I have every reason to believe it is still there.

I've been checking off and on since this issue was raised, and dropped by download.com this morning, but have not seen it or any other malicious WinRAR ad since a previous removal. However, since ads are targeted based on page content and frequency, among other things, it is entirely possible, albeit quite unusual if specifically looking for it, for an individual to never see a particular ad. That is why I have submitted the request.

Regards,
John

Ongoing-APPLEHEBI; et al malware
by lionshooter / January 3, 2009 1:12 PM PST

That's all good John. Stay on top of it, because like I said, it was there this AM. AND HAS BEEN THERE SINCE I HIT IT LAST NOVEMBER.

Also, I always warn my clients about double-dot suffixes. If you see a [.com.cn] it is very often a malware site. Avoid it. I am sure Cnet is aware of this.

And the website I posted this AM (copied and pasted from CNET Download.com) was definitely a [.com.cn] (Refer to my previous posts.)

A note on the 'double-suffix'...
by John.Wilkinson / January 3, 2009 1:24 PM PST

Some countries, such as the UK, use second-level domains, making .co.uk the standard for commercial websites. Also, Cnet owns http://www.com.com, using it for displaying much of their multimedia content (including the images in these forums). Thus, while it is commonly an indication of suspicious activity one should never avoid or block on that basis alone without researching the site/domain first.

John

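Mark's advice earlier in the thread (read the host in the address bar, not the page design) and John's point just above (a double suffix such as .org.cn or .co.uk is a registry convention, not proof of a spoof) reduce to one question: what is the registrable domain of the host you are about to download from, and is it the one you expect? The script below is an added example, not code from this thread or from CNET. It uses a constructed subset of the Public Suffix List (a real tool would load the full list) and the hostnames quoted in this thread as constructed sample input; the trusted-domain set is an assumption for the example.

```python
# Added example (not from the thread): decide whether a download link really
# points at the site the page claims to be, by comparing registrable domains.
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, just enough for the hosts in
# this thread. Multi-label entries are what make "double-dot" endings such as
# .org.cn or .co.uk ordinary registry suffixes rather than evidence of spoofing.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "info", "cn", "uk",
    "org.cn", "net.cn", "com.cn", "co.uk",
}

# Assumed trusted set: the real site, plus com.com, which the thread notes is
# CNET's own media host.
TRUSTED_DOMAINS = {"download.com", "com.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname: the label directly under
    the longest matching public suffix, e.g.
    'www.downloadcom.net.cn' -> 'downloadcom.net.cn'."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host towards the TLD; the first hit is the longest
    # matching suffix, so 'net.cn' is found before 'cn'.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def link_verdict(url: str, trusted=TRUSTED_DOMAINS):
    """Return (registrable_domain, is_trusted) for a download link."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    return reg, reg in trusted


if __name__ == "__main__":
    # Constructed sample links: the real site, the two spoof hosts quoted in
    # the thread, and a .co.uk host to show the double suffix alone proves nothing.
    for url in [
        "http://www.download.com/windows/",
        "http://www.wintechaiitm.org.cn/winrar.htm",
        "http://www.downloadcom.net.cn/",
        "http://www.example.co.uk/",
    ]:
        reg, ok = link_verdict(url)
        print(f"{url:45} -> {reg:25} {'trusted' if ok else 'NOT trusted'}")
```

Note that the check is an allowlist on the registrable domain, so www.downloadcom.net.cn fails because its registrable domain is downloadcom.net.cn, not because it ends in .net.cn; example.co.uk also fails, but only because it is not on the trusted list, which is the distinction John is drawing.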
double-suffix
by lionshooter / January 3, 2009 1:43 PM PST

Better safe than sorry. For many years, double suffix spelled trouble. I'm an old timer and live in the past. But I stay safe...most of the time. Never had a virus until I got the malware 'Applehebi' from download.com.

winrar trojan
by joker1271 / January 3, 2009 2:09 PM PST
In reply to: double-suffix

Did the same search today and the same link came up. But this time when you click on it to download, you go to a different site than it did when I downloaded the trojan infested virus. This new site looks legit. It is sponsored by zango. This is bizarre to say the least.
