Morto.fi detected?


Nnewb
So Kaspersky tells me to uninstall this because it's *apparently* incompatible with Spybot Search and Destroy, as it would seem it pretty much does what Spybot S&D already does and more. Well, luckily I never uninstalled it (as I don't believe KIS 2016 can do everything that Spybot does; I don't see an immunization option (one of the reasons why I've kept Spybot) in KIS 2016) and just recently did a scan, and it found a Morto worm that Kaspersky (so much for people touting "you should just only have an AV installed and that's it, nothing more and you should be safe"), Malwarebytes and SUPERAntiSpyware failed to find. In the attachment you will find a screenshot of Spybot finding and fixing up the Morto worm. So I've already scanned the system with Rkill and TDSSK, so I should be clean, right...?
 

Attachment: Morto.fi ....png (83.5 KB)
Hello Nnewb,

Did another scan flag anything, how is the computer running? :)

Best regards.
 
> Hello Nnewb,
>
> Did another scan flag anything, how is the computer running? :)
>
> Best regards.

Hi, thanks for replying. Hmm, strange, I didn't even get an email notification of it.... and yes, I subscribed with instant email notification.... I thought you guys forgot all about me or had more pressing matters to deal with (or maybe the answer is so obvious that there's no point in replying). I was about to go and bump this post and/or post in the malware removal forum (thinking maybe I posted in the wrong section...) and link it to this thread, but saw someone has already replied. :bigthumb:

Well, I just rescanned with Spybot and it appears clean; would you like me to re-scan with the other programs too?

Also, I have a suspicion that this trainer may have been the cause of this (despite the website I got it from saying that everything there is 100% virus/malware free, that they are false positives if any programs do pick them up, and that he wouldn't upload them if something bad did happen whilst he was working with them).... well, one of the reasons is: why does the exe file delete itself randomly? Or after some set period of time? The rar files it came with didn't get deleted with it though, so I still have a copy of them....

Check it out, it's in the attachment; I've zipped it up for you. Inside it is a picture, two rar files and a txt file containing some detailed info about it.
Hashes for the zipped file => MD5: cfe4123e54ba56a1149d6f47215385c2, SHA256: 46031b1e168ce7a38cf491065f7b751cf65029aab672c9d992273703cb56321c

Hmmm, strange, it won't let me upload the zipped file.... you see the load icon animation and then it disappears.... is there a size limit, or maybe this... hidden malware/virus is preventing me from doing so? I tried to upload a couple of random smaller zip files and they came through. I tried splitting the archive to 256KB size but upon uploading the 256 part, it says sorry, invalid file or something like that.. Nope, the file size limit is 2.86MB for zip format, and the file itself is only 1.07MB.... is your uploader screwed or is it me?

Besides that, the computer seems to be running as if nothing has happened....

Oh well, I've uploaded it to an external website:
 
Hello Nnewb,

> Hi, thanks for replying. Hmm, strange, I didn't even get an email notification of it.... and yes, I subscribed with instant email notification.... I thought you guys forgot all about me or had more pressing matters to deal with (or maybe the answer is so obvious that there's no point in replying). I was about to go and bump this post and/or post in the malware removal forum (thinking maybe I posted in the wrong section...) and link it to this thread, but saw someone has already replied. :bigthumb:

Unfortunately there was an issue with notifications which has now been resolved. :)

> Also, I have a suspicion that this trainer may have been the cause of this (despite the website I got it from saying that everything there is 100% virus/malware free, that they are false positives if any programs do pick them up, and that he wouldn't upload them if something bad did happen whilst he was working with them).... well, one of the reasons is: why does the exe file delete itself randomly? Or after some set period of time? The rar files it came with didn't get deleted with it though, so I still have a copy of them....

Trainer?

> Check it out, it's in the attachment; I've zipped it up for you. Inside it is a picture, two rar files and a txt file containing some detailed info about it.
> Hashes for the zipped file => MD5: cfe4123e54ba56a1149d6f47215385c2, SHA256: 46031b1e168ce7a38cf491065f7b751cf65029aab672c9d992273703cb56321c
>
> Hmmm, strange, it won't let me upload the zipped file.... you see the load icon animation and then it disappears.... is there a size limit, or maybe this... hidden malware/virus is preventing me from doing so? I tried to upload a couple of random smaller zip files and they came through. I tried splitting the archive to 256KB size but upon uploading the 256 part, it says sorry, invalid file or something like that.. Nope, the file size limit is 2.86MB for zip format, and the file itself is only 1.07MB.... is your uploader screwed or is it me?
>
> Besides that, the computer seems to be running as if nothing has happened....
>
> Oh well, I've uploaded it to an external website:

The links were removed for the safety of other users. Glad to hear the computer is running well; if any malware issues do occur, please start a topic in the malware forum. FAQ here.

Have a nice weekend!
 
> Hello Nnewb,
>
> Unfortunately there was an issue with notifications which has now been resolved. :)

Ah, I see, well I just woke up and saw the notification via email, so it's working!

> Trainer?

Game Trainer, basically what it does is allow you to cheat in games that either don't have cheat codes (and thus are impossible to cheat in) or you're too lazy to type in the codes..... in my case, for Oil Rush (a game from these guys running the Unigine engine) no such codes existed and I felt like powerhousing and mucking about..... hee hee..... and yeah, that's when I decided to go and grab a trainer....

> The links were removed for the safety of other users. Glad to hear the computer is running well; if any malware issues do occur, please start a topic in the malware forum. FAQ here.
>
> Have a nice weekend!

Oh, there was a delete link that you could have used that I did provide....... and that would have rendered both links invalid..... I didn't anticipate you removing the entire URL, so I don't even have a backup of those URL links..... hahahahaha

Well, I did mention they were suspicious, so why would anyone in their right mind want to download them knowing that I put a caution on it? hahaha Unless they skip reading and just go straight to clicking on random links on forums and posts coz they can.... which is just plain dumb without knowing what the hell they're downloading/clicking on....... hahaha :D

Well, I guess I'll go make another one and upload it again.... I'll PM you the link this time.... for the safety of others....

PS - Hm, looks like your uploader still refuses to take my zip file despite it being under the file size limit.
PPS - Somehow Intel True Key got installed, apparently associated with McAfee.... could have also been bundled with Adobe Flash Player..... -.-
PPPS - So you don't think a file deleting itself (yes, only just that one file so far that I've noticed) after some period of time is considered suspicious...? Or did you overlook that part in my post? I also ran the trainer in Sandbox but it somehow escaped and was running outside Sandboxie when it crashed... with admin privileges I might add.... (or at least I presume it was, as I had to run SB as admin to run the trainer, so I would guess that would still be in effect once it's outside?) It was working for the time being when it didn't crash, but after that, the trainer no longer works even after extracting a new copy from the rar file..... I find that strange.... you wouldn't think a program suddenly stops working completely because of one crash.....
 
So why can't I edit my post after a set period of time? 15 minutes or so? It would save your forum from being cluttered with new posts that aren't needed and could have been appended to the last post (if the last post is yours and you feel it's not necessary to bump the thread up either).... unless you are forcing users to bump their thread every 15 minutes if they want to add something, which would then alert you guys, rather than them appending to the last post?

> Besides that, the computer seems to be running as if nothing has happened....

I had something else to add onto that (that would have gone in, but for this time limit on editing after posting...) but it looks like your admin (yes, I contacted the guy so he could edit and append my post...) hasn't added it in for me yet or has ignored my request. The next part of that would have said something along the lines of: or I have a hidden keylogger that is so inconspicuous that all my security scanners fail to pick it up and is waiting for the right moment to cause havoc.... but the only destruction I've seen is said trainer exe file deleting itself.....
 
Hello Nnewb,

> So why can't I edit my post after a set period of time? 15 minutes or so? It would save your forum from being cluttered with new posts that aren't needed and could have been appended to the last post (if the last post is yours and you feel it's not necessary to bump the thread up either).... unless you are forcing users to bump their thread every 15 minutes if they want to add something, which would then alert you guys, rather than them appending to the last post?

Forums:
Can I edit my own posts?

  1. In the Malware Removal Forum, members may not edit their posts.
  2. In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.

> I had something else to add onto that (that would have gone in, but for this time limit on editing after posting...) but it looks like your admin (yes, I contacted the guy so he could edit and append my post...) hasn't added it in for me yet or has ignored my request. The next part of that would have said something along the lines of: or I have a hidden keylogger that is so inconspicuous that all my security scanners fail to pick it up and is waiting for the right moment to cause havoc.... but the only destruction I've seen is said trainer exe file deleting itself.....

I received your PM but I don't open such links. You may zip or rar the file/s and send them to: detections AT spybot.info

Subject: 'Infected'. Please provide a link to this thread.

If you would like someone to take a look at the system in the Malware Removal Forum, please start a new topic there after reading that forum's FAQ, which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then a volunteer analyst will advise.

If you choose to do that, please do not provide links to the files. If an analyst wants to take a look at the scan results of any suspicious files, you may be asked to upload them to a site such as:

http://virusscan.jotti.org/
http://www.virustotal.com/

Best regards.
 
> Hello Nnewb,
>
> Forums:
> Can I edit my own posts?
>
>   1. In the Malware Removal Forum, members may not edit their posts.
>   2. In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.

Oh, fair enough. :bigthumb:

> I received your PM but I don't open such links. You may zip or rar the file/s and send them to: detections AT spybot.info
>
> Subject: 'Infected'. Please provide a link to this thread.

Replace AT with @ and remove the spaces between the word detections and spybot? So it would read detections @ spybot.info?

> If you would like someone to take a look at the system in the Malware Removal Forum, please start a new topic there after reading that forum's FAQ, which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.
>
> http://forums.spybot.info/showthread.php?t=288
>
> Then a volunteer analyst will advise.
>
> If you choose to do that, please do not provide links to the files. If an analyst wants to take a look at the scan results of any suspicious files, you may be asked to upload them to a site such as:
>
> http://virusscan.jotti.org/
> http://www.virustotal.com/
>
> Best regards.

Alright, cool, I'll go do that, to make sure my computer is actually clean and not me thinking it is when it isn't and there is still stuff lurking about....

Thanks!
 
> Hello Nnewb,
>
> Forums:
> Can I edit my own posts?
>
>   1. In the Malware Removal Forum, members may not edit their posts.
>   2. In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.

> Oh, fair enough. :bigthumb:

But that's why we have the quotes, right? Which is one of the reasons why I make use of the quote function in forums..... just in case it gets deleted; so long as the quoted text still exists, people can still read what it used to say (and what it was answering as well) unless the answer post was edited by someone (the poster, mod or admin).

Say, for example, if the quoted text I just quoted for this reply gets deleted or modified, so long as this post doesn't get edited by me or the mods/admins, viewers would still see what the post was referring to. :D
 
Analysis update?

Hi, I would like to request an update on my analysis of the suspected virus/malware file I submitted some time ago. What have you found out about it? What does it *really* do? Is it really a false positive, as claimed by the site owner?

Thanks.
 
> Hi, I would like to request an update on my analysis of the suspected virus/malware file I submitted some time ago. What have you found out about it? What does it *really* do? Is it really a false positive, as claimed by the site owner?
>
> Thanks.

Hi. I have read your post and e-mails, but I cannot say that I found anything. So here are a few statements and questions:

1. In your first post there is a Spybot detection of a registry key showing. The value has been changed by Spybot to "0" as it was not 0 (probably 1). As there are no files detected, either Spybot missed those too or the value was changed by something else.

2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?

3. It is possible that it is a false positive. We will try to find out.

Thank you for your cooperation. :bigthumb:
 
> Hi. I have read your post and e-mails, but I cannot say that I found anything. So here are a few statements and questions:
>
> 1. In your first post there is a Spybot detection of a registry key showing. The value has been changed by Spybot to "0" as it was not 0 (probably 1). As there are no files detected, either Spybot missed those too or the value was changed by something else.

The screenshot was taken *after* I fixed the problem. I just wanted to make sure whether I was still infected or not, and hence I started this thread.

> 2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?

I had uploaded a zip file to detections @ spybot.info called Trainer for Oil Rush.zip; inside, it should look like this: rar file.png. The two rar files contain the trainer; the extracted one with the brackets around said word is extracted from the source file that gameplanetpatch or gamepatchplanet, whichever it is, has zipped and password-protected. The capture.png is a screenshot of where I got it from, and the txt file is more info but in txt format, plus the hashes of the source file.

So if you didn't get it for some reason, I can upload the file again to that same email for you, or I can link you the download link here and you can analyse it yourself?

> 3. It is possible that it is a false positive. We will try to find out.
>
> Thank you for your cooperation. :bigthumb:

Well, I suppose you'll find out.
 
....soooooo anything or nothing....? Or too busy with more important matters to deal with than my trivial matter...?
 
> 2. I could not find any upload of yours. Thus no file has been analyzed. Didn't you say you were not able to upload previously?
>
> I had uploaded a zip file to detections @ spybot.info called Trainer for Oil Rush.zip; inside, it should look like this: rar file.png. The two rar files contain the trainer; the extracted one with the brackets around said word is extracted from the source file that gameplanetpatch or gamepatchplanet, whichever it is, has zipped and password-protected. The capture.png is a screenshot of where I got it from, and the txt file is more info but in txt format, plus the hashes of the source file.
>
> So if you didn't get it for some reason, I can upload the file again to that same email for you, or I can link you the download link here and you can analyse it yourself?

> ....soooooo anything or nothing....? Or too busy with more important matters to deal with than my trivial matter...?

Status update please. :thanks:
 
Sorry that I forgot to post here: Microsoft states that the value of the registry entry can be either 0 or 1.

https://msdn.microsoft.com/en-us/library/bb513638(VS.85).aspx

In one of our Morto.fi analyses the value was set to 1 instead of the default 0. So a detection rule has been added for that value to change it back to 0. However, users may deliberately choose to alter this value themselves. I do not know what or who changed the value in your case. As there were no files found by KIS and Spybot, I tend to say it has not been changed by Morto.fi.

Best regards.
 
Okay.... what about the analysis of the trainer file? Anything suspicious at all, or do you know why it disappears after a certain period of time...?
 
Hello Nnewb,

I was going to say you could upload any suspicious file to: https://www.virustotal.com/ and http://virusscan.jotti.org/en

> This is what virustotal says: https://www.virustotal.com/en/file/...51cf65029aab672c9d992273703cb56321c/analysis/ and this is what jotti says: https://virusscan.jotti.org/en-US/filescanjob/4vh8fttvsf. However, they don't have your scanner on it, and I asked for your opinion of it after doing a thorough analysis of it, even to the point of decompiling the trainer exe file if you must, to see what EXACTLY it does at code level (I would of course do all this myself but I don't understand coding language nor know how to de-compile.... so even if I *do* manage to decompile it, I wouldn't have a clue as to what the code-level stuff says or means in plain English.... :laugh::confused:), but never got a straight answer... I already uploaded the zip file containing all the files I mentioned earlier..... no comment since then.... except that other guy, but he forgot to mention the zip file I sent him for analysis...
>
> Perhaps you would like to analyze this for me at code level by de-compiling it and then explain to me in plain English what it is SUPPOSED to be doing and not what I thought it should be doing, mmm? :bigthumb:

Then I noticed your topic at WTT. :)

Best regards.

Yes, that is the same laptop, but that was for a different issue; I thought it may have some sort of relation to this since (I believe, of course) I never found what was causing this.... actually, speaking of which, this entry point also came up again the last time I re-scanned.
 