CamStudio uninstaller

[konikula]

Hi all

 

I found "2M Tetris" fraud in uninstaller of current camstudio software

sourceforge.net/projects/camstudio/

I compared it to uninstaller of MicroDVD player, and it's kind of different. I had to replace this uninstaller with MDP uninstaller, which is currently able to uninstall anything with uninstall.ini file (blah blah). But. But I am curious if it is infected or not. Thanks for any update on this.

 

BTW it could be good to provide some automated way to replace unwise applications in "heal" detection post process. But there's lot of custom uninstallers, where such automation should be really aware of bad steps.

 

Cheers, Matt

[konikula]

appendix

 

sourceforge.net/tracker/?func=detail&aid=2936010&group_id=131922&atid=722679

[konikula]

appendix 2

 

Great software, :wink:

[samr]

Hi konikula,

Please locate the file that IS 360 found & upload it to Virus Total to check it. Please post the results here. If it passes, place it in your ignore list until the fase positive is updated.

 

http://www.virustotal.com/

 

samr.

[konikula]

Thanks

 

Hi samr,

 

I am sending you everything I consider necessary:

 

Results from VT

Permalink

 

---

Reported file:

CamStudio.zip

CRC: CRC.zip

 

Some documents:

mayBeUseful.zip

 

Unwise binary (healthy for me):

MDVDP unwise.zip

CRC: MDVDP unwise crc.zip

---

 

Hope that helps

Best Regards, Matt

 

PS/BTW: thanks for VirusTotal link. It's kind of heaven for me to know about this link... Hellishly Useful for me!

[BleeBlap]

I'm one of the lead developers on the CamStudio project.

 

The files contained in the CamStudio.zip file above are NOT the uninstall files distributed with our application. I cannot verify that they are infected, but they are definitely suspicious.

 

The uninstall files that come with our application are:

 

unins000.exe (707,354 bytes)

unins000.dat (9,031 bytes)

 

Please be sure to download CamStudio from sourceforge to ensure you are getting the correct version.

[Melvin_Deal]

Thanks bleeblap!

 

A complete uninstall along with the removal of the program file is in order. Then a reinstall using the link bleeblap provided.

[konikula]

Movie and MD5 response

 

Hi BleeBlap

I think watching following movie is not necessary

 

 

youtube.com/watch?v=IM8wBT1pP0g

 

but maybe you'll find it easier to believe :)

Maybe there is also some virus on my site, which infect just your installer, but that seems as too strange explanation to me.

It's quite possible that somehow your last package got infected...

But it's really strange that you distribute totally different unwise binary than I recieved...

 

For extension I prepared

fingerprints of download files (current instances from movie :-)):

 

SHA1

00a3e65cf78337c77cb08828e945f7d8224efe68 *Camstudio-2.0-w32.zip

47f18cfbae451c51eab548d42712eb2b29402170 *Camstudio2-0.exe

 

MD5

bafe1933bd5b2b7904c36edb0c939c77 *Camstudio-2.0-w32.zip

1c374ea1d363ce916f2d835c50a9c105 *Camstudio2-0.exe

 

 

Btw I am not sure if it is really infected (VirusTotal result is not so unambiguous for me). What is really strange is that uninstall.exe and uninstall.ini is deployed on my site (while uninstall.ini is working well with uninstaller from MicroDVD player). Everything totally strange for me.

 

I hope you are wiser than me.

 

P.S: video can disappear if you wish... ;-)

[konikula]

Appendix

 

File "uninstall.ini" which is without any functional gap:

uninstall.zip

 

Best Regards

And have a luck solving this issue. I must end for today...

Matt

[BleeBlap]

Sorry about that, I forgot that the CamStudio installed on my computer is a beta version and not the current public release.

 

I received the same hashes as you did:

 

SHA1

00a3e65cf78337c77cb08828e945f7d8224efe68 *Camstudio-2.0-w32.zip

47f18cfbae451c51eab548d42712eb2b29402170 *Camstudio2-0.exe

 

MD5

bafe1933bd5b2b7904c36edb0c939c77 *Camstudio-2.0-w32.zip

1c374ea1d363ce916f2d835c50a9c105 *Camstudio2-0.exe

 

I ran the uninstaller in a sandbox it seemed safe to me (but I'm no security expert).

 

Also, the file on sourceforge has a modified date from '06.

 

I now think this is a false positive.