

Antivir detected TR\Spy.Agent.azob.2


  • This topic is locked
6 replies to this topic

#1 mazorra

mazorra

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 31 August 2009 - 01:29 PM

hi,

I'm running Windows XP Pro SP2 on a Pentium4. As you can see I have Antivir installed, the free edition, and it's been telling me the whole day that I've been infected, more precisely, it says:

C:\WINDOWS\system32\ms32clod.exe
Is the TR/Spy.Agent.azob.2 Trojan

This morning I installed an update for the Java virtual machine, so I'm guessing that is where I got fooled :S
I've successfully deleted all the files in the C:\Archivos de Programa\Java folder (yeah, it's in Spanish :S, it just says Program Files) using Unlocker to get access to them. I tried deleting the ms32clod.dll file as well, but when I rebooted it was back. It is just a guess, but I think at least explorer.exe, taskmgr.exe, firefox.exe and Belkinwcui.exe (the process of my WiFi module) have already been infected. I say so because Antivir pops up a message every time I activate any of these processes.

Apart from that, I had been having many problems with several messenger programs (Windows Live Messenger, MSN Messenger 7, even Windows Messenger); they would crash directly after logging in, but I don't think that has much to do with this actual problem ...

Thanks in advance for any course of action you could propose to me; I'll start looking around the forum.

EDIT: I forgot to mention that Safe Mode doesn't seem to be available; I've even tried powering down the computer while running to force entry into Safe Mode and it ignored me completely.

Edited by mazorra, 31 August 2009 - 01:42 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:07 PM

Posted 31 August 2009 - 04:04 PM

Hello, I am already suspicious of the newest rootkit.
We need to check for rootkits with RootRepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 mazorra

mazorra
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 31 August 2009 - 05:08 PM

OK, all done. I don't get much of what it says, but it seems to have found something. I don't seem to find any way to attach the *.txt file, so I'm just going to copy the report directly here; hope that's not a problem. Thanks for your help boopme.




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 23:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD67000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D69000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA846C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7f5c246

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7f5c23c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7f5c24b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7f5c255

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7f5c25a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7f5c228

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7f5c22d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7f5c264

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7f5c25f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7f5c250

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7f5c237

==EOF==
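The RootRepeal log above lists eleven SSDT entries (registry key, process and thread services) that were hooked by a module RootRepeal could not name, with every hook target inside a 60-byte range from 0xf7f5c228 to 0xf7f5c264. A tight cluster of unattributed hooks on exactly those services is the pattern a helper looks for before asking for further scans. As an added example (not part of this thread and not RootRepeal's own code), the Python below parses the SSDT section of such a log, groups hooks by the module RootRepeal attributed them to, and reports how tightly their targets cluster. The sample log is a constructed excerpt in the same shape as the one posted; the `examplefilter.sys` entry is invented to show an attributed hook beside the unknown ones, and the literal `<unknown>` token is assumed to be RootRepeal's marker for an address it could not map to a loaded module.

```python
"""Triage the SSDT section of a RootRepeal log.

Added example, not part of the original thread and not RootRepeal's own code.
It parses the '#: NNN Function Name: ...' / 'Status: Hooked by ...' pairs under
the SSDT heading, groups hooks by the module RootRepeal attributed them to and
reports how tightly the hook targets cluster.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the log posted above. The entry hooked by
# "examplefilter.sys" is invented, to show an attributed hook next to unknown ones.
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 23:56
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA846C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7f5c246

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7f5c228

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7f5c237

#: 300 Function Name: NtExampleService
Status: Hooked by "examplefilter.sys" at address 0xb9a01230

==EOF==
"""

# One hooked entry: the "#:" line followed by its "Status:" line.
HOOK_RE = re.compile(
    r'^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)\s+'
    r'Status:\s*Hooked by\s*"(?P<module>[^"]*)"\s*at address\s*'
    r'(?P<addr>0x[0-9a-fA-F]+)',
    re.MULTILINE,
)

# The top-level SSDT section: from its dashed underline up to the next
# heading (a line followed by a dashed underline) or the ==EOF== marker.
SECTION_RE = re.compile(
    r'^SSDT\n-+\n(?P<body>.*?)(?=^\S[^\n]*\n-+\n|^==EOF==|\Z)',
    re.MULTILINE | re.DOTALL,
)

def ssdt_section(log_text):
    """Return the body of the SSDT section, or '' if the log has none."""
    m = SECTION_RE.search(log_text)
    return m.group('body') if m else ''

def parse_hooks(log_text):
    """One dict per hooked SSDT entry, in log order."""
    return [{'index': int(m['index']), 'function': m['func'],
             'module': m['module'], 'address': int(m['addr'], 16)}
            for m in HOOK_RE.finditer(ssdt_section(log_text))]

def summarize(hooks):
    """Group hooks by attributed module: count, functions and address spread."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h['module']].append(h)
    summary = {}
    for module, entries in by_module.items():
        addrs = [e['address'] for e in entries]
        summary[module] = {
            'count': len(entries),
            'functions': sorted(e['function'] for e in entries),
            'span': max(addrs) - min(addrs),  # bytes from lowest to highest target
            'unattributed': module == '<unknown>',  # assumed RootRepeal marker
        }
    return summary

def unattributed_modules(summary):
    """Modules RootRepeal could not name: the hooks worth a second look."""
    return sorted(m for m, s in summary.items() if s['unattributed'])

if __name__ == '__main__':
    for module, s in summarize(parse_hooks(SAMPLE_LOG)).items():
        tag = 'UNATTRIBUTED' if s['unattributed'] else 'attributed'
        print(f"{module}: {s['count']} hook(s) within {s['span']} bytes, {tag}")
```

Run against the full log posted above, `summarize` reports a single `<unknown>` group of eleven hooks spanning 60 bytes; a legitimate security driver that hooks the same services is normally attributed by name, which is why the unattributed group is the one to follow up on rather than treat as a verdict by itself.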

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:07 PM

Posted 01 September 2009 - 09:56 PM

Hello.
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Now rerun RootRepeal... Under Scan select ONLY Files.

#5 mazorra

mazorra
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 02 September 2009 - 05:12 AM

Eeeeehhhh, well, here is the thing: I've been working in parallel with another Spanish spyware forum and right now everything has changed a little bit. They helped get rid of the ms32clod.dll infection, but as we did so, more infections popped up. I'll tell you what we've done.

- First they told me to install CCleaner and get rid of all temporary files, cookies and so on, and also run the Registry cleanup and let it solve any problems that it encountered.

- Second came the MBAM, a complete scan with it and clean up anything it found. Here is the log:

Malwarebytes' Anti-Malware 1.40
Versión de la Base de Datos: 2725
Windows 5.1.2600 Service Pack 2

01/09/2009 18:04:07
mbam-log-2009-09-01 (18-04-07).txt

Tipo de examen : Examen Completo (C:\|)
Objetos examinados: 118958
Tiempo transcurrido: 51 minute(s), 21 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 1
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{99esp9c2-4fed-15cf-aae5-62cb5f2x4512} (Generic.Bot.H) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
(No se han detectado elementos maliciosos)


- Third, a complete scan with Panda's ActiveScan (they said Panda or Kaspersky, I chose Panda), and it yielded this report:


;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-09-01 22:19:51
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 2
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
AntiVir Desktop 9.0.1.32 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\Desktop.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP10\A0005863.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP11\A0005875.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP11\A0005881.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP11\A0005908.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP12\A0006000.ini
02353127 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\48sj1npk.tmp
02353127 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP32\A0008839.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\p0uswjc8.tmp
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\4fx24azb.tmp
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location h
;================================================= ================================================== ================================================== ==============================
No C:\WINDOWS\system32\ms32clod.dll h
No C:\Documents and Settings\mazawer\Escritorio\programas\AudioVideo\Quicktime 6.0+Keygen\Quicktime Pro 7.0+Keygen\Quicktime Keygen.exe
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description h
;================================================= ================================================== ================================================== ==============================
211784 HIGH MS09-032 h
211781 HIGH MS09-029 h
210625 HIGH MS09-026 h
210624 HIGH MS09-025 h
210621 HIGH MS09-022 h
210618 HIGH MS09-019 h
208380 HIGH MS09-015 h
208379 HIGH MS09-014 h
208378 HIGH MS09-013 h
208377 HIGH MS09-012 h
206981 HIGH MS09-007 h
206980 HIGH MS09-006 h
204670 HIGH MS09-001 h
203806 HIGH MS08-078 h
203508 HIGH MS08-073 h
203505 HIGH MS08-071 h
202465 HIGH MS08-068 h
201683 HIGH MS08-067 h
201258 HIGH MS08-066 h
201256 HIGH MS08-064 h
201255 HIGH MS08-063 h
201253 HIGH MS08-061 h
201250 HIGH MS08-058 h
209275 HIGH MS08-049 h
209273 HIGH MS08-045 h
196455 MEDIUM MS08-037 h
194862 HIGH MS08-032 h
194861 HIGH MS08-031 h
194860 HIGH MS08-030 h
191618 HIGH MS08-025 h
191617 HIGH MS08-024 h
191616 HIGH MS08-023 h
191614 HIGH MS08-021 h
191613 HIGH MS08-020 h
187735 HIGH MS08-010 h
187733 HIGH MS08-008 h
184380 MEDIUM MS08-002 h
184379 MEDIUM MS08-001 h
182048 HIGH MS07-069 h
182046 HIGH MS07-067 h
179553 HIGH MS07-061 h
176383 HIGH MS07-058 h
176382 HIGH MS07-057 h
170911 HIGH MS07-050 h
170907 HIGH MS07-046 h
170906 HIGH MS07-045 h
170904 HIGH MS07-043 h
164915 HIGH MS07-035 h
164913 HIGH MS07-033 h
164911 HIGH MS07-031 h
160623 HIGH MS07-027 h
157262 HIGH MS07-022 h
157261 HIGH MS07-021 h
157260 HIGH MS07-020 h
157259 HIGH MS07-019 h
156477 HIGH MS07-017 h
150253 HIGH MS07-016 h
150249 HIGH MS07-013 h
150248 HIGH MS07-012 h
150247 HIGH MS07-011 h
150243 HIGH MS07-008 h
150242 HIGH MS07-007 h
150241 MEDIUM MS07-006 h
141033 MEDIUM MS06-075 h
141030 HIGH MS06-072 h
137571 HIGH MS06-070 h
137568 HIGH MS06-067 h
133387 MEDIUM MS06-065 h
133386 MEDIUM MS06-064 h
133385 MEDIUM MS06-063 h
133379 HIGH MS06-057 h
131654 HIGH MS06-055 h
129977 MEDIUM MS06-053 h
129976 MEDIUM MS06-052 h
126093 HIGH MS06-051 h
126092 MEDIUM MS06-050 h
126087 HIGH MS06-046 h
108738 HIGH MS06-004 h
126083 HIGH MS06-042 h
126082 HIGH MS06-041 h
126081 HIGH MS06-040 h
123421 HIGH MS06-036 h
123420 HIGH MS06-035 h
120825 MEDIUM MS06-032 h
120823 MEDIUM MS06-030 h
120818 HIGH MS06-025 h
120815 HIGH MS06-022 h
120814 HIGH MS06-021 h
117384 MEDIUM MS06-018 h
114666 HIGH MS06-015 h
114664 HIGH MS06-013 h
108738 HIGH MS06-004 h
108738 HIGH MS06-004 h
108738 HIGH MS06-004 h
104567 HIGH MS06-002 h
104237 HIGH MS06-001 h
96574 HIGH MS05-053 h
93395 HIGH MS05-051 h
93454 MEDIUM MS05-049 h
;================================================= ================================================== ================================================== ==============================



- Fourth came OTM.exe, where I had to enter a little bit of code for it to set some files to quarantine. Here is the code and, after the line of *, the report:

:files
C:\Documents and Settings\mazawer\Escritorio\programas\AudioVideo\Quicktime 6.0+Keygen\Quicktime Pro 7.0+Keygen\Quicktime Keygen.exe
C:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\Desktop.ini
C:\WINDOWS\system32\48sj1npk.tmp
C:\WINDOWS\system32\4fx24azb.tmp
C:\WINDOWS\system32\ms32clod.dll
C:\WINDOWS\system32\p0uswjc8.tmp
:commands
[emptytemp]
[purity]
[Reboot]

***********************************************************************************************************************************

All processes killed
========== FILES ==========
C:\Documents and Settings\mazawer\Escritorio\programas\AudioVideo\Quicktime 6.0+Keygen\Quicktime Pro 7.0+Keygen\Quicktime Keygen.exe moved successfully.
C:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\Desktop.ini moved successfully.
C:\WINDOWS\system32\48sj1npk.tmp moved successfully.
C:\WINDOWS\system32\4fx24azb.tmp moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ms32clod.dll
C:\WINDOWS\system32\ms32clod.dll NOT unregistered.
C:\WINDOWS\system32\ms32clod.dll moved successfully.
C:\WINDOWS\system32\p0uswjc8.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 76984 bytes

User: mazawer
->Temp folder emptied: 853993 bytes
->Temporary Internet Files folder emptied: 2185714 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 91137786 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119389 bytes
%systemroot%\System32 .tmp files removed: 1471357 bytes
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 92,44 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09022009_002720

Files moved on Reboot...

Registry entries deleted on Reboot...



- Finally we used OTC.exe to remove on startup all the files in quarantine and both applications, OTM.exe and OTC.exe.


After that I just repeated both scans, with mbam and Panda's active scan and here are the results:


Malwarebytes' Anti-Malware 1.40
Versión de la Base de Datos: 2725
Windows 5.1.2600 Service Pack 2

02/09/2009 3:41:18
mbam-log-2009-09-02 (03-41-18).txt

Tipo de examen : Examen Completo (C:\|)
Objetos examinados: 119121
Tiempo transcurrido: 1 hour(s), 25 minute(s), 53 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
(No se han detectado elementos maliciosos)


;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-09-02 1139
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 6
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
AntiVir Desktop 9.0.1.32 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP11\A0005875.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP11\A0005881.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP11\A0005908.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP12\A0006000.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP37\A0010470.ini
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP10\A0005863.ini
02353127 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP32\A0008839.dll
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location Z
;================================================= ================================================== ================================================== ==============================
No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP37\A0010469.dll Z
No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP37\A0010471.exe Z
No C:\WINDOWS\system32\perfc5932.dat Z
No C:\WINDOWS\system32\win32xcpw.exe Z
No C:\WINDOWS\system32\winxp32cpert.exe Z
No C:\WINDOWS\system32\winxp32sndpc.exe Z
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description Z
;================================================= ================================================== ================================================== ==============================
212530 HIGH MS09-034 Z
211784 HIGH MS09-032 Z
211781 HIGH MS09-029 Z
210625 HIGH MS09-026 Z
210624 HIGH MS09-025 Z
210621 HIGH MS09-022 Z
210618 HIGH MS09-019 Z
208380 HIGH MS09-015 Z
208379 HIGH MS09-014 Z
208378 HIGH MS09-013 Z
208377 HIGH MS09-012 Z
206981 HIGH MS09-007 Z
206980 HIGH MS09-006 Z
204670 HIGH MS09-001 Z
203806 HIGH MS08-078 Z
203508 HIGH MS08-073 Z
203505 HIGH MS08-071 Z
202465 HIGH MS08-068 Z
201683 HIGH MS08-067 Z
201258 HIGH MS08-066 Z
201256 HIGH MS08-064 Z
201255 HIGH MS08-063 Z
201253 HIGH MS08-061 Z
201250 HIGH MS08-058 Z
209275 HIGH MS08-049 Z
209273 HIGH MS08-045 Z
196455 MEDIUM MS08-037 Z
194862 HIGH MS08-032 Z
194861 HIGH MS08-031 Z
194860 HIGH MS08-030 Z
191618 HIGH MS08-025 Z
191617 HIGH MS08-024 Z
191616 HIGH MS08-023 Z
191614 HIGH MS08-021 Z
191613 HIGH MS08-020 Z
187735 HIGH MS08-010 Z
187733 HIGH MS08-008 Z
184380 MEDIUM MS08-002 Z
184379 MEDIUM MS08-001 Z
182048 HIGH MS07-069 Z
182046 HIGH MS07-067 Z
179553 HIGH MS07-061 Z
176383 HIGH MS07-058 Z
176382 HIGH MS07-057 Z
170911 HIGH MS07-050 Z
170907 HIGH MS07-046 Z
170906 HIGH MS07-045 Z
170904 HIGH MS07-043 Z
164915 HIGH MS07-035 Z
164913 HIGH MS07-033 Z
164911 HIGH MS07-031 Z
160623 HIGH MS07-027 Z
157262 HIGH MS07-022 Z
157261 HIGH MS07-021 Z
157260 HIGH MS07-020 Z
157259 HIGH MS07-019 Z
156477 HIGH MS07-017 Z
150253 HIGH MS07-016 Z
150249 HIGH MS07-013 Z
150248 HIGH MS07-012 Z
150247 HIGH MS07-011 Z
150243 HIGH MS07-008 Z
150242 HIGH MS07-007 Z
150241 MEDIUM MS07-006 Z
141033 MEDIUM MS06-075 Z
141030 HIGH MS06-072 Z
137571 HIGH MS06-070 Z
137568 HIGH MS06-067 Z
133387 MEDIUM MS06-065 Z
133386 MEDIUM MS06-064 Z
133385 MEDIUM MS06-063 Z
133379 HIGH MS06-057 Z
131654 HIGH MS06-055 Z
129977 MEDIUM MS06-053 Z
129976 MEDIUM MS06-052 Z
126093 HIGH MS06-051 Z
126092 MEDIUM MS06-050 Z
126087 HIGH MS06-046 Z
108738 HIGH MS06-004 Z
126083 HIGH MS06-042 Z
126082 HIGH MS06-041 Z
126081 HIGH MS06-040 Z
123421 HIGH MS06-036 Z
123420 HIGH MS06-035 Z
120825 MEDIUM MS06-032 Z
120823 MEDIUM MS06-030 Z
120818 HIGH MS06-025 Z
120815 HIGH MS06-022 Z
120814 HIGH MS06-021 Z
117384 MEDIUM MS06-018 Z
114666 HIGH MS06-015 Z
114664 HIGH MS06-013 Z
108738 HIGH MS06-004 Z
108738 HIGH MS06-004 Z
108738 HIGH MS06-004 Z
104567 HIGH MS06-002 Z
104237 HIGH MS06-001 Z
96574 HIGH MS05-053 Z
93395 HIGH MS05-051 Z
93454 MEDIUM MS05-049 Z
;================================================= ================================================== ================================================== ==============================



As you can see, Malwarebytes doesn't find anything else, but the ActiveScan is still pointing at some stuff. I'm still waiting for their response. I hope it is not a problem that I was so impatient and kept on looking for solutions, but I would understand it if you didn't want to go on with this problem.

Thanks for the time taken.


EDIT: I forgot, I ran RootRepeal after all this and it didn't find anything suspicious.

Edited by mazorra, 02 September 2009 - 05:17 AM.
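The two ActiveScan reports above mix three kinds of finding: files on the live system (system32, the RECYCLER folder, the user's profile), copies inside System Restore snapshots under System Volume Information\_restore{...}, which any scanner keeps reporting until the restore points are purged, and a long list of unpatched Microsoft security bulletins. That split is what explains the second report: every remaining MALWARE row is a restore-point copy, while the new entries on the running system all sit under SUSPECTS. As an added example (not part of this thread and not Panda's code), the Python below parses that report layout and buckets each detected location by where it lives. The sample report is constructed from a few rows of the reports above with the separator lines shortened; the assumption that the stray trailing "h"/"Z" column is a paste artefact, and the path patterns used to classify locations, are this example's own.

```python
"""Triage a Panda ActiveScan report: live-system hits versus restore-point copies.

Added example, not part of the original thread and not Panda's code. It parses
the section layout of the reports posted above and sorts each detected location
by where it lives: copies under System Volume Information\_restore are System
Restore snapshots, which a scanner keeps reporting until the restore points go.
"""
from collections import defaultdict

SECTIONS = ('PROTECTIONS', 'MALWARE', 'SUSPECTS', 'VULNERABILITIES')

# Constructed sample in the shape of the reports above, reusing a few of their
# rows; the long ;*** and ;=== separator lines are shortened.
SAMPLE_REPORT = r"""
;*****
ANALYSIS: 2009-09-02 1139
MALWARE: 3
SUSPECTS: 2
;*****
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP11\A0005875.ini
02353127 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\48sj1npk.tmp
02111504 W32/AutoRun.APJ.worm Virus/Worm No 0 Yes No C:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\Desktop.ini
;=====
SUSPECTS
Sent Location Z
;=====
No C:\System Volume Information\_restore{F4B0F41C-E192-4492-9742-E8C23905BC53}\RP37\A0010469.dll Z
No C:\WINDOWS\system32\win32xcpw.exe Z
;=====
VULNERABILITIES
Id Severity Description Z
;=====
212530 HIGH MS09-034 Z
196455 MEDIUM MS08-037 Z
;=====
"""

def _strip_trailer(field):
    """Drop the stray one-character column ("h", "Z") the pasted reports carry (assumed artefact)."""
    head, _, tail = field.rpartition(' ')
    return head if head and len(tail) == 1 else field

def _parse_row(section, line):
    """Split one table row; the location comes last and may contain spaces."""
    if section == 'MALWARE':
        sid, name, kind, active, sev, _fixable, _fixed, loc = line.split(' ', 7)
        return {'id': sid, 'name': name, 'type': kind, 'active': active == 'Yes',
                'severity': int(sev), 'location': _strip_trailer(loc)}
    if section == 'SUSPECTS':
        sent, loc = line.split(' ', 1)
        return {'sent': sent == 'Yes', 'location': _strip_trailer(loc)}
    if section == 'VULNERABILITIES':
        vid, sev, desc = line.split(' ', 2)
        return {'id': vid, 'severity': sev, 'bulletin': _strip_trailer(desc)}
    return {'raw': line}                        # PROTECTIONS rows kept verbatim

def parse_report(text):
    """Return {section: [row dicts]} for the tables in the report."""
    rows = {name: [] for name in SECTIONS}
    section, expect_header = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue                            # blank or separator line
        if line in SECTIONS:
            section, expect_header = line, True
            continue
        if section is None or expect_header:
            expect_header = False               # top summary, or a column header
            continue
        rows[section].append(_parse_row(section, line))
    return rows

def classify(location):
    """Where a detected file lives, which decides how the hit is treated."""
    low = location.lower()
    if '\\system volume information\\_restore' in low:
        return 'restore_point'                  # snapshot copy, not the live file
    if '\\recycler\\' in low:
        return 'recycle_bin'
    if '\\windows\\system32\\' in low:
        return 'system32'
    return 'other'

def triage(text):
    """Bucket every MALWARE and SUSPECTS location by classify()."""
    rows, buckets = parse_report(text), defaultdict(list)
    for section in ('MALWARE', 'SUSPECTS'):
        for row in rows[section]:
            buckets[classify(row['location'])].append((section, row['location']))
    return dict(buckets)

def live_findings(text):
    """Locations outside restore snapshots: what still needs a look on the live system."""
    return sorted(loc for bucket, hits in triage(text).items()
                  if bucket != 'restore_point' for _, loc in hits)

if __name__ == '__main__':
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(bucket, *(f'\n    [{s}] {loc}' for s, loc in hits))
```

Applied to the second report above, `live_findings` returns only the four system32 suspects, since every MALWARE row there is a restore-point copy; the VULNERABILITIES rows parse into bulletin ids that can be checked off against the Microsoft updates installed on the machine.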


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:07 PM

Posted 02 September 2009 - 08:54 AM

Hello, I did not mind working with you. You look clean now. I see that you use keygens... these will have you reinfected in no time. You were fortunate here not to have contracted an incurable such as Virut.
I feel though that you should stick to one forum, as it takes time to look at these logs and figure out the next steps. It's not fair to your helper and others in need. As they have you in good shape, let them finish.
Thanks for visiting us.

#7 mazorra

mazorra
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 02 September 2009 - 10:05 AM

Ok, thanks for everything, and sorry for my impatience; from now on I'll serialize my visits to different forums instead of parallelizing them. Till next time.

Thread to be closed.



