NTDLL code modification detected... some help please.


26 replies to this topic

#16 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:06:23 PM

Posted 29 June 2011 - 10:47 PM

This one is different.
At least, it has some info:
sigcheck:
publisher....: gGamez.Org
copyright....: www.ggamez.org
product......: launcher

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donate button.

#17 Punch007

Punch007
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:23 PM

Posted 29 June 2011 - 10:48 PM

Alright, deleted. However, if it was executed by the installer then I suppose it possibly carried out some nasty job on the system?


EDIT:
I just opened that website ggamez.org, in Sandboxie of course, and I'm getting paranoid just looking at the title of that website :|

Edited by Punch007, 29 June 2011 - 10:50 PM.


#18 Broni


Posted 29 June 2011 - 10:50 PM

We ran some scans and they all came back negative.
Remember, the result was 5/42.
If something is bad for sure, most engines will get it.

#19 Punch007


Posted 29 June 2011 - 10:56 PM

I guess you're right... however, Avira did analyze it and afterward detected the file, the report being that it was indeed malware; previously it was being missed by their engine (like in the VirusTotal report now).

This was the report they sent after about a day (for the other file it was in some hours):

Thank you for your email to Avira's virus lab.
Tracking number: INC00772157.

A listing of files alongside their results can be found below:

File ID     Filename   Size (Byte)   Result
26201459    WBB.exe    126.5 KB      MALWARE

Please find a detailed report concerning each individual sample below:

Filename   Result
WBB.exe    MALWARE

The file 'WBB.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Drop.Startpage.N. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.
Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/details.php?uniqueid=q1zLD9BmNtSBNdR9CdW2UCxdndXfUB3y&incidentid=772157

An overview of all your submissions can be found here:
http://analysis.avira.com/samples/details.php?uniqueid=q1zLD9BmNtSBNdR9CdW2UCxdndXfUB3y

Please note: If you have specific questions please address them to support@avira.com

Kind regards
Avira Virus Lab

#20 Broni


Posted 29 June 2011 - 10:58 PM

It must be then.
It looks like it didn't cause any damage though...

#21 Punch007


Posted 29 June 2011 - 11:04 PM

Hopefully so... I think I'll just run a scan with Avira once they add its detection to their DB to be sure.

#22 Broni


Posted 29 June 2011 - 11:06 PM

Keep me posted....

#23 Punch007


Posted 29 June 2011 - 11:09 PM

Will do :)
I'm in half a mind to just reinstall though, with 64-bit this time round.

#24 Punch007


Posted 30 June 2011 - 04:44 AM

Avira added its detection, ran a scan but it didn't find anything.

I was able to find some resource data from the two files (they were still in quarantine :whistle: ) using PE Explorer; here it is if it means anything...

RC data for ggamez.exe
B Start http://www.ggamez.org
N launcher.cmd


RC data for wbb.exe
B start http://www.warez-bb.org/viewtopic.php?p=46956485
N WBB.bat

Was Avira's detection of Startpage.N due to these lines? :wink:
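To show what those two RC data entries look like to a defender's triage script, here is an added example (it is not code from the thread, from Avira, or from PE Explorer) that parses resource strings in the displayed "B ..." / "N ..." form and flags the launcher pattern the post hints at: a `start <url>` command paired with a `.bat`/`.cmd` script name. The one-record-per-line text layout and the `benign.exe` control entry are constructed assumptions, not the on-disk resource encoding.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample inputs. The two non-benign entries reproduce the "B ..." /
# "N ..." lines quoted in the post; the line-per-record text layout is an
# assumption about how PE Explorer displayed the RC data, not the raw bytes.
SAMPLE_RCDATA = {
    "ggamez.exe": "B Start http://www.ggamez.org\nN launcher.cmd\n",
    "wbb.exe": "B start http://www.warez-bb.org/viewtopic.php?p=46956485\nN WBB.bat\n",
    "benign.exe": "B echo setup complete\nN setup.log\n",  # constructed control
}

# One record per line: a single-letter tag, whitespace, then the value.
RECORD_RE = re.compile(r"^(?P<tag>[A-Z])\s+(?P<value>.+?)\s*$")
# 'start <url>' is the cmd.exe idiom for opening a URL in the default browser.
START_URL_RE = re.compile(r"^start\s+(?P<url>https?://\S+)$", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".bat", ".cmd")


@dataclass
class LauncherIndicators:
    """What the resource data tells us about a launcher-style executable."""
    start_url: Optional[str] = None    # URL opened via 'start <url>' (tag B)
    script_name: Optional[str] = None  # batch/command script named by tag N

    @property
    def host(self) -> Optional[str]:
        # Hostname alone is the most useful pivot for blocklists and log search.
        return urlparse(self.start_url).hostname if self.start_url else None

    def is_suspicious(self) -> bool:
        # A 'start <url>' command together with a dropped .bat/.cmd name
        # matches the Startpage/launcher pattern discussed in the thread.
        return self.start_url is not None and self.script_name is not None


def parse_rcdata(text: str) -> LauncherIndicators:
    """Extract the URL and script name from the displayed RC data text."""
    ind = LauncherIndicators()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        tag, value = m.group("tag"), m.group("value")
        if tag == "B":
            u = START_URL_RE.match(value)
            if u:
                ind.start_url = u.group("url")
        elif tag == "N" and value.lower().endswith(SCRIPT_EXTENSIONS):
            ind.script_name = value
    return ind


def triage(samples: Dict[str, str]) -> Dict[str, LauncherIndicators]:
    """Run the parser over every sample and return the indicators per file."""
    return {name: parse_rcdata(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, ind in triage(SAMPLE_RCDATA).items():
        verdict = "SUSPICIOUS" if ind.is_suspicious() else "clean"
        print(f"{name:12} {verdict:10} host={ind.host} script={ind.script_name}")
```

Run as-is it prints one verdict line per sample; the two entries from the post come out as suspicious with their hostnames isolated, the constructed control as clean. The rule is deliberately narrow (both indicators must be present) so that an installer which merely opens a vendor page is not flagged on the URL alone.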

#25 Broni


Posted 30 June 2011 - 08:34 PM

Possible.
Staying away from "warez" sites would be a good idea.

#26 Punch007


Posted 01 July 2011 - 12:05 AM

My bro bought it off eBay 'cause it was going cheap... thinking it would be the normal genuine DVD :rolleyes:

#27 Broni


Posted 01 July 2011 - 12:12 AM

Aha....
