x.264.exe, False Positives regarding "SUPER" Options

[exile360]

Using a quick scan with database 357 this item was detected. I went to my system32 folder and could not locate the file. I searched google and found that it is part of SUPER, a video conversion program that I did install, but have long since removed. I believe the FP is on a file that SUPER left behind. I did a scan two days ago(I don't recall what the database version was) and it found 2 or 3 other files it claimed were trojans in my System32 folder. I researched them and likewise found them to be components of SUPER. I am currently running KAV, SuperAntispyware Pro, TeaTimer, Windows Defender and Comodo Boclean and none of them made any of these detections. I was just wondering if this is an FP or something they missed. Thanks. I have attached the log file from todays scan as instructed in the sticky.

[nosirrah]

This super c thing . I have seen many forum threads where people claim that once they install it there systems become unstable and have seen reports that it also hides files from the user .

I may be wrong about it being a trojan (still not sure) but it does seem to be junk .

I am going to look into this one a lot more today .

[nosirrah]

OK , you cant see that file because its hidden , and for no reason it seems .

When you google any of the files involved with super c all you get is hijackthis help forum threads .

I can find experts removing them , I can find experts not removing them .

I can find VirusTotal reports where these files are listed with 3 to 5 heuristic hits but no actual direct hits for malware .

One thing I cant find are reports where is this is outright listed as malware .

I am removing this for now , I will look into this further though .

These are the reasons I added it to begin with :

1. Searching for its files netted nothing but help forum threads .
2. Multiple reports of it being removed because for various reasons all involving people not being happy with it .
3. Multiple reports of it being uninstalled but leaving some of its files behind .
4. It hiding its files from the user .
5. Some evidence of other vendors detecting it as malware .

[nosirrah]

http://www.witcobber.com/download.htm

This seems to be the downlad page . I want to test this further but the download is not working .

I am trying to find something that is not a strike against this software but I just cant .

[nosirrah]

I cant find a download for this that still works and because of time issues (and loads of real malware to research) I cant look into this any further today .

I have removed it for now , next update will up soon .

If anyone can find me a link to this software I would be grateful .

[Cobra]

Here is a link for Super Video Converter 5.3

hxxp://www.download.com/3001-2194_4-108011...a696a53874d62c5

This post has been edited by JeanInMontana: Feb 14 2008, 09:02 PM

Reason for edit: mung live link

[JeanInMontana]

Here is a link for Super Video Converter 5.3

hxxp://www.download.com/3001-2194_4-108011...a696a53874d62c5

Please don't post live links to malware. We appreciate your help but munged links are to protect others.

[nosirrah]

This did not drop any files into system32 or windows , I do not hink that this is the same app .

The one I hear mentioned is super c .

Im going to check some more .

[nosirrah]

http://www.erightsoft.com/S6Kg1.html

Now this looks like it , cant find a working link on this site either though .

[exile360]

Thanks for all your hard work and research guys. I will agree that the program seems to be junk, that's why I uninstalled it to begin with, but I just like you could find nothing truly malicious about it. Again, I appreciate all the assistance and all the work Malwarebytes has done on RoguRemover, MBAM, Qoofix etc. You guys are great, please keep up the good work.

[dr_Bora]

@nosirrah: you need to start from the home page: http://www.erightsoft.net/home.html

- below Super picture> link Download and use for free
- next link (on the new page) > Start Downloading SUPER ©
- next page> link: download and use
- on the last page you need to wait 10 seconds and you'll get the download link near the bottom of the page.

Btw, file (C:\WINDOWS\system32\) x.264.exe:


Antivirus Version Last Update Result

eSafe 7.0.15.0 2008.02.14 suspicious Trojan/Worm
FileAdvisor 1 2008.02.14 High threat detected

Additional information
File size: 240128 bytes
MD5: 5fdd7d827c1cc58567367d03d24548ce
SHA1: 9937882f96f025991634b2833c5f4bcaef70beb2
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
Bit9 info: http://fileadvisor.bit9.com/services/extin...7367d03d24548ce
packers: UPX
packers: UPX

[nosirrah]

Got it now , thanks for the info .

Guess I was in to big of a hurry earlier .

[nosirrah]

OMG

These guys have a funny definition of the term uninstall .

At the very most their uninstaller removed 10% of this software .

I just may build a removal tool for this , should be real easy .

I am also taking a close look at all of the files left behind , what still loads and what this file is that runs for a split second after you uninstall .

[nosirrah]

I m not adding this back into defs .

Here is the deal , two things combine to make this "look" like malware .

First it removes next to nothing that it adds to windows and system 32 .

Next a lot of these files are hidden from the user and many also have no version info .


But .....


None of whats left is set to load and all detection on these files are based on their executable packers , they use a lot that malware also uses .

[exile360]

Thanks for the additional info. I'm inclined to agree that it isn't malware, however, an uninstall tool would be handy to remove all the junk this software leaves behind, especially if it could cause any conflicts with the codecs installed on a user's system.

[Citrus]

OMG

These guys have a funny definition of the term uninstall .

At the very most their uninstaller removed 10% of this software .

I just may build a removal tool for this , should be real easy .

I am also taking a close look at all of the files left behind , what still loads and what this file is that runs for a split second after you uninstall .

Any news on that removal tool? I uninstalled the program and would like to remove all traces of it.

[P.K. Atomsk]

I've been using SUPER for a while now to convert .flv files to MP3's and haven't had any problems with it. My friend said that he had it and uninstalled it and had no problems. I'm sure it's just bad design and not malicious in nature.

[AdvancedSetup]

Hi Bruce,

SUPER © is NOT Malware. It is just a front end GUI to a bunch of command line audio/video tools for video manipulation.
I've used the program off and on for a long time now and had no problems with it.

I don't care for how he has you get to the actual download link but hey it's his software.
If you follow through to either the 3rd or 4th page the link to download is at the very bottom of the page.

I can sniff the actual link if you really need or want it.

[CJS]

OMG

These guys have a funny definition of the term uninstall .

At the very most their uninstaller removed 10% of this software .

I just may build a removal tool for this , should be real easy .

I am also taking a close look at all of the files left behind , what still loads and what this file is that runs for a split second after you uninstall .

Did you ever build a removal tool for SUPER? I would be greatly interested in it. Or could you post a log of all the files it installs, so I know which ones to manually delete to uninstall the program? Thanks for any help.

[GT500]

Did you ever build a removal tool for SUPER? I would be greatly interested in it. Or could you post a log of all the files it installs, so I know which ones to manually delete to uninstall the program? Thanks for any help.

At the very least a list of what's left behind would allow one of us to create a BFU script to automate the cleanup.