Fasterxp and sopcast ad element.

digideath

New member
Hi.
I had a nasty worm infection of the win32/rbot family recently, that dropped/used a load of malware. After removal, spybot removed a heck of a lot of the malware for me. For this I am grateful and thank the devs of spybot for such an essential program.

One infection spybot missed was a spyware trend micro's housecall id'd as fasterxp. I am afraid I can't supply a sample though as it is erased from my system. Since s&d doesn't detect it, I thought the least I could do is make you aware of it.

May I submit a suspected adware to spybot for analysis? I use an internet tv program called sopcast. It has an ad element called "sopadver.exe". This normally puts ads in the "tv screen" while waiting to buffer a stream or when no channel is selected. I have reason to suspect that this ad element is also responsible for a few ad popups I've had in ie (popups occurring while ad element is running. None when it isn't.). If this is accurate, it means that the ad element operates outwith acceptable parameters and should be considered adware.
Would the team care to investigate this? If so, what would you prefer an upload of, the whole program or the "sopadver.exe" file?
 
Hello.
May I submit a suspected adware to spybot for analysis?

Yes, please zip or rar the file/s and send them to: detections(AT)spybot.info (Replace AT with @)

You could also provide a link back to this topic.

Thank you. :)
 
That's it posted. As you didn't specify which to post, either the ad element or the program, I posted both. Zipped as per requested. I virus scanned them at virustotal.com before attaching. I also linked this thread as requested and to this extent would like to add more info on this.

I tested to see if the program would run without the ad element. Just wanted to see how it would react. To do this I...

Opened my prefetch folder and deleted the prefetch entry for sopadver.exe.
In a separate window, opened the folder which contained the sopadver element. This was located at folder
C:\Documents and Settings\Administrator\Application Data\SopCast\adv
I renamed the sopadver.exe file and its .dat file to sopadver.exe.bak and sopadver.dat.bak.

I then ran the program. The program worked ok. There were no ads, just the inbuilt, flashy "your add here" part. Got to buffer a channel as well but during this the program...

Locked the buffering for a second while it did the following.
Renamed the sopadver.exe.bak file to sopadver.exe. And yes I do mean renamed it. The sopadver.exe.bak file vanished and sopadver.exe appeared in its place.
It generated a new .dat file for itself.
A new prefetch file appeared for it showing that it was instantly executed.

I opened my browser and surfed for a bit and got the same couple of popups. I then closed the program and browsed a bit but received no more popups. Visited the same circle of sites each time to get a clearer picture.

That's all I did with it. It seems to be protecting its ad element pretty aggressively and I'm pretty certain it's popping up ads for affiliates or whatever in ie. Just to increase ad exposure.
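
Added example, not part of the original post and not Spybot or SopCast code: a Python sketch that hashes a folder before and after a program runs, so a true rename (same bytes under a new name) can be told apart from a freshly dropped file. The file contents in `demo()` are constructed stand-ins for the adv folder named in the post.

```python
import hashlib
import os
import tempfile

def snapshot(folder):
    """Map each file name in folder to the SHA-256 of its contents."""
    result = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[name] = hashlib.sha256(fh.read()).hexdigest()
    return result

def diff_snapshots(before, after):
    """Classify changes as renamed / created / deleted / modified."""
    events = []
    gone = {n: h for n, h in before.items() if n not in after}
    new = {n: h for n, h in after.items() if n not in before}
    by_hash = {}
    for name, digest in gone.items():
        by_hash.setdefault(digest, []).append(name)
    for name, digest in sorted(new.items()):
        if by_hash.get(digest):
            # Same bytes vanished under another name: a rename, not a re-drop.
            old = by_hash[digest].pop(0)
            del gone[old]
            events.append(("renamed", old, name))
        else:
            events.append(("created", name))
    events += [("deleted", n) for n in sorted(gone)]
    events += [("modified", n) for n in sorted(before)
               if n in after and before[n] != after[n]]
    return events

def demo():
    """Constructed stand-in for the adv folder; all file bytes are made up."""
    with tempfile.TemporaryDirectory() as adv:
        for name, data in (("sopadver.exe.bak", b"constructed-exe-bytes"),
                           ("sopadver.dat.bak", b"constructed-old-dat")):
            with open(os.path.join(adv, name), "wb") as fh:
                fh.write(data)
        before = snapshot(adv)
        # Simulate what the post reports happening during buffering.
        os.rename(os.path.join(adv, "sopadver.exe.bak"),
                  os.path.join(adv, "sopadver.exe"))
        with open(os.path.join(adv, "sopadver.dat"), "wb") as fh:
            fh.write(b"constructed-new-dat")
        return diff_snapshots(before, snapshot(adv))
```

Taking the `before` snapshot after renaming the files and the `after` snapshot once the program has buffered a channel gives a record that can be attached to a sample submission.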
 
Hello.

Thank you for the extra information, I left a note for a detective to please respond here if possible.

Cheers.
 
Hello Digideath,
Thank you for sending the files. We have tested them - but we could not find anything bad. They did not produce any popups and did not try to connect to the internet except to the tv-stations where it has to connect to.

Best regards,
Markus
 