MoveMediaPlayer_07103010.exe and IFinst27.exe

[MrNoatak]

Good Day,

This is a question that is strictly forum-specific about whether two detected programs on my laptop are false positives or not. I have not a single computer symptom that needs fixed. Of course it could be a John Wayne moment- things are TOO quiet out there with my perfectly operating laptop.

I am inquiring about two files that I believe yield false positives with the most updated version of free Malwarebytes: MoveMediaPlayer_07103010.exe (Backdoor.Bot) and IFinst27.exe (Trojan.Downloader). Neither is a startup process on my machine and I myself have never opened these files, but they would have been used by a previous owner in 2008. This is a laptop with XP home SP2 that I inherited from a relative one year ago after he graduated from college. The computer has had a Comodo firewall for years, and I myself always run Windows Firewall too. I have used the short Malwarebytes scans many times on this laptop and never found anything other than some very mild adware in one instance (adware.myweb). A few days ago I ran the long Malwarebytes scan for the first time and found the two files that I named above. I checked the creation dates of this 'malware' before quarantining (not deleted yet!) and they have been on the computer since early-middle 2008 and were installed by the previous owner. I guess I think if a backdoor bot was on this machine for more than two years, there would be numerous symptoms by now, rather than none. In the year I have used this laptop, not a single problem, no redirects, no popups, no freezes ever or bluescreens. I mean perfectly clean, maybe even stellar behavior. I also check Hijackthis now and then, and no important or unexpected changes over that time.

From the old install log, I determine that the MoveMediaPlayer_07103010.exe was installed directly from the vendor's site in early 2008. I also note from internet searches that this older version of MoveMediaPlayer seems to ALWAYS be detected as a backdoor bot by Malwarebytes. Yet at virustotal.com, only 9 of 43 virus scanning programs detect it as malicious. In all but one instance of many I researched online, ComboFix also ignored it. On the day of installation in 2008, a lot of qss files were included in the new Move Media folder- it all looks like a legit and intended download based upon the remaining files in the folder that contained MoveMediaPlayer_07103010.exe, meaning to say the quarantined file was not just a 'floater'.

As for IFinst27.exe, it was a 'floater' in the Windows folder with a cute icon. But threatexpert.com found only 1 instance in 95 submitted cases where this file was a threat. It (InstallFactory V2.70?) is supposedly needed to add/remove some program in Windows. Some say it is an installer for certain games. At the time it was installed I find files involving Macromedia Flash Player and widgetbox.com/widgetserver.com and a DNS Caching Resolver Service from Microsoft.

Attached are four logs: HJTbeforeMWBfix (HijackThis log before running Malwarebytes); MBAMlog (the long scan that found and quarantined the two files in question); ComboFix (run after the MBAM long scan); HJTafterMWBfix (HijackThis log AFTER running Malwarebytes/quarantining and ComboFix). I also have the installation log for MoveMediaPlayer if it is needed later. Note that the only change between the pre- and post- HijackThis logs was the removal by either MBAM or ComboFix of a single entry: O8 - Extra context menu item: &Search - ?p=ZKxdm011YYUS. Also note that the Firefox plug-in (npmnqmp07076007.dll) for MoveMediaPlayer was not removed by either ComboFix or Malwarebytes. Also I ran Kaspersky today for all of the relevant parts of C-drive and got nothing.

What do you think? Are MoveMediaPlayer_07103010.exe and IFinst27.exe really malware? If so, why did they not attack this laptop over the past two years?

Thanks for any expert advice you can offer.

HJTbeforeMWBfix.txt

Combofix_scan.txt

MBAMlog.txt

HJTafterMWBfix.txt

[nosirrah]

Zip and attach both files and we can actually answer the question.

[MrNoatak]

Zip and attach both files and we can actually answer the question.

Good Day,

They are in the quarantine folder. I would rather wait until my current job assignment (requires this computer) is done before reinstalling them onto the laptop, just in case. Unless there is a way to extract them without a complete restoration into my system?. If not, it will be two weeks before I can risk restoring the files.

One more thing, since Malwarebytes already shows these two files as malicious- what additional tests can you run to see if they are false postives?

Thanks,

Mr Noatak

[nosirrah]

Unless I have the files I cant tell you anything or test anything, its as simple as that.

[MrNoatak]

Unless I have the files I cant tell you anything or test anything, its as simple as that.

I will try to get them to you in a couple of weeks. Will this thread be closed before then?

[nosirrah]

There is no reason to close it.