Jump to content

MoveNetworks player

DWishR

By DWishR
in File Detections

 Share

Recommended Posts

DWishR

DWishR

Posted
Posted

I just downloaded and ran a scan using your software (now being sworn-by). It picked up 3 positives, one is the move media player extension for Firefox (used for viewing video on ABC.com) and the other two were .dll files in system32. The two .dll files are both 0 byte definitions, as far as I can tell. All three seem to be related (Vendor: Trojan.Agent).

Must admit I was hesitant to install the app when I came across it although it seems to be working fine. Is there a huge security vulnerability I should be aware of? In order to catch the move plugin I would have to run a whole system scan again (1.5+ hours) so you won't get the developer log for that one, sorry. And your forum won't let me upload the .zip/.rar (800K).

Malwarebytes' Anti-Malware 1.30

Database version: 1405

Windows 5.1.2600 Service Pack 3

11/17/2008 4:21:30 PM

mbam-log-2008-11-17 (16-21-28).txt

Scan type: Quick Scan

Objects scanned: 53728

Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761564247374856526184908485707820196

1847083668685731815697777]

C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761564247374856526184908485707820196

1847083668685731915697777]

=============FROM NON-DEVELOPER====================

Files Infected:

C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\3dmijx07.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll (Trojan.Agent) -> No action taken.

Link to post
Share on other sites
DWishR

DWishR

Posted
  • Author
Posted

The .dll files are 0-bytes. I opened them with a hex editor which confirmed them to be blank but if you want I'll post them.

I'm more concerned about the Firefox extension after the bottom of the posted log which I can't upload because it is larger than the forum limit. I can e-mail it if you'll provide me with an address.

Link to post
Share on other sites
nosirrah

nosirrah

Posted
Posted

We can do 2 things that might avoid the need to upload at all .

First submit that file to http://www.virustotal.com/ .

Unless the report says that no vendors detect this please copy and paste just the vendor detection part of the scan .

Next a dev log (like you posted for the other 2 files) would help me a lot .

Link to post
Share on other sites
DWishR

DWishR

Posted
  • Author
Posted

I'll do the full developer scan tonight if you still need it. I'm booted into linux atm and have to leave in a hurry.

http://www.virustotal.com/analisis/887b70b...5f1a7518347be1e

Antivirus  	Version  	Last Update  	ResultAhnLab-V3	2008.11.18.2	2008.11.18	-AntiVir	7.9.0.31	2008.11.18	-Authentium	5.1.0.4	2008.11.18	-Avast	4.8.1281.0	2008.11.18	-AVG	8.0.0.199	2008.11.18	-BitDefender	7.2	2008.11.18	-CAT-QuickHeal	10.00	2008.11.18	-ClamAV	0.94.1	2008.11.18	-DrWeb	4.44.0.09170	2008.11.18	-eSafe	7.0.17.0	2008.11.18	-eTrust-Vet	31.6.6214	2008.11.18	-Ewido	4.0	2008.11.18	-F-Prot	4.4.4.56	2008.11.18	-F-Secure	8.0.14332.0	2008.11.18	-Fortinet	3.117.0.0	2008.11.18	-GData	19	2008.11.18	-Ikarus	T3.1.1.45.0	2008.11.18	-K7AntiVirus	7.10.527	2008.11.18	-Kaspersky	7.0.0.125	2008.11.18	-McAfee	5438	2008.11.18	-Microsoft	1.4104	2008.11.17	-NOD32	3623	2008.11.18	-Norman	5.80.02	2008.11.18	-Panda	9.0.0.4	2008.11.18	Suspicious filePCTools	4.4.2.0	2008.11.18	-Prevx1	V2	2008.11.18	-Rising	21.04.12.00	2008.11.18	-SecureWeb-Gateway	6.7.6	2008.11.18	-Sophos	4.35.0	2008.11.18	-Sunbelt	3.1.1801.2	2008.11.14	-Symantec	10	2008.11.18	-TheHacker	6.3.1.1.157	2008.11.18	-TrendMicro	8.700.0.1004	2008.11.18	-VBA32	3.12.8.9	2008.11.18	-ViRobot	2008.11.18.1474	2008.11.18	-VirusBuster	4.5.11.0	2008.11.18	-
Additional informationFile size: 847360 bytesMD5...: 24b0da7666ce4c04fc4aa9c19ecb8c02SHA1..: 60b8f76289f366c7596ed2f5d456a2e766e796b1SHA256: 0b42319fff1a70daaab6ca14a413c15b35f354f361ba5fb1841b0f42837af8c8SHA512: 94844f25dca4eb7d16d732e312e6432d0525422e6f223be96c762bc7fb04ff26d88231ec5dadb3f77e30cc95fe2a33c9a7b1ec617a82332902742b00cd37c4c2PEiD..: PECompact 2.xx --> BitSum TechnologiesTrID..: File type identificationWin32 EXE PECompact compressed (v2.x) (48.9%)Win32 EXE PECompact compressed (generic) (34.4%)Win32 Executable Generic (7.0%)Win32 Dynamic Link Library (generic) (6.2%)Generic Win/DOS Executable (1.6%)PEInfo: PE Structure information
( base data )entrypointaddress.: 0x10362c17timedatestamp.....: 0x48d12aa4 (Wed Sep 17 16:04:52 2008)machinetype.......: 0x14c (I386)
( 3 sections )name viradd virsiz rawdsiz ntrpy md5.text 0x1000 0x361000 0xcce00 8.00 47a38ebf5ed73a6d517e47336e0c583a.rsrc 0x362000 0x2000 0x1a00 6.58 dbc71690db4d0455d835dc5bbdbe341e.reloc 0x364000 0x1000 0x200 0.23 ab2c3862f0afa292c0ece2a9190d6196
( 21 imports )> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree> DSOUND.dll: -> DDRAW.dll: DirectDrawCreateEx> SHFOLDER.dll: SHGetFolderPathA> SETUPAPI.dll: SetupIterateCabinetA> WININET.dll: HttpQueryInfoA> MSVFW32.dll: DrawDibClose> WINMM.dll: timeGetTime> WS2_32.dll: WSAEnumNetworkEvents> USER32.dll: GetMonitorInfoA> GDI32.dll: SetDeviceGammaRamp> comdlg32.dll: GetOpenFileNameA> ADVAPI32.dll: RegSetValueExA> SHELL32.dll: ShellExecuteExA> ole32.dll: CoTaskMemFree> OLEAUT32.dll: -> SHLWAPI.dll: SHDeleteKeyA> VERSION.dll: GetFileVersionInfoSizeA> gdiplus.dll: GdipCreatePath> RPCRT4.dll: RpcStringFreeA> OPENGL32.dll: glGetString
( 5 exports )DllRegisterServer, DllUnregisterServer, NP_GetEntryPoints, NP_Initialize, NP_Shutdownpackers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompactpackers (F-Prot): PecBundle, PECompact
Link to post
Share on other sites
DWishR

DWishR

Posted
  • Author
Posted
Next a dev log (like you posted for the other 2 files) would help me a lot .

Can I copy the file into a directory that will be scanned by a quick scan? Would be a lot less cumbersome than running the full scan in developer mode. Is there a list of directories looked at in a quick scan?

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.