whatmeworry?

udRemove.exe


Yesterday, an MBAM alert suddenly popped up informing me of malware at C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files\udRemove.exe. It identified it as Trojan.Agent and told me to Quarantine it. I did so. My question is, how do I determine whether this is really malware or a false positive? All kinds of false positives are being reported on this forum yesterday and today, and when I hunted about on the Internet to try to find out about udRemove.exe, I came across at least one other person who was told yesterday by MBAM that he had this same problem. I don't want to delete the file if it's not malware, but I don't want to restore it if it is. How do I determine this?

I'm sorry to seem so clueless, but I just about NEVER have real malware, so I don't really know what to do. I'm also a little gun shy, since I recently had to reinstall my operating system as the result of believing what turned out to be an MBAM false positive. I want to be sure this time. :)

I should add that I am using WinXP Pro. Yesterday, when the warning occurred, I still had MBAM 1.41. Today I upgraded to 1.42 and a quick scan revealed no problems, but of course the possible problem was by then in quarantine.

Thanks in advance for your help.

There should never be files in that folder; it is a folder where the content.ie5 system folder goes. Typically only malware will stick files there, as Explorer will not allow normal browsing to it.

I will look into this to see if some software vendor is breaking this rule and causing a heuristic hit.

Combofix and Prevx are both detecting this as well.

Thanks very much for your response. Am I right in thinking that I should go into MBAM's Quarantine and delete the file?

FWIW, I'm pretty sure that it came when I downloaded a copy of the video player KMPlayer. The time stamp matches, and the .exe file for KMPlayer is apparently ud_The_KMPlayer_1435.exe. The "ud" plus the time stamp makes me think it's highly likely that the file came during the installation of KMPlayer. I've been very happy with KMPlayer, a highly recommended free video player. I doubt that the malware file is needed for KMPlayer to work.


Do you have a place I can download that file? I would love to install this and see what is going on, because there is no reason for them to be sticking files there.

I just installed KMPlayer maybe 30 minutes ago and I don't have that file on my system.

This is becoming stranger and stranger. After reading Bruce's request for a copy of the file and then your message about having installed KMPlayer without that file appearing, I went to look for the installation file. To my astonishment, it was 279 KB! That's absurd, since the previous version was 11.9 MB. So I went to CNET's download site and downloaded a copy of the present version, which is 14.2 MB. I hadn't downloaded the copy yesterday from CNET but rather from kmplayer.en.softonic.com. I went back there now and tried to download a copy and was told to please wait for a download link from an external server. I think that's also what happened yesterday. In retrospect, I realize I've got no idea where the file actually came from.

So what I think I'm going to do is 1) uninstall KMPlayer, 2) install the copy I've just downloaded from CNET, 3) delete the udRemove.exe file from the MBAM Quarantine.

Bruce, if you want a copy of the 279KB file ud_The_KMPlayer_1435.exe, I suppose I could send it via a PM. Or, if you don't want it, I'll just delete it from my computer.

Ron, was the file you installed called kmp.exe? That's the file I just downloaded from CNET. The version I installed a while ago was called The_KMPlayer_1434.exe. I no longer have any idea which files are legit. I should add that I scanned the ud_The_KMPlayer_1435.exe file that I downloaded yesterday with McAfee, MBAM, and Spybot before installing it, and none of the scans set off any alarms.

If I didn't like KMPlayer better than any other free video player I've used, I'd just remove it and forget about it, but I really like it a lot.


Yes I was skeptical about The KMPlayer as well, but it turns out to be a pretty darn good media player. I've always liked the VLC Player but recently it's been having issues playing some media files so I went ahead and tried The KMPlayer and was pleasantly surprised. Jitter or poor video decoding issues that VLC was having no longer happen. Here is where I got my version.

This should be KMP.EXE only renamed to show/include the version.

The KMPlayer 2.9.4.1435 Release, Posted 09-15-2009

The KMPlayer - News & Announcements forum

kmp.exe (14,914,820 Bytes)

MD4: 881CA86BFB0ADF723A407B7D0034621E

MD5: FC623D27A3A3DEB6820A444BE5A4E806

SHA-1: 7638A7C6E216BF83C82C2FC0922218996D4F7D0C
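The two checks this thread turns on, Bruce's point that nothing should sit directly in Temporary Internet Files (only the Content.IE5 cache subfolder belongs there) and comparing a downloaded kmp.exe against the size and MD5/SHA-1 digests Ron posted, as an added Python example that is not from the thread, Malwarebytes or KMPlayer. The file contents and folder layout it builds are constructed samples, so the digests of the 3-byte stand-in will not match the published ones; the MD4 digest is left out because hashlib does not always provide it.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Digests and size published for kmp.exe in the post above (MD4 left out).
PUBLISHED_KMP = {"md5": "FC623D27A3A3DEB6820A444BE5A4E806",
                 "sha1": "7638A7C6E216BF83C82C2FC0922218996D4F7D0C"}
PUBLISHED_KMP_SIZE = 14_914_820

def file_hashes(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash a file chunk by chunk (installers run to tens of MB); return {alg: hexdigest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def verify_download(path, published, expected_size):
    """Compare size and every published digest; an empty list means the file checks out."""
    findings = []
    size = os.path.getsize(path)
    if size != expected_size:
        findings.append(f"size {size} bytes, published size {expected_size}")
    actual = file_hashes(path, tuple(published))
    for alg, digest in published.items():
        if actual[alg] != digest.lower():   # forums post upper-case hex; compare case-insensitively
            findings.append(f"{alg} {actual[alg]} != published {digest.lower()}")
    return findings

def loose_files(tif_root):
    """Files sitting directly in Temporary Internet Files; the IE cache itself lives under Content.IE5."""
    return sorted(p.name for p in Path(tif_root).iterdir() if p.is_file())

def demo():
    """Constructed sample: a 3-byte 'installer' and a TIF folder with one loose file."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "kmp.exe"
        installer.write_bytes(b"abc")                # constructed content, not the real installer
        tif = Path(tmp) / "Temporary Internet Files"
        (tif / "Content.IE5").mkdir(parents=True)
        (tif / "Content.IE5" / "index.dat").write_bytes(b"")   # cache file where it belongs
        (tif / "udRemove.exe").write_bytes(b"MZ")    # constructed stand-in for the flagged file
        return {
            "hashes": file_hashes(installer),
            "against_published": verify_download(installer, PUBLISHED_KMP, PUBLISHED_KMP_SIZE),
            "self_check": verify_download(installer, {"md5": "900150983CD24FB0D6963F7D28E17F72"}, 3),
            "loose": loose_files(tif),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints the stand-in's digests, the three mismatches against the published kmp.exe values, an empty finding list for the matching self-check, and udRemove.exe as the only loose file.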

Yes I was skeptical about The KMPlayer as well, but it turns out to be a pretty darn good media player. I've always liked the VLC Player but recently it's been having issues playing some media files so I went ahead and tried The KMPlayer and was pleasantly surprised. Jitter or poor video decoding issues that VLC was having no longer happen.

Hi, Ron. Thanks very much for your helpful response. My experience with KMPlayer is very similar to yours. I had been using VLC Player but I ran into problems playing some video files, and I saw KMPlayer highly recommended by sources I trust (though I can't recall now which--it was a while ago). I tried it and haven't looked back since. At least until now :). But I'm hoping that the current problem had more to do with a rogue site from which I may have gotten the most recent version. The version I downloaded yesterday from CNET seems to match yours in name and size--I haven't opened it yet or checked its hash.

Now that I've heard from you, I think I'll proceed with getting rid of the copy I currently have installed and replacing it with the one from CNET. And I'll get rid of the trojan file I currently have in Quarantine. But all that will have to wait until later today. Gotta run right now.

Again, many thanks!

Evenin' folks,

I've had the same problem, downloaded KMPlayer from en.softonic.com, and have that "udRemove.exe" crap in my Temporary Internet Files folder as well, though this is Windows 7 I'm sailing on. Used AdvancedSetup's link to get a new executable. Thanks.


Hi ... I've just done a scan with Malwarebytes and I have that same trojan, but I don't have KMPlayer installed, not that I think I do. Could this player be installed without my knowledge? I mean, I'm the only one using my computer. Could it have gotten installed by visiting a website? Also I notice I am not able to open my Temporary Internet Files folder if I try doing it manually; I get this window saying "My current security setting do not allow this action".


I just got this as well. Not sure how I got it. MBAM scanned last night, no problems, I scanned about 3 hours before auto scan, and clean, but once it did the auto scan, this came up. I have not installed anything new, nor does it show anything installed without my knowledge.

I have Windows 7 Ultimate 32 bit.


I've already deleted the file.

But I do have the log.

Malwarebytes' Anti-Malware 1.44

Database version: 3639

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

1/26/2010 12:52:00 AM

mbam-log-2010-01-26 (00-52-00).txt

Scan type: Quick Scan

Objects scanned: 96511

Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Darkmage\Local Settings\Temporary Internet Files\udRemove.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Not sure if that's gonna help. How would I be able to get it back? Is that even possible?
