It appears it comes from a sponsored link. Looks like MBAM can remove the pest.
Does anyone know how to get rid of the trojan that is in the winrar download on CNET from www.dreamcentury.cn? It changes the home page and pops up an annoying box with "applehebi!". Kaspersky is unable to disinfect, quarantine or delete it.
Go ahead and delete it; CNET offers an infected file that infected 1,000s. I post away for people to fix their computers and you call it advertising. It's like you don't want to help fix the problems CNET started.
Anyway, you can stop people from googling "cnet applehebi" and you will find your solution.
1.) Blatant Advertising: You are linking to a mainpage of your own website, NOT directly to the information about the issue in question.
2.) Self Promotion: Instead of offering the users information on how to recover from such an infection you offer your professional services, for a fee.
3.) Misleading Information: You are claiming the application from download.com when the issue is (was) actually with a third-party advertisement, which distributed the infected downloads, on download.com.
4.) Professionalism: Your information on the topic is poorly written, backed by apparently no first-hand knowledge, and does not include any citations from known-trustworthy sources.
You have been warned, and seven minutes after acknowledging that warning you reposted the deleted link. That link is in the process of being removed from your post as another violation of the forum policies. You are welcome to discuss the issue here, based on credible facts and first-hand knowledge, but if you persist in violating the forum policies a ban request will be issued.
OMG! This is so annoying..
And yes i can help you get rid of this trojan.
For anyone that doesn't know what's going on...
If you were to search for WinRar on Download.com,
There would be many links to select from however,
On the top of the page..
There are 2 sponsored links on the top of the search field area..
1.Download Free RAR Utility
AND THE 2ND ONE WHICH REDIRECTS YOU TO A BOGUS SITE THAT INFECTS YOUR COMPUTER (Sorry for caps)
2. Download WinRAR 3.80 Free
Okay this is how I was able to get rid of the Trojan.
I ran these free programs:
1. Malwarebytes' Anti-Malware
3. AVG 8.0
1. The complete scan took about 30 min.
2. Used the Cleaner, then the Registry tool
3. Ran a scan, didn't find anything.
4. Ran HijackThis and deleted all the "host", "BHO", "Extra buttons" selections. There were items up top that linked google to microsoft and so on, deleted those too.
5. I ran CCleaner's registry tool one last time and everything is in working order.
Message was edited by: admin, to edit acronym.
The sponsored ads are not static, and with many advertisers using the same keywords it is entirely possible two will fit the same description yet represent separate entities. However, the following three are most prominent:
WinRAR Free download
WinRAR new version Free, instant download
This website simply links to the direct download from rarlab.com, the developer's official website, and the EXE is determined to be clean by all but one malware scanner, which is a false positive.
Download WinRAR 3.80 Free
Free Full version of WinRAR 3.80 No limitations, free download.
This website offers alternate download pages, which is suspicious.
1.) The user is given two download links on a blank page. The first is to RapidShare, but it cannot be downloaded given a free user's 10-download limitation. The other simply takes the user to the official download.com page.
2.) The user is redirected to winrar.powered-by.zango.com, where he/she is prompted to download the Zango advertising package. This adware package will be flagged by malware scanners and hooks into your browser, among other things. However, it is not actually a trojan (though commonly misidentified as one) and the user is explicitly told what is being downloaded, and required to agree to the EULA.
Download Free RAR Utility
Fast, safe and Easy to use software Supports ZIP, RAR, ISO and more.
This website is actually for the third-party application jZip, which is legitimate though flagged by two scanners as containing the Shopper adware.
As Lee mentioned previously, there was an advertisement for a malicious download of WinRAR on download.com, but it has been removed. If you have found another please provide the full details and the advertisement will be removed. However, I am unable to find such at this time.
1.) Which security application detected it?
2.) Had you clicked on a Sponsored Link or other advertisement on Cnet? (Some are shown right with the traditional search results.)
3.) Do you have the link you used to download WinRAR from Cnet?
I have downloaded WinRAR myself and not encountered any malicious activity, so every detail matters in tracking this issue down.
Did a search on 1/1/09 for winrar. One of the results was a sponsored link for a free winrar 3.80 with no limitations. Downloaded it and not only got the winrar but it also installed a trojan virus. It would not let me go to many websites. Instead it would only take me to a fake microsoft page and direct me to download an anti virus program. An annoying window would pop up every 45 seconds that showed the words comaglia!! comaglia!!! comaglia!!. Had to use avast, spybot, defender, and microsoft malware removal tool to get rid of it because one by itself would not get it done. Just letting people know to be careful and hopefully cnet will remove that particular link. (Sorry, can't remember the exact link but did a search before this and it was still there.)
I absolutely cannot believe that this is still here!!!!!!!!!!!!! After all the complaints by people who have been harmed by this virus that came off CNET Download, AND THEY STILL ALLOW THIS SPONSOR!
My sister called me yesterday in a panic because her business computer got infected. I asked her if she had been to CNET and she said that she had downloaded WinRar.
Now everyone at CNET with their heads up their asses says "It didn't come from us." And YES, it did come from the CNET Download page! TRUE, it is a sponsored link. But the small print and the positioning of that link causes a lot of people to hit it. I did and I am very computer savvy. But I was in a hurry and hit the first link. WHAM. Got the APPLEHEBI!!!
WHY DOES CNET CONTINUE TO ALLOW THIS SPONSORED SITE??? Needless to say, the pedestal that I have had CNET on for so long has toppled to the ground.
On another note: I was able to remove this virus myself very easily without any spybots, malwares or AV. One registry entry and one sys32 entry were deleted and it was gone. I was able to clean up my sister's computer via the phone in about 10 minutes.
WinRar from CNET Downloads has been tested virus and spyware free many times.
Did you see the post by our Forum Admin here;
The site mentioned in that post looks similar to the CNET Download site but is, in fact, a spoof. That sponsored link was removed sometime ago.
If there is now another sponsored link doing the same thing, then CNET will need to know which link, pointing to which site, so they can investigate fully.
Please, look at the image below. It is an image posted in ImageShack, free of viruses;
It looks like CNET's Download.com site. It only looks incomplete because my Firefox browser security settings and add-ons prevented the many scripts it attempted to download from doing so.
Can you see the difference from the real thing?
Look closely at the url address in the address bar. That h t t p ://www.wintechaiitm.org.cn doesn't look like;
http://www.download.com/windows/ , (I disabled the http in the wintechaiitm link as I don't want anyone going there).
Can you tell the difference? Could your sister have told the difference?
As a matter of interest, I carried out a WHOIS on www.wintechaiitm.org.cn, although that .cn gives it away. (WHOIS - Wikipedia definition).
The WHOIS result gives the IP result of Beijing - Beijing - Hichina Web Solutions (beijing) Limited. China.
Is that where your sister downloaded WinRar from?
How did your sister get to that download in the first place? If she went to www.download.com and typed in WinRar in the Search box, she would have seen this list;
There are no sponsored links there.
CNET will need to know, so they can track back and, if there is yet another suspect sponsored link, investigate it and remove it. They need yours and your sister's help to do that.
I have verified that www.downloadcom.net.cn is hosting a malware-infected version of WinRAR and attempting to pass itself off as a legitimate download.com page when in reality there is no affiliation with Cnet. However, I have been unable to find an advertisement for that website on Cnet as of this point. Nevertheless, I have placed a request for the list of advertisements, provided by Google, be checked for www.downloadcom.net.cn and for any/all advertisements be pulled based on that URL. Once Cnet returns from the holiday break and catches up on past requests I hope to hear back that this issue has been resolved, at which time I will post an update here.
>>> Continued here due to depth of subthread being reached. <<<
In fact the CNET offices have officially been closed since December 23rd (and will reopen Monday), so except for select editors and skeleton crews the Cnet employees are still home enjoying the holidays. None of them actively monitor these forums, requests from the moderators (including myself) are pending response, and user-submitted reports will not be read until Monday as the customer service crew is on vacation. Thus, if that ad was in the queue I have every reason to believe it is still there.
I've been checking off and on since this issue was raised, and dropped by download.com this morning, but have not seen it or any other malicious WinRAR ad since a previous removal. However, since ads are targeted based on page content and frequency, among other things, it is entirely possible, albeit quite unusual if specifically looking for it, for an individual to never see a particular ad. That is why I have submitted the request.
That's all good John. Stay on top of it, because like I said, it was there this AM. AND HAS BEEN THERE SINCE I HIT IT LAST NOVEMBER.
Also, I always warn my clients about double-dot suffixes. If you see a [.com.cn] it is very often a malware site. Avoid it. I am sure Cnet is aware of this.
And the website I posted this AM (copied and pasted from CNET Download.com) was definitely a [.com.cn] (Refer to my previous posts.)
Some countries, such as the UK, use second-level domains, making .co.uk the standard for commercial websites. Also, Cnet owns http://www.com.com, using it for displaying much of their multimedia content (including the images in these forums). Thus, while it is commonly an indication of suspicious activity one should never avoid or block on that basis alone without researching the site/domain first.
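A defender-side check for the two points made in this thread (the spoofed download.com lookalikes such as www.downloadcom.net.cn and www.wintechaiitm.org.cn, and the caveat that a two-label suffix such as .co.uk or a domain such as com.com is not suspicious by itself). This is an added example, not code from the thread, from CNET or from any poster; it assumes a small hand-picked subset of public suffixes and a simple name-imitation heuristic.

```python
from urllib.parse import urlsplit

# Assumption: a hand-picked subset of two-label public suffixes from this
# thread's examples, not the full Public Suffix List (https://publicsuffix.org/).
TWO_LABEL_SUFFIXES = {"co.uk", "com.cn", "net.cn", "org.cn"}


def registrable_domain(url: str) -> str:
    """Return the registrable domain (public suffix plus one label) of a URL.

    A bare host such as 'www.download.com' is accepted as well as a full URL.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])   # e.g. example.co.uk, downloadcom.net.cn
    return ".".join(labels[-2:])       # e.g. download.com, com.com


def classify_download_url(url: str, expected: str = "download.com") -> str:
    """Classify a download link relative to the vendor's real domain.

    'official'  -> registrable domain is exactly the expected one
    'lookalike' -> a different registrable domain that imitates the expected
                   name (expected name embedded with dots removed, or the same
                   first label under another suffix, e.g. download.com.cn);
                   this is a heuristic and may flag benign names too
    'other'     -> unrelated domain; a double-dot suffix alone is NOT flagged
    """
    dom = registrable_domain(url)
    if dom == expected:
        return "official"
    flat_expected = expected.replace(".", "")
    first_label = expected.split(".")[0] + "."
    if flat_expected in dom.replace(".", "") or dom.startswith(first_label):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links; the two .cn hosts are the ones named in the thread.
    for link in ("http://www.download.com/windows/",
                 "http://www.downloadcom.net.cn/",
                 "www.wintechaiitm.org.cn",
                 "http://www.com.com/",
                 "http://example.co.uk/winrar"):
        print(f"{link:40} -> {registrable_domain(link):24} {classify_download_url(link)}")
```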