KMPlayer and Temp33.exe (+other junk)

Firewrath
Posts: 321
Joined: Mon Aug 28, 2006 2:36 pm

KMPlayer and Temp33.exe (+other junk)

#1 Post by Firewrath »

So I loved KMP as a video player, but when I needed to watch .flv files, I ditched it for VLC.
When I saw the update on the front page, I downloaded it (from the Download link here at TPFC) and installed it as portable.
Originally I was going to do a post this weekend about how it has a startup web interface of some kind now, built-in web search, and logs data/playlist and uploads it when you start the program to 'log.kmplayer.com'
Firewall wrote: The application: C:\Documents and Settings\Owner\My Documents\Downloads\KMPlayer_3.6.0.87_h.exe try to launch another application: C:\Documents and Settings\Owner\Desktop\Stuff\kmp\KMPlayer.exe to go to remote host log.kmplayer.com

Well it turns out it also installed, basically a virus called 'temp33.exe'.
I know it was KMPlayer because my firewall picked it up during the install
Firewall wrote: 7/31/2013 3:47:15 AM Blocked 10 Outgoing TCP 188.233.30.230 C:\WINDOWS\Temp\temp33.exe 7/31/2013 3:46:11 AM 7/31/2013 3:46:11 AM
Which also comes with 'npf.sys':
Firewall wrote: 7/31/2013 3:47:09 AM Blocked 10 Incoming UDP C:\WINDOWS\system32\drivers\NPF.sys 1 7/31/2013 3:46:08 AM 7/31/2013 3:46:08 AM
Now I was going to say the first bit was enough to either have it removed or reverted to a previous version, but if it actually installs this junk and the link or their download wasn't hacked/hijacked, then I think it should be removed completely.

So now I'm off to try to remove this crap. >.<
But just thought I should let you guys know first.
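
Firewall entries like the two quoted in the post above can be triaged mechanically. This is an added example, not part of the original thread: it parses that log format and flags outbound traffic from executables in a Temp directory and traffic attributed to a kernel driver. The column meanings, the `Allowed` action value and the third sample line are assumptions made for the example.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Column layout is an ASSUMPTION inferred from the flattened lines quoted in
# the thread: time, action, count, direction, protocol, [remote IP], path.
# "Allowed" is an assumed second action value; only "Blocked" appears there.
LINE_RE = re.compile(
    r"(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>Blocked|Allowed)\s+(?P<count>\d+)\s+"
    r"(?P<direction>Outgoing|Incoming)\s+(?P<proto>TCP|UDP)\s+"
    r"(?:(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+)?"
    r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|sys|dll))\b",
    re.IGNORECASE,
)

def parse(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def triage(lines):
    """Return (image name, remote IP, reasons) for lines worth a closer look.

    A hit is a lead for investigation, not a verdict: installers legitimately
    unpack helpers into Temp, but those helpers rarely need network access.
    """
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = ntpath.normcase(rec["path"])  # lower-case, backslashes
        reasons = []
        if "\\temp\\" in path and rec["direction"].lower() == "outgoing":
            reasons.append("outbound connection from an executable in Temp")
        if path.endswith(".sys"):
            reasons.append("network traffic attributed to a kernel driver")
        if reasons:
            findings.append((ntpath.basename(path), rec["remote"], reasons))
    return findings

SAMPLE = [  # first two lines are from the thread, the third is constructed
    r"7/31/2013 3:47:15 AM Blocked 10 Outgoing TCP 188.233.30.230 C:\WINDOWS\Temp\temp33.exe 7/31/2013 3:46:11 AM 7/31/2013 3:46:11 AM",
    r"7/31/2013 3:47:09 AM Blocked 10 Incoming UDP C:\WINDOWS\system32\drivers\NPF.sys 1 7/31/2013 3:46:08 AM 7/31/2013 3:46:08 AM",
    r"7/31/2013 3:50:02 AM Allowed 3 Outgoing TCP 192.0.2.10 C:\Program Files\Player\player.exe 7/31/2013 3:50:00 AM 7/31/2013 3:50:00 AM",
]

if __name__ == "__main__":
    for name, remote, reasons in triage(SAMPLE):
        print(name, remote or "-", "; ".join(reasons))
```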

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: KMPlayer and Temp33.exe (+other junk)

#2 Post by SYSTEM »

Firewrath wrote:Well it turns out it also installed, basically a virus called 'temp33.exe'.
I know it was KMPlayer because my firewall picked it up during the install
Firewall wrote: 7/31/2013 3:47:15 AM Blocked 10 Outgoing TCP 188.233.30.230 C:\WINDOWS\Temp\temp33.exe 7/31/2013 3:46:11 AM 7/31/2013 3:46:11 AM
Merely creating executable files in %TEMP% is not malicious behavior (many installers do so). If you still have the file, could you send it to VirusTotal?
Firewrath wrote: Which also comes with 'npf.sys':
Firewall wrote: 7/31/2013 3:47:09 AM Blocked 10 Incoming UDP C:\WINDOWS\system32\drivers\NPF.sys 1 7/31/2013 3:46:08 AM 7/31/2013 3:46:08 AM
A video player should not need custom drivers to function. NPF.sys may well be malware.
My YouTube channel | Release date of my 13th playlist: August 24, 2020

Napiophelios
Posts: 610
Joined: Sun Mar 01, 2009 5:48 pm

Re: KMPlayer and Temp33.exe (+other junk)

#3 Post by Napiophelios »

NPF.sys is part of WinPcap for capturing web video
maybe KMPlayer can download web videos?

Jotti's Malwarescan Results

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: KMPlayer and Temp33.exe (+other junk)

#4 Post by SYSTEM »

Napiophelios wrote: NPF.sys is part of WinPcap for capturing web video
maybe KMPlayer can download web videos?

Jotti's Malwarescan Results
Maybe. I'm not interested to test it.

Anyway, this shows that The KMPlayer is not malicious. The worst thing it does is send data to log.kmplayer.com. Not bad enough to warrant fully removing The KMPlayer from the DB.

Firewrath
Posts: 321
Joined: Mon Aug 28, 2006 2:36 pm

Re: KMPlayer and Temp33.exe (+other junk)

#5 Post by Firewrath »

SYSTEM wrote:
Firewrath wrote:Well it turns out it also installed, basically a virus called 'temp33.exe'.
I know it was KMPlayer because my firewall picked it up during the install
Firewall wrote: 7/31/2013 3:47:15 AM Blocked 10 Outgoing TCP 188.233.30.230 C:\WINDOWS\Temp\temp33.exe 7/31/2013 3:46:11 AM 7/31/2013 3:46:11 AM
Merely creating executable files in %TEMP% is not malicious behavior (many installers do so). If you still have the file, could you send it to VirusTotal?
Ok, I was in a hurry so it's my fault for not explaining well enough. I installed this before I went to bed, and I blocked temp33.exe from connecting to the internet when I installed KMP because of all the "?????" in the name. I figured it was something install related so basically ignored it other than blocking it, because I figured that a self-contained installer didn't need to connect to the internet.
When I turned my PC on again, it ran with startup and NPF.sys was pinging around my network.
SYSTEM wrote: Merely creating executable files in %TEMP% is not malicious behavior (many installers do so). If you still have the file, could you send it to VirusTotal?
Yes, I know that, but setting it to run at startup is.
Though like I said, I didn't fully explain.
I sent temp33.exe to VT and it came back with a 6/40. I didn't save the link though and I deleted the file as soon as I could.
Napiophelios wrote: NPF.sys is part of WinPcap for capturing web video
maybe KMPlayer can download web videos?
It also turned out that NPF.sys is Not related to KMP and came with temp33.exe
temp33.exe Info: http://greatis.com/blog/backdoor/temp33-exe.htm

What happens is that when you run the KMP installer, it connects to the internet, downloads files and runs another included installer called 'PIPInstaller_PTV_.exe'
Firewall wrote: Settings\Owner\Desktop\MyStuff\Downloads\KMPlayer_3.6.0.87_h.exe try to launch another application: C:\Documents and Settings\Owner\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\PIPInstaller_PTV_.exe to go to remote host pipoffers.apnpartners.com
So it was either when KMP or PIPInstaller_PTV_.exe connected to the internet that I got the temp33.exe
I don't know from which.

SYSTEM wrote: Anyway, this shows that The KMPlayer is not malicious. The worst thing it does is send data to log.kmplayer.com. Not bad enough to warrant fully removing The KMPlayer from the DB.
I don't know if it's malicious or not, though imo logging every file I play and sending it back to kmpmedia is bad enough.
My first choice is to revert it to an old version. That's what I did, I always backup my programs before updating, so I just deleted it and unzipped my backup.

But given the extra installer (one of which can apparently download malware) and logging your personal data, I think its listing needs a hard second look.

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: KMPlayer and Temp33.exe (+other junk)

#6 Post by SYSTEM »

I tested the installer of The KMPlayer and can't confirm your findings.

PIPInstaller_PTV_.exe installs the KMP Grid Network. Installing it is not mandatory, but it has been put sneakily to the end of the component list (can't be seen without scrolling) and is installed in all preset configurations (even the most minimal one).
Pandora TV tries hard to get us to install the KMP Grid Network...
I kept that checkbox selected. Next, the installer offers you a rebranded Ask toolbar:
..and the KMP Toolbar...
You need to click "Cancel" here (I did). *

It also looks like the Comodo Dragon web browser is much worse than it once was ("Optimized for Ask®"?!)
...and Comodo Dragon.
I didn't allow the installer to install Dragon.

I do not have either Temp33.exe or NPF.sys, even though I allowed the installer to install the KMP Grid Network.

The installer did extract and run PIPInstaller_PTV_.exe. (Most likely it wouldn't have if I had disallowed installing the KMP Grid Network.)

I got exactly one auto-starting file: the Pandora Service. HiJackThis log entry:


O23 - Service: PandoraService (PanService) - Pandora.TV - C:\Program Files (x86)\PANDORA.TV\PanService\KMPService.exe
VirusTotal analysis (0/46): https://www.virustotal.com/en/file/422b ... /analysis/

In conclusion: you did not get Temp33.exe and NPF.sys from the installer of The KMPlayer.

----

* I hate that way to trick computer users to install crapware.

The fact that Pandora TV attempts to earn money this way is bad. The fact that it violates the GPL and the LGPL is very bad. But these things combined (taking work of open source programmers and then using it to trick users into installing crapware) is just... just... immoral. :x

lautrepay
Posts: 715
Joined: Sat Mar 26, 2011 2:31 am

Re: KMPlayer and Temp33.exe (+other junk)

#7 Post by lautrepay »

Why the need to install when the installer can be extracted (with 7-zip, PeaZip or Uniextract)?

Firewrath
Posts: 321
Joined: Mon Aug 28, 2006 2:36 pm

Re: KMPlayer and Temp33.exe (+other junk)

#8 Post by Firewrath »

SYSTEM wrote: In conclusion: you did not get Temp33.exe and NPF.sys from the installer of The KMPlayer.
Well I don't think Peerblock, Networx, Miranda, or my firewall just suddenly decided I didn't have enough spyware on my PC and installed it for me. >.>
(IE: the only programs I had actively running at the time.)

I was installing KMP, I let it connect to the internet, it downloaded some stuff and next thing I know temp33.exe was trying to connect to the internet also.
Seems a rather large coincidence then...

Also here is what I had selected:
KMPlayer Installer wrote: Executable File (required)
KMPlayer Extender File
KMPlayer Internal Codec
KMPlayer External Codec
KMPlayer Skins
Now I've checked to make sure, and PIPInstaller_PTV_.exe Still Runs and tries to connect to the internet even when the grid service isn't selected.

But, you're partly right, I don't think it's the KMP installer, I think it's PIPInstaller_PTV_.exe that did it.
VT checks domains it seems and 'pipoffers.apnpartners.com' has various worms/trojans/etc:
https://www.virustotal.com/en/domain/pi ... formation/

SYSTEM wrote: I hate that way to trick computer users to install crapware.

The fact that Pandora TV attempts to earn money this way is bad. The fact that it violates the GPL and the LGPL is very bad. But these things combined (taking work of open source programmers and then using it to trick users into installing crapware) is just... just... immoral. :x
OMG! something we can agree on! ;)
Seriously, though, Yes. I completely agree.
I know there's always been issues with KMP but I liked its minimalistic look and that I didn't have to mess with all the codec crap from 30 different places to watch a video. -_-
This just ticks me off in general. >.<
But I agree, this whole thing just crosses a huge line now.
Especially the fact it tracks you. >.<

lautrepay wrote:Why the need to install when the installer can be extracted (with 7-zip, PeaZip or Uniextract)?
Because:
TPFC KMP Entry wrote: How to extract:
Download the self-extracting EXE and extract to a folder of your choice.
/etc
^-- http://www.portablefreeware.com/index.php?id=835

So since it was updated I figured that still worked and was harmless.
There's a bunch of files if you open it with 7zip and I've no idea what's Actually needed or not.

lautrepay
Posts: 715
Joined: Sat Mar 26, 2011 2:31 am

Re: KMPlayer and Temp33.exe (+other junk)

#9 Post by lautrepay »

Firewrath wrote: Because:
TPFC KMP Entry wrote: How to extract:
Download the self-extracting EXE and extract to a folder of your choice.
/etc
^-- http://www.portablefreeware.com/index.php?id=835

So since it was updated I figured that still worked and was harmless.
There's a bunch of files if you open it with 7zip and I've no idea what's Actually needed or not.
Instructions updated.

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: KMPlayer and Temp33.exe (+other junk)

#10 Post by SYSTEM »

Firewrath wrote:
SYSTEM wrote: In conclusion: you did not get Temp33.exe and NPF.sys from the installer of The KMPlayer.
Well I don't think Peerblock, Networx, Miranda, or my firewall just suddenly decided I didn't have enough spyware on my PC and installed it for me. >.>
(IE: the only programs I had actively running at the time.)

I was installing KMP, I let it connect to the internet, it downloaded some stuff and next thing I know temp33.exe was trying to connect to the internet also.
Seems a rather large coincidence then...
Because I couldn't confirm your findings, I have to assume it was a coincidence.
Firewrath wrote: But, you're partly right, I don't think it's the KMP installer, I think it's PIPInstaller_PTV_.exe that did it.
VT checks domains it seems and 'pipoffers.apnpartners.com' has various worms/trojans/etc:
https://www.virustotal.com/en/domain/pi ... formation/
All detected files in that page are in the "Latest detected files that communicate with this domain" section. According to that page VirusTotal has not downloaded anything malicious from pipoffers.apnpartners.com. (Some semi-malicious programs download stuff from there, though.)
lautrepay wrote: Instructions updated.
Thanks. :)

Cattleya
Posts: 16
Joined: Sat Jul 06, 2013 4:39 am

Re: KMPlayer and Temp33.exe (+other junk)

#11 Post by Cattleya »

But with more ads inside the installer, I think you should use the portable zip/rar version instead or use VLC Player; I see VLC is much better than almost any video player.

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: KMPlayer and Temp33.exe (+other junk)

#12 Post by SYSTEM »

Cattleya wrote: But with more ads inside the installer, I think you should use the portable zip/rar version instead or use VLC Player; I see VLC is much better than almost any video player.
I agree.

The fact that Pandora TV does immoral things is alone a big enough reason to use another player. Some alternatives: http://www.portablefreeware.com/index.php?sc=210&so=p.

billon
Posts: 843
Joined: Sat Jun 23, 2012 4:28 pm

Re: KMPlayer and Temp33.exe (+other junk)

#13 Post by billon »

Maybe that's the reason for all the troubles?
3.6.0.87 fix

Dear KMP users,

First of all, we would like to thank you for your continuous support.

Unfortunately, we have been affected by modulated virus intermittently through external hackers from last July 26th to August 8th.

This violation is clearly considered to be a serious crime and we have passed this case to the national investigative agency for investigation and referral situation.

For our KMP users who downloaded KMPlayer from July 26TH to August 8TH please be advised that your PC could have been affected by this virus, we strongly suggest you to check your PC immediately with the latest antivirus software. (i.e Ahn Lab V.3, AntiVir, and Microsoft Security)

Now, we have strictly secured KMPlayer, you may feel free to download and install from us.

We sincerely apologize for your inconvenience and once again, we thank you for using KMP.

Sincerely yours,
KMP Media

webfork
Posts: 10821
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: KMPlayer and Temp33.exe (+other junk)

#14 Post by webfork »

For our KMP users who downloaded KMPlayer from July 26TH to August 8TH please be advised that your PC could have been affected by this virus, we strongly suggest you to check your PC immediately with the latest antivirus software. (i.e Ahn Lab V.3, AntiVir, and Microsoft Security)
I understand that these are criminals and criminals generally do bad things, but they don't generally piss in their own backyard. Free, cool stuff that makes everyone's lives better is usually something they avoid polluting.

Anyway, I'm not a KMPlayer user, but I can see this setting a bad precedent and that sucks.

SYSTEM
Posts: 2043
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: KMPlayer and Temp33.exe (+other junk)

#15 Post by SYSTEM »

webfork wrote:
For our KMP users who downloaded KMPlayer from July 26TH to August 8TH please be advised that your PC could have been affected by this virus, we strongly suggest you to check your PC immediately with the latest antivirus software. (i.e Ahn Lab V.3, AntiVir, and Microsoft Security)
I understand that these are criminals and criminals generally do bad things, but they don't generally piss in their own backyard. Free, cool stuff that makes everyone's lives better is usually something they avoid polluting.
These are real criminals who are content with distributing malware. I'm sure they don't think about ethics at all.
