Official BS.Player forums  

#1, 10th December 2008, iceman69: [Fixed]Virus Found in BS v 2.33 ???

Hi all..

I just downloaded the new version of BS Player (2.33 Free edition)
now my AVG comes up with a virus detect..
(don't know if it's of any importance, but I cancelled the Codecs download and deselected everything from the install other than the player itself and shortcut to menu - start)

The file it says looks like a Trojan is installdata358.tmp.exe, which is placed under system32

infected - Win32:Trojan-gen {Other}

C:\Windows\system32\installdata358.tmp.exe
(the file is hidden)

Does anyone know what this file does?
If I check the task manager I can see installdata358.tmp.exe running. If I terminate the process and start it manually I still can't see what it is doing, it just places itself in task manager again..

I have ******* [edited by IcoMan - sorry guys, no free advertising in this forum] Free Home edition installed on my comp, fully updated

Hope someone can help..
Thanks

#2, 10th December 2008, Ico-man (BS.Support)

From where did you download BS.Player? Can you give us the exact URL?

#3, 10th December 2008, iceman69

Sure..

downloaded it from this site

exact URL is
http://www.bsplayer.com/inc/download...yer.php?type=1

downloaded from bsplayer.com
http://www.bsplayer.com/en/bs.player/download/
the Download BS.Player FREE (EU Server)

#4, 10th December 2008, Ico-man (BS.Support)

BS.Player installation (or BS.Player itself) does not write anything to the System32 folder.

Can you send us this file by email to support@bsplayer.com so we can check it?

#5, 10th December 2008, iceman69

I sure can..

just sent it.. from a mail called [deleted by Ico-man - you don't want to receive all the latest spam, do you? ;)]
and packed the file as a .rar

tried scanning with F-Secure online scanner, which picked the file up as a virus too.

#6, 10th December 2008, Ico-man (BS.Support)

Ok, you sent us the infected file itself and not the BS.Player installation file (btw. our antivirus reports it as WORM/Kolabc.fat), but the problem is that BS.Player does not have anything to do with this infected file. Like stated before - BS.Player does not write anything to the System32 folder.

BS.Player installation does not include any viruses, worms, trojans...

Your entire system may be infected (but not because of BS.Player) and now with every installation, the virus copies itself over and over again. I suggest you run a full computer antivirus scan and delete/quarantine all infected files and then install BS.Player.

#7, 10th December 2008, iceman69

yea the thing is though..

I have installed it on 3 different computers..

I installed it on a home computer which is on a totally different network, not to say different physical location and different ISP..

that comp caught the file..

Then I installed the player at work (checked the system32 folder before install) and then the file got there..

Then I took another machine at work, with a totally new image on, and installed bs.player, now the file is there too..

so 2 computers in the same network, and 1 computer from a different ISP and different location, got the same file right after BS.Player install..

the computers in different locations have never had any contact with each other.

#8, 10th December 2008, Ico-man (BS.Support)

Please send us the installation file. (something like this bsplayer234.978_clip.exe)

If we distributed viruses in our downloads... how many users do you think would be posting complaints on our forum? 1 or hundreds?

#9, 10th December 2008, iceman69

hey, I'm not blaming you guys for the virus problem, I'm just trying to figure out why I suddenly get the file on my computers.. which seems to be after the installation..

#10, 10th December 2008, iceman69

I'm sorry to say guys but it seems like your European mirror has been hijacked.

Correct me if I am wrong but don't you use the Nullsoft installer..?

the file from the euro mirror uses a CAB self-extract installer, I have been informed..

also the file size should be different between the two files from the US vs the EU mirror

#11, 10th December 2008, Maxx

To whom it may concern

Guys, it's a serious problem, which must be solved ASAP. The US mirror returns a valid installation file, but the EU mirror returns a file injected by virus. The original file is a Nullsoft Installer (MD5: 55E0B18B5600339D50842D9514F5FDB5), the injected file is bigger and it is a CAB self-extract with the original installer and a virus included (MD5 of the injected installer: EBFF8F450FB4EEE11D7FC100126A6D75). The virus is detected by some engines http://www.virustotal.com/en/analisi...72e14d84ae4947. Assuming my DNS is not cloaked it must be a problem on your side (maybe a hacked download server). Anyway, you should correct it and put a warning on your homepage before anyone else does that (it could significantly discredit your reputation).

Regards
Michal Krejdl
*********** (the developer of ********** antivirus) [edited by IcoMan - sorry guys, no free advertising on this forum]
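
Added example (not part of the original thread, and not BS.Player's or any vendor's tooling): the comparison described in post #11, the same installer fetched from two mirrors and checked for digest, size and container type, sketched in Python. The function names, mirror labels and sample bytes are constructed for illustration, and the NSIS and cabinet byte markers are heuristics for which container format a file embeds.

```python
import hashlib

# Heuristic byte markers: the NSIS first header carries 0xDEADBEEF followed by
# "NullsoftInst"; a Microsoft cabinet starts with "MSCF" and four zero bytes.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
CAB_MARKER = b"MSCF\x00\x00\x00\x00"

def fingerprint(data):
    """Size, digests and embedded container types of one downloaded installer."""
    containers = [name for name, marker in (("nsis", NSIS_MARKER), ("cab", CAB_MARKER))
                  if marker in data]
    return {
        "size": len(data),
        # MD5 is computed only so the result can be matched against values that
        # were published as MD5; SHA-256 is the digest to rely on.
        "md5": hashlib.md5(data, usedforsecurity=False).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "containers": containers,
    }

def compare_mirrors(downloads, known_good_md5=None):
    """downloads maps mirror name to file bytes. Returns findings; empty means consistent."""
    prints = {mirror: fingerprint(data) for mirror, data in downloads.items()}
    findings = []
    for field in ("sha256", "size", "containers"):
        if len({str(p[field]) for p in prints.values()}) > 1:
            detail = ", ".join(f"{m}={p[field]}" for m, p in sorted(prints.items()))
            findings.append(f"mirrors disagree on {field}: {detail}")
    if known_good_md5:
        for mirror, p in sorted(prints.items()):
            if p["md5"] != known_good_md5.upper():
                findings.append(f"{mirror}: MD5 {p['md5']} does not match known-good value")
    return findings

# Constructed sample data (not real installers): a stub carrying the NSIS marker,
# and a larger stub carrying a cabinet marker, mirroring the two cases in the thread.
US_SAMPLE = b"MZ" + b"\x00" * 62 + NSIS_MARKER + b"payload"
EU_SAMPLE = b"MZ" + b"\x00" * 62 + CAB_MARKER + b"\x01" * 200

if __name__ == "__main__":
    good = fingerprint(US_SAMPLE)["md5"]
    for line in compare_mirrors({"us": US_SAMPLE, "eu": EU_SAMPLE}, good):
        print(line)
```

With real files, read each download in binary mode and pass the bytes in; a mismatch on any field between mirrors that should serve the same build is the signal to stop and report.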

#12, 10th December 2008, Ico-man (BS.Support)

Fixed.

#13, 10th December 2008, Maxx

How about the official "press release" or warning on the home page? We're thinking about the warning on our home page, because many people could be affected (when their AV solutions did not do a good job). You've been notified and got the chance to put some official words to the people. We will publish the warning in an hour or two.

MK

#14, 10th December 2008, Ico-man (BS.Support)

Please read:
http://bsplayer.com/en/bs.player/new...nt/?article=34

@iceman69: You were right, the problem was on our side. Hopefully you didn't have too many problems because of it, because your AV worked like it should and detected the error in time.

#15, 10th December 2008, iceman69

Hey Ico-man

Don't worry about it, I work with computers for a living so I'll manage..
just saw the file and wanted to get rid of it..

Yea ********** [edited by IcoMan - sorry guys, no free advertising on this forum] detected it, and deleted it, and my HIPS kept it down from doing any harm, I reinstalled the system though just to be on the safe side.. (but that's my choice, I'm sure the AVG removed it as it should)

#16, 11th December 2008, Ico-man (BS.Support)

Completely changing the meaning of our posts are we? :)

PostPosted: Wed Dec 10, 2008 3:43 pm
Last edited by Maxx on Wed Dec 10, 2008 4:09 pm; edited 1 time in total

#17, 11th December 2008, Maxx

Just changed the "maybe" statement. The final decision was made meanwhile, so the current phrase is more precise. :)

MK

#18, 11th December 2008, gulfstar: How can I remove the virus ?

I have had the same problem, my computer is infected now with the virus... Can anyone guide me please to a tool to remove this virus? The AV I have is not able to remove it, every time the computer starts the installdata358.tmp.exe file appears again..?

#19, 11th December 2008, iceman69

Hey Gulfstar

F-Secure Online Scanner is able to detect the virus and remove it..

******* [edited by IcoMan, sorry guys, no free advertising on this forum] is able to remove it too..
(I use the free home version, the online scanner can detect it, but you have to locate the file yourself.)

The file is located at C:\Windows\System32\installdata358.tmp.exe.
it's a hidden file, so you have to show hidden files and folders...

First, open task manager, and find the file under processes, and terminate it.. then go to C:\Windows\System32 and delete the file...

Restart the system and check if the file is started in the task manager again, if not go to system32 and see if you can find the file..

after you see that the file is gone, run either F-Secure online scanner, or install ********* home edition ******* [edited by IcoMan, sorry guys, no free advertising on this forum] and run one of those, see what it comes up with