taskman.exe virus reinstalls itself after malwarebytes disinfects


8 replies to this topic

#1 Richard Sharpe

Richard Sharpe

  • Members
  • 16 posts

Posted 01 April 2009 - 01:44 AM

WinXP system with SP3. Malwarebytes finds five problems, including a couple of hijack etc stuff.

Reboots and I can run TaskManager once, but then it is reinfected.

Taskman.exe and regedit.exe both exist and have a date of 4/14/2008 at 5 PM, and lots of other weird files exist.

How can I delete this stuff?


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 April 2009 - 01:36 PM

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Please download and scan with Dr.Web CureIt.
Follow the instructions here for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Richard Sharpe

Richard Sharpe
  • Topic Starter

  • Members
  • 16 posts

Posted 01 April 2009 - 11:19 PM

OK, thanks. I will upload the log.

I cannot get into safe mode. System just reboots if I try.

Anything I run on the first reboot after MBAM cleans out the registry entries etc, seems to re-infect. Just bringing up a command prompt is enough.

#4 Richard Sharpe

Richard Sharpe
  • Topic Starter

  • Members
  • 16 posts

Posted 01 April 2009 - 11:46 PM

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.35
Database version: 1926
Windows 5.1.2600 Service Pack 3

3/31/2009 10:16:18 PM
mbam-log-2009-03-31 (22-16-18).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 244941
Time elapsed: 1 hour(s), 27 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Also, Dr Web Cureit claimed that I had a lot of instances of Win32.Sector.17.
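The five "Registry Data Items" in the log above are policy and notification switches, not malware files: the two HKCU values block regedit.exe and taskmgr.exe for the logged-on user, and the three Security Center values silence the antivirus, firewall and update warnings. An added example, not part of the thread and not Malwarebytes' own code, is the PowerShell script below, which checks exactly those five values and, only when run with -Fix, resets them to the "Good" value MBAM reports (0). It assumes Windows PowerShell with the registry provider (on XP that means installing PowerShell 2.0) and an elevated prompt for the HKLM writes; the script is read-only otherwise.

```powershell
# Added example (not from the thread): check, and with -Fix reset, the five
# registry values that the MBAM log reported as hijacked. Run elevated.
param([switch]$Fix)

# Key, value name, the value MBAM restored ("Good: (0)"), and MBAM's label for it.
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools';   Good = 0; Tag = 'Hijack.Regedit' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';         Good = 0; Tag = 'Hijack.TaskManager' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                        Name = 'AntiVirusDisableNotify'; Good = 0; Tag = 'Disabled.SecurityCenter' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                        Name = 'FirewallDisableNotify';  Good = 0; Tag = 'Disabled.SecurityCenter' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                        Name = 'UpdatesDisableNotify';   Good = 0; Tag = 'Disabled.SecurityCenter' }
)

foreach ($c in $checks) {
    # A missing value means the policy is simply not set, which is the clean state.
    $current = $null
    if (Test-Path $c.Key) {
        $current = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($null -eq $current -or $current -eq $c.Good) {
        Write-Output ("OK    {0}\{1} = {2}" -f $c.Key, $c.Name, $current)
        continue
    }
    Write-Output ("BAD   {0}\{1} = {2}  ({3})" -f $c.Key, $c.Name, $current, $c.Tag)
    if ($Fix) {
        Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Good -Type DWord
        Write-Output ("FIXED {0}\{1} -> {2}" -f $c.Key, $c.Name, $c.Good)
    }
}
```

Save it as, say, Check-Hijacks.ps1, run it once to see the state, then with -Fix to repair. The useful part is running it again after a reboot: if the values come back to 1, the thing that sets them is still starting with the system, which is the situation the original poster describes, and cleaning the values is treating a symptom. The HKCU entries are checked for the user running the script, so run it as the affected account.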

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 April 2009 - 09:51 AM

Please post the results of the DrWebCureIt scan.

Your MBAM log indicates you are using an outdated database version. Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Your database shows 1926. Last I checked it was 1932.

#6 Richard Sharpe

Richard Sharpe
  • Topic Starter

  • Members
  • 16 posts

Posted 04 April 2009 - 11:14 AM

Looks like there might be several separate infections.

I ran the Dr Web boot CD (was great to see Linux in there) and cleaned or deleted some 1200 or more files. Now the system runs better, but it still has the flash infection and even after running MBAM and cleaning the machine I still cannot run task manager.

I will rerun the flash disinfector and the latest copy of MBAM to see what happens.

#7 Richard Sharpe

Richard Sharpe
  • Topic Starter

  • Members
  • 16 posts

Posted 04 April 2009 - 07:08 PM

Hmm, it might have been the java preloader service (now disabled) that was reintroducing the viruses.

I installed the Sysinternals procexp tool and noticed lots of weird processes being started when it was running (they were being attached against other processes). It has stopped since I killed that process.
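What the poster did by eye in Process Explorer, finding an auto-start service that kept spawning things, can be done systematically: list everything that starts with the machine or the user, resolve it to a binary on disk, and check whether that binary carries a valid Authenticode signature. The PowerShell below is an added example, not code from the thread or from Sysinternals; it is read-only and assumes Windows PowerShell (it avoids PowerShell 3.0 syntax so it also runs on the 2.0 release available for XP) and an elevated prompt so that all services are visible.

```powershell
# Added example (not from the thread): auto-start services and Run-key entries,
# each resolved to its executable and checked for an Authenticode signature.

function Get-ImagePath([string]$cmdLine) {
    # Pull the executable out of a service PathName or Run-key command line,
    # which may be quoted, carry arguments, or use %SystemRoot%-style variables.
    if ([string]::IsNullOrEmpty($cmdLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($cmdLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted: keep everything up to the first ".exe" so arguments are dropped
    # even when the path itself contains spaces (e.g. C:\Program Files\...).
    $m = [regex]::Match($expanded, '^(.*?\.exe)', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Get-AutostartReport {
    $rows = @()
    # Services configured to start automatically (Win32_Service exists on XP and later).
    foreach ($svc in Get-WmiObject Win32_Service -Filter "StartMode='Auto'") {
        $rows += New-Object PSObject -Property @{ Source = 'Service'; Name = $svc.Name; Path = (Get-ImagePath $svc.PathName) }
    }
    # Per-machine and per-user Run keys.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
            $rows += New-Object PSObject -Property @{ Source = 'Run'; Name = $p.Name; Path = (Get-ImagePath $p.Value) }
        }
    }
    foreach ($r in $rows) {
        # MISSING: the entry points at a file that is not there (orphan, or hidden from the file system).
        $status = 'MISSING'
        if ($r.Path -and (Test-Path $r.Path)) {
            $sig = Get-AuthenticodeSignature -FilePath $r.Path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $status += ' (' + $sig.SignerCertificate.Subject.Split(',')[0] + ')' }
        }
        New-Object PSObject -Property @{ Source = $r.Source; Name = $r.Name; Path = $r.Path; Signature = $status }
    }
}

# Entries whose binary is NotSigned or MISSING are the ones to look at first.
Get-AutostartReport | Select-Object Source, Name, Path, Signature | Sort-Object Signature | Format-Table -AutoSize
```

Two caveats. Services hosted in svchost.exe will all show Microsoft's signature on svchost.exe itself; for those the code that actually runs is the DLL named in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, which this report does not open. And a signature only tells you the file is unmodified and who signed it, so an unsigned entry is a lead, not a verdict, which is why the poster's next step, watching what the suspect service does after it starts, still matters.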

#8 Richard Sharpe

Richard Sharpe
  • Topic Starter

  • Members
  • 16 posts

Posted 04 April 2009 - 09:25 PM

I updated MBAM and re-ran it. It found the same registry problems. However, this time, after the reboot, I did not get a re-infection, and MBAM ran to completion without finding anything.

Dr Web's CureIt is now running and finding the ones that were inserted before I found the Java preloader was the culprit. I can also run regedit and taskmgr, and when I insert a flash drive I no longer get crap placed on it (Win32.sector.17).

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 05 April 2009 - 07:06 AM

Sounds like your java is out of date and/or infected?

See this post by QM7 regarding Javara

http://www.bleepingcomputer.com/forums/ind...t&p=1050402
Chewy

No. Try not. Do... or do not. There is no try.



