
Trainer containing srchasm.dll?


d33znhutz
07-08-2011, 08:50
Hi...

Yes, I know there are many threads about trainers showing up as false positives, and I know from how a trainer works that this is usually the case, but after having a search around I can't find any info on trainers using srchasm.dll, so I was wondering if someone could give me some info on whether this is a DLL commonly used by trainers? The only info I can find on the net about srchasm.dll is it being associated with a logger that steals bank info/passwords, but no mention of it being used commonly in trainers.

The trainer in question is Plants vs Zombies v1.2.0.1073 PLUS 10 TRAINER by BReWErS.

Anyone got any idea?

TIA

TippeX
07-08-2011, 09:18
Could just be a name clash. Srchasm could be a byte-pattern search routine written in asm, for example. Upload the file to virustotal.com to see what it says, and post the results; if it's suspicious I will take a look.
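TippeX's guess (a byte-pattern search in asm) describes what most trainers actually do: scan the game's code for a signature, with wildcards where the bytes differ between builds, and then follow the call or read the operand they need. The block below is that search in Python, added here as an example; it is not code from the trainer, from BReWErS, or from anyone in this thread. The buffer it scans is a constructed x86 fragment; in a real trainer the bytes would come from ReadProcessMemory on the game process and the base address from the module's load address.

```python
"""Wildcard byte-pattern (signature) scan over a code buffer, plus resolution of
a matched E8 rel32 call. Added example; the buffer is constructed, not game code."""
import re
from typing import List


def compile_signature(sig: str) -> "re.Pattern":
    """Turn 'E8 ?? ?? ?? ?? 8B 45 ??' into a bytes regex; '??' matches any byte.
    The zero-width lookahead makes finditer report overlapping matches as well."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok in ("?", "??") else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def find_signature(buf: bytes, sig: str, base: int = 0) -> List[int]:
    """Return the address (base + offset) of every match of sig in buf."""
    return [base + m.start() for m in compile_signature(sig).finditer(buf)]


def call_target(buf: bytes, off: int, base: int = 0) -> int:
    """Resolve the destination of the 5-byte 'E8 rel32' call at buf[off];
    rel32 is relative to the address of the instruction that follows the call."""
    if buf[off] != 0xE8:
        raise ValueError(f"no E8 call opcode at offset {off:#x}")
    rel = int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
    return base + off + 5 + rel


# Constructed sample: two small functions that call each other (not real game code).
SAMPLE_BASE = 0x00401000
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC 83 EC 08 E8 15 00 00 00 8B 45 08 5D C3"   # 0x00: push ebp; mov ebp,esp; sub esp,8; call 0x20; ...
    + "CC" * 16                                         # 0x10: int3 padding
    + "55 8B EC 83 EC 20 E8 D5 FF FF FF 8B 45 0C 5D C3" # 0x20: same prologue, sub esp,0x20, call 0x00
)
# Prologue signature with the sub operand and the call displacement wildcarded,
# so it still matches after a rebuild moves the callee.
PROLOGUE_SIG = "55 8B EC 83 EC ?? E8 ?? ?? ?? ?? 8B 45"

if __name__ == "__main__":
    for addr in find_signature(SAMPLE_CODE, PROLOGUE_SIG, SAMPLE_BASE):
        off = addr - SAMPLE_BASE
        target = call_target(SAMPLE_CODE, off + 6, SAMPLE_BASE)   # the E8 sits 6 bytes into the prologue
        print(f"match at {addr:#010x}, calls {target:#010x}")
```

This is also part of why trainers collect GameHack and generic heuristic verdicts like the ones posted below: a DLL that opens another process, reads its memory in bulk and scans it for patterns has the same shape as a memory-scraping info-stealer, so the scanner alone says nothing about intent.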

d33znhutz
07-08-2011, 09:40
I don't have the DLL anymore, I just deleted it. It didn't seem to put anything in the registry, just copied the DLL to c:\windows\srchasm\. I still have the trainer, but that comes back with a few generic detections, guessing it's because of the way it's packed, from what I read. Here are the results for the trainer anyhow...

Antivirus results (engine - version - last update - result)
AhnLab-V3 - 2011.08.07.00 - 2011.08.07 - Packed/Upack
AntiVir - 7.11.12.233 - 2011.08.05 - -
Antiy-AVL - 2.0.3.7 - 2011.08.06 - Trojan/win32.agent.gen
Avast - 4.8.1351.0 - 2011.08.07 - -
Avast5 - 5.0.677.0 - 2011.08.07 - -
AVG - 10.0.0.1190 - 2011.08.07 - Suspicion: unknown virus
BitDefender - 7.2 - 2011.08.07 - -
CAT-QuickHeal - 11.00 - 2011.08.07 - TrojanPWS.Gampass
ClamAV - 0.97.0.0 - 2011.08.07 - PUA.Packed.UPack-2
Commtouch - 5.3.2.6 - 2011.08.06 - W32/Heuristic-210!Eldorado
Comodo - 9662 - 2011.08.07 - Packed.Win32.MUPACK.~KW
DrWeb - 5.0.2.03300 - 2011.08.07 - -
Emsisoft - 5.1.0.8 - 2011.08.07 - Backdoor.Win32.Popwin!IK
eSafe - 7.0.17.0 - 2011.08.07 - Suspicious File
eTrust-Vet - 36.1.8486 - 2011.08.05 - -
F-Prot - 4.6.2.117 - 2011.08.06 - W32/Heuristic-210!Eldorado
F-Secure - 9.0.16440.0 - 2011.08.07 - -
Fortinet - 4.2.257.0 - 2011.08.07 - -
GData - 22 - 2011.08.07 - -
Ikarus - T3.1.1.104.0 - 2011.08.07 - Backdoor.Win32.Popwin
Jiangmin - 13.0.900 - 2011.08.07 - Trojan/Generic.atcq
K7AntiVirus - 9.109.4973 - 2011.08.02 - -
Kaspersky - 9.0.0.837 - 2011.08.07 - HEUR:Trojan.Win32.Generic
McAfee - 5.400.0.1158 - 2011.08.07 - Suspect-BL!C37746B6FE49
McAfee-GW-Edition - 2010.1D - 2011.08.07 - Heuristic.LooksLike.Win32.Suspicious.C
Microsoft - 1.7104 - 2011.08.07 - -
NOD32 - 6358 - 2011.08.07 - a variant of Win32/GameHack.O
Norman - 6.07.10 - 2011.08.07 - W32/Packed_Upack.A
nProtect - 2011-08-07.01 - 2011.08.07 - Trojan/W32.Agent.236624
Panda - 10.0.3.5 - 2011.08.07 - Trj/Pupack.A
PCTools - 8.0.0.5 - 2011.08.07 - Trojan-PSW.Gampass
Prevx - 3.0 - 2011.08.07 - -
Rising - 23.69.03.03 - 2011.08.04 - Suspicious
Sophos - 4.67.0 - 2011.08.07 - Sus/ComPack-C
SUPERAntiSpyware - 4.40.0.1006 - 2011.08.07 - -
Symantec - 20111.2.0.82 - 2011.08.07 - Infostealer.Gampass
TheHacker - 6.7.0.1.272 - 2011.08.06 - W32/Behav-Heuristic-060
TrendMicro - 9.200.0.1012 - 2011.08.07 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.08.07 - -
VBA32 - 3.12.16.4 - 2011.08.06 - -
VIPRE - 10094 - 2011.08.07 - Trojan.Win32.Packer.Upack0.3.9 (ep)
ViRobot - 2011.8.6.4609 - 2011.08.07 - -
VirusBuster - 14.0.156.1 - 2011.08.07 - Packed/Upack
File info:
MD5: c37746b6fe495b24e829f8af6d884e74
SHA1: 3fae205bf8a5db1d3aa577ed04a79585f13cd9f2
SHA256: 75160a71d7167fd324fe4cdef176f16ce42f6a8a6f6250ab900e5d2a6810fd87
File size: 236624 bytes
Scan date: 2011-08-07 16:27:50 (UTC)

d33znhutz
07-08-2011, 10:18
OK, got bored/curious and plugged in my old tower running XP (just to be on the safe side) and let the trainer do its thing. It installed the DLL to C:\WINDOWS\srchasst and it identifies as Microsoft Search-Assistant-Control, which is a bit weird. Uploaded the DLL to virustotal.com and here are the results.

Antivirus results (engine - version - last update - result)
AhnLab-V3 - 2011.08.07.00 - 2011.08.07 - Packed/Win32.Vmpbad
AntiVir - 7.11.12.233 - 2011.08.05 - TR/Black.Gen2
Antiy-AVL - 2.0.3.7 - 2011.08.06 - -
Avast - 4.8.1351.0 - 2011.08.07 - -
Avast5 - 5.0.677.0 - 2011.08.07 - -
AVG - 10.0.0.1190 - 2011.08.07 - -
BitDefender - 7.2 - 2011.08.07 - Gen:Trojan.Heur.lO8@uGw8r7ni
CAT-QuickHeal - 11.00 - 2011.08.07 - -
ClamAV - 0.97.0.0 - 2011.08.07 - -
Commtouch - 5.3.2.6 - 2011.08.06 - W32/SuspPack.BB.gen!Eldorado
Comodo - 9664 - 2011.08.07 - UnclassifiedMalware
DrWeb - 5.0.2.03300 - 2011.08.07 - -
Emsisoft - 5.1.0.8 - 2011.08.07 - Gen.Trojan!IK
eSafe - 7.0.17.0 - 2011.08.07 - -
eTrust-Vet - 36.1.8486 - 2011.08.05 - -
F-Prot - 4.6.2.117 - 2011.08.06 - W32/SuspPack.BB.gen!Eldorado
F-Secure - 9.0.16440.0 - 2011.08.07 - Gen:Trojan.Heur.lO8@uGw8r7ni
Fortinet - 4.2.257.0 - 2011.08.07 - -
GData - 22 - 2011.08.07 - Gen:Trojan.Heur.lO8@uGw8r7ni
Ikarus - T3.1.1.104.0 - 2011.08.07 - Gen.Trojan
Jiangmin - 13.0.900 - 2011.08.07 - Trojan/Generic.bcfy
K7AntiVirus - 9.109.4973 - 2011.08.02 - Riskware
Kaspersky - 9.0.0.837 - 2011.08.07 - HEUR:Trojan.Win32.Generic
McAfee - 5.400.0.1158 - 2011.08.07 - Generic.dx!tij
McAfee-GW-Edition - 2010.1D - 2011.08.07 - Generic.dx!tij
Microsoft - 1.7104 - 2011.08.07 - VirTool:Win32/Obfuscator.XZ
NOD32 - 6358 - 2011.08.07 - a variant of Win32/Packed.VMProtect.AAA
Norman - 6.07.10 - 2011.08.07 - W32/Suspicious.C3!genr
nProtect - 2011-08-07.01 - 2011.08.07 - -
Panda - 10.0.3.5 - 2011.08.07 - Trj/CI.A
PCTools - 8.0.0.5 - 2011.08.07 - HeurEngine.Vmpbad
Prevx - 3.0 - 2011.08.07 - -
Rising - 23.69.03.03 - 2011.08.04 - -
Sophos - 4.67.0 - 2011.08.07 - Mal/Behav-363
SUPERAntiSpyware - 4.40.0.1006 - 2011.08.07 - -
Symantec - 20111.2.0.82 - 2011.08.07 - Packed.Vmpbad!gen1
TheHacker - 6.7.0.1.272 - 2011.08.06 - Trojan/Packed.VMProtect.aaa
TrendMicro - 9.200.0.1012 - 2011.08.07 - TROJ_GEN.R47E1HD
TrendMicro-HouseCall - 9.200.0.1012 - 2011.08.07 - TROJ_GEN.R47E1HD
VBA32 - 3.12.16.4 - 2011.08.06 - -
VIPRE - 10094 - 2011.08.07 - VirTool.Win32.Obfuscator.XZ (v)
ViRobot - 2011.8.6.4609 - 2011.08.07 - -
VirusBuster - 14.0.156.1 - 2011.08.07 - -
File info:
MD5: 2280af0ec5e9ca40818112d6f3f6e027
SHA1: 469f52995b2b5f2fbde322def4dabf1a4cf3a63a
SHA256: 496a61ab617b06548ee4d64d58ca952910519b2b4f1e5dc241a91200f1b71942
File size: 183296 bytes
Scan date: 2011-08-07 17:08:17 (UTC)
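The DLL verdicts above are mostly packer detections (Packed/Win32.Vmpbad, Win32/Packed.VMProtect, VirTool:Win32/Obfuscator), while the file's version info claims to be a Microsoft Search Assistant component. A quick offline check for exactly that combination is to walk the PE headers yourself: list the sections, compute each section's entropy, and see whether a certificate table (embedded Authenticode signature) is present. The block below is an added example, not code from the thread or from the trainer's authors. Because the real srchasm.dll is not on this page, it analyses a constructed PE32 image produced by build_sample_pe(); the packer section-name list and the 7.0-bit entropy threshold are the example's own heuristics.

```python
"""Offline PE triage for a dropped DLL: section names, per-section entropy and
whether an Authenticode signature is embedded. Added example; the image it
analyses is constructed by build_sample_pe(), not the real srchasm.dll."""
import math
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # Certificate Table: embedded Authenticode
# Section names these packers/protectors are known to create (heuristic list).
PACKER_SECTION_NAMES = {
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    "UPX0": "UPX", "UPX1": "UPX", ".Upack": "Upack", ".ByDwing": "Upack",
    ".aspack": "ASPack", ".adata": "ASPack", ".themida": "Themida", ".petite": "Petite",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~5-6 for plain x86 code."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> Dict:
    """Minimal header walk: COFF header, optional header (PE32/PE32+), Security
    data directory and the section table. Raises on non-PE input."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)             # first data directory
    ndirs = struct.unpack_from("<I", image, dd - 4)[0]    # NumberOfRvaAndSizes
    sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_size = struct.unpack_from("<II", image, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)[1]
    sections = []
    for i in range(nsect):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[hdr[4]:hdr[4] + hdr[3]]                # PointerToRawData, SizeOfRawData
        sections.append({"name": hdr[0].rstrip(b"\0").decode("latin-1"), "raw_size": hdr[3],
                         "entropy": round(shannon_entropy(raw), 2),
                         "executable": bool(hdr[9] & IMAGE_SCN_MEM_EXECUTE)})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "has_authenticode": sec_size > 0, "sections": sections}


def triage(image: bytes) -> Dict:
    """Flag known packer section names, and executable sections that look encrypted."""
    info = parse_pe(image)
    findings: List[str] = []
    for s in info["sections"]:
        packer = PACKER_SECTION_NAMES.get(s["name"])
        if packer:
            findings.append(f"section {s['name']}: name used by {packer}")
        elif s["executable"] and s["entropy"] > 7.0:
            findings.append(f"section {s['name']}: executable with entropy {s['entropy']}")
    info["findings"], info["looks_packed"] = findings, bool(findings)
    return info


def build_sample_pe(sections: List[Tuple[str, bytes, bool]], signed: bool = False) -> bytes:
    """Construct a minimal PE32 DLL image for testing (valid headers, nothing runs).
    `signed` only fills the Security directory with dummy values to exercise the check."""
    nsect, opt_size, align = len(sections), 224, 0x200
    raw_ptr = (0x80 + 24 + opt_size + 40 * nsect + align - 1) & ~(align - 1)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x2102)  # i386, DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x100)
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, data, executable in sections:
        size = (len(data) + align - 1) & ~(align - 1)
        chars = 0x60000020 if executable else 0x40000040         # CODE|EXEC|READ vs IDATA|READ
        table += struct.pack("<8sIIIIIIHHI", name.encode()[:8].ljust(8, b"\0"), len(data), va,
                             size, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(size, b"\0")
        va += 0x1000
    head = dos + b"PE\0\0" + coff + opt + table
    return bytes(head.ljust(raw_ptr, b"\0") + body)


# Constructed section contents: a low-entropy stub, and a uniform byte stream standing
# in for VMProtect-encrypted code (each value 16 times over 4096 bytes -> entropy 8.0).
PLAIN_CODE = b"plain x86 stub; " * 96
ENCRYPTED_LIKE = bytes((i * 131 + 7) & 0xFF for i in range(4096))
SAMPLE_VMP_DLL = build_sample_pe([(".text", PLAIN_CODE, True), (".vmp0", ENCRYPTED_LIKE, True)])
SAMPLE_CLEAN_DLL = build_sample_pe([(".text", PLAIN_CODE, True), (".data", PLAIN_CODE, False)], signed=True)

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_VMP_DLL
    print(triage(image))
```

Saved as, say, pe_triage.py, it runs on a real file with `python pe_triage.py srchasm.dll`. Two caveats when reading the output: Windows system DLLs are usually catalog-signed rather than carrying an embedded signature, so `has_authenticode` being False is weak evidence on its own; and a protector can rename its sections, which is why the entropy check is kept alongside the name list. The combination reported for this sample, a file presenting itself as a Microsoft component whose code sits in VMProtect sections, is not something Microsoft does with its own system files, which is what makes the "Search Assistant" identity the real warning sign rather than the packer verdicts themselves.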

Joe Forster/STA
07-08-2011, 18:47
Yeah, weird: Micro$oft executables are rarely encrypted, especially with serious stuff like VMProtect!

STN
14-08-2011, 09:33
It's the DLL the trainer uses for its hacks. I can recall BREWERS used DLL injection in their trainer and named their DLL srchasm.dll so no one would find it. As long as you got the trainer from GCW, you should be fine.

I find it weird Brew decided to do that instead of just using brew.dll or something like that, which most groups do.

darkedone02
16-08-2011, 18:14
Is it actually Brewers himself, or a teammate of his under the Brewers name?

h4x0r #
03-09-2011, 12:56
More information on deleting this file HERE (http://virus-com.com/viruscom/viruscom_93644.html)

lol? Ikarus: Backdoor.Bifrost (I can read this detection HERE (http://virus-com.com/viruscom/viruscom_93644.html)). Is this true? Bifrost is a trojan...