Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 26

Thread: Morto.fi detected?

  1. #11
    Member
    Join Date
    Jan 2016
    Posts
    65

    Question Analysis update?

    Hi, I would like to request an update on my analysis of suspected virus/malware file I have submitted sometime ago. What have you found out about it? What does it *really* do? Is it really a false positive as claimed by the site owner?

    Thanks.

  2. #12
    Member of Team Spybot (m/f)'s Avatar
    Join Date
    Feb 2006
    Posts
    294

    Default

    Quote Originally Posted by Nnewb View Post
    Hi, I would like to request an update on my analysis of suspected virus/malware file I have submitted sometime ago. What have you found out about it? What does it *really* do? Is it really a false positive as claimed by the site owner?

    Thanks.
    Hi. I have read your post and e-mails, but I cannot say that I found anything. So here are a few statements and questions:

    1. In your first post there is a Spybot detection of a registry key showing. The value has been changed by Spybot to "0" as it was not 0. (Probably 1) As there are no files detected, either Spybot missed those too or the value was changed by anything else.

    2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?

    3. It is possible that it is a false positive. We will try to find out.

    Thank you for your cooperation.
    (m/f)

  3. #13
    Member
    Join Date
    Jan 2016
    Posts
    65

    Post

    Quote Originally Posted by (m/f) View Post
    Hi. I have read your post and e-mails, but I cannot say that I found anything. So here are a few statements and questions:

    1. In your first post there is a Spybot detection of a registry key showing. The value has been changed by Spybot to "0" as it was not 0. (Probably 1) As there are no files detected, either Spybot missed those too or the value was changed by anything else.
    The screenshot was taken *after* I fixed the problem. I just wanted to make sure if I was still infected or not and hence I started this thread.

    Quote Originally Posted by (m/f) View Post
    2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?
    I had upload a zip file to detections @ spybot.info called Trainer for Oil Rush.zip, in it should look like this: rar file.png The two rar files contains the trainer, the extracted one with the brackets around said word is extracted from the source file that gameplanetpatch or gamepatchplanet which ever it is seen has zipped an pass worded. the capture.png is a screenshot of where I got it from and the txt file is more info but in txt format and the hashes of the source file.

    So if you didn't get it for some reason, I can upload the file again to that same email for you or I can link you the download link here and you can analyse it yourself?

    Quote Originally Posted by (m/f) View Post
    3. It is possible that it is a false positive. We will try to find out.

    Thank you for your cooperation.
    Well I suppose you'll find out.

  4. #14
    Member
    Join Date
    Jan 2016
    Posts
    65

    Question

    ....soooooo anything or nothing....? Or too busy with more important matters to deal with than my trivial matter...?

  5. #15
    Member
    Join Date
    Jan 2016
    Posts
    65

    Question

    Quote Originally Posted by Nnewb View Post
    Quote Originally Posted by Nnewb View Post
    Quote Originally Posted by (m/f) View Post

    2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?
    I had upload a zip file to detections @ spybot.info called Trainer for Oil Rush.zip, in it should look like this: rar file.png The two rar files contains the trainer, the extracted one with the brackets around said word is extracted from the source file that gameplanetpatch or gamepatchplanet which ever it is seen has zipped an pass worded. the capture.png is a screenshot of where I got it from and the txt file is more info but in txt format and the hashes of the source file.

    So if you didn't get it for some reason, I can upload the file again to that same email for you or I can link you the download link here and you can analyse it yourself?
    ....soooooo anything or nothing....? Or too busy with more important matters to deal with than my trivial matter...?
    Status update please.

  6. #16
    Member of Team Spybot (m/f)'s Avatar
    Join Date
    Feb 2006
    Posts
    294

    Default

    Sorry that I forgot to post here: Microsoft states that the value of the registry entry can be either 0 or 1.

    https://msdn.microsoft.com/en-us/lib...38(VS.85).aspx

    In one of our Morto.fi analyses the value was set to 1 instead of the default 0. So a detection rule has been added for that value to change it back to 0. However, users may deliberately choose to alter this value themselves. I do not know what or who changed the value in your case. As there were no files found by KIS and Spybot, I tend to say it has not been changed by Morto.fi.

    Best Regards
    (m/f)

  7. #17
    Member
    Join Date
    Jan 2016
    Posts
    65

    Question

    Okay....what about analysis on the trainer file? Anything suspicious at all or know why it disappears after a certain period of time...?

  8. #18
    Member
    Join Date
    Jan 2016
    Posts
    65

    Question

    ...nothing? .......or have you forgot again....?

  9. #19
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello Nnewb,

    I was going to say you could upload any suspicious file to: https://www.virustotal.com/ and http://virusscan.jotti.org/en

    Then I noticed your topic at WTT.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  10. #20
    Member
    Join Date
    Jan 2016
    Posts
    65

    Default

    Quote Originally Posted by tashi View Post
    Hello Nnewb,

    I was going to say you could upload any suspicious file to: https://www.virustotal.com/ and http://virusscan.jotti.org/en
    This is what virustotal says: https://www.virustotal.com/en/file/4...321c/analysis/ and this is what jotti says: https://virusscan.jotti.org/en-US/fi...job/4vh8fttvsf however, they don't have your scanner on it and I asked for your opinion of it after doing a thorough analysis of it, even to the point of decompiling the trainer exe file if you must to what EXACTLY it does from code level(I would of course do all this myself but I don't understand coding language nor know how to de-compile....so even if I *do* manage to decompile it, I wouldn't have a clue as to what the code level stuff says or means in plain English....), but never got a straight answer... I already uploaded the zip file containing all the files I mentioned earlier.....no comment since then....except that other guy but he forgot to mention about the zip file I sent him for analysis...

    Perhaps you would like to analyze this for me at code level by de-compiling it and then explain to me in plain English what it is SUPPOSED to be doing and not what I thought it should be doing, mmm?

    Quote Originally Posted by tashi View Post
    Then I noticed your topic at WTT.

    Best regards.
    Yes, that is the same laptop - but that was for a different issue, but I thought it may have some sort of relation to this since (I believe of course) I never found what was causing this....actually speaking of which - this entry point also came up again last time I re-scanned again.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •