sopcast fp rogue installer?

[Kambz]

I just opened the folder where my sopcast was at. And maleware said it was a rogue.installer?

[TeMerc]

Welcome to the forums.

Thst system is badly infected. The system needs cleaning before we do anything else

Please follow these basic steps first before posting any logs.

Our program, Malwarebytes' Anti-Malware can detect and remove most Malware with no further actions required for free.

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to the following:
  
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
    

  [*]Then click Finish.

  [*]If an update is found, it will download and install the latest version.

  [*]Once the program has loaded, select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.

We hope our application has helped you eradicate this malicious Malware.

If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection.

Update your current Anti-Virus to the latest definitions and then perform a Full scan of your system.

If you don't currently have Anti-Virus please download and install Avira AntiVir Personal

Then update to the latest definitions and perform a Full scan of your system.

If you're still experiencing issues after running the above procedures then please follow the instructions below.

• Scan and Log Procedures
• Please download this program Trend Micro HijackThis to your desktop.
  
• Double-click on it to run and install it.
  
• Then launch the program and click on Do a system scan and save a logfile. This log file will open in Notepad.
  
• Please start a Newtopic here and post the most recent Malwarebytes' Anti-Malware log file and HijackThis log file using Copy/Paste.
  
• The Malwarebytes' Anti-Malware log file is located in the Logs tab of the program.
  

Someone will analyze the logs and give you further instructions.

Prompt responses to instructions and performing the required fixes as soon as possible is always best.

During this scan and cleanup process you should not install any other software unless requested to do so.

Logs to reply with: MBAM and HijackThis

NOTE: If Malwarebytes won't run or HijackThis won't run please still create a new post in the Malware Removal - HijackThis Logs forum and explain what happens.

NOTE: Please DO NOT post back to your post within the first 48 hours. Replying to your own posts changes the post count and will often cause helpers to think that you're already being helped and thus they won't open and look at your post. If no one has replied within 48 hours then please go ahead and either reply to your post or send a private message to a Moderator and let them know that you're still needing assistance.

As soon as someone is available they will assist you.

[Kambz]

oh those are cleaned already. I was just showing u the rogue.file there.

[Kambz]

Yeah those are my Quaratine items from some time ago.

[TeMerc]

That being said then, we need a developers log, which will give us a coded reference to the signatures used to create the detection. Open Malwarebytes and update(this is crucial), then close Malwarebytes.

Click Start>>select Run>>>type mbam.exe /developer

Please note there is a space between 'mbam.exe' & '/developer'

This will open MBAM, first select the 'quick scan' option then click scan. Once completed, send us that log

This will give us the detailed code of each file, from which we can make adjustments to our detection strings. Without it, we cannot make those adjustments.

[Kambz]

Malwarebytes' Anti-Malware 1.39

Database version: 2510

Windows 5.1.2600 Service Pack 2

7/27/2009 12:01:09 AM

mbam-log-2009-07-27 (00-01-04).txt

Scan type: Quick Scan

Objects scanned: 95917

Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. [4054423730921826181924666919142026216714241771221468232217146726242523246766661

8712494]

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. [4054423730922120677125686918146822692214191920171424676719142625711919681967246

9682394]

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. [4054423730921826181924666919142026216714241771221468232217146726242523246766661

8712494]

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. [4054423730922120677125686918146822692214191920171424676719142625711919681967246

9682394]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

hmmmm seems this poped up.

[Kambz]

Oh I just updated and I have the pro version of maleware too btw.

[TeMerc]

What makes you think those are part of that program? Google tells me otherwise.

[Kambz]

Those are not. I am sorry I quaratine sopcast already. Now am wondering if those are FP ?

[TeMerc]

Those are not. I am sorry I quaratine sopcast already. Now am wondering if those are FP ?

Restore sopcast and get dev log.

The ones above appear to be bad and should be quarantined.

[Kambz]

Malwarebytes' Anti-Malware 1.39

Database version: 2510

Windows 5.1.2600 Service Pack 2

7/27/2009 12:44:19 AM

mbam-log-2009-07-27 (00-44-04).txt

Scan type: Quick Scan

Objects scanned: 96002

Time elapsed: 14 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> No action taken.

[TeMerc]

Sorry, I should have been more clear, we need you to run the dev log for that.

[Kambz]

Malwarebytes' Anti-Malware 1.39

Database version: 2510

Windows 5.1.2600 Service Pack 2

7/27/2009 1:07:45 AM

mbam-log-2009-07-27 (01-07-38).txt

Scan type: Quick Scan

Objects scanned: 95938

Time elapsed: 16 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> No action taken. [41345241306666186619262071242023262117697126266718181970231968262321242667]

[TeMerc]

There ya go, onw the research team has something to go on. Thanks.

[Kambz]

any updates on that sopcast being a rogue installer?

[nosirrah]

I am sorry , I did lose track of this one .

This is a heuristic hit created when an executable was discovered in an off limits location . While we wont hit everything in the root of program files this is a common location to launch malware from so heuristics are more aggressive there .

If you move this file to a more correct storage folder I believe you will find that it is no longer detected . If the detection persists it is a real FP and I need to know about this .