Morto.fi detected?



Nnewb
2016-07-16, 09:21
So Kaspersky tells me to uninstall this because it's *apparently* incompatible with Spybot Search and Destroy, as it would seem it pretty much does what Spybot S&D already does and more. Well luckily I never uninstalled it (as I don't believe KIS 2016 can do everything that Spybot does - I don't see an immunization option (one of the reasons why I've kept Spybot) in KIS 2016) and just recently did a scan and it found a Morto worm that Kaspersky (so much for people touting "you should just only have an AV installed and that's it, nothing more and you should be safe"), Malwarebytes and SUPERAntiSpyware failed to find. In the attachment you will find a screenshot of Spybot finding and fixing up the Morto worm. So I've already scanned the system with Rkill and TDSSK so I should be clean right...?

tashi
2016-07-18, 22:38
Hello Nnewb,

Did another scan flag anything, how is the computer running? :)

Best regards.

Nnewb
2016-08-06, 04:25
Hello Nnewb,

Did another scan flag anything, how is the computer running? :)

Best regards.

Hi thanks for replying - hmm strange I didn't even get an email notification of it....and yes I subscribed with instant email notification....I thought you guys forgot all about me or had more pressing matters to deal with(or maybe the answer is so obvious that there's no point in replying). I was about to go and bump this post and or post in the malware removal forum(thinking maybe I posted in the wrong section...) and link it to this thread, but saw someone has already replied.:bigthumb:

Well I just rescanned with Spybot and it appears clean, would you like me to re-scan with the other programs too?

Also, I have a suspicion that this trainer may have been the cause of this (despite the website I got it from saying that everything there is 100% virus/malware free and that any detections are false positives if any programs do pick them up, and that he wouldn't upload them if something bad did happen whilst he was working with them)....well one of the reasons is why does the exe file delete itself randomly? Or after some set period of time? The rar files it came with didn't get deleted with it though so I still have a copy of them....

Check it out, it's in the attachment, I've zipped up for you. Inside it is a picture, two rar files and a txt file containing some detail info about it.
Hashes for the zipped file=> MD5: cfe4123e54ba56a1149d6f47215385c2, SHA256: 46031b1e168ce7a38cf491065f7b751cf65029aab672c9d992273703cb56321c

Hmmm strange, it won't let me upload the zipped file....you see the load icon animation and then it disappears....is there a size limit or maybe this...hidden malware/virus is preventing me from doing so? I tried to upload a couple of random smaller zip files and they came through. I tried splitting the archive to 256KB size but upon uploading the 256 part, it says sorry invalid file or something like that.. Nope, the file size limit is 2.86MB for zip format, the file itself is only 1.07MB....is your uploader screwed or is it me?

Besides that, the computer seems to be running as if nothing has happened....................

Oh well I've uploaded it on an external website:

tashi
2016-08-06, 17:30
Hello Nnewb,


Hi thanks for replying - hmm strange I didn't even get an email notification of it....and yes I subscribed with instant email notification....I thought you guys forgot all about me or had more pressing matters to deal with(or maybe the answer is so obvious that there's no point in replying). I was about to go and bump this post and or post in the malware removal forum(thinking maybe I posted in the wrong section...) and link it to this thread, but saw someone has already replied.:bigthumb:

Unfortunately there was an issue with notifications which has now been resolved. :)

Also, I have a suspicion that this trainer may have been the cause of this (despite the website I got it from saying that everything there is 100% virus/malware free and that any detections are false positives if any programs do pick them up, and that he wouldn't upload them if something bad did happen whilst he was working with them)....well one of the reasons is why does the exe file delete itself randomly? Or after some set period of time? The rar files it came with didn't get deleted with it though so I still have a copy of them....

Trainer?


Check it out, it's in the attachment, I've zipped up for you. Inside it is a picture, two rar files and a txt file containing some detail info about it.
Hashes for the zipped file=> MD5: cfe4123e54ba56a1149d6f47215385c2, SHA256: 46031b1e168ce7a38cf491065f7b751cf65029aab672c9d992273703cb56321c

Hmmm strange, it won't let me upload the zipped file....you see the load icon animation and then it disappears....is there a size limit or maybe this...hidden malware/virus is preventing me from doing so? I tried to upload a couple of random smaller zip files and they came through. I tried splitting the archive to 256KB size but upon uploading the 256 part, it says sorry invalid file or something like that.. Nope, the file size limit is 2.86MB for zip format, the file itself is only 1.07MB....is your uploader screwed or is it me?

Besides that, the computer seems to be running as if nothing has happened....................

Oh well I've uploaded it on an external website:

The links were removed for the safety of other users. Glad to hear the computer is running well, if any malware issues do occur please start a topic in the malware forum. FAQ here (https://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-(Please-read-this-Procedure-Before-Requesting-Assistance)-Updated).

Have a nice weekend!

Nnewb
2016-08-07, 03:22
Hello Nnewb,

Unfortunately there was an issue with notifications which has now been resolved. :)

Ah I see, well I just woke up and saw the notification via email so it's working!


Trainer?

Game Trainer, basically what it does is allow you to cheat in games that either don't have cheat codes and are thus impossible to cheat in, or where you're too lazy to type in the codes.....in my case for Oil Rush (a game from these guys (http://oilrush-game.com/) running the Unigine engine) no such codes existed and I felt like power housing and mucking about.....hee hee.....and yeah, that's when I decided to go and grab a trainer....


The links were removed for the safety of other users. Glad to hear the computer is running well, if any malware issues do occur please start a topic in the malware forum. FAQ here (https://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-(Please-read-this-Procedure-Before-Requesting-Assistance)-Updated).

Have a nice weekend!

Oh there was a delete link that you could have used that I did provide.......and that would have rendered both links invalid.....I didn't anticipate you removing the entire URL so I don't even have a backup of those URL links.....hahahahaha

Well I did mention they were suspicious so why would anyone in their right mind want to download them knowing that I put a caution on it? hahaha Unless they skip reading and just go straight to clicking on random links on forums and posts coz they can....which is just plain dumb without knowing what the hell they're downloading/clicking on.......hahaha:D:

Well I guess I'll go make another one and upload it again....I'll PM you the link this time....for the safety of others....

PS - Hm, looks like your uploader still refuses to take my zip file despite being under the file size limit.
PPS - Somehow Intel True Key got installed, apparently associated with McAfee....could have also been bundled with Adobe Flash player.....-.-
PPPS - So you don't think a file deleting itself (yes only just that one file so far that I've noticed) after some period of time is considered suspicious...? Or you overlooked that part in my post? I also ran the trainer in Sandbox but it somehow escaped and was running outside Sandboxie when it crashed ...with admin privileges I might add....(or at least I presume it was, as I had to run SB as admin to run the trainer so I would guess that would still be in effect once it's outside?) it was working for the time being when it didn't crash, but after that, the trainer no longer works even after extracting a new copy from the rar file.....I find that strange....you wouldn't think a program suddenly stops working completely because of one crash.....

Nnewb
2016-08-07, 04:01
So why can't I edit my post after a set period of time? 15 minutes or so? It would save your forum from being cluttered with new posts that aren't needed that could have been appended to the last post(if the last post is yours and you feel it's not necessary to bump the thread up either)....unless you are forcing users to bump their thread post every 15 minutes if they want to add something which would then alert you guys, rather them appending to the last post?

Besides that, the computer seems to be running as if nothing has happened....................


I had something else to add onto that (that would have gone in but for this time limit on editing after posting...) but it looks like your admin (yes I contacted the guy so he could edit and append my post...) hasn't added it in for me yet or has ignored my request. The next part of that would have said something along the lines of: or I have a hidden keylogger that is so inconspicuous that all my security scanners fail to pick it up and is waiting for the right moment to cause havoc....but the only destruction I've seen is said trainer exe file deleting itself.....

tashi
2016-08-07, 04:32
Hello Nnewb,


So why can't I edit my post after a set period of time? 15 minutes or so? It would save your forum from being cluttered with new posts that aren't needed that could have been appended to the last post(if the last post is yours and you feel it's not necessary to bump the thread up either)....unless you are forcing users to bump their thread post every 15 minutes if they want to add something which would then alert you guys, rather them appending to the last post?

Forums: (https://forums.spybot.info/showthread.php?3922-Spybot-Search-amp-Destroy-FAQs-and-Information&p=22032&viewfull=1#post22032)
Can I edit my own posts?

In the Malware Removal Forum, members may not edit their posts.
In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.

I had something else to add onto that (that would have gone in but for this time limit on editing after posting...) but it looks like your admin (yes I contacted the guy so he could edit and append my post...) hasn't added it in for me yet or has ignored my request. The next part of that would have said something along the lines of: or I have a hidden keylogger that is so inconspicuous that all my security scanners fail to pick it up and is waiting for the right moment to cause havoc....but the only destruction I've seen is said trainer exe file deleting itself.....

I received your PM but I don't open such links. You may zip or rar the file/s and send them to: detections AT spybot.info

Subject: 'Infected" Please provide a link to this thread.

If you would like someone to take a look at the system in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) please start a new topic there after reading that forum's FAQ which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then a volunteer analyst will advise.

If you choose to do that please do not provide links to the files. If an analyst wants to take a look at the scan results of any suspicious files you may be asked to upload them to a site such as:

http://virusscan.jotti.org/
http://www.virustotal.com/

Best regards.

Nnewb
2016-08-07, 05:54
Hello Nnewb,

Forums: (https://forums.spybot.info/showthread.php?3922-Spybot-Search-amp-Destroy-FAQs-and-Information&p=22032&viewfull=1#post22032)
Can I edit my own posts?

In the Malware Removal Forum, members may not edit their posts.
In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.

Oh fair enough.:bigthumb:

I received your PM but I don't open such links. You may zip or rar the file/s and send them to: detections AT spybot.info

Subject: 'Infected" Please provide a link to this thread.

Replace AT with @ and remove the spaces between the word detections and spybot? So it would read detections @ spybot.info?

If you would like someone to take a look at the system in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) please start a new topic there after reading that forum's FAQ which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then a volunteer analyst will advise.

If you choose to do that please do not provide links to the files. If an analyst wants to take a look at the scan results of any suspicious files you may be asked to upload them to a site such as:

http://virusscan.jotti.org/
http://www.virustotal.com/

Best regards.

Alright cool, I'll go do that, to make sure my computer is actually clean and not me thinking it is when it isn't and there are still stuff lurking about....

Thanks!

Nnewb
2016-08-07, 07:44
Hello Nnewb,

Forums: (https://forums.spybot.info/showthread.php?3922-Spybot-Search-amp-Destroy-FAQs-and-Information&p=22032&viewfull=1#post22032)
Can I edit my own posts?

In the Malware Removal Forum, members may not edit their posts.
In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.

Oh fair enough.:bigthumb: But that's why we have the quotes right? Which is one of the reasons why I make use of the quote function in forums.....just in case it gets deleted, so long as the quoted text still exists, people can still read what it used to say (and what it was answering as well) unless the answer post was edited by someone (the poster, mod or admin).

Say for example if the quoted text I just quoted for this reply gets deleted or modified, so long as this post doesn't get edited by me or the mods/admins, viewers would still see what the post was referring to. :D

tashi
2016-08-07, 16:45
New topic: https://forums.spybot.info/showthread.php?73742-Please-check-my-computer-for-sny-possible-further-infection

Nnewb
2016-08-18, 03:16
Hi, I would like to request an update on the analysis of the suspected virus/malware file I submitted some time ago. What have you found out about it? What does it *really* do? Is it really a false positive as claimed by the site owner?

Thanks.

(m/f)
2016-08-18, 09:54
Hi, I would like to request an update on the analysis of the suspected virus/malware file I submitted some time ago. What have you found out about it? What does it *really* do? Is it really a false positive as claimed by the site owner?

Thanks.

Hi. I have read your post and e-mails, but I cannot say that I found anything. So here are a few statements and questions:

1. In your first post there is a Spybot detection of a registry key showing. The value has been changed by Spybot to "0" as it was not 0. (Probably 1) As there are no files detected, either Spybot missed those too or the value was changed by anything else.

2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?

3. It is possible that it is a false positive. We will try to find out.

Thank you for your cooperation.:bigthumb:

Nnewb
2016-08-19, 06:10
Hi. I have read your post and e-mails, but I cannot say that I found anything. So here are a few statements and questions:

1. In your first post there is a Spybot detection of a registry key showing. The value has been changed by Spybot to "0" as it was not 0. (Probably 1) As there are no files detected, either Spybot missed those too or the value was changed by anything else.

The screenshot was taken *after* I fixed the problem. I just wanted to make sure if I was still infected or not and hence I started this thread.

2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?

I had uploaded a zip file to detections @ spybot.info called Trainer for Oil Rush.zip; inside it should look like this: 12650 The two rar files contain the trainer, the extracted one with the brackets around said word is extracted from the source file that gameplanetpatch or gamepatchplanet, whichever it is, has zipped and passworded. The capture.png is a screenshot of where I got it from and the txt file is more info but in txt format and the hashes of the source file.

So if you didn't get it for some reason, I can upload the file again to that same email for you or I can link you the download link here and you can analyse it yourself?

3. It is possible that it is a false positive. We will try to find out.

Thank you for your cooperation.:bigthumb:

Well I suppose you'll find out.

Nnewb
2016-08-23, 04:57
....soooooo anything or nothing....? Or too busy with more important matters to deal with than my trivial matter...?

Nnewb
2017-03-01, 14:44
2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?
I had uploaded a zip file to detections @ spybot.info called Trainer for Oil Rush.zip; inside it should look like this: 12650 The two rar files contain the trainer, the extracted one with the brackets around said word is extracted from the source file that gameplanetpatch or gamepatchplanet, whichever it is, has zipped and passworded. The capture.png is a screenshot of where I got it from and the txt file is more info but in txt format and the hashes of the source file.

So if you didn't get it for some reason, I can upload the file again to that same email for you or I can link you the download link here and you can analyse it yourself?

....soooooo anything or nothing....? Or too busy with more important matters to deal with than my trivial matter...?

Status update please. :thanks:

(m/f)
2017-03-02, 13:15
Sorry that I forgot to post here: Microsoft states that the value of the registry entry can be either 0 or 1.

https://msdn.microsoft.com/en-us/library/bb513638(VS.85).aspx

In one of our Morto.fi analyses the value was set to 1 instead of the default 0. So a detection rule has been added for that value to change it back to 0. However, users may deliberately choose to alter this value themselves. I do not know what or who changed the value in your case. As there were no files found by KIS and Spybot, I tend to say it has not been changed by Morto.fi.

Best Regards

Nnewb
2017-03-09, 09:08
Okay....what about analysis on the trainer file? Anything suspicious at all or know why it disappears after a certain period of time...?

Nnewb
2017-03-18, 05:14
...nothing? .......or have you forgot again....?

tashi
2017-03-21, 03:48
Hello Nnewb,

I was going to say you could upload any suspicious file to: https://www.virustotal.com/ and http://virusscan.jotti.org/en

Then I noticed your topic (https://forums.whatthetech.com/index.php?showtopic=131117) at WTT. :)

Best regards.

Nnewb
2017-03-21, 05:02
Hello Nnewb,

I was going to say you could upload any suspicious file to: https://www.virustotal.com/ and http://virusscan.jotti.org/en

This is what virustotal says: https://www.virustotal.com/en/file/46031b1e168ce7a38cf491065f7b751cf65029aab672c9d992273703cb56321c/analysis/ and this is what jotti says: https://virusscan.jotti.org/en-US/filescanjob/4vh8fttvsf however, they don't have your scanner on it and I asked for your opinion of it after doing a thorough analysis of it, even to the point of decompiling the trainer exe file if you must, to see what EXACTLY it does at code level (I would of course do all this myself but I don't understand coding language nor know how to de-compile....so even if I *do* manage to decompile it, I wouldn't have a clue as to what the code level stuff says or means in plain English....:laugh::confused:), but never got a straight answer... I already uploaded the zip file containing all the files I mentioned earlier.....no comment since then....except from that other guy, but he forgot to mention the zip file I sent him for analysis...

Perhaps you would like to analyze this for me at code level by de-compiling it and then explain to me in plain English what it is SUPPOSED to be doing and not what I thought it should be doing, mmm?:bigthumb:


Then I noticed your topic (https://forums.whatthetech.com/index.php?showtopic=131117) at WTT. :)

Best regards.

Yes, that is the same laptop - but that was for a different issue, but I thought it may have some sort of relation to this since (I believe of course) I never found what was causing this....actually speaking of which - this entry also came up again last time I re-scanned.

(m/f)
2017-03-27, 10:14
Hi. I have read your post and e-mails, but I cannot say that I found anything.

We looked again at your e-mail to detections(at)spybot but it has no attachment. So we still have no file to analyze. Please resend the file in a password protected .zip. Thank you.

Nnewb
2017-03-28, 04:53
We looked again at your e-mail to detections(at)spybot but it has no attachment. So we still have no file to analyze. Please resend the file in a password protected .zip. Thank you.

What really?! :scratch: :slap::buried:I knew it!!! :laugh::laugh::laugh::rotfl::rotfl:

*sigh* ...ok here's the file in question that's passworded: http://s000.tinyupload.com/index.php?file_id=39055518938693596987 - password is in the description.

And I will upload once again, to detections@spybot....um that's invalid.....is a dot com after that or dot something? Oh it's dot info.....as I last sent....

(m/f)
2017-03-28, 08:44
Got the files. I will have a look today. :eek: Thank you.

Nnewb
2017-03-28, 10:43
Got the files. I will have a look today. :eek: Thank you.

*phew* THANKYOU! :):cool:

The actual directory should be something like this:


Trainer for Oil Rush.rar
-\Trainer for Oil Rush
--\Capture.PNG
>> Screencap of the download page
--\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar
>> This is the file you want to get into - this one is also passworded, but not by me - by the original site I downloaded it from...
---\Oil Rush V1.0_1.01 +2 Trn_2.exe
>> This is the file you want to be analyzing.
--\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar.txt
>> Hashes, download link and page and further details (like said password mentioned earlier) for the OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar file
--\Trainer for Oil Rush.zip
>> Original zip file that I sent over to detections @ spybot . info but, as you said, you never got the file.....luckily I still have it all this time...(I stupidly rar'd this zip file with it....so now you will have duplicate sets of files...)
---\Capture.PNG
>> Screencap of the download page (Duplicate file, I stupidly rar'd the zip file with it...)
---\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar
>> This is the file you want to get into - this one is also passworded, but not by me - by the original site I downloaded it from... (Duplicate file, I stupidly rar'd the zip file with it...)
----\Oil Rush V1.0_1.01 +2 Trn_2.exe
>> Or this file you want to be analyzing (Duplicate file, I stupidly rar'd the zip file with it...)
---\OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar.txt
>> Hashes, download link and page and further details (like said password mentioned earlier) for the OIL.RUSH.V1.0.AND.V1.01.PLUS.2.TRAINER.BY.Burmass.rar file (Duplicate file, I stupidly rar'd the zip file with it...)

Ok, so let me know how the analysis goes and what it is trying to do and whether if it's malicious or not..... Hopefully there, it will explain the mysterious event of it deleting itself after a while.....

(m/f)
2017-03-28, 12:18
Sooooo, I analyzed the file and executed it in a safe environment and found nothing had been changed in the system. As I do not have the game installed I could not prove that it did change the content of the registers as stated in the code (those occupied when the game is running). I guess that other AV take this altering of register content as malicious behaviour. I let the file run for some time (not hours, but a few minutes) and it is still persistent on the system. I double checked the hashes of the file just in case, but they were the ones stated in the text file.

In short: I could not find any link to Morto.fi in the file. Best Regards.

Nnewb
2017-03-28, 13:25
Sooooo, I analyzed the file and executed it in a safe environment and found nothing had been changed in the system. As I do not have the game installed I could not prove that it did change the content of the registers as stated in the code (those occupied when the game is running). I guess that other AV take this altering of register content as malicious behaviour. I let the file run for some time (not hours, but a few minutes) and it is still persistent on the system. I double checked the hashes of the file just in case, but they were the ones stated in the text file.

In short: I could not find any link to Morto.fi in the file. Best Regards.

Okay, so it does no other activity besides modifying some registers that are to do with the game and nothing else? ...which would mean all those scanners that picked this up as a trojan (including the ones from Jotti and Virustotal), of any kind, are false positives.....therefore this trainer program is 100% safe as it does what it's supposed to be doing and nothing more/else? Oh wait you can't test that out; but you can read the de-compiled code that says it is supposed to do this and there's no other code that says, do this extra thing while you're at it (like oh idk...maybe phone home and grab some more files from there and execute that to do some damage?)? If I give you a copy of this game, will you be able to confirm this? And then you delete it afterwards? Or..you can tell me how I can do this myself since I have a copy of the game (if you don't want to deal in pirated stuff from me....unless you wanna buy it off the official site (I believe they still sell it...last I checked anyways) and then go from there....just to test this out), so guide me through all the steps and I'll find out myself...?

Ok, so what's with the mysterious event where it deletes itself after a set period of time? Or is that something external? Because I have no log of any of my pro-active scanners doing such a thing, so none has ever quarantined it nor deleted it and logged the delete event, etc..... Is there code in there that mentions something about deleting itself after a period of time?:scratch::confused: Otherwise I would then be quite confused as to why this happens, assuming my system is 110% clean of malware....