Simviation Forums

[Formula_1]

Hi all

I think this might just be a false positive, but wanted to know if anyone else has seen such.
In Malwarebytes these were found. They all came from the main sites Missions section for FSX, I believe.

[garymbuska]

Hi all

I think this might just be a false positive, but wanted to know if anyone else has seen such.
In Malwarebytes these were found. They all came from the main sites Missions section for FSX, I believe.

Where did you download these files from?
I have had Malware bytes for some time and so far have not seen a false positive yet. But by no means does that mean these are not.
Just to be on the safe side i would go ahead and quarantine them and check it out.
I goggled Adware,Rabio and found out this is more than likely something that you do not want on your system.
If I were you I would contact the site that you downloaded these files from and let them know what you found they might not be aware of this.

[Bass]

Nasties like these you can find in many dl's from various places!
Today idiots are able to hide their junk carefully inside any compressed file

Before Xmas i dl'ed REX4 texture direct from FSPilotShop. After install i ran Malwarebytes and found 7 PUP's!!!
REX has been notified.

[Formula_1]

I got them all on the main site > FSX > Missions.
I also just noticed that these four missions were all uploaded by Ronald Dandurand.

[garymbuska]

I got them all on the main site > FSX > Missions.
I also just noticed that these four missions were all uploaded by Ronald Dandurand.

Now if that does not send a red flag up than nothing will. I should state that this person might not be aware of the adware but odds are it was intentional.
This is how some people get free advertisement.

[Formula_1]

I've got these missions installed and have had for a while. I haven't noticed anything strange happening with Windows, no pop-ups or anything like that. But, if it did install some sort of aware, maybe it was removed in an earlier scan. Normally I just do a Quick Scan with Malwarebytes, and that doesn't scan my partitions, which has my FSX install as well as a folder with all my downloaded FSX items saved on D:
I did a Full Scan the other day and that is when it found these, which are in the folder with the downloaded FSX add-on files, not the actual FSX folder where these missions are installed to.
When I look at the files installed in FSX Missions, I see nothing that looks out of place.
When I do a system search for Adware.rabio (with the tick bix checked to include system, hidden, etc., etc. files), it comes up with nothing found. So I want to think this is a false positive from Malwarebytes, but I'm really not sure.

Maybe someone that knows more about what to look for can download one of them and check it?
I hate to say Mr Dandurand is up to no good, when I am not sure there is anything wrong with the files he uploaded. They are self installers and at the end of one install there is a box that can be checked to Launch Program (I did not check the box for it to take this action, I just clicked Finish).
I just did a 'false' install into a folder on my desktop of the two CL-215 firebombing missions. I see nothing in there that looks suspicious. But again, if anyone that knows what to look for wants to check these out, please do.
But I really am starting to think they are safe and Malwarebytes just got it wrong.

[garymbuska]

I've got these missions installed and have had for a while. I haven't noticed anything strange happening with Windows, no pop-ups or anything like that. But, if it did install some sort of aware, maybe it was removed in an earlier scan. Normally I just do a Quick Scan with Malwarebytes, and that doesn't scan my partitions, which has my FSX install as well as a folder with all my downloaded FSX items saved on D:
I did a Full Scan the other day and that is when it found these, which are in the folder with the downloaded FSX add-on files, not the actual FSX folder where these missions are installed to.
When I look at the files installed in FSX Missions, I see nothing that looks out of place.
When I do a system search for Adware.rabio (with the tick bix checked to include system, hidden, etc., etc. files), it comes up with nothing found. So I want to think this is a false positive from Malwarebytes, but I'm really not sure.

Maybe someone that knows more about what to look for can download one of them and check it?
I hate to say Mr Dandurand is up to no good, when I am not sure there is anything wrong with the files he uploaded. They are self installers and at the end of one install there is a box that can be checked to Launch Program (I did not check the box for it to take this action, I just clicked Finish).
I just did a 'false' install into a folder on my desktop of the two CL-215 firebombing missions. I see nothing in there that looks suspicious. But again, if anyone that knows what to look for wants to check these out, please do.
But I really am starting to think they are safe and Malwarebytes just got it wrong.

As for myself I am always leery about any download that uses a self installer unless I know it is from a trusted site.
The reason behind this is because you do not have any control of what and where the files are going to install at
I would not install any file from a individual that I did not know anything about. It is kind of like playing Russian roulette with a gun that you do not know how many bullets are in it.
But this is your system and as I stated these files could be a false positive but you have to ask yourself is it worth the risk.
I would hate to be the one that tells you I told you so.

[Formula_1]

I understand your concern and I appriciate your warning. But I had installed these missions weeks ago. I just happened to run a FULL scan that looked at the drive where the original downloaded files were stored. Past scan were only QUICK Scans and only looked at bits of Windows. etc on C drive. I had these mission files stored on D drive. But at any rate, nothing has happened since I installed them a few weeks ago.

Maybe the sites admin would want to check them?
They are still in the FSX Mission section here at Simv's main site.

If it really is adware, I hope it is the cool kind and while flying one of the missions a sky writter appears and writes Eat at Joe's,,, lol.

[garymbuska]

I understand your concern and I appriciate your warning. But I had installed these missions weeks ago. I just happened to run a FULL scan that looked at the drive where the original downloaded files were stored. Past scan were only QUICK Scans and only looked at bits of Windows. etc on C drive. I had these mission files stored on D drive. But at any rate, nothing has happened since I installed them a few weeks ago.

Maybe the sites admin would want to check them?
They are still in the FSX Mission section here at Simv's main site.

If it really is adware, I hope it is the cool kind and while flying one of the missions a sky writter appears and writes Eat at Joe's,,, lol.

Now that would be cool

I did a little more digging and found this
March 21, 2008 3:29:27 PM
Type:
Adware
Infection Length:
406,800 bytes
Name:
RCSE
Version:
4.1.0.0
Publisher:
Rabio
Risk Impact:
Medium
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the program is executed, it creates the following folders:

C:\Documents and Settings\All Users\Application Data\Rabio\
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer\
%ProgramFiles%\RCSE\


It then creates the following files:

%UserProfile%\Start Menu\Programs\Startup\Rabio - Auto Update.lnk
%ProgramFiles%\RCSE\Execution.dll
%ProgramFiles%\RCSE\rcse.dll
%ProgramFiles%\RCSE\rcse.dll.intermediate.manifest
%ProgramFiles%\RCSE\se.exe
%ProgramFiles%\RCSE\se.original
%ProgramFiles%\RCSE\Setup.log
%ProgramFiles%\RCSE\un_RCSESetup_15856.exe
%ProgramFiles%\RCSE\un_RCSESetup_15856.txt
%ProgramFiles%\RCSE\X_se.exe
%ProgramFiles%\RCSE\X_se.log



It also creates the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKEY_CURRENT_USER\Software\RCSE
HKEY_CLASSES_ROOT\AppID\RCSE.DLL
HKEY_CLASSES_ROOT\AppID\{89CC26BC-9256-4CCA-A7F3-B9D6C48DBA71}
HKEY_CLASSES_ROOT\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKEY_CLASSES_ROOT\Interface\{923CA88A-AE69-49AF-BF65-9A3123B14CCB}
HKEY_CLASSES_ROOT\Rabio.RabioBHO.1
HKEY_CLASSES_ROOT\Rabio.RabioBHO
HKEY_CLASSES_ROOT\TypeLib\{8C36D71B-0A48-4D38-9DEF-2A2A2669D0C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rabio
HKEY_LOCAL_MACHINE\SOFTWARE\Rabio


It then creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\Rabio RCSE (4.4.0.0) = " "

The program attempts to connect to the following Web sites:

server.rabio.com
www.rabio.com



It registers itself as a Browser Helper Object for Internet Explorer.

The program attempts to redirect users to a Web site that displays advertisements.

This came from Symatic or NORTON

[logjam]

Thanks for the heads up. I didn't have "malwarebytes" just running a scan right now.

[OldAirmail]

Malwarebytes seems to catch far more stuff than any of the anti-virus programs, and I usually accept their judgment.

On the other hand, they'll tag some stuff that isn't an offender. So look into whatever it does find before you remove the Malwarebytes offender.



Back when I used to be paid to play with computers I found that Malwarebytes didn't like most of my network software tools.

After removing the tools, downloading new software tools, checking for viruses, and installing them, I found Malwarebytes complaining about them again and again.


Other than that, I really like Malwarebytes.

[logjam]

Well it found 17 'pup' files that I decided to remove. I just hope it wasn't something I needed. My AVG has picked up on "updatetask.exe" being a dangerous file so it has blocked it for a few weeks now. I researched it and it seems that there are various versions of this. Some are ok, others are dangerous. I trust AVG to decide.

[pete]

I have delisted the above mentioned files and will contact the author to see if he can fix them.

(I did install 2 of the files in my system without any problem but they did bring up the adware warning when scanned with malwarebytes. I suspect it wasn't much of a threat but better safe than sorry ..)

[Formula_1]

When the program is executed, it creates the following folders:

C:\Documents and Settings\All Users\Application Data\Rabio\
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer\
%ProgramFiles%\RCSE\


It then creates the following files:

%UserProfile%\Start Menu\Programs\Startup\Rabio - Auto Update.lnk
%ProgramFiles%\RCSE\Execution.dll
%ProgramFiles%\RCSE\rcse.dll
%ProgramFiles%\RCSE\rcse.dll.intermediate.manifest
%ProgramFiles%\RCSE\se.exe
%ProgramFiles%\RCSE\se.original
%ProgramFiles%\RCSE\Setup.log
%ProgramFiles%\RCSE\un_RCSESetup_15856.exe
%ProgramFiles%\RCSE\un_RCSESetup_15856.txt
%ProgramFiles%\RCSE\X_se.exe
%ProgramFiles%\RCSE\X_se.log



It also creates the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKEY_CURRENT_USER\Software\RCSE
HKEY_CLASSES_ROOT\AppID\RCSE.DLL
HKEY_CLASSES_ROOT\AppID\{89CC26BC-9256-4CCA-A7F3-B9D6C48DBA71}
HKEY_CLASSES_ROOT\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKEY_CLASSES_ROOT\Interface\{923CA88A-AE69-49AF-BF65-9A3123B14CCB}
HKEY_CLASSES_ROOT\Rabio.RabioBHO.1
HKEY_CLASSES_ROOT\Rabio.RabioBHO
HKEY_CLASSES_ROOT\TypeLib\{8C36D71B-0A48-4D38-9DEF-2A2A2669D0C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rabio
HKEY_LOCAL_MACHINE\SOFTWARE\Rabio


It then creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\Rabio RCSE (4.4.0.0) = " "

The program attempts to connect to the following Web sites:

server.rabio.com
http://www.rabio.com



It registers itself as a Browser Helper Object for Internet Explorer.

The program attempts to redirect users to a Web site that displays advertisements.

This came from Symatic or NORTON

Thanks for looking up this information. I can happily say I have none of that on my system. I checked the paths and the registry, it is clean of anything you posted above. And, since I ran the installers for 2 of the files a couple days ago (mentioned in my above post) with 'no objects found' in Malwarebytes when I scanned afterwards, I really do think that they are safe.

And to Pete, thanks for looking into it. Hopefully Mr. Dandurand will find what it causing the packaged files to set off alarms and fix it.

[Woodylepic]

Hello

I'm the author of this Files

Aeromarine39b
USS Langley
FSX Los Angeles CoFD CL-215_mission
FSX Marignane Sécurité Civile CL-215 mission

I have scanned the above missions and Models whit Malwarebites, Microsoft essential antivirus and do a scan of all of my registry for Adware and I have find nothing about Adware or virus on my computer or compressed files.

I have compressed this mission and Models whit Qsetup a program that compress and make the installation of the missions and models more friendly and more easier.

I just want to clarify
There is no adware, virus, or any kind of malware incorporate in to my Qsetup mission and models.

Hi have a very low speed connection and its will take me long time to restore all this files on Simviation.

So please be careful on what you post.

Thank you for your interet on my models and mission.

Ronald dandurand