tobor

Everything posted by tobor

  1. setup.exe is the flagged file. https://www.virustotal.com/en/file/0197f29e067696acbf61d889b71ab13218ac34be6d3370ae4032adc02412a745/analysis/ winhex.zip
  2. This document should help you: http://www.mcafee.com/us/resources/reports/rp-predicting-stealth-attacks.pdf It goes over history of rootkit techniques. I think most modern rootkits use IRP hooking; SSDT/IAT hooks are trivial to bypass.
  3. If you right-click in the scan results, there is a 'check all items' option.
  4. Part of the guest additions for Virtual Box. File and log attached. mbam-log-2011-10-28 (11-40-45).zip
  5. For disassembling .NET projects, I would recommend ILSpy. It's easy to use and very good. You can also try Red Gate's Reflector, but it is no longer free (comes with a trial though).
  6. Well, not anymore it isn't, now that you've posted it. You should PM a Malwarebytes staff member instead.
  7. I think this was for the old RogueRemover section. I think he moved all the topics from RogueRemover in here. This sticky should probably be deleted. Unless I'm wrong, it would be horrible if the general chat was removed.
  8. Wow you guys are fast. Thanks!
  9. This is a setup for a legit application, it doesn't install any adware. http://rapidshare.de/files/48043693/epidemosetup.exe.html
  10. He should have been using Relakks...
  11. I'm not sure why MBAM can't update on a limited account; it stores its database in the all-users application data folder, which can be written to from the Guest account (I just tried creating a text file, and it worked). I think it's best to run MBAM under an admin account, since it needs to load its driver for direct disk access. Programs that are run under limited accounts do not have permission to load drivers (I think, not 100% sure). Also, if you run it under an admin account, you shouldn't have to run it on any other user's account, since MBAM is capable of finding the paths to other users' files (open MBAM, go to the 'More Tools' tab, and click 'Collect Information'. It will find everyone's folder locations).
  12. I kind of doubt Evidence Eliminator is a rogue also, they make use of one of Eldos's drivers for direct disk access, and that costs hundreds of dollars. Doesn't quite seem like something a rogue would do.
  13. I think I found a small bug, when you try to close the protection module via the tray icon, the service still runs in the background, using up cpu when processes start.
  14. It's working well for me (Vista 32 bit). The protection module's CPU usage spikes 4-12% when I start a process, but it doesn't seem to slow down execution at all. Oh yeah, it just took out Trojan.Agent.H, so A++ for the new heuristics.
  15. EDIT: You can still use File Assassin, just don't use the one built into MBAM. Download File Assassin and drag a file into the text box. Try File Assassin before Hazard Shield; it works much better.
  16. You could try using Hazard Shield's file killer. You can drag the corrupted files into the file killer box to avoid opening them with the open file dialog. Secure shredder might help, I'm not sure.
  17. Malwarebytes' Anti-Malware 1.34
      Database version: 1820
      Windows 6.0.6001 Service Pack 1

      3/5/2009 10:42:11 AM
      mbam-log-2009-03-05 (10-42-09).txt

      Scan type: Quick Scan
      Objects scanned: 12954
      Time elapsed: 38 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)

      Files Infected:
      C:\Users\Andy\Desktop\vcredist_x86.exe (Trojan.Vundo) -> No action taken.
  18. tobor

    activeX

    Malwarebytes AM found 700 items, all in ActiveX compatibility. I had to upload an attachment because it was too long for the post. log_8.7.2007__10251_.txt