Hello, all.


JGKnotts

New Member
Thread author
Oct 10, 2017
2
Hi, everyone. I'm so very glad to have found this forum. I've had two (possibly only apparent) brushes with malware in just the last two days. I grew up on the wrong side of the digital divide, so I'm a far cry from a techie, and don't know the first thing about these things. I hope I've come to the right place.

Both times, the trojans/malware/false positives came from downloading media players. Yesterday, Virustotal found a trojan and a malware file in VLC, which I uninstalled, ran an apparently hidden copy through AVG's shredder, and then ran scans with both AVG and Malwarebytes. But the latter found only 2 PUAs with "Amazon" in the name. My computer showed no signs of infection, no problems. I've still been careful, avoiding banking, etc. And I figured and hoped any bad stuff had been eliminated, even if I didn't understand how.

But then when I downloaded Potplayer today -- after vigorously researching to make sure it had no reports of such problems, which I found VLC did, though most people claimed they were fixed -- a Virustotal scan found a trojan in there, too. Win32.Trojan.Falsesign.Agbi

Then I got suspicious. Malwarebytes' scan again found nothing wrong. Haven't run AVG yet to avoid the drag on my system. But I read on another site that media players often bring up false positives.

Is this true? Is Potplayer really safe? I haven't uninstalled yet this time...nothing seems wrong. Is there a way to tell for sure? I need a media player, and this one seems fine from all reports...except one.

...Advice, please! What should I do?

Went rather off-topic for the intro, sorry. It's what brought me here, though. I posted about it in the Malware Removal forum. Sorry if it's in the wrong place/s, but I'm at a loss here. Any help would be profoundly appreciated!

Edit: Twice now, Potplayer has asked me to install updates since installing an hour ago, saying "a new version is available." I said yes because I'm exhausted at this point...is this incredibly stupid? Is it a sign of malware?

Well, at least it's playing just fine...and nothing weird is happening on my computer so far...
 

Bleak

Level 4
Verified
Well-known
Sep 5, 2017
149
Welcome to MT. First of all, always make sure you download these programs from their official sites.
Can you post the VirusTotal scan links of VLC and Potplayer?
Scan your system with both HitmanPro and Zemana AntiMalware, see if there are any results, and let us know. (Both offer a free trial; no need for a purchase.)
 

JGKnotts

New Member
Thread author
Oct 10, 2017
2
Thanks!

Here's the scan link (I think) from Virustotal for Potplayer. I didn't save the one from VLC.
Antivirus scan for a83d4df1d9a6f141b1002f77d5dbd69e06a54bd4dd372fb8476e80c3beb9796e at 2017-08-29 15:35:29 UTC - VirusTotal

File name: PotPlayerSetup64.exe
Says it was infected with Win32.Trojan.Falsesign.Agbi

I'm getting more suspicious of Potplayer because I've got it open, and I can see that the second downloaded "updated" has started again from scratch. (Its icon on the taskbar fills with a yellow color, like AVG's does to show its scan progress, or like Chrome's turns green to show the progress of a download. The yellow was at the halfway point, and now it's just a growing sliver of yellow again.)

I'll try those scans, too, and post the results as soon as I get them.
 

Bleak

Level 4
Verified
Well-known
Sep 5, 2017
149
Even though this VirusTotal link is 1 month old, it almost surely is just a false positive, also because if you look at the digital cert, it has expired for this old setup file, which is more likely why it generated that false positive with Tencent with the sig name 'Falsesign'.
And that update is just because you installed an old version of the application.
So imo, nothing suspicious about this, but to reassure yourself, do the scans as mentioned.

About the update hanging, try again with Potplayer running as admin?
 

JGKnotts

New Member
Thread author
Oct 10, 2017
2
Wow...thanks. I didn't even notice that the link was old. I just ran it two hours ago, so I just figured it was the date from when the trojan definition came in...or something like that. So you're saying Virustotal flagged it as matching something old that no longer applies, or doesn't apply to Potplayer?

Potplayer is running normally. I don't understand why an old version would've been offered on the Softonic site, but I guess that makes sense. HitmanPro is finding nothing but cookies on my computer so far, but yes, I'll run all 3 scans just to be safe.

About running Potplayer as admin -- how would I do that? This is my personal laptop, so there's no other user.
 

Bleak

Level 4
Verified
Well-known
Sep 5, 2017
149
It no longer applies; check here: Antivirus scan for e4ab0226c8c2eb431bd0cd1d1d9fac08175a48b7a87e8aceddcf54d09b94d247 at 2017-10-10 03:28:50 UTC - VirusTotal
This is a 1-day-old scan of the latest setup file from the Potplayer official site (Global Potplayer).

So, always avoid 3rd-party download sites as long as you can get that program from the developer's official site.

Some Windows software requires admin rights to be able to write/change files on your system. To give an application admin rights, right-click on the file (or desktop shortcut) and choose 'Run as admin'. Do that and see if this fixes the update issue.
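
The two checks raised in the replies above (the expired certificate behind the 'Falsesign' name, and the scan of the official-site installer) can be repeated locally in PowerShell. This is an added example, not part of the original posts: the download path is an assumption, and the hash is the one from the VirusTotal link quoted above.

```powershell
# Added example: confirm a downloaded installer is the file a VirusTotal report
# describes, then inspect its Authenticode signature and certificate dates.
param(
    # Assumption: where the installer was saved; adjust as needed.
    [string]$Path = "$env:USERPROFILE\Downloads\PotPlayerSetup64.exe",
    # SHA-256 taken from the VirusTotal link quoted in the thread
    # (the scan of the installer from the official site).
    [string]$ReportedSha256 = 'e4ab0226c8c2eb431bd0cd1d1d9fac08175a48b7a87e8aceddcf54d09b94d247'
)

function Test-Installer {
    param([string]$Path, [string]$ReportedSha256)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # A VirusTotal report is keyed by the file's SHA-256. If the local hash
    # differs, the report describes a different build of the installer.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Status is 'Valid' only if the signature verifies and chains to a trusted
    # root; 'NotSigned' and 'HashMismatch' are the results to worry about.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        Sha256          = $hash.ToLower()
        MatchesReport   = ($hash -ieq $ReportedSha256)
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = if ($cert) { $cert.Subject } else { $null }
        CertNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # An expired certificate on an old installer is not proof of tampering:
        # a signature timestamped while the certificate was still valid
        # normally keeps verifying after the certificate's end date.
        CertExpired     = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }
}

Test-Installer -Path $Path -ReportedSha256 $ReportedSha256 | Format-List
```

If `MatchesReport` is False, look up the `Sha256` value the script prints on VirusTotal instead of relying on a report for a different build.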
 

JGKnotts

New Member
Thread author
Oct 10, 2017
2
OK, good to know, I thought the Softonic site was the official one for some reason...I might try uninstalling and reinstalling from the right one, since the download still isn't finished for that last update.

Hitman Pro is only at 12% in the Classifying stage after 2 1/2 hours...hopefully that's just from too many things happening on the system at once and not some sign of malware interference, but it doesn't sound like it from everything else. I'll still run the other scans ASAP and post the results.

Just checked Global Potplayer, and remembered why I thought Softonic was the right one: GP isn't fully secure, and I had no idea which version to choose. Softonic was fully secure, and seemed more streamlined. Obviously I should've done more checking, but I've heard never to download anything from a site that isn't fully secure as "things can sneak in" the files.
 

JGKnotts

New Member
Thread author
Oct 10, 2017
2
OK, so Zemana found only a suspicious browser setting from IE, which it removed.
Emsisoft found 12 "no risk" adware-looking elements that it's not letting me quarantine or delete because they're "too deeply embedded" in my system...I'll have to go through malware removal steps for that...
HitmanPro is still going! 13 hours in, it's only at 65% in the classifying stage...hope that's the last one. Yet it's found nothing more than the 99 cookies it had last night.
 