Installer intercepted with fraps?


Post by chrisbitz » Mon Oct 07, 2013 12:25 pm

Hi,

Today I had an unusual problem: the customer wants to install an Epson scanner driver, and it downloads as a WinZip self-extractor.

It downloads correctly, unzips automatically, but then launches a Fraps installation program!

I sent myself the downloaded file, and it is definitely an Epson scanner driver.

How could this happen?

Malwarebytes and MB Anti-Rootkit were both run, and found nothing.

(One thing I just thought of, but can't test just now: maybe there's a setup.com file in the extractor folder, and it has a higher running priority than setup.exe?)

Alternatively, where does WinZip extract its files to? There always seems to be a variety of tmp folders! :-)
chrisbitz
 
Posts: 4
Joined: Thu Apr 18, 2013 6:04 am
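The setup.com idea above is testable without the customer's machine. Below is an added example (not code from the thread or from any of the tools mentioned) that checks an extracted folder for a program that would shadow the expected setup.exe, and hashes every executable so the extraction on the customer's PC can be compared with the known-good one the poster produced on his own computer. It assumes the launcher names the program without an extension, so Windows resolves it through PATHEXT, whose default order begins `.COM;.EXE;.BAT;.CMD`; the sample folders are constructed inside the script.

```python
"""Added example: detect an executable that shadows the expected setup.exe
in an extracted installer folder, and hash executables for comparison with
a clean extraction.  Assumption: the launcher runs a bare name ("setup"),
so the first matching PATHEXT extension wins.  Sample data is constructed."""
import hashlib
import tempfile
from pathlib import Path

# Leading part of the default Windows PATHEXT; earlier entries are tried first
# when a program is launched by bare name.
PATHEXT_ORDER = [".com", ".exe", ".bat", ".cmd"]


def find_shadowed(folder, expected="setup"):
    """Return files sharing the expected base name that would be resolved
    before its .exe (e.g. setup.com sitting beside setup.exe)."""
    present = {}
    for p in Path(folder).iterdir():
        if p.is_file() and p.stem.lower() == expected.lower():
            present[p.suffix.lower()] = p.name
    if ".exe" not in present:
        return []
    ahead_of_exe = PATHEXT_ORDER[:PATHEXT_ORDER.index(".exe")]
    return [present[ext] for ext in ahead_of_exe if ext in present]


def hash_executables(folder):
    """SHA-256 of every PATHEXT-type file in the folder, keyed by name."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(folder).iterdir())
            if p.is_file() and p.suffix.lower() in PATHEXT_ORDER}


def compare_with_reference(reference, actual):
    """Names of executables that are new or changed relative to a known-good
    extraction (the copy produced on a machine you trust)."""
    return sorted(name for name, digest in actual.items()
                  if reference.get(name) != digest)


def make_sample_folders():
    """Constructed sample: a clean extraction and one with a planted setup.com.
    The file contents are placeholders, not real installers."""
    clean = Path(tempfile.mkdtemp(prefix="clean_"))
    suspect = Path(tempfile.mkdtemp(prefix="suspect_"))
    for d in (clean, suspect):
        (d / "setup.exe").write_bytes(b"MZ placeholder vendor installer (constructed)")
        (d / "README.txt").write_text("constructed sample")
    (suspect / "setup.com").write_bytes(b"MZ placeholder unexpected program (constructed)")
    return clean, suspect


if __name__ == "__main__":
    clean, suspect = make_sample_folders()
    print("shadowing files:", find_shadowed(suspect))
    print("changed vs. reference:",
          compare_with_reference(hash_executables(clean), hash_executables(suspect)))
```

Point it at the real temp folder WinZip extracted into and at the folder produced from the same archive on a clean machine; anything `compare_with_reference` lists was not in the vendor package.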

Re: Installer intercepted with fraps?

Post by und3rtak3r » Tue Oct 08, 2013 1:13 am

Did the installer come from Epson? If not, bin it.
Also, IS WinZip installed on the PC? If not, certainly bin the download.

If the driver is for an end-of-life product I can appreciate downloading from a third party. Most of the Epson drivers I have downloaded are NOT ZIP or RAR; most are exe. Actually, looking at my archive, ALL are exe, so it should not have opened with WinZip (BTW: advise your client to use something other than that adware whore). So I would suspect that what is in the package is something other than an Epson driver; even the Fraps installer may not be legit.

As a matter of caution, have a closer look at the machine. Throw a tool like d7 at it, especially the Malwarescan. Look for startups executing from a Temp folder or a /user/roaming folder. Throw AdwCleaner at it, THEN give Malwarebytes a lick of the body...
WinZip typically creates a temp folder in the folder where the Zip file was opened, UNLESS the config has been changed or otherwise indicated. If WinZip opened directly to the self-extractor, it normally has the destination path in the window.

2 policies:
1: Download ONLY from trusted sources.
2: Clean the user PC before doing any work (all my clients are aware of this before I accept their machines).
The TechGuru4U
You may call me Glenn
und3rtak3r
 
Posts: 306
Joined: Mon Mar 18, 2013 8:05 pm
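The advice above to look for startups executing from a Temp or roaming profile folder is a simple rule that can be applied to autostart entries once they have been dumped (for example the values under a Run key). The following is an added example, not code from the thread or from d7, AdwCleaner or Malwarebytes; it takes command lines as they appear in Run values, extracts the program path, expands `%VAR%` references against a constructed environment (the real check would use the machine's own variables), and flags anything living under `%TEMP%` or `%APPDATA%` (the Roaming folder). The entries and paths are constructed sample data.

```python
"""Added example: flag autostart command lines whose program lives under a
Temp or Roaming folder.  The environment and the Run entries are constructed
here so the check runs identically on any platform."""
import ntpath
import re

# Constructed environment standing in for the customer's machine.
SAMPLE_ENV = {
    "WINDIR": r"C:\Windows",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}

# Locations the reply says to treat with suspicion, as env-var roots.
SUSPECT_ROOTS = [("temp", "%TEMP%"), ("roaming", "%APPDATA%")]

# Constructed Run-key style entries: value name -> command line.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "EpsonScan": r'"C:\Program Files (x86)\EPSON\Epson Scan\escndv.exe" /silent',
    "Updater": r'"%APPDATA%\Microsoft\Windows\update.exe" -q',
    "svc": r"%TEMP%\svchost.exe",
}


def expand_vars(text, env):
    """Expand %NAME% references from the given dict (case-insensitive name);
    unknown names are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def executable_from_command(cmd):
    """Program path from a Run-style command line: a quoted path, or the
    first whitespace-delimited token when unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_under(path, root):
    """True when path lies inside root (Windows semantics, case-insensitive)."""
    root = ntpath.normcase(root).rstrip("\\") + "\\"
    return ntpath.normcase(path).startswith(root)


def flag_entries(entries, env=SAMPLE_ENV):
    """Return {name: {"path": ..., "location": ...}} for entries whose
    program sits under one of the suspect roots."""
    flagged = {}
    for name, cmd in entries.items():
        exe = expand_vars(executable_from_command(cmd), env)
        for label, root in SUSPECT_ROOTS:
            if is_under(exe, expand_vars(root, env)):
                flagged[name] = {"path": exe, "location": label}
                break
    return flagged


if __name__ == "__main__":
    for name, info in flag_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: {info['path']}  ({info['location']})")
```

A hit only says the program starts from a folder that legitimate software rarely uses; confirm it by hashing the file and comparing it with what the vendor ships before removing anything.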

Re: Installer intercepted with fraps?

Post by chrisbitz » Wed Oct 09, 2013 8:00 am

Thanks for the reply, but I think I've tried all the obvious steps already.

I downloaded it myself from the Epson website, and when it didn't work, I sent the exact same file to my computer and proved that the file was correct and working fine.

I also did a scan with Malwarebytes and Malwarebytes Anti-Rootkit too.

So indisputably, the correct file is being executed, but AFTER automatically unzipping with the WinZip self-extractor, a different file is being run than the expected setup.exe, or whatever that WinZip self-extractor is expecting.

Any ideas?

Many thanks!
chrisbitz
 
Posts: 4
Joined: Thu Apr 18, 2013 6:04 am