#1531 Privoxy downloads malware - iLividSetupV1.exe

3.0.19
closed
other (323)
5
2012-12-10
2012-12-10
Lebon14
No

Hello.
I am extremely shocked and angry to discover that such software falls so low! Backdoor malware downloading! Proof is attached (translation below)!
The heck?! Where does this happen? Now, please, someone explain this to me. I am NOT in a good mood.

OS : Windows 7 x64, Home Premium
Platform : Setup on Windows 7 x64 to be used on WiiU 2.1.0U
URL : N/A
Firewall : Windows built-in, router
Other proxy : No
E-mail : lebon14 [AT} hotmail {DOT] com

>Translation :<

======================================================
ESET NOD32 Antivirus 5
======================================================
Warning
Potential threat found
Object : (link to malware)
Threat : Win32/Toolbar.SearchSuite Potentially unwanted software

A threat has been detected while the following software accessed the web : C:\Program Files (x86)\Privoxy\privoxy.exe Please send this object to ESET laboratories for analysis.
Why does ESET detect that file?

->| Disconnect
Terminates the connection and prevents the possible threat from accessing your system.
-> No actions
Allow the download of this object. This option allows the potential threat to access your system.

>Hide advanced options

x Show alert window
x Copy to Quarantine
x Submit for analysis
_ Exclude from detection

Discussion

  • Lebon14 - 2012-12-10

    Malware proof

     
  • Fabian Keil - 2012-12-10

    How is that proof of anything?

    Have you ruled out the possibility that Privoxy is merely acting on behalf of another program on your system?

    Did you actually submit the privoxy.exe for analysis and have the "ESET laboratories" confirmed the "threat"?

    And if yes, did you verify that privoxy.exe hasn't been modified since you installed it?

    As you seem to believe that Antivirus software makes your system more secure, you may be interested in:
    https://lock.cmpxchg8b.com/sophailv2.pdf

     
  • Fabian Keil - 2012-12-10
    • assigned_to: nobody --> fabiankeil
    • status: open --> pending
     
  • Lebon14 - 2012-12-10

    >>>Have you ruled out the possibility that Privoxy is merely acting on behalf
    of another program on your system?

    How could it? Only my WiiU is configured to use Privoxy.

    >>>Did you actually submit the privoxy.exe for analysis and have the "ESET
    laboratories" confirmed the "threat"?

    The threat that could be sent is the iLividSetupV1, not Privoxy. NOD32 only told me what software accessed the internet in order to download that.

    >>>And if yes, did you verify that privoxy.exe hasn't been modified since you
    installed it?

    The only thing I remember modifying is the section 4.1 in the main config and add to the user.action file the line "-session-cookies-only".

    >>>As you seem to believe that Antivirus software makes your system more
    secure, you may be interested in:
    https://lock.cmpxchg8b.com/sophailv2.pdf

    Yes, I do believe, but I won't read your technical jargon. It's a helper but doesn't replace my vigilance, of course.

    I started using Privoxy, then those warnings started to pop up out of nowhere, and I had NO issues of that sort before. Care to explain instead of closing the issue?

     
  • Lebon14 - 2012-12-10
    • status: pending --> open
     
  • Anonymous - 2012-12-10

    As Privoxy is acting as a proxy, any programs directed to use it have their traffic sent via Privoxy. Thus privoxy.exe is the program downloading data from the Internet and Eset will report accordingly.

    You, or other software you are using, has tried to download something that uses iLivid (I've seen a few of the bigger "download" sites wrapping software in this crapware) and since the request went via Privoxy, Eset reported it as such.

    Privoxy is not bundled with iLivid or anything else - it's just Privoxy.

     
  • Lebon14 - 2012-12-10

    @proactivesvcs No software of mine besides my WiiU, as previously stated, uses Privoxy. After Privoxy, I installed Netlimiter to check the data speed in/out of Privoxy.

    Do you have an idea what could be the problem? I know for a fact that the Privoxy icon in the taskbar turns into some kind of radar when it happens...

    Here is a list of the software that I have installed that I know could access the internet with or without user interaction :

    * Adobe Master Collection CS5 (Update/DRM)
    * AIM (Main purpose)
    * CCleaner (Update)
    * CDex (CD data/tagging)
    * dBPowerAmp Music Converter (CD data/tagging)
    * eMule (Main purpose)
    * ESET NOD32 (Update)
    * Filezilla FTP (Main purpose/update)
    * iTunes (Update, Store)
    * Last.fm (Main purpose)
    * Logitech drivers (Update)
    * Malwarebyte Anti-Malware (Update)
    * Microsoft Office (Anonymous data collection about usage (asked on first boot))
    * mIRC (Main purpose)
    * Nero (DRM)
    * NewZFinder (Main Purpose)
    * Notepad++ (Update)
    * Powerpost (Main purpose)
    * QuickTime (Update, other) <- do not use, installed with iTunes
    * Skype (Main purpose)
    * Steam (Main purpose/DRM)
    * The KMPlayer (update)
    * VLC Media Player (Update)
    * Winamp (CD data, update & DRM)
    * Windows Live Messenger (Main purpose)
    * JDownloader (Main purpose, update)
    * Firefox (Main purpose, update)
    * Internet Explorer (Main purpose)
    * Google Chrome (Main purpose, update)
    * Thunderbird (Main purpose, update)
    * foobar2000 (update)
    * TweetDeck (Main purpose)
    * Flash (update)
    * Audiosurf (game) (Sends score to game server)
    Might have forgotten some... but still... I have no idea where it's coming from because for all software that accesses the internet on my computer, I know what it's doing, and if another piece of software had downloaded something against my will, I would have known.

    For now, I have uninstalled Netlimiter because it seemed to be the most likely culprit.

     
  • Anonymous - 2012-12-10
    • status: open --> closed
     
  • Anonymous - 2012-12-10

    I happen to use NetLimiter and it didn't come with any bundled software. It doesn't seem the sort to silently download something, especially as crass as iLivid. This is getting outside the remit of Privoxy support, but I will say, from experience, that it's not likely to be Adobe, Eset, Filezilla, iTunes, Microsoft Office, mIRC, QuickTime, Skype, Steam, VLC, WinAmp, Windows Live Messenger, Internet Explorer, Firefox, Thunderbird, Flash or Audiosurf. I suggest you look at the download sites of the others to see if they're bundling iLivid, and try searching for the software name and iLivid to see if you get hits. You could also try closing all of those programs (that you can), then with the Privoxy window open start each one at a time and see if you can catch the perpetrator red-handed.

    If you can find the iLivid URL(s) that are being requested that may also help. Best of luck!
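
The advice above (find the iLivid URLs and work out which program asked for them) can be done from Privoxy's own log instead of by trial and error. The antivirus only sees privoxy.exe as the process opening the connection; the log records which client address each request came from, which separates the WiiU on the LAN from a program on the PC itself talking to 127.0.0.1. The script below is an added example written for this ticket, not code from Privoxy or from anyone in this thread. It assumes Privoxy's `debug 1` ("Request:" lines) and `debug 2` ("Connect: accepted connection from ... on socket N" lines) are enabled in the config, that both lines share the thread id in the third column so they can be correlated, and the log lines, hostnames and IPs in `SAMPLE_LOG` are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log (not a real capture). Layout assumed:
# "<date> <time> <thread-id> <Level>: <message>", with debug 1 and debug 2 on.
SAMPLE_LOG = """\
2012-12-10 18:01:02.101 00000a3c Connect: accepted connection from 192.168.1.20 on socket 5
2012-12-10 18:01:02.103 00000a3c Request: www.nintendo.com/wiiu/
2012-12-10 18:01:05.210 00000b10 Connect: accepted connection from 127.0.0.1 on socket 6
2012-12-10 18:01:05.212 00000b10 Request: download.example.net/iLividSetupV1.exe
2012-12-10 18:01:07.400 00000a3c Request: www.nintendo.com/wiiu/eshop
2012-12-10 18:01:09.050 00000b10 Request: cdn.example.net/ilivid/toolbar.dll
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<tid>[0-9a-fA-F]+) (?P<level>[A-Za-z-]+): (?P<msg>.*)$"
)
CONNECT_RE = re.compile(
    r"accepted connection from (?P<ip>[0-9a-fA-F.:]+) on socket \d+"
)


def attribute_requests(log_text, pattern):
    """Return the requests whose URL matches `pattern` (case-insensitive
    regex; "" matches everything), each tagged with the client address that
    the handling thread most recently accepted a connection from.

    Thread ids are reused by Privoxy, so the mapping is updated on every
    Connect line rather than fixed at first sight. A Request seen before any
    Connect on its thread is reported with client "unknown".
    """
    want = re.compile(pattern, re.IGNORECASE)
    thread_client = {}          # thread id -> last client IP seen on it
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue            # other log noise, ignore
        tid, level, msg = m.group("tid"), m.group("level"), m.group("msg")
        if level == "Connect":
            c = CONNECT_RE.search(msg)
            if c:
                thread_client[tid] = c.group("ip")
        elif level == "Request":
            url = msg.strip()
            if want.search(url):
                hits.append({
                    "ts": m.group("ts"),
                    "client": thread_client.get(tid, "unknown"),
                    "url": url,
                })
    return hits


def summarize_by_client(hits):
    """Count matching requests per client address (dict ip -> count)."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    # Usage: python privoxy_who_asked.py < privoxy.log, or on the sample:
    matches = attribute_requests(SAMPLE_LOG, "ilivid")
    for h in matches:
        print(f'{h["ts"]}  from {h["client"]:<15}  {h["url"]}')
    print("per client:", summarize_by_client(matches))
```

In the sample the iLivid requests both arrive from 127.0.0.1, i.e. from a program on the PC, not from the console. If a request is attributed to 127.0.0.1, `netstat -ano` on Windows, filtered for connections to Privoxy's listen port (8118 by default), shows the PID of the local process holding the connection (`netstat -b` adds the executable name but needs an elevated prompt); running it while the Privoxy taskbar icon is animating catches the process the same way the comment above suggests, without guessing.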
