
Thread: SoftCop false positive?

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    2

    SoftCop false positive?

    I run Cygwin on a daily basis. This morning, I received a notification that cygrunsrv.exe contained Fraud.SoftCop. Shortly after that, I received the same notification on tail.exe. These have been installed for a long time, and I suspect this to be a false positive. Here's the info:

    OS: Windows XP SP3 (plus all of the latest updates, still has IE6 though)
    Browser: Firefox v2.0.0.20
    Spybot: v1.6.0.31 - Updated 10/28/2009
    Occurrence: When running Cygwin programs
    From Resident.log:
    10/28/2009 9:49:00 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\cygrunsrv.exe!
    10/28/2009 9:50:24 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\tail.exe!
    10/28/2009 10:33:17 AM Encountered and terminated Fraud.SoftCop in C:\cygwin\bin\gzip.exe!

    I even re-downloaded the package that tail.exe is contained in, extracted it, and I still get the notification when I run that program. The package I downloaded is http://mirror.mcs.anl.gov/cygwin/rel...6.10-2.tar.bz2
    Of course, you'll need more Cygwin files/apps to extract and run tail.exe.

    Can you look into this to see if it is a false positive?

    If there's any other info you need, let me know.

    Thanks in advance!

  2. #2
    Junior Member
    Join Date
    Oct 2009
    Posts
    1


    Yes, just registered so I could post that I seem to be having a similar problem, and yes I'm using Cygwin. Here's a snippet from my logs (note from them that Spybot also picks up Ethereal packet capture logs as being infected with XiaJian, and has done for a LONG time - there's another false pos for you). There's a couple of other programs in there, but until today nothing's been picked up, and it only seems to involve THAT specific directory.

    umx_decoder.exe is a little prog for replacing headers in Unreal music files with ones that are readable by most sound players, and has been living happily in that location for a couple of years. 20070522083604640_SM2032BW.exe is my monitor drivers...

    Hope you can help on this one and hopefully be able to confirm that they are indeed false positives. Give me a yell if you need samples of any of the below exes for testing.

    Cheers!


    --- Search result list ---
    Win32.XiaJian.bk: [SBI $2DE917CD] Data (File, nothing done)
    C:\Documents and Settings\xxx\Local Settings\Temp\etherXXXX03BA0U
    Properties.size=82397874
    Properties.md5=F7E31BE8FE95E3263A5E2BA2BA93132C
    Properties.filedate=1252694513
    Properties.filedatetext=2009-09-11 18:41:53

    Win32.XiaJian.bk: [SBI $2DE917CD] Data (File, nothing done)
    C:\Documents and Settings\xxx\Local Settings\Temp\etherXXXXQAIXZU
    Properties.size=24
    Properties.md5=AB487D36057D446B6A8B72091DA72F23
    Properties.filedate=1252684934
    Properties.filedatetext=2009-09-11 16:02:14

    Win32.XiaJian.bk: [SBI $2DE917CD] Data (File, nothing done)
    C:\Documents and Settings\xxx\Local Settings\Temp\etherXXXXUAXUZU
    Properties.size=38619711
    Properties.md5=D1218247502048BA0CF0AAA6F8AF43AD
    Properties.filedate=1252689174
    Properties.filedatetext=2009-09-11 17:12:53

    ######### today's results here ##############

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\ProgsAndUtils\umx_decoder.exe
    Properties.size=56367
    Properties.md5=22EF2F6A52815521FC1A702FFC756585
    Properties.filedate=1165052071
    Properties.filedatetext=2006-12-02 09:34:31

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\zip.exe
    Properties.size=68096
    Properties.md5=5E832F4FAF5F481F2EAF3B3A48F603B8
    Properties.filedate=1050278400
    Properties.filedatetext=2003-04-14 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\bc.exe
    Properties.size=52736
    Properties.md5=4F7938A88E4E4A069EB2E2EBFD466471
    Properties.filedate=942278400
    Properties.filedatetext=1999-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\csplit.exe
    Properties.size=65024
    Properties.md5=F6ED30D97FF1BC1351D4F5040AC442EA
    Properties.filedate=942278400
    Properties.filedatetext=1999-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\diff.exe
    Properties.size=68096
    Properties.md5=1B79CED2B4E7C4A2122256D584E9AD4B
    Properties.filedate=1005436800
    Properties.filedatetext=2001-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\find.exe
    Properties.size=65536
    Properties.md5=B7FB937DCFA116081AFC62E0AEC309E2
    Properties.filedate=1005436800
    Properties.filedatetext=2001-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\indent.exe
    Properties.size=58880
    Properties.md5=CC6463410508E98DA33E8844242E325D
    Properties.filedate=1050278400
    Properties.filedatetext=2003-04-14 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\Drivers\20070522083604640_SM2032BW.exe
    Properties.size=58880
    Properties.md5=286835AA4F875EBC7088AFD99A75FAB8
    Properties.filedate=1228763289
    Properties.filedatetext=2008-12-08 19:08:09

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\ln.exe
    Properties.size=69632
    Properties.md5=62F08F0A115BAC5BD853B62CB6A50007
    Properties.filedate=1050278400
    Properties.filedatetext=2003-04-14 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\ls.exe
    Properties.size=57856
    Properties.md5=81B68D181440D59C0565986ABC141139
    Properties.filedate=942278400
    Properties.filedatetext=1999-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\mv.exe
    Properties.size=69632
    Properties.md5=4A100C7BBB1E099F1807987756A1E9AF
    Properties.filedate=1005436800
    Properties.filedatetext=2001-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\nl.exe
    Properties.size=51712
    Properties.md5=C1F51174CE605FFD7E827DB4A566EE78
    Properties.filedate=942278400
    Properties.filedatetext=1999-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\patch.exe
    Properties.size=59904
    Properties.md5=EA36AA0F90982F9F29D020D9D5AA9AC9
    Properties.filedate=942278400
    Properties.filedatetext=1999-11-11 00:00:00

    Fraud.SoftCop: [SBI $39F20247] Downloaded program file (File, nothing done)
    E:\Downloads_1\Apps_Drivers\localbin\localbin\rm.exe
    Properties.size=65536
    Properties.md5=414DC024D7FD437D5EFC06663E4B184B
    Properties.filedate=971136000
    Properties.filedatetext=2000-10-10 00:00:00
    Last edited by Slibowicz; 2009-10-28 at 19:22.

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Posts
    2

    Similar find

    First thanks very much for this software, I am a longtime fan. SpyBot SnD has rescued me more than once.

    OS: Windows XP SP3 up to date
    Browser: IE7
    Spybot: v1.6.2.146 - Updated 10/28/2009

    Got warnings below. From the resident log:
    10/28/2009 12:57:21 PM Encountered and terminated Fraud.SoftCop in C:\Program Files\Microsoft Office\Office\OSA.EXE!
    10/28/2009 12:57:37 PM Encountered and terminated Fraud.SoftCop in C:\WINDOWS\system32\shadow\ShadowService.exe!

    Are they false positives? OSA.exe is OK, associated w/ MS office, and ShadowService.exe is too, associated w/ PowerShadow.

    Thanks again.

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    hello,

    thanks for reporting.
    I can confirm the false positive with Fraud.SoftCop.
    I will check if a correction can be uploaded today, otherwise it will be released with the next detection update scheduled for Wednesday 2009-11-04.

    Teatimer will have to be restarted after the update.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  5. #5
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Update is online and is dated 2009-10-29, remember to restart the TeaTimer after the update.

  6. #6
    Junior Member
    Join Date
    Oct 2009
    Posts
    2

    Thank you!

    Thank you for the quick fix. The update must have downloaded automatically last night. I started up Cygwin this morning, and did not receive the notification (I double checked, and I do have the update). Awesome job!

  7. #7
    Junior Member
    Join Date
    Mar 2007
    Posts
    2

    Thank you

    Thanks for the quick fix. Very nice of you.

    OS = WXP Home SP3 up to date
    Browser = IE7
    Spybot = v1.6.2.146 - Updated 10/28/2009
    Have not yet run the latest SnD update.

    After the attempt to terminate osa.exe and ShadowService.exe, Microsoft Excel began starting uninvited.

    Autoruns found it to be in the startup folder: C:\Documents and Settings\All Users\Start Menu\Programs\Startup. It was disabled and the unintended startup behavior has stopped, so I guess no problem exists.

    The only other recent change made to this computer was when SnD deleted a registry entry on the 28th of October. The log from that date showed this:

    Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-1799718865-984949040-1490943010-1009\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

    I wonder if either or both of these changes caused Excel to autostart? Online ESET and Kaspersky say the machine is not infected with anything.

    Thanks again for the great work you do.

  8. #8
    Member
    Join Date
    Jul 2009
    Posts
    56

    How to restore osa.exe

    I took SS&D's recommendation: it deleted osa.exe.

    Now on startup, Win2000 complains about a missing shortcut.

    Has SS&D saved osa.exe for me, and if so how do I recover it?

    ...chris

  9. #9
    Junior Member
    Join Date
    Oct 2009
    Posts
    1

    Possible False Positive connected to the Update 2009-10-28

    Hi,

    I have only just registered but I am having a problem with a possible false positive. I updated my Spybot - S&D with the 2009-10-28 Update, but when I restarted my computer, I was told that "ibpmsvc.exe" and "PAStisvc.exe" were processes belonging to malicious software identified as Fraud.SoftCop.

    I restored my computer to 27th October 2009, and the "ibmpmsvc.exe" notification didn't reappear, but the "PAStisvc.exe" did reappear. I don't want to allow this process to continue as I am not sure what it is for (I looked it up and it is something to do with a Webcam process), but I do need to know if this is an error as this is seriously slowing my computer down and I don't want the processor to give out from the stress.

    Please can I get help from a member of the Spybot Team?

  10. #10
    Junior Member
    Join Date
    Oct 2009
    Posts
    7

    How to restart Teatimer

    How does one restart Teatimer? I just did "Exit Spybot S&D" from the toolbar/tray thing. Is that what you mean?

    Also, PDF995 had the same problem with claiming to have Fraud.SoftCop.


    Quote Originally Posted by Yodama View Post
    hello,

    thanks for reporting.
    I can confirm the false positive with Fraud.SoftCop.
    I will check if a correction can be uploaded today, otherwise it will be released with the next detection update scheduled for Wednesday 2009-11-04.

    Teatimer will have to be restarted after the update.
