Topic: PLEASE HELP - Packed.Win32.MUPX.Gen@129019204 downloading JRE from Oracle.com?

brendamc:
I went to the Oracle.com site this morning and downloaded the JRE 8.65 with no problem, then it said update to the current version 8.66, so I downloaded JavaSetup8u66.exe.jc - when I did this I had a warning from Comodo regarding Packed.Win32.MUPX.Gen@129019204 which it said it quarantined.

What made me really suspicious, is that I was also logged into my bank website, which had logged me out for inactivity, when I went back in to my bank website a different window popped up asking for my username and password, which I entered.  Then the normal bank window continued to the place I normally input my password after inactivity.  When I saw this screen, it made me really suspicious that the previous little popup window was possibly a hack.  I changed the bank password immediately after logging in again, but I need to see if my computer is compromised or if the bank account is compromised.

ANY SUGGESTIONS GREATLY APPRECIATED!

Blessings,
Brenda

EricJH (Global Moderator):
The file was quarantined, so it is not likely you are infected. The detection is for the installer using the UPX packer. That is an open source packer which is sometimes used by malware makers. So it could be a false positive.

What strikes me as odd is that you downloaded an older version from Oracle's pages first. Update 66 was released on November 16, 2015. Can you upload both executables to www.virustotal.com and post the URLs of the reports here? I want to see their sizes and whether they are digitally signed or not. How did you download JavaSetup8u66.exe.jc?

What also strikes me as odd is that JavaSetup8u66.exe.jc has a double extension. Can you confirm that the second extension is .jc and not .js?

As you see, I am in doubt how to understand your situation. In case of doubt, scanning your computer with various scanners is a good way of confirming whether or not you're clean. If you are using CIS, first run the Comodo AV. Then run the following scanners:
TDSS Killer
Hitman Pro
Super Antispyware Free
Malwarebytes Antimalware Free
Norton Power Eraser

Keep us posted.

brendamc:
I went here first:  http://www.oracle.com/technetwork/java/javase/downloads/index.html

I wasn't sure which file to download so I opted for the first one that sounded right:  jre-8u65-windows-i586-iftw.exe

I downloaded it and installed it and it seemed okay, but then Oracle took me to a page where it checks to see which version of Java you have installed on your computer. 

I am in the process of re-creating the sequence, taking screenshots as I go, but I'm going to post this before I continue because I may have to close my browser and I don't want to lose what I've already written here...

This is my history from that morning:  (starting from the bottom)

https://www.oracle.com/partners/en/opn-program/membership-resources/business-center/index.html
http://as00.estara.com/UI/gui.php?donotcache=1452512107018&accountid=200106303085&referrer=http%3A%2F%2Fwww.oracle.com%2Fpartners%2Fen%2Ftalk-to-an-expert%2Findex.html&pagetitle=OPN+%7C+Talk+to+an+Expert+%7C+OPN+Partner+Business+Center+%28PBC%29&template=1059129&urid=379854&calltype=webischatpop&estara_fsguid=A03A2C1A9D0B47DECAEBCB54C2CB5979&optionaldata7=http%3A%2F%2Fwww.oracle.com%2Fpartners%2Fen%2Ftalk-to-an-expert%2Findex.html&optionaldata12=opn%3A%2Fen%2Ftalk-to-an-expert%2F&varsessionkey=c-as01.estara.com%3A200106303085%3A1059129%3A1452512107017%3AA03A2C1A9D0B47DECAEBCB54C2CB5979&guiid=43834a54eac25&timestamp=1452512109&optionaldata8=czozNToiUFJPRCBJbnRlcm5hbCBPUE5IUCBSZWFjdGl2ZSBGbHlvdXQiOw==&di=-2&ai=7791
http://as00.estara.com/UI/UI0001/UI0001.php?donotcache=1452512107018&accountid=200106303085&referrer=http%3A%2F%2Fwww.oracle.com%2Fpartners%2Fen%2Ftalk-to-an-expert%2Findex.html&pagetitle=OPN%20%7C%20Talk%20to%20an%20Expert%20%7C%20OPN%20Partner%20Business%20Center%20(PBC)&template=1059129&urid=379854&calltype=webischatpop&estara_fsguid=A03A2C1A9D0B47DECAEBCB54C2CB5979&optionaldata7=http%3A//www.oracle.com/partners/en/talk-to-an-expert/index.html&optionaldata12=opn%3A/en/talk-to-an-expert/&varsessionkey=c-as01.estara.com:200106303085:1059129:1452512107017:A03A2C1A9D0B47DECAEBCB54C2CB5979
http://www.oracle.com/partners/en/most-popular-resources/partner-business-center-1954023.html
http://download.oracle.com/otn-pub/java/jdk/8u65-b17/jre-8u65-windows-i586-iftw.exe?AuthParam=1452510544_e9665f64339793d371975137f8b165e4
https://edelivery.oracle.com/otn-pub/java/jdk/8u65-b17/jre-8u65-windows-i586-iftw.exe
http://download.oracle.com/otn-pub/java/jdk/8u65-b17/jre-8u65-windows-i586-iftw.exe
http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
http://www.oracle.com/technetwork/java/javase/downloads/index.html

[attachment deleted by admin]

brendamc:
In attempting to recreate the sequence, I found that preparing to download the JRE 8.66 file with FlashGet 3 prompted the malware warning, but when I closed FlashGet and downloaded the file directly with IE, the warning did not reappear.  So, it may have been something to do with FlashGet.

At any rate, I will scan my computer as suggested - the username/password window at the bank website was definitely suspicious....

Thank you!
Brenda

brendamc:
I did scan both of the JRE files that I downloaded from Oracle at VirusTotal.com.  They both came up clean other than the option to change the default browser search.

My computer is running slower than normal and seems like it has something running in the background that is really bogging it down.  I had to take the battery out and unplug the computer to shut it down....  I attached a screenshot where I got a Comodo warning about Packed.Win32.MUPX.Gen@129019204 when I was preparing to download the second JRE file with FlashGet 3.

@EricJH Can you recommend a safe place to run or download the scans you suggested?

TDSS Killer
Hitman Pro
Super Antispyware Free
Malwarebytes Antimalware Free
Norton Power Eraser

Thank you for your help!!!

Blessings,
Brenda

[attachment deleted by admin]

EricJH (Global Moderator):
Quote from: brendamc

I did scan both of the JRE files that I downloaded from Oracle at VirusTotal.com.  They both came up clean other than the option to change the default browser search.

My computer is running slower than normal and seems like it has something running in the background that is really bogging it down.  I had to take the battery out and unplug the computer to shut it down....  I attached a screenshot where I got a Comodo warning about Packed.Win32.MUPX.Gen@129019204 when I was preparing to download the second JRE file with FlashGet 3.

@EricJH Can you recommend a safe place to run or download the scans you suggested?

TDSS Killer: http://www.bleepingcomputer.com/download/tdsskiller/
Super Antispyware Free: http://filehippo.com/download_superantispyware/
Malwarebytes Antimalware Free: http://filehippo.com/download_malwarebytes_anti_malware/
Hitman Pro: http://www.surfright.nl/en/hitmanpro
Norton Power Eraser: https://security.symantec.com/nbrt/npe.aspx

Thank you for your help!!!

Blessings,
Brenda

I am not familiar with FlashGet, but maybe it tries to download from various sources like Download Accelerator Plus used to do. Maybe it got a source that added adware or so.

I added download links in the quoted area for you.

brendamc:
All the scans came back clean, so I'm a happy camper!

Blessings and thanks for the help @EricJH!!!

Brenda

EricJH (Global Moderator):
Glad the scans came up clean. One last request that just popped into my head. Could you also scan with AdwCleaner? It does a good job at finding adware.
