Safer-Networking Forums > Software > Spybot-S&D > False Positives
Old 2009-10-28, 18:06   #1
TWilson
Junior Member
 
Join Date: Oct 2009
Posts: 2
Default SoftCop false positive?

I run Cygwin on a daily basis. This morning, I received a notification that cygrunsrv.exe contained Fraud.SoftCop. Shortly after that, I received the same notification on tail.exe. These have been installed for a long time, and I suspect this to be a false positive. Here's the info:

OS: Windows XP SP3 (plus all of the latest updates, still has IE6 though)
Browser: Firefox v2.0.0.20
Spybot: v1.6.0.31 - Updated 10/28/2009
Occurrence: When running Cygwin programs
From Resident.log:
10/28/2009 9:49:00 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\cygrunsrv.exe!
10/28/2009 9:50:24 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\tail.exe!
10/28/2009 10:33:17 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\gzip.exe!

I even re-downloaded the package that tail.exe is contained in, extracted it, and I still get the notification when I run that program. The package I downloaded is http://mirror.mcs.anl.gov/cygwin/rel...6.10-2.tar.bz2
Of course, you'll need more Cygwin files/apps to extract and run tail.exe.

Can you look into this to see if it is a false positive?

If there's any other info you need, let me know.

Thanks in advance!
TWilson is offline   Reply With Quote
Old 2009-10-28, 18:19   #2
Slibowicz
Junior Member
 
Join Date: Oct 2009
Posts: 1
Default

Yes, just registered so I could post that I seem to be having a similar problem, and yes I'm using Cygwin. Here's a snippet from my logs (note from them that Spybot also picks up Ethereal packet capture logs as being infected with XiaJian, and has done for a LONG time - there's another false pos for you). There's a couple of other programs in there, but until today nothing's been picked up, and it only seems to involve THAT specific directory.

umx_decoder.exe is a little prog for replacing headers in Unreal music files with ones that are readable by most sound players, and has been living happily in that location for a couple of years. 20070522083604640_SM2032BW.exe is my monitor drivers...

Hope you can help on this one and hopefully be able to confirm that they are indeed false positives. Give me a yell if you need samples of any of the below exes for testing.

Cheers!


--- Search result list ---
Win32.XiaJian.bk: [SBI $2DE917CD] Data (File, nothing done)
C:\Documents and Settings\xxx\Local Settings\Temp\etherXXXX03BA0U
Properties.size=82397874
Properties.md5=F7E31BE8FE95E3263A5E2BA2BA93132C
Properties.filedate=1252694513
Properties.filedatetext=2009-09-11 18:41:53

Win32.XiaJian.bk: [SBI $2DE917CD] Data (File, nothing done)
C:\Documents and Settings\xxx\Local Settings\Temp\etherXXXXQAIXZU
Properties.size=24
Properties.md5=AB487D36057D446B6A8B72091DA72F23
Properties.filedate=1252684934
Properties.filedatetext=2009-09-11 16:02:14

Win32.XiaJian.bk: [SBI $2DE917CD] Data (File, nothing done)
C:\Documents and Settings\xxx\Local Settings\Temp\etherXXXXUAXUZU
Properties.size=38619711
Properties.md5=D1218247502048BA0CF0AAA6F8AF43AD
Properties.filedate=1252689174
Properties.filedatetext=2009-09-11 17:12:53

######### today's results here ##############

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\ProgsAndUtils\umx_decoder.exe
Properties.size=56367
Properties.md5=22EF2F6A52815521FC1A702FFC756585
Properties.filedate=1165052071
Properties.filedatetext=2006-12-02 09:34:31

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\zip.exe
Properties.size=68096
Properties.md5=5E832F4FAF5F481F2EAF3B3A48F603B8
Properties.filedate=1050278400
Properties.filedatetext=2003-04-14 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\bc.exe
Properties.size=52736
Properties.md5=4F7938A88E4E4A069EB2E2EBFD466471
Properties.filedate=942278400
Properties.filedatetext=1999-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\csplit.exe
Properties.size=65024
Properties.md5=F6ED30D97FF1BC1351D4F5040AC442EA
Properties.filedate=942278400
Properties.filedatetext=1999-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\diff.exe
Properties.size=68096
Properties.md5=1B79CED2B4E7C4A2122256D584E9AD4B
Properties.filedate=1005436800
Properties.filedatetext=2001-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\find.exe
Properties.size=65536
Properties.md5=B7FB937DCFA116081AFC62E0AEC309E2
Properties.filedate=1005436800
Properties.filedatetext=2001-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\indent.exe
Properties.size=58880
Properties.md5=CC6463410508E98DA33E8844242E325D
Properties.filedate=1050278400
Properties.filedatetext=2003-04-14 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\Drivers\20070522083604640_SM2032BW.exe
Properties.size=58880
Properties.md5=286835AA4F875EBC7088AFD99A75FAB8
Properties.filedate=1228763289
Properties.filedatetext=2008-12-08 19:08:09

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\ln.exe
Properties.size=69632
Properties.md5=62F08F0A115BAC5BD853B62CB6A50007
Properties.filedate=1050278400
Properties.filedatetext=2003-04-14 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\ls.exe
Properties.size=57856
Properties.md5=81B68D181440D59C0565986ABC141139
Properties.filedate=942278400
Properties.filedatetext=1999-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\mv.exe
Properties.size=69632
Properties.md5=4A100C7BBB1E099F1807987756A1E9AF
Properties.filedate=1005436800
Properties.filedatetext=2001-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\nl.exe
Properties.size=51712
Properties.md5=C1F51174CE605FFD7E827DB4A566EE78
Properties.filedate=942278400
Properties.filedatetext=1999-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\patch.exe
Properties.size=59904
Properties.md5=EA36AA0F90982F9F29D020D9D5AA9AC9
Properties.filedate=942278400
Properties.filedatetext=1999-11-11 00:00:00

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\rm.exe
Properties.size=65536
Properties.md5=414DC024D7FD437D5EFC06663E4B184B
Properties.filedate=971136000
Properties.filedatetext=2000-10-10 00:00:00

Last edited by Slibowicz; 2009-10-28 at 18:22.
Slibowicz is offline   Reply With Quote
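The two posts above quote Spybot output in two different shapes: single-line Resident.log entries ("Encountered and terminated X in PATH!") and the multi-line "Search result list" blocks (a header with the detection name and SBI id, then the path, then Properties.* lines). When several people report the same signature firing on unrelated, long-installed utilities, the useful thing to send the vendor is a consolidated list of detection name, SBI id, path, size and md5. The parser below is an added example written for this page; it is not Spybot's code or any poster's, and the two formats are inferred from the lines quoted in this thread. The sample input is assembled from paths, hashes and ids that appear in the posts (constructed assembly, not a real log file), and the Resident.log timestamps carry no hash, so the summary also lists which flagged files still need one before they can be reported.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: values copied from the posts in this thread, assembled here.
RESIDENT_LOG = r"""
10/28/2009 9:49:00 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\cygrunsrv.exe!
10/28/2009 9:50:24 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\tail.exe!
10/28/2009 12:57:21 PM Encountered and terminated Fraud.SoftCop in C:\Program Files\Microsoft Office\Office\OSA.EXE!
"""

SEARCH_RESULTS = r"""
--- Search result list ---
Win32.XiaJian.bk: [SBI $2DE917CD] Data (File, nothing done)
C:\Documents and Settings\xxx\Local Settings\Temp\etherXXXX03BA0U
Properties.size=82397874
Properties.md5=F7E31BE8FE95E3263A5E2BA2BA93132C
Properties.filedate=1252694513
Properties.filedatetext=2009-09-11 18:41:53

######### today's results here ##############

Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
E:\Downloads_1\Apps_Drivers\localbin\localbin\zip.exe
Properties.size=68096
Properties.md5=5E832F4FAF5F481F2EAF3B3A48F603B8
Properties.filedate=1050278400
Properties.filedatetext=2003-04-14 00:00:00

Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1799718865-984949040-1490943010-1009\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
"""

# Resident.log line: "<date> <time> Encountered and terminated <name> in <path>!"
RESIDENT_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Encountered and terminated (?P<detection>\S+) in (?P<path>.+)!$"
)
# Search-result header: "<name>: [SBI $<id>] <category> (<kind>, <action>)"
HEADER_RE = re.compile(
    r"^(?P<detection>[^:]+): \[SBI \$(?P<sbi>[0-9A-Fa-f]+)\] "
    r"(?P<category>.+?) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$"
)


@dataclass
class Hit:
    """One Spybot detection, from either log format (empty fields = not in that format)."""
    detection: str
    path: str
    timestamp: str = ""   # Resident.log only
    sbi: str = ""         # signature id, search-result list only
    category: str = ""    # e.g. "Downloaded program file", "Settings"
    kind: str = ""        # "File" or "Registry change"
    action: str = ""      # "nothing done", "fixed", "terminated"
    props: dict = field(default_factory=dict)  # Properties.* key -> value (strings)


def parse_resident_log(text: str) -> List[Hit]:
    """Parse 'Encountered and terminated' lines; other lines are ignored."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = RESIDENT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["detection"], m["path"], timestamp=m["timestamp"],
                            kind="File", action="terminated"))
    return hits


def parse_search_results(text: str) -> List[Hit]:
    """Parse search-result blocks: header, then path, then Properties.* lines."""
    hits: List[Hit] = []
    current: Optional[Hit] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("---", "#")):   # list banner / separator lines
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Hit(m["detection"], "", sbi=m["sbi"], category=m["category"],
                          kind=m["kind"], action=m["action"])
            hits.append(current)
        elif current is None:
            continue                                    # stray text before any header
        elif line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            current.props[key] = value
        elif not current.path:
            current.path = line                         # first non-property line is the target
    return hits


def summarize(hits: List[Hit]) -> Dict[str, dict]:
    """Group hits per detection: SBI ids seen, every flagged target with md5/size,
    and file targets that still lack a hash (Resident.log records none)."""
    out: Dict[str, dict] = {}
    for h in hits:
        entry = out.setdefault(h.detection, {"sbi": set(), "files": [], "missing_hash": []})
        if h.sbi:
            entry["sbi"].add(h.sbi)
        md5 = h.props.get("md5")
        entry["files"].append({"path": h.path, "md5": md5, "size": h.props.get("size"), "kind": h.kind})
        if h.kind == "File" and not md5:
            entry["missing_hash"].append(h.path)
    return out


if __name__ == "__main__":
    report = summarize(parse_search_results(SEARCH_RESULTS) + parse_resident_log(RESIDENT_LOG))
    for name, entry in report.items():
        print(f"{name}  SBI={sorted(entry['sbi']) or '-'}  targets={len(entry['files'])}  "
              f"without md5={len(entry['missing_hash'])}")
        for f in entry["files"]:
            print(f"    {f['md5'] or '-':32}  {f['path']}")
```

Running the module prints one group per detection name; the "without md5" count is the number of files you would still have to hash (or re-scan with the search tool, which records Properties.md5) before the list is complete enough to submit as a false-positive report.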
Old 2009-10-28, 20:13   #3
login123
Junior Member
 
Join Date: Mar 2007
Posts: 2
Default Similar find

First thanks very much for this software, I am a longtime fan. SpyBot SnD has rescued me more than once.

OS: Windows XP SP3 up to date
Browser: IE7
Spybot: v1.6.2.146 - Updated 10/28/2009

Got warnings below. From the resident log:
10/28/2009 12:57:21 PM Encountered and terminated Fraud.SoftCop in C:\Program Files\Microsoft Office\Office\OSA.EXE!
10/28/2009 12:57:37 PM Encountered and terminated Fraud.SoftCop in C:\WINDOWS\system32\shadow\ShadowService.exe!

Are they false positives? OSA.exe is OK, associated w/ MS office, and ShadowService.exe is too, associated w/ PowerShadow.

Thanks again.
login123 is offline   Reply With Quote
Old 2009-10-29, 08:29   #4
Yodama
Member of Team Spybot
 
Join Date: Oct 2005
Location: Buchenheim
Posts: 935
Blog Entries: 1
Rated LASSHes: 119
Default

hello,

thanks for reporting.
I can confirm the false positive with Fraud.SoftCop.
I will check if a correction can be uploaded today, otherwise it will be released with the next detection update scheduled for Wednesday 2009-11-04.

Teatimer will have to be restarted after the update.
__________________
born in the shadow to die in the shadow, that is the fate of the shinobi

Spybot S&D Downloads

Please help us improve Spybot and download our distributed testing client.
Yodama is offline   Reply With Quote
Old 2009-10-29, 10:56   #5
Yodama
Member of Team Spybot
 
Join Date: Oct 2005
Location: Buchenheim
Posts: 935
Blog Entries: 1
Rated LASSHes: 119
Default

Update is online and is dated 2009-10-29, remember to restart the TeaTimer after the update.
Yodama is offline   Reply With Quote
Old 2009-10-29, 16:28   #6
TWilson
Junior Member
 
Join Date: Oct 2009
Posts: 2
Thumbs up Thank you!

Thank you for the quick fix. The update must have downloaded automatically last night. I started up Cygwin this morning, and did not receive the notification (I double checked, and I do have the update). Awesome job!
TWilson is offline   Reply With Quote
Old 2009-10-30, 00:07   #7
login123
Junior Member
 
Join Date: Mar 2007
Posts: 2
Default Thank you

Thanks for the quick fix. Very nice of you.

OS = WXP home sp3 up to date
Browser = IE7
Spybot = v1.6.2.146 - Updated 10/28/2009
Have not yet run the latest SnD update.

After the attempt to terminate osa.exe and ShadowService.exe, Microsoft Excel began starting uninvited.

Autoruns found it to be in the startup folder: C:\Documents and Settings\All Users\Start Menu\Programs\Startup. It was disabled and the unintended startup behavior has stopped, so I guess no problem exists.

The only other recent change made to this computer was when SnD deleted a registry entry on the 28th of October. The log from that date showed this:

Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1799718865-984949040-1490943010-1009\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

I wonder if either or both of these changes caused Excel to autostart? Online ESET and Kaspersky say the machine is not infected with anything.

Thanks again for the great work you do.
login123 is offline   Reply With Quote
Old 2009-10-30, 16:03   #8
Chris Haslam
Junior Member
 
Join Date: Jul 2009
Posts: 13
Default How to restore osa.exe

I took SS&D's recommendation: it deleted osa.exe.

Now on startup, Win2000 complains about a missing shortcut.

Has SS&D saved osa.exe for me, and if so how do I recover it?

...chris
Chris Haslam is offline   Reply With Quote
Old 2009-10-30, 22:18   #9
pjh1992
Junior Member
 
Join Date: Oct 2009
Posts: 1
Default Possible False Positive connected to the Update 2009-10-28

Hi,

I have only just registered but I am having a problem with a possible false positive. I updated my Spybot - S&D with the 2009-10-28 Update, but when I restarted my computer, I was told that "ibpmsvc.exe" and "PAStisvc.exe" were processes belonging to malicious software identified as Fraud.SoftCop.

I restored my computer to 27th October 2009, and the "ibmpmsvc.exe" notification didn't reappear, but the "PAStisvc.exe" did reappear. I don't want to allow this process to continue as I am not sure what it is for (I looked it up and it is something to do with a Webcam process), but I do need to know if this is an error as this is seriously slowing my computer down and I don't want the processor to give out from the stress.

Please can I get help from a Member of the Spybot Team?
pjh1992 is offline   Reply With Quote
Old 2009-10-31, 20:31   #10
Wilkins
Junior Member
 
Join Date: Oct 2009
Posts: 7
Default How to restart Teatimer

How does one restart Teatimer? I just did "Exit Spybot S&D" from the toolbar/tray thing. Is that what you mean?

Also, PDF995 had the same problem with claiming to have Fraud.SoftCop.


Quote:
Originally Posted by Yodama View Post
hello,

thanks for reporting.
I can confirm the false positive with Fraud.SoftCop.
I will check if a correction can be uploaded today, otherwise it will be released with the next detection update scheduled for Wednesday 2009-11-04.

Teatimer will have to be restarted after the update.
Wilkins is offline   Reply With Quote