Web-MediaPlayer

Learn about Computer Security Virus/Malware Removal Assistance
#1

Hi,

The Web-mediaplayer is a french application that allow to view TV and Radio by using WMP11.
It contains more than 400 Thousands TV & Radio in all countries.

The problem is i suspect this program contain spywares, worms or even trojan !
The Comodo Antivirus did not find anything suspitious, however the HIPS interactive allowed me to Block BUT the problem is that spyware or malware install itself with the Setup so first i have allowed all.

But when i saw that a weird program called lbfkxcjpei.exe i told myself “Man you’ve got pawned”.
First, the file is not visible on Windows, but it is on MS-DOS Console by using “ATTRIB” which show all attributs about a file or folder.
Even on Windows, when you setup to Show all files including protected files, the file remain invisible.

So i’ve guess, if the file is so hard to find, it means its a malware who try to remain hidden.

Then, Comodo Firewall react and tell me “lbfkxcjpei.exe try to use OLE of FTPRush with invisible connection”, doh, i’m right, i’ve got pawned.

My solution is : Using Hijackthis, not from TrendSecure but the old, then i go to Misc Tools and i choose “Delete file on reboot”, then i write the full path(that i can’t see) and when i press Open, then Hijackthis could open :slight_smile:
Then, i clean my registry with RegSeeker by searching about lbfkxcjpei.exe and i remove all links about that file.(About 100 links)
So i had rebooted my system, the file is gone and guess what ? I can see his brothers ! So i removed all !

Now i try to search where did i got that ? What was the last program i tried to install ? Web-MediaPlayer ! Ok then let’s restart it… Guess what ? Comodo Firewall tell me that program want to drop another random file… Cool now i know where did i get infected. The Comodo Antivirus cannot find it but the firewall helped me =)

The new random file has been submitted to Comodo Antivirus by the HIPS control which i press Block, and i have enabled the file submission. The file has been successfully sent BUT it is not removed yet because its not active.

If you wanna test your skills :
http://www.web-mediaplayer.com/
have fun, just click “Télécharger ici” with IE only because with Firefox it doesn’t work lol
Then run it… and install and look for the surprises…

#2

Sorry for the late reply.

Since you have sent the file to Comodo Labs, they should be able to look at it.

#3

Layered security, what one misses another catches!

:SMLR

#4

This one was a fake russian player, basically a rogue “copycat” dropping a bunch of malwares/spywares.

( The real french player was ‘‘web media player’’ not ‘‘web mediaplayer’’ here http://www.azertysite.new.fr/ it is outdated )

If you got infected you can use Navilog1 or mbam

#5

You might want to look at post dates before replying. This thread last saw action in 2007…