RealCleaner - RealPlayer

[Guest]

Hi,

Yesturday I updated my RealPlayer and I did a full system scan with Avast!8 Free Edition and Malwarebytes Antimalware Free Edition it didn't show up any detection. I then did a full system scan with SuperAntiSpyware Free Edition and it detected this file called RealCleaner and the detection name is Trojan.Agent/Gen-FraudScan[Prod]. Location of this file is on C:\Program Files(x86)\Real\RealPlayer\RealCleaner.EXE.

Is this a legit detection or a false warning? I did some research yesturday but couldn't come up with any concrete evidence if this is true or false? Please advice. That file is now deleted and in quarantine.

Did anyone of you here have experienced this? Please advice and help?

 

Log file during that time is as follows:

Application version: 5.6.1014

Core Rules Database Version: 10121

Trace Rules Database Version: 7933

 

The detection name and location is: Trojan.Agent/Gen-FraudScan[Prod]. Location of this file is on C:\Program Files(x86)\Real\RealPlayer\RealCleaner.EXE.

 

I don't know if this is a false positive or not? Please help and advice? The file is deleted and in quarantine.

[GuiltySpark]

Hi staticguy,

 

RealCleaner is a fake antimalware get rid of it ASAP

[Guest]

Thanks for your reply! Why would RealPlayer incorporate RealCleaner in the new update? Been using it for many years on and off? Seems like they incorporate random programs into their own products.

 

DAEMON Tools installing a random toolbar i forgot the name of it and etc. Hate this when this happens? Now i am safe because it has been deleted and quarantined. Thanks.

 

Why did SuperAntiSpyware able to catch this but not Avast! 8, AVG, Norton, MalwareBytes Antimalware, and etc?

[GuiltySpark]

MBAM should've caught it as it always used to.

[Guest]

Trojan.Agent/Gen-FraudScan[Prod]

 

What does [Prod] means?

[GuiltySpark]

Possibly Productivity but am unsure exactly.

 

Why Productivity ?

 

Because of the way it works maybe ????

[Guest]

Oh okay fair enough... don't really want to know about it because you told me it's a fake antimalware! Ummm... interesting since MBAM didn't detect this threat found this from MBAM forum about RealCleaner http://forums.malwarebytes.org/index.php?showtopic=97240

[Guest]

Continuing from my above message.

I even didn't double click the RealCleaner icon from the RealPlayer folder. i just did a full system scan from SuperAntiSpyware and it detected that. I also didn't get any pop up dialog box or notification from RealCleaner.

[GuiltySpark]

It may have deactivated MBAMs detection, give your computer a good going over including starting in safe mode to see if MBAM is working fine.

[Guest]

SuperAntiSpyware already deleted this threat and quarantined it? Should i update MBAM again and run in safe mode?

[GuiltySpark]

Might be worth it as it never hurts to double check just to make sure everythings working as it should be

 

Incidently, if you want a decent media player thats not as much of a resource hog and plays just about any type of vid files : http://www.filehippo.com/download_vlc_32/

[Guest]

Yeap will do it right now and will report back

I already have VLC installed

[Guest]

No malicious stuff found running MBAM in safe mode. that link that i gave you http://forums.malwarebytes.org/index.php?showtopic=97240 it's 3 years ago? Probably it was being detected back then. Back then I didn't have RealPlayer installed? Probably it came back again.

[Guest]

Uhh.... I got some new developments regarding RealCleaner. One of the staff from MBAM forum wrote this to me:

 

I was able to retrieve the file you uploaded to virustotal from the link in the avast forum. This is a false positive detection on Superantispywares part. Notice on virustotal they are the only one to detect it out of 40+ av companies? This is a legit component of realplayer. If you right click the file and hit properties it has a valid signature signed by realnetworks.

There is a realcleaner rogue but its not in this location ever.

This is where the realcleaner rogue is located:

C:\Program Files\realcleaner\realcleaner.exe

This is where the legit realcleaner is located:

C:\Program Files(x86)\Real\RealPlayer\RealCleaner.EXE.

Sigcheck

publisher................: RealNetworks, Inc.
product..................: RealCleaner
internal name............: RealCleaner
copyright................: Copyright © RealNetworks, Inc. 1995-2012
original name............: RealCleaner.exe
signing date.............: 9:03 PM 3/6/2013
signers..................: RealNetworks, Inc.; Thawte Code Signing CA - G2; thawte Primary Root CA
file version.............: 16.0.1.18
description..............: RealCleaner

 

Can the SuperAntiSpyware team verify this please?

[GuiltySpark]

Hi staticguy,

Thanks for reporting back.

In order for the SAS malware team to update the next batch of definitions, when SAS picks it up again can you use the built in FP reporter, the file will then be sent to the team for further analysis and update.

Thanks

[Guest]

How and where can i use the FP reporter. I am new at this . I am using the Free version of SuperAntiSpyware.

[GuiltySpark]

https://forums.superantispyware.com/index.php?/topic/6825-how-to-submit-false-positives/

[Guest]

the button "report false positive" is greyed out

[GuiltySpark]

Did you highlight the detection first ?

[Guest]

oh lol my bad. forgot to highlight it. Thanks.

[GuiltySpark]

No worries

The malware team should have things sorted in the next update or two

Thanks again for reporting your findings.

[Guest]

Done. Just now I reported it. It will take some time. Thanks for all of your help and assistance

 

And your welcome for reporting this

[geoff]

Hi,

This should be fixed as of SUPERAntiSpyware Core 10132 or greater.  Can you let us know if it's not resolved for you?

 

Thanks,

 

Geoff

[Guest]

Yeap it has been resolved.