sopcast fp rogue installer?


Kambz

  • Staff

Welcome to the forums.

That system is badly infected. The system needs cleaning before we do anything else.

Please follow these basic steps first before posting any logs.

Our program, Malwarebytes' Anti-Malware can detect and remove most Malware with no further actions required for free.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.

We hope our application has helped you eradicate this malicious Malware.

If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection.

Update your current Anti-Virus to the latest definitions and then perform a Full scan of your system.

If you don't currently have Anti-Virus please download and install Avira AntiVir Personal

Then update to the latest definitions and perform a Full scan of your system.

If you're still experiencing issues after running the above procedures then please follow the instructions below.

  • Scan and Log Procedures
  • Please download this program Trend Micro HijackThis to your desktop.
  • Double-click on it to run and install it.
  • Then launch the program and click on Do a system scan and save a logfile. This log file will open in Notepad.
  • Please start a New Topic here and post the most recent Malwarebytes' Anti-Malware log file and HijackThis log file using Copy/Paste.
  • The Malwarebytes' Anti-Malware log file is located in the Logs tab of the program.

Someone will analyze the logs and give you further instructions.

Prompt responses to instructions and performing the required fixes as soon as possible is always best.

During this scan and cleanup process you should not install any other software unless requested to do so.

Logs to reply with: MBAM and HijackThis

NOTE: If Malwarebytes won't run or HijackThis won't run please still create a new post in the Malware Removal - HijackThis Logs forum and explain what happens.

NOTE: Please DO NOT post back to your post within the first 48 hours. Replying to your own posts changes the post count and will often cause helpers to think that you're already being helped and thus they won't open and look at your post. If no one has replied within 48 hours then please go ahead and either reply to your post or send a private message to a Moderator and let them know that you're still needing assistance.

As soon as someone is available they will assist you.


  • Staff

That being said then, we need a developers log, which will give us a coded reference to the signatures used to create the detection. Open Malwarebytes and update (this is crucial), then close Malwarebytes.

Click Start>>select Run>>>type mbam.exe /developer

Please note there is a space between 'mbam.exe' & '/developer'

This will open MBAM; first select the 'quick scan' option, then click scan. Once completed, send us that log.

This will give us the detailed code of each file, from which we can make adjustments to our detection strings. Without it, we cannot make those adjustments.


Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 2

7/27/2009 12:01:09 AM
mbam-log-2009-07-27 (00-01-04).txt

Scan type: Quick Scan
Objects scanned: 95917
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. [40544237309218261819246669191420262167142417712214682322171467262425232467666618712494]
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. [405442373092212067712568691814682269221419192017142467671914262571191968196724696682394]
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. [40544237309218261819246669191420262167142417712214682322171467262425232467666618712494]
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. [405442373092212067712568691814682269221419192017142467671914262571191968196724696682394]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

hmmmm seems this popped up.


  • Staff
Those are not. I am sorry I quarantined sopcast already. Now I am wondering if those are FP?
Restore sopcast and get dev log.

The ones above appear to be bad and should be quarantined.


Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 2

7/27/2009 12:44:19 AM
mbam-log-2009-07-27 (00-44-04).txt

Scan type: Quick Scan
Objects scanned: 96002
Time elapsed: 14 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> No action taken.


Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 2

7/27/2009 1:07:45 AM
mbam-log-2009-07-27 (01-07-38).txt

Scan type: Quick Scan
Objects scanned: 95938
Time elapsed: 16 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> No action taken. [41345241306666186619262071242023262117697126266718181970231968262321242667]


  • 2 weeks later...
  • Staff

I am sorry, I did lose track of this one.

This is a heuristic hit created when an executable was discovered in an off-limits location. While we won't hit everything in the root of Program Files, this is a common location to launch malware from, so heuristics are more aggressive there.

If you move this file to a more correct storage folder I believe you will find that it is no longer detected. If the detection persists it is a real FP and I need to know about this.
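The staff reply above explains the hit as a location heuristic rather than a signature match. As an added example (not Malwarebytes' own code), here is a small Python parser for the MBAM 1.39 log lines posted in this thread: it pulls out each detection with its developer code and flags file hits that sit directly in the root of Program Files, so a reader can separate likely location heuristics from the registry hits the staff said were real. The regex and the two Program Files roots are my assumptions about the format.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: detection lines copied from the thread's logs, in MBAM 1.39 layout.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. [40544237309218261819246669191420262167142417712214682322171467262425232467666618712494]

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> No action taken. [41345241306666186619262071242023262117697126266718181970231968262321242667]
"""

# Assumed line shape: item (detection name) -> action. [optional developer code]
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.\[]+)\.(?: \[(?P<code>\d+)\])?$"
)

# Assumed: the reply only names "the root of program files"; both 32/64-bit roots are checked.
PROGRAM_FILES_ROOTS = ("c:\\program files", "c:\\program files (x86)")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section heading it sits under."""
    section, results = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):  # section heading, not the "...Infected: N" summary
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            results.append({"section": section, **m.groupdict()})
    return results


def in_program_files_root(path):
    """True when an .exe sits directly in the root of Program Files, the location the
    staff reply says makes the heuristic more aggressive."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".exe" and str(p.parent).lower() in PROGRAM_FILES_ROOTS


def triage(text):
    """(detection name, item, likely location heuristic) for each detection in the log."""
    return [(d["name"], d["item"],
             d["section"] == "Files Infected" and in_program_files_root(d["item"]))
            for d in parse_mbam_log(text)]
```

Moving the installer into a subfolder, as the reply suggests, makes `in_program_files_root` return False, which mirrors the test the staff member proposes before calling it a real FP.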
