RealCleaner - RealPlayer

Hi,

Yesterday I updated my RealPlayer and I did a full system scan with Avast! 8 Free Edition and Malwarebytes Antimalware Free Edition; it didn't show any detection. I then did a full system scan with SuperAntiSpyware Free Edition and it detected this file called RealCleaner, and the detection name is Trojan.Agent/Gen-FraudScan[Prod]. The location of this file is C:\Program Files(x86)\Real\RealPlayer\RealCleaner.EXE.

Is this a legit detection or a false warning? I did some research yesterday but couldn't come up with any concrete evidence of whether this is true or false. Please advise. However, I couldn't post a screenshot of this because the file is a bit big. That file is now deleted and in quarantine. The SuperAntiSpyware log file said this: Trojan.Agent/Gen-FraudScan[Prod]

Has anyone here experienced this?

Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
You may post a link to the scan result here…

The best place to get answers to questions regarding SAS detections would be the SAS forum http://forums.superantispyware.com/

https://www.virustotal.com/en/file/87df506864cb2cd5102d90275f96947c61ef4eb79f093c50a9e4418f70f53a28/analysis/1363210831/

Posted my message on the SuperAntiSpyware forum and MalwareBytes’ AntiMalware Forum.

Seems like a false positive detection…
And what does SAS [prod] mean?

Hi Pondus,

Just got confirmation from SuperAntiSpyware forum that this is not a false detection and it’s a fake antimalware! Can you please pass this information to the moderators and to the Avast Team to inform them and update avast! 8 detection capabilities. Thanks. I will report this to virus at avast dot com.

Continuing from my above message. I have reported this to virus at avast dot com.

Since MBAM didn't detect this threat, I found this on the MBAM forum: http://forums.malwarebytes.org/index.php?showtopic=97240

I didn't even double-click the RealCleaner icon in the RealPlayer folder. I just did a full system scan from SuperAntiSpyware and it detected that. I also didn't get any pop-up dialog box or notification from RealCleaner.

That is what you do if you upload the file to the avast lab.

Did you get my mail? I sent it from my Yahoo account.

One of the staff from malwarebytes antimalware forum wrote this:

I was able to retrieve the file you uploaded to VirusTotal from the link in the avast forum. This is a false positive detection on SuperAntiSpyware's part. Notice on VirusTotal they are the only one to detect it out of 40+ AV companies? This is a legit component of RealPlayer. If you right-click the file and hit Properties, it has a valid signature signed by RealNetworks.

There is a RealCleaner rogue, but it's not in this location ever.

This is where the realcleaner rogue is located:

C:\Program Files\realcleaner\realcleaner.exe

This is where the legit realcleaner is located:

C:\Program Files(x86)\Real\RealPlayer\RealCleaner.EXE.

Sigcheck

publisher…: RealNetworks, Inc.
product…: RealCleaner
internal name…: RealCleaner
copyright…: Copyright © RealNetworks, Inc. 1995-2012
original name…: RealCleaner.exe
signing date…: 9:03 PM 3/6/2013
signers…: RealNetworks, Inc.; Thawte Code Signing CA - G2; thawte Primary Root CA
file version…: 16.0.1.18
description…: RealCleaner

I have also sent another mail to virus at avast dot com about this, discarding my 1st mail. I have also sent you a mail; discard it if you want, at your discretion.

Thanks Pondus, just now I reported it as a false positive via the SuperAntiSpyware program. It will take some time, the next update or two, for the SuperAntiSpyware definition files. Great to see you in the MBAM forum and thanks for posting the file ;D
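
Added example, not part of the thread and not any vendor's tool: a PowerShell version of the checks the Malwarebytes reply describes (file hash for a VirusTotal lookup, Authenticode status, signer chain), using the built-in Get-FileHash and Get-AuthenticodeSignature cmdlets. The function name Get-SignatureTriage and its parameters are assumptions made for this example.

```powershell
# Added example: function and parameter names are assumptions for illustration.
function Get-SignatureTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # SHA-256 identifies the exact file, e.g. to look up an existing VirusTotal report.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()

    # Status is 'Valid' only when the file is unmodified since signing and
    # the certificate chain is trusted on this machine.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $null
    $signers   = @()
    if ($cert) {
        $publisher = $cert.GetNameInfo($simple, $false)
        # Walk the chain from signer to root, like the "signers" line in Sigcheck output.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($cert)
        $signers = @($chain.ChainElements | ForEach-Object {
            $_.Certificate.GetNameInfo($simple, $false)
        })
    }

    # Unsigned, tampered, or signed by a different publisher all fail this check.
    $signedByExpected = ($sig.Status -eq 'Valid') -and ($publisher -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path             = (Resolve-Path -LiteralPath $Path).Path
        Sha256           = $sha256
        SignatureStatus  = $sig.Status
        Publisher        = $publisher
        Signers          = $signers -join '; '
        SignedByExpected = $signedByExpected
    }
}

# Usage: file under the 32-bit Program Files directory, publisher as in the Sigcheck output.
$target = Join-Path ${env:ProgramFiles(x86)} 'Real\RealPlayer\RealCleaner.EXE'
Get-SignatureTriage -Path $target -ExpectedPublisher 'RealNetworks, Inc.' | Format-List
```

A 'Valid' status alone only shows that some trusted certificate signed the file, which is why the function compares the publisher name as well.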