Everything posted by Senzorei

  1. The problem is the installer is bundled with a toolbar which is causing a detection. It's not really a false positive, considering this is a PUP - potentially unwanted program.
  2. I'm not exactly sure, as it happened almost 2 years ago. But that's probably the cause of this case. P.S. I found another file linked to this somewhere in ProgramData (one that points to the old directory of a Half-Life installation), I think (cleaning up computer =) ).
  3. Not all anti-virus programs detect the same threat 100% of the time. Ditto to what Marcos said.
  4. NOTE: You can skip the wall of text if you want to get to the important part.

     So, this morning ESET found a virus on my PC (first detection 8/11/2014): Win32/Gleamaster.A. I know how I got this and how it affected me (IDK about anyone else). So I was playing CS 1.6 on international servers and I somehow had this weird thing; several of the game's configuration files were getting replaced (or were in use) constantly. It bugged me, since pretty much all the unused buttons were bound to connect you to a*l*e*m*s*e*s.*r* (domain), so I just blocked write access for myself to the affected files.

     This morning, when I booted up, NOD 32 detected some threat in %appdata% (%currentuser%\appdata\Roaming\glister), so I decided to investigate. I made a copy in my personal quarantine folder. There were 4 files in total: acfg_options, nvm, ucfg_options (all with no extension) and nvm.dll (which I can't recover anymore, since I deleted it and all of the copies are gone from the present and previous versions (system restore) folders), and it's the threat that got detected in the first place. The DLL was run under regsvr32.exe, and I thought that regsvr32 appearing in the tskmgr was nothing to raise the red flags for, since something might have changed in an update.

     What I did with the files is I tried giving them a text extension and running them sandboxed; to my surprise they opened. And I looked at the contents.

     acfg_options.txt (guessing this to be short for "autoexecconfig_options"):
         frequency=10
         timeout=30020
         command=Connect allnetmaster.org:27015

     nvm.txt:
         C:\Users\%currentuser%\Desktop\Stuff\Games\Counter-Strike 1.6

     ucfg_options.txt (guessing this to be short for "userconfig_options"):
         frequency=10
         timeout=30020
         command=Connect allnetmaster.org:27015

     I made this thread so people know some specifics about the virus, since virusradar has literally no info on this threat.

     What it does is it replaces some of the game files (2 *.cfg and 1 *.res file) so you get your unbound keys bound to connect commands, so you keep getting unwillingly connected to their servers. More of a PUP, nothing serious, but something people should know about nonetheless.

     EDIT: The MD5 hash of the nvm.dll is "dc265339e77d4cb0ef6ecbd9da3cf758". VirusTotal: https://www.virustotal.com/en/file/e086c75a691a779eda52a82406ca9ed1f4d6c6ab4eca973e64226a0148d708b6/analysis/1415523880/
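As an added example (not part of the forum post, and not ESET's or the poster's code), the following Python script parses the small key=value option files the post quotes and scans a CS 1.6 style .cfg for key binds that issue connect commands, which is the symptom the post describes. The option text is the one quoted in the post; the .cfg sample is constructed for this example; and the `bind "key" "command"` line syntax is assumed to be the GoldSrc one. The last function cross-checks the binds found in the config against the target named in the option file, so a defender can tell which binds belong to the same campaign.

```python
"""Added example: detect injected 'connect' key binds in a CS 1.6 config.
Not code from the forum post; samples below are constructed."""
import re
from dataclasses import dataclass

# Contents of acfg_options as quoted in the post (host/port come from the post).
SAMPLE_OPTIONS = """frequency=10
timeout=30020
command=Connect allnetmaster.org:27015
"""

# Constructed sample .cfg: two normal binds plus two injected connect binds.
# The second injected target is a documentation address, not a real server.
SAMPLE_CFG = """// constructed sample config, not a real file
bind "w" "+forward"
bind "mouse1" "+attack"
bind "f9" "connect allnetmaster.org:27015"
bind "F11" "connect 203.0.113.5:27015; say hi"
"""

# Assumed GoldSrc syntax: bind <key> <command>, both optionally double-quoted.
BIND_RE = re.compile(r'^\s*bind\s+"?([^"\s]+)"?\s+"?(.*?)"?\s*$', re.IGNORECASE)


def parse_options(text):
    """Parse 'key=value' lines into a dict; blank lines and comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts


def connect_target(opts):
    """Return the host:port from a 'command=Connect host:port' option, or None."""
    parts = opts.get("command", "").split()
    if len(parts) >= 2 and parts[0].lower() == "connect":
        return parts[1]
    return None


@dataclass
class Finding:
    key: str       # the bound key, lower-cased
    command: str   # the full bind command string
    target: str    # host:port the connect command points at


def find_connect_binds(cfg_text):
    """Return every bind whose command (or any ';'-separated part) is a connect."""
    findings = []
    for line in cfg_text.splitlines():
        m = BIND_RE.match(line)
        if not m:
            continue
        key, command = m.group(1), m.group(2)
        for cmd in command.split(";"):
            parts = cmd.strip().split()
            if len(parts) >= 2 and parts[0].lower() == "connect":
                findings.append(Finding(key.lower(), command, parts[1]))
    return findings


def binds_matching_options(cfg_text, options_text):
    """Binds whose connect target equals the target in the dropped option file."""
    target = connect_target(parse_options(options_text))
    if target is None:
        return []
    return [f for f in find_connect_binds(cfg_text) if f.target.lower() == target.lower()]


if __name__ == "__main__":
    for f in find_connect_binds(SAMPLE_CFG):
        print(f"key {f.key!r} connects to {f.target}")
    print("matching option file:", [f.key for f in binds_matching_options(SAMPLE_CFG, SAMPLE_OPTIONS)])
```

Run it against a real `autoexec.cfg`/`userconfig.cfg` by reading the file into `find_connect_binds`; any bind that connects somewhere the player never configured is worth a closer look, and a match with the target in `acfg_options`/`ucfg_options` ties the config change to that dropped file.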
  5. Hello everyone, haven't been here in a long time and I'm happy to be here again. That aside, my ESET NOD 32 4.0.417.0 signature DB 9040 detects a variant of Win32/HackTool.Crack.BL Potentially unsafe application in the file steam_api.dll (https://www.virustotal.com/en/file/1827e9eb9417bec0d9869ba6a36d62b48f548dbb30c881dbf47ee1cb38304eb2/analysis/1384354621/). This steam_api.dll came from a torrent which included a crack provided with a game (XCOM: Enemy Within). I'm not sure whether this is a false positive (which seems unlikely) or a legitimate virus. Also, could someone explain how I can upload samples (ESET doesn't want any potentially malicious files on their forums, but we need a way to send samples for other people to inspect) and why I can't submit files for analysis from the quarantine menu (it displays a pop-up with the title "Threatsense early warning system" containing "Submission of suspicious files is currently disabled. File was placed in cache.")? Thank you in advance.
  6. No, it's ok. It's just possible it may be a different variant of Sputnik. There are many, many, many versions floating around. Thanks Senz!!

     You're welcome.
  7. Sorry for the late reply, I forgot about this.
  8. I checked the site on MyWOT (extension that allows you to see comments and ratings for the webpage) and it seems to provide some false information, so I wouldn't trust it that much. I will give it a try if the scan doesn't work.

     It's not about trusting or not. It's in plain view: so check if the files are there or not. If they aren't, it's a false website or a different version of the virus. If they are, start the removal process. Clean the registry after the fact. If you need help, just ask. I will remote in and clean it for you, or make a batch file based on what needs to be removed.

     The MD5 hash is a mismatch, and so is the file size. The MD5 hash of sputnikflashplayer.exe is 8d2e41b2b917b361c50b74db271d31b9 with a file size of 595560 bytes (598016 bytes on disk), while the other sputnikflashplayer.exe (the one in the link you sent me) has MD5 551054755de3fb70c82766da9a84e8a7 with a file size of 601120 bytes. I am not sure whether to remove these files (since it's a mismatch) or not.
  9. I sent them to samples@eset.com.
  10. I checked the site on MyWOT (extension that allows you to see comments and ratings for the webpage) and it seems to provide some false information, so I wouldn't trust it that much. I will give it a try if the scan doesn't work.
  11. I ran a scan on the files before posting; it did not detect anything. I will try to run a scan now. Even though the process GuardMailRu.exe is in memory, it does not detect it.
  12. I agree with SweX. Even though I am using ESET NOD32 4, I have the orange icon, but a green icon with an exclamation mark isn't really that spottable IMO. I haven't seen it, since I am using NOD32 4 (which is an older version); it still has the orange icon.
  13. Good day to you Senzorei, nice to meet you, and welcome to the forums! Your etiquette and vocabulary are surprising to me in regards to your age. I am sure you will excel and accomplish great things in the IT world. Welcome again!

     Thanks for the welcome. I'm not going to be on the forums that much, but while I am, could you please check out this thread? https://forum.eset.com/topic/773-guardmailruexe/ . Thanks in advance.
  14. Update: I sent the files through email.
  15. The file submission failed for mailrusputnik.exe.
  16. Hello, I did some research on the file GuardMailRu.exe and on this site (respectively: habrahabr.ru/post/149636/ ) it says that it adds a toolbar to the IE, Firefox and Opera browsers, which I can confirm, since 1 account on this machine (respectively the one that installed something that I'm unaware of, which also installed the toolbar) has the toolbar on IE, Firefox and Opera. I hope that you can inspect these files and possibly find a solution.

     P.S. The file runs on the System privilege level, and when I tried to terminate the program it executed (approx.) 3000 more executables with the same filename. I sent an archive with these files for inspection. The installation folder consisted of these branches (CASE SENSITIVE):

         Mail.ru
         |__Guard
         |   |__GuardMailRu.exe
         |   |__GuardMailRu.dll
         |__Sputnik
             |__mailrusputnik.exe
             |__MailRuSputnik.dll
             |__SputnikFlashPlayer.exe

     For some reason it doesn't allow me to upload the files, but I sent them for inspection.
  17. Hello, Nodders (if I may call you that), I am Senzorei, interested in viruses, gaming, hardware and programming. How did you find the ESET Security Forum? I came here to request that you add GuardMailRu.exe and associated processes to the potentially unwanted programs or adware classification, since it modifies IE, Firefox, Opera and possibly other browsers (toolbar). I will get into detail in another post. What OS are you running? Windows 7 Ultimate x64 Service Pack 1. What AV are you running? ESET NOD 4. What's an interesting fact about you? I am only 12.