The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    What is Grim Soap?

    Discussion in 'Windows OS and Software' started by Joyscant1980, Oct 15, 2008.

  1. Joyscant1980

    Joyscant1980 Notebook Consultant

    There is an application that is found in a folder called heartbaseburn in Program Data; it is called grim soap. I would like to know if it should be there or not. I am using Vista Home Premium.

    I googled it and I was unable to find anything but then again, I really don't know what I should be looking for.
     
  2. stewie

    stewie What the deuce?

    I believe it's a trojan. I couldn't find anything with the name "heartbaseburn" or "grim soap" as a legit application; the closest thing I can find is "Bone Grim Soap", and it's a trojan. This page is not in English either; it's in French.

     
  3. stewie

    stewie What the deuce?

    By the way, can you go to the folder and check what the name of the .exe file is, if there is one?
     
  4. Joyscant1980

    Joyscant1980 Notebook Consultant

    The name of it is grim soap.
     
  5. Shyster1

    Shyster1 Notebook Nobel Laureate

    It may still be the same trojan stewie found, as the file names tend to be rather variable.

    For example, here are a couple of web pages from people reporting infections that list a similar item in their HijackThis logs (specifically, the registry key contains the line "[FREE VIEW GRIM SOAP]"):
    1) http://209.85.165.104/search?q=cach...uded.html+grim-soap&hl=en&ct=clnk&cd=37&gl=us

    2) http://forums.spybot.info/archive/index.php/t-24357.html

    3) http://forums.whatthetech.com/iesearch_home_page_redirect_key_logger_computer_slo_t88970.html

    4) http://209.85.165.104/search?q=cach...irus.html+grim-soap&hl=en&ct=clnk&cd=71&gl=us

    5) http://209.85.165.104/search?q=cach...Meal+Memo+Free+View"&hl=en&ct=clnk&cd=7&gl=us

    This webpage indicates that this registry key is also related to an unknown exe named site_bait.exe.

    There's also a webpage on a German anti-trojans forum with a HijackThis log that lists the same exe you have - grimsoap.exe - here (the link is to the Google translation of the page): http://translate.google.com/transla...ap&start=50&num=50&hl=en&safe=off&sa=N&pwst=1

    Other than that, there doesn't seem to be anything else on Google that matches grimsoap. Perhaps running a HijackThis log would pull up some more info.
     
  6. stewie

    stewie What the deuce?

    Shyster1 is right about the name having different variations, such as Blue Soap.exe, Meet Soap.exe, Dash Soap.exe, etc., and all of them are trojans or viruses. I think you should delete "Grim Soap" and its folder.

    1. Boot into Safe Mode by pressing F8 before Windows loads.

    2. Delete the heartbaseburn folder and its contents.

    3. Start -> Run -> regedit

    On the top menu, click on Edit -> Find

    Enter the word heartbaseburn and click on "Find Next".

    Delete every entry it finds. When you delete one, press F3 and it will try to find the next one, until it cannot find any more entries with heartbaseburn.

    Now, repeat this for the words "grim soap". In regedit, scroll back to the top and click on "Computer" once to make sure you're at the top, then proceed with the search.

    4. Clear your IE cache and cookies.
     
  7. nizzy1115

    nizzy1115 Notebook Prophet

    Where can I download grim soap? I think I want this application on my computer.
     
  8. psygn

    psygn Notebook Evangelist

    I need some of this grim soap, too.
     
  9. Shyster1

    Shyster1 Notebook Nobel Laureate

    Ah-hah! I think I've found what it might be. You appear to have a version of a piece of adware on your system that generates random names for its executable.

    The generic name for it seems to be Lop.com spyware. Both SuperAdBlocker.com and FileResearchCenter.com have entries for lop.com processes, and list a large number of identified random names the exe's go under.

    The SuperAdBlocker page is particularly instructive, because if you scroll down (actually, just do a search for "grim"), you'll find that there are 19 identified random names that begin with the letters g-r-i-m; e.g., there are names such as GRIM AUDIO.EXE, GRIM CAKE.EXE, and GRIM EGGS.EXE. Since the lop.com process generates random names for its executable, it looks like you've gotten a recently generated variant that expands the number of different grim*.exe variants discovered.

    Some further information on lop.com spyware can be found on the following webpages (some of which might be out of date, and none of which I can vouch for - sorry):

    http://www.free-web-browsers.com/remove-lop.shtml

    http://www.spywareinfo.com/articles/lop/

    http://www.spywaredata.com/spyware/threat_list/LOP.COM/result.php

    http://www.ca.com/securityadvisor/pest/pest.aspx?id=59266

    And, of course, there's even a short Wikipedia article on lop.com.
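
The HijackThis check suggested earlier in the thread and the random-name behaviour described in the post above, as an added example that is not part of any post: it parses the registry autorun (O4) lines of a HijackThis log and flags entries matching the names quoted in this thread. The sample log is constructed, and the ProgramData location check is an assumed heuristic for catching variants whose names have changed.

```python
import re

# Constructed HijackThis excerpt for illustration; names are those quoted in the
# thread, and "otherfolder" is made up.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FREE VIEW GRIM SOAP] C:\ProgramData\heartbaseburn\Grim Soap.exe
O4 - HKCU\..\Run: [Updater] "C:\ProgramData\heartbaseburn\grimsoap.exe" /min
O4 - HKCU\..\Run: [Blue Soap] C:\ProgramData\otherfolder\Blue Soap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
"""

# Registry autorun form of an O4 line: O4 - <key>: [<value name>] <command>
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
THREAD_TERMS = ("grim soap", "heartbaseburn", "site_bait")


def squash(text):
    """Lower-case and keep only letters and digits, so 'Grim Soap.exe' and
    'grimsoap.exe' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def parse_autoruns(log_text):
    """Yield (key, value_name, command) for each registry autorun line."""
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            yield m.group("key"), m.group("name"), m.group("cmd")


def flag_autoruns(log_text, terms=THREAD_TERMS):
    """Return autoruns worth a manual look, with the reason for each."""
    flagged = []
    for key, name, cmd in parse_autoruns(log_text):
        haystack = squash(name) + "|" + squash(cmd)
        reasons = [f"name:{t}" for t in terms if squash(t) in haystack]
        # Assumed heuristic: the file name is random, the launch location is not.
        if re.search(r"\\programdata\\", cmd, re.IGNORECASE):
            reasons.append("path:ProgramData")
        if reasons:
            flagged.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_autoruns(SAMPLE_LOG):
        print(hit["key"], hit["name"], hit["reasons"])
```

A path-only hit, such as the constructed "Blue Soap" entry, is a prompt to check the file by hand, since legitimate software can also start from ProgramData.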
     
  10. stewie

    stewie What the deuce?

    Great find, Shyster1!
     
  11. Shyster1

    Shyster1 Notebook Nobel Laureate

    According to the Wikipedia article on C2 Lop, you can download the malware from at least two places (it's bundled with the app you download):
    So, there you go.