Beware: Unlocker 1.8.7 bundled with adware/spyware/junkware

I have the Unlocker 1.8.7 at home and used it and never had any issues with it. However, at the winery, I had it on one of the computers, and yesterday it said it was a Wine32/Agen.QBA trojan If I go to www.download.com and try to download it, our Nod 32 freezes the website and disconnects so that it cannot be downloaded. This is an odd thing. Why would this work and all of a sudden it now finds it as a trojan?
Nod32 4.0.437.0 version. latest updates.

 

Maybe because NOD32 is signature-based and these are updated regularly. One day a file is OK, the day after it is blacklisted. It just happens. Try to upload the file to VirusTotal and check the result. If you decide this software is harmless, you can probably exclude him (potentially dangerous), or just try another one like LockHunter.

 

I have just downloaded 1.8.7 from the official site and it appears the developer has cleaned it up. Nod32 was reporting a virus but the newly downloaded application is reporting as clean.

 

I've used Unlocker for a very long time without issue, however i decided to download it again and pull it to pieces.

First Norton says fine:



I unpacked the installer with Universal Extractor, and this is a tree view of all files/folders packaged in the installer and the installer itself:



The .sys driver contains references to functions such as ExFreePool, MmMapLockedPagesSpecifyCache, IoDeleteSymbolicLink, IoFileObjectType and various others that you would expect with a file unlocker.

If the Ebay Shortcuts is unticked during install, the Unlocker code does exactly what it says on the tin and no more.

Now, i also decompiled EbayShortcuts and went through all the ASM, now i'm no expert in malware binary analysis but i know enough to get by. You can see one of the strings the Ebay Shortcuts code references here:



I don't really like this part, this installer is from adon-media.de GmbH a German site who state they are an online advertising site. The Ebay Shortcuts exe tries to connect with this URL using a "Get" query:

_http://www.adon-media.de/red/2302/?s=Austria&c=1

Which at the moment is showing a broken MySql query, the exe also drops cookies in locations such as this:

It also fetches a page from Ebay using an "affiliate" query string in the URL. Here is the Anubis report of the Ebay exe file. I'd have to install Wireshark and test it a bit more, but if the cookie is indeed "forced" on the machine without the user choosing to visit Ebay of their own accord it's a breach of the Ebay affiliate agreement.

As for what it's it's supposed to be pulling from that currently broken script above i can't tell it could of been anything. It could be a malware payload, it could be a cookie stuffing scheme where they force cookie on your machine to earn revenue, it could be a simple counter to gauge the number of installs.. Who knows.

So, Unlocker itself is a good program and there's nothing untoward i can see if you install it and opt out of the Ebay options during install. However the author is using a really lousy affiliate company for revenue, and i don't particularly like what the Ebay Shortcuts does.

 

I'd suggest trying EjectUSB, I am using it for some time now and am very happy with it..
http://www.pocketappreview.com/main/item/17

As for unlocker, it helped me many times and am sorry to hear all this, but you can always install an older version if you don't trust the new one..

 

good thread!!

good 2 know ulocker 1.8.X contain some sort of hidden stuff installing....
a big ~offensive phrase removed~ from unlocker development team


cheers

 

I have used it for years with satisfaction. Evidently the latest version, 1.8.7 has some adware.
What is that adware, and how is it harmful?

Where can I find an older version that does not have the adware?

Regards,
Jerry

 

Careful what you read - https://www.wilderssecurity.com/showpost.php?p=1563957&postcount=1

 

GF -- thank you for posting about the update!

 

NOD32 is reporting an unwanted application in that download (v1.8.8 ), but when installed and ebay shortcuts unticked seems clean.

 

http://www.filehippo.com/download_unlocker/3861/

also there is 1.8.5

 

Thank you.
Regards,
Jerry

 

How about using the portable version of Unlocker.

Unlocker 1.8.8 Portable - From this website

MD5: 1dde1b34286c82a8f32fa22c5677c38c / SHA1: c0811fdc3bb10f3b48f821c2e4905a0638aef78e

http://ccollomb.free.fr/unlocker/#download

 

i absolutely agree with it too, after installing unlocker 1.8.8 my PC has started freezing, even after countless Restoring of my Backup,,,,somewhere this trojan seems to hide somewhere, dont download/install this stuff. It really is a junk n a tremendous wates of time, however i think this is an excellent program for removing TEMP files from the PC, which seems to stubbornly stick even after pressing the DELETE key, Unlocker does the job of unlocking and Deleting this files nicely.
However Unlocker 1.8.5 is absolutely clean and i dont think any changes is their in this program.
Download UNLOCKER 1.8.5:http://www.filehippo.com/download_unlocker/download/e2b3c414199c3ed0104f9be85802df77/

 

Has anyone found since upgrading to Win7 unlocker is useless and unlocks nothing?

 

It's not intended for seven nor sixty-four compatible. LockHunter looks to be the new kid on the block. <== Then, you knew this.

 

The Unlocker site is dead. Anyone know the new site or is the product discontinued? Thanks.

hxxp://ccollomb.free.fr/unlocker/ - dead

 

His malware is probably detected by all known anti-virus tools, so there's no more reason to share it.

 

Yes, you are right.

I unticked the check box for 'ebay shortcuts', but it seems Unlocker installed something related to eBay that sends hidden packets which somehow bypasses most software firewall.


Removed it immediately.. I don't like software that do something fishy on my system

 

Proof? or general comment (nomarjr3 only please)?

"It seems Unlocker installed something related to eBay that sends hidden packets which somehow bypasses most software firewall."

 

Try LockHunter instead ?

 

LockHunter has been at beta 3 since Apr 2009. It is already 2010! Still at beta 3? Maybe LockHunter is dead already.

 

Maybe so, but it has been working flawlessly on all my systems. Since it is a free tool, I can understand the developer doesn't make it a priority.

 

Unlocker Portable 1.8.8 is still here:

http://www.softpedia.com/progDownload/Unlocker-Portable-Download-142667.html

 

thanks for the link the 1 from file hippo gets flagged by mse