xx521xx

meta4.exe and MOTA113.exe

New detections after updating my MBAM database today... a quick Google search suggests these files are added by SUPER, a popular video converter which I have installed. Apparently they have a history of detection by antivirus software, some of which have later removed the detection as false positives. They do get some hits on VirusTotal, though. What do you think?

The "hijack" entries are unrelated changes that I made myself and haven't set MBAM to ignore.

Malwarebytes' Anti-Malware 1.37

Database version: 2259

6/10/2009 5:13:09 PM

mbam-log-2009-06-10 (17-13-09).txt

Scan type: Quick Scan

Objects scanned: 101545

Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Not selected for removal. [385753513430414438586436545151384753645452385161524839535634513861467468838084807185615674796980888461368683837079855570838474807961498077746874708461388981778083708393398083687036776684847468368079858380774966797077]

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Not selected for removal. [513849453436383041443858643654515138475364545238516152483953563451386146746883808480718561567479698088846136868383707985557083847480796149807774687470846138898177808370839347805246417077813018130117]

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\meta4.exe (Trojan.Agent) -> Quarantined and deleted successfully. [41345241302324712218671866251971671818676767266921252371246870211868692022]

c:\WINDOWS\MOTA113.exe (Trojan.Agent) -> Quarantined and deleted successfully. [41345241307166712623701720671720241922676825182368181869226671171726232518]

Guest

Hi,

I also registered these two entries. A while back my virus scanner incorrectly identified them as false positives.

Hope this is fixed quickly.

Best regards,

Newbi3

Malwarebytes' Anti-Malware 1.37

Database version: 2259

Windows 5.1.2600 Service Pack 3

11/06/2009 12:03:46 AM

mbam-log-2009-06-11 (00-03-42).txt

Scan type: Quick Scan

Objects scanned: 80452

Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\meta4.exe (Trojan.Agent) -> No action taken. [41345241302324712218671866251971671818676767266921252371246870211868692022]

c:\WINDOWS\MOTA113.exe (Trojan.Agent) -> No action taken. [41345241307166712623701720671720241922676825182368181869226671171726232518]

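The two logs above list the same two files under the same detection name, with different actions taken. An added example, not part of either post and not Malwarebytes' own tooling: a small parser for the log layout shown in this thread that rejoins trace numbers the forum wrapped across lines and lists the items two logs have in common. The sample logs are constructed and abridged, their trace numbers are placeholders, and the function names are hypothetical.

```python
import re

# "<object> (<detection>) -> [Bad/Good ->] <action>. [<trace digits>]"
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)\. \[(?P<trace>\d+)\]$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")  # summary counts end in a number

def parse_detections(log_text):
    """Return one dict per detected item in an MBAM 1.x style log."""
    items, section, pending = [], None, ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if pending:  # inside a trace number that the forum wrapped across lines
            if re.fullmatch(r"\d+\]?", line):
                pending += line
                if not line.endswith("]"):
                    continue
                line = pending            # entry is complete again
            pending = ""                  # otherwise: not a continuation, drop the broken entry
        header = HEADER.match(line)
        if header:
            section = header["section"]
        elif section and "[" in line and not line.endswith("]"):
            pending = line                # trace continues on the following lines
        elif section and (m := ENTRY.match(line)):
            items.append({"section": section, "object": m["obj"], "detection": m["name"],
                          "action": m["rest"].split(" -> ")[-1], "trace": m["trace"]})
    return items

def shared_detections(log_a, log_b):
    """(path, detection name) pairs flagged in both logs, paths compared case-insensitively."""
    keys = lambda log: {(d["object"].lower(), d["detection"]) for d in parse_detections(log)}
    return sorted(keys(log_a) & keys(log_b))

# Constructed, abridged logs in the layout shown above; trace numbers are placeholders.
LOG_A = r"""Files Infected: 2
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Not selected for removal. [1111
2222
3333]
Files Infected:
c:\WINDOWS\meta4.exe (Trojan.Agent) -> Quarantined and deleted successfully. [4444]
c:\WINDOWS\MOTA113.exe (Trojan.Agent) -> Quarantined and deleted successfully. [5555]
"""
LOG_B = r"""Files Infected:
c:\WINDOWS\meta4.exe (Trojan.Agent) -> No action taken. [4444]
c:\WINDOWS\MOTA113.exe (Trojan.Agent) -> No action taken. [5555]
"""
print(shared_detections(LOG_A, LOG_B))
```

Identical paths, detection names and trace numbers across unrelated machines point to one signature matching one file, which is the information a vendor needs to review a suspected false positive.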

I still have the previous version (2009.build.35), I didn't know there was a new one. I haven't added any additional add-ons for the program. I'm 99% sure I got it from erightsoft.com, but it's been a while. I don't know for sure whether those files are supposed to be part of SUPER or not, that's just what I found elsewhere on the web. But some people with SUPER don't have those files... I still have the same installer I used, so I think I'll install it on a virtual machine and see whether those files show up.

Guest

Hi,

My advice: Don't panic. Fools rush in where wise men fear to tread.

I had an old version which I am 100% sure I downloaded from http://www.erightsoft.com.

It has since been uninstalled from my computer. However, this shows how uninstall programs sometimes leave remnants on the system.

This same issue occurred with my virus scanner around two or three months ago. It was promptly fixed as a false positive.

I am convinced that this is the same issue. It had something to do with packing of the files.

I left these two files on my system more for amusement to see whether other programs would pick them up.

MBAM has done it today.

I hope this is fixed soon.

Best regards,

Newbi3

Guest

PS: I did not install ANY other add-ons or plug-ins.


No sign of the files on my virtual machine after installing the program, then converting a few files and rebooting for good measure. Strange. Maybe they were only added by older versions, and then never removed? I've had older versions on my machine before.

Do I need to restore the files to submit them? If not, where do I find the quarantined files?


If you click on the ADDREPLY button you should see a small GREEN button that says UPLOAD with a BROWSE button just in front of it.

Browse to the ZIP/RAR file to upload and then click the UPLOAD button.

EDIT.... YES that did it. The file is here. Thanks.


I found MBAM's quarantine. Is it alright to zip up the quarantined files and submit them?

Guest

Glad to help.

And the verdict is...........?

:-)


The verdict is that WinRAR 3.80 thinks something is wrong with the file and won't allow me to extract them.

I'm due for a reboot though, so I'll check again in a little while.

Guest

Well I used WinZip Pro 10.0 to send them.

I tried to upload the raw .exe files but it won't let me. Even if I change the file extensions.

What can I do to help you?

Guest

It's just after midnight here so if anybody could tell me I'd be more than happy to help before I go.

Thanks.


I think I'll wait for the verdict from someone at Malwarebytes before I make that decision. ;)

> I think I'll wait for the verdict from someone at Malwarebytes before I make that decision. ;)

Are you aware that a lot of antivirus programs actually detect SUPER's main EXE file as malware?


You mean SUPER.exe?

http://www.virustotal.com/analisis/08751b5...6f8e-1244695780

5 detections, that's far from a majority, but still enough to be suspicious. But on the other hand, 4 of them are heuristic detections, and the other looks like a detection of the file's compression scheme. I just find it hard to believe that SUPER, a fairly well-known program (or so it seems to me), is a trojan but hasn't been assigned a specific detection by any major antivirus vendors...

Guest

Hi,

Here is some information why these files can appear 'suspicious':

The S.U.P.E.R. software is packed under three layers (1

Guest

Hello,

I must admit some of my initial confidence that this is a false positive is now beginning to falter.

The MBAM experts have not commented on it which is making me feel a little uneasy.

I (fearfully) await your response, oh MBAM Gods!

Newbi3

This topic is now closed to further replies.
