XMPlay ERROR! This file has been tampered with and MAY BE INFECTED BY A VIRUS!

[Guest]

[mntech]

Comodo Internet Security did an update today and asked for a reboot. After rebooting, when trying to play XMPlay.exe ver. 3.4.2.111, I am getting a popup with window title "ERROR!" and text "This file has been tampered with and MAY BE INFECTED BY A VIRUS!"

I have been running this program version fine for days and previous versions of this program for years. The program ran fine yesterday. I am not seeing this message so far when opening any other programs.

Various previous versions of the XMPlay executable were tried and come up with the same message. I unzipped XMPlay files to another directory -- this program does not require an install -- and I received the same message when trying to execute.

I have Windows Vista 64-bit Service Pack 2 with all updates and Comodo Internet Security, Product 3.10.102194.530, Virus Signature Database 1544.

A full scan and cleaning by Comodo Antivirus did not cure the issue, even after reboot. I followed sticky "What to do if you're infected - eXPerience Rev.3" and cleaned with Malwarebytes and Superantispyware programs. My issue persisted after each cleaning and a reboot.

A-Squared revealed the following detections, which I did not remove per the sticky advice:
Trace.Directory.FavSearch!A2
Trace.File.Ezula!A2
Trojan-Downloader.DelphiIK
Trojan.Generic!IK
HTML.Infected.WebPage!IK
Virus.Win32.Downloader.BV!IK
Trojan.ATRAPS!IK
Virus.JS.ScriptIP!IK
Cracker!IK
Trojan-Dropper.Agent!IK
Trojan-Proxy.Win32.Steredir!IK
Trojan-Spy.Win32.Agent.asf!IK
Riskware.Client-IRC.Win32.mIRC!IK
Trojan.Crypt!IK
Trojan.Dropper!IK
Email-Worm.VBS.Brit!IK
Trojan.BAT.Agent!IK
Trojan.Exploit.Dcomrpc.A!IK

Note: Trojan-Downloader.DelphiIK seems to be present at C:\Program Files\ (x86)\XMPlay\Plugins\dsp_vst.dll, though this may be a false positive and this plugin should not be engaged when running XMPlay from another directory. It is possible that this plugin would be engaged normally, however.

Then I ran HijackThis and I'm attaching the log.

Please help with removing my malware. Thank you!

[EDIT: I also run Spybot Search & Destroy. Yesterday before this problem appeared I know that I updated the program's malware database and did full immunization. I have found very little on the Internet about the exact error that I'm reporting; I don't know if it comes from Comodo, Vista, or elsewhere.]

[Rotty]

Could you post the name and directory of the files detected by A-Squared?

[mntech]

Could you post the name and directory of the files detected by A-Squared?

I've attached the scan text, with minor edits ([xxxxx]) for protecting identity.

[mntech]

Update: After more research, it appears that code which generates this error is contained in another program written by the author of XMPlay, called Petite Packer. The code may also be contained somewhere in XMPlay.exe or a related file. I've contacted the author to inquire about this message, as he probably knows what is happening.

[mntech]

Update: Another person has reported this same problem with XMPlay after updating to Comodo version 3.10, but their problem was fixed by reverting to version 3.9. I can try to revert as well and confirm if Comodo version 3.10 is the culprit.

[Toggie]

Curious! I just downloaded XMPlay and it works without problem. Strangely enough it must be on the Comodo safe list as I didn't receive an alert, but an entry has been added to D+

I don't believe 3.10 is the problem here, I guess we need to look elsewhere.

[mntech]

Well, I reverted to Comodo Internet Security 3.9 and all versions I have of the XMPlay executable now work!   

Now what? And can someone advise me now how I should proceed with the detections found by A-Squared and HijackThis?

[Toggie]

It's not unusual for an AV/AS application to misinterpret a 'packed' application as malicious. it's the way they work. Unfortunately CIS AV also, sometimes, gets the wrong idea.

Best I can do is suggest you forward your scan results and any files that may be suspect to the various vendors, then wait...

I've now tried XMP on the systems I have here, unfortunately no Vista, but XP and 7. It works...

I ran a scan with mbam, Spybot, hjt as well as CIS AV and nothing untoward was detected. I didn't try a-squared as i don't like it.

[mntech]

Best I can do is suggest you forward your scan results and any files that may be suspect to the various vendors, then wait...

According to the sticky in this forum: "Here you can receive assistance by the thousands of other forum members in helping you clean your PC and getting it infection free! The type of support you get is irrelevant to if you use CAVS or not, this is for anybody who needs help in cleaning their PC of infections."

So I've submitted A-Squared and HijackThis results above and I'm asking for help HERE! Can someone advise on those?

It seems CIS version 3.10 has the same affect on XMPlay for at least two people, but the program appears virus and malware free. I'd think Comodo needs then to investigate the XMPlay issue. I've submitted my XMPlay executables to Comodo for analysis.

[Toggie]

I can appreciate your concern and of course we will do what we can to help.

[EricJH]

I just installed XMPlayer and had it scanned by a2, MBAM (database 2388) and CIS (database 1578) and it didn't find anything suspicious.

With regards to your HJT log. I ran it through www.hijackthis.de and these entries got flagged:
E:\PROGRAMS\TaskbarHide\TBhide.exe
E:\PROGRAMS\CoreFTP\coreftp.exe
O4 - Startup: TBhide.exe.lnk = E:\PROGRAMS\TaskbarHide\TBhide.exe
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)

What is taskbar hide? An application you know and use? I guess you have Core FTP installed. The AMD service misses a file and is innocuous because of that.

I have one question for now. From what source did you download the XMPlayer? May be got an infected version.

[mntech]

Thanks for looking into this!

TBHide I'm aware of and have been using for years. It's a small proggie that just removes the single line of pixels at the bottom of the screen that still remains when putting Windows taskbar into auto-hide mode.

CoreFTP is installed, yes, but I'm pretty sure it's clean.

XMPlayer was downloaded from the author's ftp site. I get all the executables from the website or the author's ftp location.

Someone has suggested that maybe Comodo's Image Execution setting had something to do with the problem, though with version 3.9 of CIS all of my XMPlay executables work fine with either the Disabled or Normal settings.

[mntech]

Good news! CIS has updated today to version 3.10.102363.531. After uninstalling version 3.9, installing my previous version of 3.10 and then updating to 3.01.102363.531, I'm no longer having the trouble with XMPlay! It will run fine with Image Execution set to Disabled or Normal.

I did notice, however, that the trouble persisted when I first reinstalled 3.10, which was version 3.10.102194.530. Apparently some shortcomings in that version were fixed, or something got corrected on my system.

Anyone have further advice to give on my A-Squared log?

[EricJH]

I tried to open the a2 log but it partially show Chinese. Can you post it again?

[mntech]

I tried to open the a2 log but it partially show Chinese. Can you post it again?

Thanks! Perhaps there was trouble reading the unicode text Attached is the same file, but encoded in ANSI text.

[Tags:]