
Malware Detection in 8.1.2.0 Download

I have to say that I'm not very happy about this - and that is very gently put!
Your site is currently spreading a virus. You should take your system offline right now until you get control over the situation! Or is this on purpose?
What you see is two different sites on two different IPs. One is ours, the other (the "evil clone") is not. We are still investigating...

EDIT: We can't turn it off, because the "evil clone" is not our site.
 
Just to be safe, I did a System Restore back several days, even though my virus software said I was now clean. Just wanted to be as safe as possible.

Just wonder how many Anydvd users have been hit with this, and for one reason or another, don't know it. Maybe you should send out a warning email, just keep us all safe.
 

I just did the same. Still not 100% confident till I hear back from James on what the virtual machine found it installed - so I can manually check for it.
-W
 
James, the download web page itself must have the power or logic, to send out the popups we get when a new version is released. That's kind of scary they were able to do that to lure us to their infected download. I would suggest that be changed, and have the popups manually sent out via a program or function that is not automatic. Obviously that is a flaw that was exploited, and pretty easy for the hackers. Also, it's pretty fishy, they sent out their clone popups, minutes before the real popup came out for the new version. You don't have any bad guys working for you, I hope not trying to defeat Anydvd, or confidence for us users.
 

Didn't I tell you to stop thinking? LOL!
The popups were correct as per normal - it's the DNS lookup services that were hacked.
The popup's link to the CORRECT download was redirecting (out in the wild blue interwebs) to the bad site.
Nothing was hacked in Redfox, the hacking was in the DNS servers.
-W
 
Hey Dude, give me a break. I was the first to report this on the forum. I may have saved a lot of users from getting infected. Give me at least a little credit.
 
James, the download web page itself must have the power or logic, to send out the popups we get when a new version is released. That's kind of scary they were able to do that to lure us to their infected download. I would suggest that be changed, and have the popups manually sent out via a program or function that is not automatic. Obviously that is a flaw that was exploited, and pretty easy for the hackers. Also, it's pretty fishy, they sent out their clone popups, minutes before the real popup came out for the new version. You don't have any bad guys working for you, I hope not trying to defeat Anydvd, or confidence for us users.
The popups were sent out manually, because we have released a new version. I know nothing about "clone popups".
 
Scanning now - thanks.
It found it and I removed it.
That said, it was only shown extant in the download file itself, in the downloads folder.
It doesn't seem to have "installed" on the PC proper.
Wouldn't it have to be installed and running to have gone "active" ??
-W
 
The popups were sent out manually, because we have released a new version. I know nothing about "clone popups".

Then who does know something about the clone popup that started this whole thing and sent me to the bogus site? If I hadn't received that clone popup, I would never have known to go to that site and download the infected file.
 
Scanning now - thanks.
It found it and I removed it.
That said, it was only shown extant in the download file itself, in the downloads folder.
It doesn't seem to have "installed" on the PC proper.
Wouldn't it have to be installed and running to have gone "active" ??
-W
This looks interesting:
https://www.hybrid-analysis.com/sam...1a9d9e9bdf36f2bd06c909cbf83?environmentId=100

It drops a file named adprtext.exe
It autostarts it via "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "API-GSVC"; Value: "%APPDATA%\Microsoft\Cmdisvc6\adprtext.exe"

It looks like it must be executed at least once for infection.
 
Then who does know something about the clone popup that started this whole thing and sent me to the bogus site? If I hadn't received that clone popup, I would never have known to go to that site and download the infected file.
What "clone popup"? Maybe I am missing something here. You mean the "AnyDVD informing you about a new version" message box / info bubble?
 
This looks interesting:
https://www.hybrid-analysis.com/sam...1a9d9e9bdf36f2bd06c909cbf83?environmentId=100

It drops a file named adprtext.exe
It autostarts it via "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "API-GSVC"; Value: "%APPDATA%\Microsoft\Cmdisvc6\adprtext.exe"
It looks like it must be executed at least once for infection.

Which is exactly why I **refused** to reboot until I was sure I was clean. I didn't just fall off the turnip truck.
I don't have that reg key, nor do I have it under HKLM either. A file search does not find adprtext.exe nor the Cmdisvc6 folder.
I searched for a bunch of other stuff I researched for Win32/Ursnif and have none of that either.
I suspect the installer may have somehow been terminated before completing because it never tried to install AnyDVD either.
For all we know it was bugged and failed. (or Windows Defender killed it silently)
Now the new question:
Since this was for all purposes an attack on Redfox and its customer base - do you have a means to retaliate and cause them some "pain"?
Once you know the IP that was meant to get the data from the trojan - what can you do to screw with them? <EG>
-W
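For anyone who wants to do the same check W did without hunting through regedit by hand, here is a PowerShell script (added example, not something from the thread or from RedFox) that looks for the two indicators the hybrid-analysis post lists: the Run-key value "API-GSVC" and the dropped file %APPDATA%\Microsoft\Cmdisvc6\adprtext.exe. It also checks HKLM and the WOW6432Node hive and looks for a running adprtext process; those extra places are my assumption, the report only mentions HKCU.

```powershell
# Added example, not from the thread or from RedFox. Checks a machine for the
# persistence indicators the hybrid-analysis report lists for the bad
# installer: a Run-key value named "API-GSVC" and a dropped file
# %APPDATA%\Microsoft\Cmdisvc6\adprtext.exe. The HKLM / WOW6432Node keys are
# an assumption (the report only names HKCU); a dropper run with admin rights
# could land there instead.

$ValueName = 'API-GSVC'
$DropPath  = Join-Path $env:APPDATA 'Microsoft\Cmdisvc6\adprtext.exe'
$RunKeys   = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        # Match either the known value name or any Run entry that points at the dropped file
        $hit = ($p.Name -eq $ValueName) -or
               ($p.Value -is [string] -and $p.Value -match 'adprtext\.exe|Cmdisvc6')
        if ($hit) {
            $findings.Add([pscustomobject]@{ Kind = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value })
        }
    }
}

if (Test-Path -LiteralPath $DropPath) {
    $fi = Get-Item -LiteralPath $DropPath
    $findings.Add([pscustomobject]@{ Kind = 'File'; Where = $DropPath; Detail = "$($fi.Length) bytes, written $($fi.LastWriteTime)" })
}

# A running copy would mean the dropper did get past the "executed at least once" step
Get-Process -Name 'adprtext' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Kind = 'Process'; Where = "PID $($_.Id)"; Detail = $_.Path })
}

if ($findings.Count -eq 0) {
    'No adprtext.exe / API-GSVC indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell so the HKLM keys are readable. An empty result only says these particular indicators are absent; if the downloaded file was executed, a full scan with current definitions is still the right follow-up.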
 
Then who does know something about the clone popup that started this whole thing and sent me to the bogus site? If I hadn't received that clone popup, I would never have known to go to that site and download the infected file.

I don't think you're grasping this.... The popups are triggered manually by RedFox to inform you of a new version available. You got the CORRECT pop-up as usual.
Problem is when you clicked the popup to go to the (same as ever) RedFox download page - the poisoned DNS lookup servers out there redirected you to the bad site.
Alas, I'm afraid I have more required reading assignments for you! <EG>
https://en.wikipedia.org/wiki/DNS_spoofing

-W
 
Then who does know something about the clone popup that started this whole thing and sent me to the bogus site? If I hadn't received that clone popup, I would never have known to go to that site and download the infected file.
Just uncheck the 'automatically check for new versions' from the default settings and you won't be lured out of your safe space again.
 
Wrong, that setting had nothing to do with the fake version that was floating around. All that setting does is check the CORRECT RedFox server if there's an update. The problem began when you CLICKED on it and your BROWSER/system redirected to a malicious server for the actual download when you clicked download on the RedFox server. Due to how DNS records work (for any site for that matter), it is difficult but not impossible to hijack a DNS record and have it redirect to a malicious one.

Which is what happened here.

Sent from my Nexus 7 using Tapatalk
 