Senzorei

Members · Posts: 17 · Days Won: 1

Posts posted by Senzorei

  1. I'm not exactly sure, as it happened almost 2 years ago. But that's probably the cause of this case. P.S. I found another file linked to this somewhere in ProgramData (one that points to the old directory of a Half-Life installation), I think (cleaning up my computer =) ).

  2. NOTE: You can skip the wall of text if you want to get to the important part.

    So, this morning ESET found a virus on my PC (first detection 8/11/2014): Win32/Gleamaster.A. I know how I got this and how it affected me (IDK about anyone else). I was playing CS 1.6 on international servers and I somehow had this weird thing: several of the game's configuration files were getting replaced (or were in use) constantly. It bugged me, since pretty much all the unused buttons were bound to connect you to a*l*e*m*s*e*s.*r* (domain), so I just blocked write access for myself to the affected files.

    This morning, when I booted up, NOD 32 detected some threat in %appdata% (%currentuser%\appdata\Roaming\glister), so I decided to investigate. I made a copy in my personal quarantine folder. There were 4 files in total: acfg_options, nvm, ucfg_options (all with no extension) and nvm.dll (which I can't recover anymore, since I deleted it and all of the copies are gone from the present and previous versions (system restore) folders), and it's the threat that got detected in the first place. The DLL was run under regsvr32.exe, and I thought that regsvr32 appearing in the tskmgr was nothing to raise red flags over, since something might have changed in an update. What I did with the files is I tried giving them a text extension and running them sandboxed; to my surprise they opened, and I looked at the contents.

    acfg_options.txt (guessing this to be short for "autoexecconfig_options"):

        frequency=10
        timeout=30020
        command=Connect allnetmaster.org:27015

    nvm.txt:

        C:\Users\%currentuser%\Desktop\Stuff\Games\Counter-Strike 1.6

    ucfg_options.txt (guessing this to be short for "userconfig_options"):

        frequency=10
        timeout=30020
        command=Connect allnetmaster.org:27015

    I made this thread so people know some specifics about the virus, since virusradar has literally no info on this threat.
    What it does is replace some of the game files (2 *.cfg and 1 *.res file) so your unbound keys get bound to connect commands, so you keep getting unwillingly connected to their servers. More of a PUP, nothing serious, but something people should know about nonetheless. EDIT: The md5 hash of the nvm.dll is "dc265339e77d4cb0ef6ecbd9da3cf758". Virustotal: https://www.virustotal.com/en/file/e086c75a691a779eda52a82406ca9ed1f4d6c6ab4eca973e64226a0148d708b6/analysis/1415523880/
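    As an added example (not from the post, not ESET's code), here is a small defender-side Python check for the symptom described above: it parses the key=value option files in the format shown and flags `bind` lines in a CS 1.6 .cfg file whose action runs `connect`. The sample config and options text are constructed to mirror the post.

```python
# Added example (not from the post or ESET): detect the rebinding the thread describes.
import shlex

# Constructed sample of a tampered userconfig.cfg: one legitimate bind and
# two keys rebound to connect to an outside server.
SAMPLE_CFG = """\
// userconfig.cfg (constructed sample)
bind "w" "+forward"
bind "f7" "connect allnetmaster.org:27015"
bind "kp_ins" "connect allnetmaster.org:27015; echo hi"
unbindall
"""
# Constructed sample of an options file in the format the post shows.
SAMPLE_OPTIONS = "frequency=10\ntimeout=30020\ncommand=Connect allnetmaster.org:27015\n"

def find_connect_binds(cfg_text):
    """Return (key, action, target) for each bind whose action invokes connect."""
    hits = []
    for raw in cfg_text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop // comments
        if not line:
            continue
        try:
            parts = shlex.split(line)          # handles the quoted cfg syntax
        except ValueError:
            continue                           # unbalanced quotes: skip the line
        if len(parts) < 3 or parts[0].lower() != "bind":
            continue
        key, action = parts[1], parts[2]
        for sub in action.split(";"):          # binds may chain commands with ';'
            tokens = sub.split()
            if len(tokens) >= 2 and tokens[0].lower() == "connect":
                hits.append((key, action, tokens[1]))
                break
    return hits

def parse_options(text):
    """Parse the key=value lines of acfg_options / ucfg_options."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def option_target(opts):
    """Return the host:port the options file's command connects to, else None."""
    tokens = opts.get("command", "").split()
    return tokens[1] if len(tokens) >= 2 and tokens[0].lower() == "connect" else None
```

    Running `find_connect_binds` over the real autoexec.cfg and userconfig.cfg, and comparing its targets with `option_target(parse_options(...))` on the files from the glister folder, shows whether the binds and the dropped options point at the same server.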
  3. Hello everyone, I haven't been here in a long time and I'm happy to be here again. That aside, my ESET NOD 32 4.0.417.0 (signature DB 9040) detects "a variant of Win32/HackTool.Crack.BL potentially unsafe application" in the file steam_api.dll (https://www.virustotal.com/en/file/1827e9eb9417bec0d9869ba6a36d62b48f548dbb30c881dbf47ee1cb38304eb2/analysis/1384354621/).

    This steam_api.dll came from a torrent which included a crack provided with a game (XCOM: Enemy Within). I'm not sure whether this is a false positive (which seems unlikely) or a legitimate virus. Also, could someone explain how I can upload samples (ESET doesn't want any potentially malicious files on their forums, but we need a way to send samples for other people to inspect) and why I can't submit files for analysis from the quarantine menu (it displays a pop-up with the title "Threatsense early warning system" containing "Submission of suspicious files is currently disabled. File was placed in cache.")? Thank you in advance.

  4. If you would like to tackle it yourself try starting here:

    hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm

    Only "do not download unhackme". I am unaware of its legitimacy.

    File location on part of it is there. :)

    I checked the site on MyWOT (an extension that lets you see comments and ratings for a webpage) and it seems to provide some false information, so I wouldn't trust it that much. I will give it a try if the scan doesn't work.

    It's not about trusting or not. It's in plain view:

    Manual removal instructions:

    Antivirus Report of %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE:

    %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE    Win32.HeurC.KVM019.a.(kcloud)
    %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE    Dangerous
    %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE    High Risk

    %program files%\mail.ru\sputnik\sputnikflashplayer.exe: We suggest you remove SPUTNIKFLASHPLAYER.EXE from your computer as soon as possible.

    SPUTNIKFLASHPLAYER.EXE is known as: Win32.HeurC.KVM019.a.(kcloud)

    MD5 of SPUTNIKFLASHPLAYER.EXE = 551054755de3fb70c82766da9a84e8a7

    SPUTNIKFLASHPLAYER.EXE size is 601120 bytes.

    Full path on a computer: %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE

    Related Files:

    C:\Documents and Settings\All Users\Favorites\Mail.Ru.url

    %Program Files%\Mail.Ru\Guard\GuardMailRu.exe

    %Program Files%\Mail.Ru\Sputnik\MailRuSputnik.dll

    %Program Files%\Mail.Ru\Sputnik\mailrusputnik.exe

    %Program Files%\Mail.Ru\Sputnik\SputnikFlashPlayer.exe

    So check if the files are there or not. If they aren't, it's a false website or a different version of the virus. If they are, start the removal process.

    Clean registry after the fact. If you need help just ask. I will remote in and clean it for you :)

    Or make a batch file based on what needs to be removed. :)

    The MD5 hash is a mismatch, and so is the file size. The MD5 hash of sputnikflashplayer.exe is 8d2e41b2b917b361c50b74db271d31b9 with a file size of 595560 bytes (598016 bytes on disk), while the other sputnikflashplayer.exe (the one in the link you sent me) has MD5 551054755de3fb70c82766da9a84e8a7 with a file size of 601120 bytes. I am not sure whether or not to remove these files (since it's a mismatch).

  5. Because the forum is public, we've restricted the ability to upload potentially malicious files to the site and we discourage posting links to potentially harmful sites. Thanks for emailing the file. Where did you email the file to?

    I sent them to samples@eset.com .

  7. Orange was just fine as it was before IMO. I mean if something more "severe" is happening then it will turn Red as it still does of course, but Orange for "hey I need your attention" is OK I think. But maybe that's just me, and each to their own I guess. :)

    I agree with SweX. Even though I am using ESET NOD32 4 and have the orange icon, a green icon with an exclamation mark isn't really that easy to spot IMO. I haven't seen it, since I am using NOD32 4 (which is an older version); it still has the orange icon.

  8. Hello, Nodders (if I may call you that :) ), I am Senzorei, interested in viruses, gaming, hardware and programming.

    How did you find the ESET Security Forum? I came here to request that you add GuardMailRu.exe and associated processes to potentially unwanted programs or adware classification since it modifies IE, Firefox, Opera and possibly other browsers (toolbar). I will get into detail in another post.

    What OS are you running? Windows 7 Ultimate x64 Service Pack 1.

    What AV are you running? ESET NOD 4.

    What’s an interesting fact about you? I am only 12.

    Good day to you Senzorei, nice to meet you, and welcome to the forums!

    Your etiquette and vocabulary are surprising to me in regards to your age.

    I am sure you will excel and accomplish great things in the IT world.

    Welcome again! :)

    Thanks for the welcome :). I'm not going to be on the forums that much, but while I am, could you please check out this thread? https://forum.eset.com/topic/773-guardmailruexe/ Thanks in advance :).

  9. Hello, I did some research on the file GuardMailRu.exe, and on this site (respectively: habrahabr.ru/post/149636/) it says that it adds a toolbar to IE, Firefox and Opera browsers, which I can confirm, since 1 account on this machine (respectively the one that installed something that I'm unaware of, which also installed the toolbar) has the toolbar on IE, Firefox and Opera. I hope that you can inspect these files and possibly find a solution.

    P.S. The file runs on the System privilege level, and when I tried to terminate the program it executed (approx.) 3000 more executables with the same filename. I sent an archive with these files for inspection. The installation folder consisted of these branches (CASE SENSITIVE):

        Mail.ru
        |-- Guard
        |   |-- GuardMailRu.exe
        |   `-- GuardMailRu.dll
        `-- Sputnik
            |-- mailrusputnik.exe
            |-- MailRuSputnik.dll
            `-- SputnikFlashPlayer.exe

    For some reason it doesn't allow me to upload the files, but I sent them for inspection.
