DWishR

MoveNetworks player


I just downloaded and ran a scan using your software (now being sworn-by). It picked up 3 positives, one is the move media player extension for Firefox (used for viewing video on ABC.com) and the other two were .dll files in system32. The two .dll files are both 0 byte definitions, as far as I can tell. All three seem to be related (Vendor: Trojan.Agent).

Must admit I was hesitant to install the app when I came across it although it seems to be working fine. Is there a huge security vulnerability I should be aware of? In order to catch the move plugin I would have to run a whole system scan again (1.5+ hours) so you won't get the developer log for that one, sorry. And your forum won't let me upload the .zip/.rar (800K).

Malwarebytes' Anti-Malware 1.30

Database version: 1405

Windows 5.1.2600 Service Pack 3

11/17/2008 4:21:30 PM

mbam-log-2008-11-17 (16-21-28).txt

Scan type: Quick Scan

Objects scanned: 53728

Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513013627615642473748565261849084857078201961847083668685731815697777]

C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513013627615642473748565261849084857078201961847083668685731915697777]

=============FROM NON-DEVELOPER====================

Files Infected:

C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\3dmijx07.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll (Trojan.Agent) -> No action taken.


The .dll files are 0-bytes. I opened them with a hex editor which confirmed them to be blank but if you want I'll post them.

I'm more concerned about the Firefox extension after the bottom of the posted log which I can't upload because it is larger than the forum limit. I can e-mail it if you'll provide me with an address.


We can do 2 things that might avoid the need to upload at all.

First submit that file to http://www.virustotal.com/ .

Unless the report says that no vendors detect this, please copy and paste just the vendor detection part of the scan.

Next, a dev log (like you posted for the other 2 files) would help me a lot.

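One way to do the first two checks this exchange asks for (confirm that the flagged DLLs really are 0 bytes, and get the hashes needed to look the files up on or submit them to VirusTotal) without opening each file by hand, as an added Python example; it is not part of the original thread and not Malwarebytes' own tooling. The parser assumes the "Files Infected:" layout of the MBAM 1.30 log posted above; the sample log text, the `sample_nonempty.dll` name and the files written to a temp directory are all constructed for the demonstration, and `resolve` only exists to map the Windows paths in the log onto that temp directory.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.30 log (added example).
Parses the "Files Infected:" entries, reports whether each flagged file is
empty, and computes the MD5/SHA1/SHA256 a VirusTotal lookup would need."""
import hashlib
import os
import re
import tempfile

# Matches a flagged-file line such as:
#   C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken.
FLAGGED_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> ")


def parse_flagged_files(log_text):
    """Return (path, detection) tuples from the 'Files Infected:' section."""
    entries = []
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header, e.g. "Registry Keys Infected:"
            in_section = (line == "Files Infected:")
            continue
        if in_section and line != "(No malicious items detected)":
            m = FLAGGED_RE.match(line)
            if m:
                entries.append((m.group("path"), m.group("detection")))
    return entries


def hash_file(path):
    """Compute MD5, SHA1 and SHA256 in one pass over the file; also return its size."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {"size": size, **{k: v.hexdigest() for k, v in digests.items()}}


def triage(log_text, resolve=lambda p: p):
    """For each flagged file: does it exist, is it empty, and what are its hashes.
    `resolve` maps the Windows path written in the log to a readable local path."""
    report = {}
    for path, detection in parse_flagged_files(log_text):
        local = resolve(path)
        if not os.path.isfile(local):
            report[path] = {"detection": detection, "status": "missing"}
            continue
        info = hash_file(local)
        info["detection"] = detection
        # A 0-byte file has nothing to analyse: its hashes are the well-known
        # digests of the empty string, so a VirusTotal lookup says nothing useful.
        info["status"] = "empty" if info["size"] == 0 else "has-content"
        report[path] = info
    return report


# Constructed sample log in the layout of the MBAM 1.30 log quoted in the thread.
SAMPLE_LOG = """Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\system32\\serauth1.dll (Trojan.Agent) -> No action taken.
C:\\WINDOWS\\system32\\sample_nonempty.dll (Trojan.Agent) -> No action taken.
"""


def build_sample_dir():
    """Create a scratch directory holding a 0-byte DLL and a non-empty stand-in (constructed)."""
    tmp = tempfile.mkdtemp()
    open(os.path.join(tmp, "serauth1.dll"), "wb").close()      # 0 bytes, like the poster's
    with open(os.path.join(tmp, "sample_nonempty.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)                          # fake 64-byte header only
    return tmp


def run_sample():
    """Run the triage over the constructed log and files; returns the report dict."""
    tmp = build_sample_dir()
    resolve = lambda p: os.path.join(tmp, p.rsplit("\\", 1)[-1])
    return triage(SAMPLE_LOG, resolve)


if __name__ == "__main__":
    for path, info in run_sample().items():
        print(path, info["status"], info.get("sha256", ""))
```

The `status` field is the point: an "empty" file cannot be the thing doing harm by itself, so the useful follow-up question is what created it, whereas a "has-content" file gives you hashes to compare against the vendor table VirusTotal returns.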

I'll do the full developer scan tonight if you still need it. I'm booted into linux atm and have to leave in a hurry.

http://www.virustotal.com/analisis/887b70b...5f1a7518347be1e

Antivirus          Version           Last Update   Result
AhnLab-V3          2008.11.18.2      2008.11.18    -
AntiVir            7.9.0.31          2008.11.18    -
Authentium         5.1.0.4           2008.11.18    -
Avast              4.8.1281.0        2008.11.18    -
AVG                8.0.0.199         2008.11.18    -
BitDefender        7.2               2008.11.18    -
CAT-QuickHeal      10.00             2008.11.18    -
ClamAV             0.94.1            2008.11.18    -
DrWeb              4.44.0.09170      2008.11.18    -
eSafe              7.0.17.0          2008.11.18    -
eTrust-Vet         31.6.6214         2008.11.18    -
Ewido              4.0               2008.11.18    -
F-Prot             4.4.4.56          2008.11.18    -
F-Secure           8.0.14332.0       2008.11.18    -
Fortinet           3.117.0.0         2008.11.18    -
GData              19                2008.11.18    -
Ikarus             T3.1.1.45.0       2008.11.18    -
K7AntiVirus        7.10.527          2008.11.18    -
Kaspersky          7.0.0.125         2008.11.18    -
McAfee             5438              2008.11.18    -
Microsoft          1.4104            2008.11.17    -
NOD32              3623              2008.11.18    -
Norman             5.80.02           2008.11.18    -
Panda              9.0.0.4           2008.11.18    Suspicious file
PCTools            4.4.2.0           2008.11.18    -
Prevx1             V2                2008.11.18    -
Rising             21.04.12.00       2008.11.18    -
SecureWeb-Gateway  6.7.6             2008.11.18    -
Sophos             4.35.0            2008.11.18    -
Sunbelt            3.1.1801.2        2008.11.14    -
Symantec           10                2008.11.18    -
TheHacker          6.3.1.1.157       2008.11.18    -
TrendMicro         8.700.0.1004      2008.11.18    -
VBA32              3.12.8.9          2008.11.18    -
ViRobot            2008.11.18.1474   2008.11.18    -
VirusBuster        4.5.11.0          2008.11.18    -

Additional information
File size: 847360 bytes
MD5...: 24b0da7666ce4c04fc4aa9c19ecb8c02
SHA1..: 60b8f76289f366c7596ed2f5d456a2e766e796b1
SHA256: 0b42319fff1a70daaab6ca14a413c15b35f354f361ba5fb1841b0f42837af8c8
SHA512: 94844f25dca4eb7d16d732e312e6432d0525422e6f223be96c762bc7fb04ff26d88231ec5dadb3f77e30cc95fe2a33c9a7b1ec617a82332902742b00cd37c4c2
PEiD..: PECompact 2.xx --> BitSum Technologies
TrID..: File type identification
  Win32 EXE PECompact compressed (v2.x) (48.9%)
  Win32 EXE PECompact compressed (generic) (34.4%)
  Win32 Executable Generic (7.0%)
  Win32 Dynamic Link Library (generic) (6.2%)
  Generic Win/DOS Executable (1.6%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10362c17
timedatestamp.....: 0x48d12aa4 (Wed Sep 17 16:04:52 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name    viradd    virsiz    rawdsiz  ntrpy  md5
.text   0x1000    0x361000  0xcce00  8.00   47a38ebf5ed73a6d517e47336e0c583a
.rsrc   0x362000  0x2000    0x1a00   6.58   dbc71690db4d0455d835dc5bbdbe341e
.reloc  0x364000  0x1000    0x200    0.23   ab2c3862f0afa292c0ece2a9190d6196
( 21 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> DSOUND.dll: -
> DDRAW.dll: DirectDrawCreateEx
> SHFOLDER.dll: SHGetFolderPathA
> SETUPAPI.dll: SetupIterateCabinetA
> WININET.dll: HttpQueryInfoA
> MSVFW32.dll: DrawDibClose
> WINMM.dll: timeGetTime
> WS2_32.dll: WSAEnumNetworkEvents
> USER32.dll: GetMonitorInfoA
> GDI32.dll: SetDeviceGammaRamp
> comdlg32.dll: GetOpenFileNameA
> ADVAPI32.dll: RegSetValueExA
> SHELL32.dll: ShellExecuteExA
> ole32.dll: CoTaskMemFree
> OLEAUT32.dll: -
> SHLWAPI.dll: SHDeleteKeyA
> VERSION.dll: GetFileVersionInfoSizeA
> gdiplus.dll: GdipCreatePath
> RPCRT4.dll: RpcStringFreeA
> OPENGL32.dll: glGetString
( 5 exports )
DllRegisterServer, DllUnregisterServer, NP_GetEntryPoints, NP_Initialize, NP_Shutdown
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact

Next a dev log (like you posted for the other 2 files) would help me a lot .

Can I copy the file into a directory that will be scanned by a quick scan? Would be a lot less cumbersome than running the full scan in developer mode. Is there a list of directories looked at in a quick scan?

