pebcak2000 (Posted October 9, 2006)

Detected threats are quarantined and removed... but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??
nosirrah (Posted October 9, 2006)

Press ctrl + alt + delete. Click the Processes tab. Look for the following processes:

isamini.exe
isamonitor.exe
update.exe

I am doing some research and these processes belong to a rogue antispyware advertising trojan that SAS can only partially remove. The remnants regenerate whatever SAS removes. After 5 clean and remove cycles SAS has not removed this trojan. I have it set up to terminate memory resident threats before it deletes them and the problem still remains. Scanning in safe mode showed no problems for me. On reboot the problems returned.

@Nic New samples will be coming today.

UPDATE: isamonitor.exe is Zlob and undetected by SAS.

STATUS: FINISHED
Complete scanning result of "isamonitor.exe", received in VirusTotal at 10.09.2006, 15:52:35 (CET).

Antivirus            Version         Update      Result
AntiVir              7.2.0.25        10.09.2006  HEUR/Malware
Authentium           4.93.8          10.06.2006  no virus found
Avast                4.7.892.0       10.08.2006  no virus found
AVG                  386             10.07.2006  no virus found
BitDefender          7.2             10.09.2006  no virus found
CAT-QuickHeal        8.00            10.07.2006  no virus found
ClamAV               devel-20060426  10.09.2006  no virus found
DrWeb                4.33            10.09.2006  STPAGE.Trojan
eTrust-InoculateIT   23.73.16        10.07.2006  no virus found
eTrust-Vet           30.3.3123       10.09.2006  no virus found
Ewido                4.0             10.09.2006  Downloader.Zlob.aos
Fortinet             2.82.0.0        10.09.2006  no virus found
F-Prot               3.16f           10.06.2006  no virus found
F-Prot4              4.2.1.29        10.06.2006  no virus found
Ikarus               0.2.65.0        10.09.2006  no virus found
Kaspersky            4.0.2.24        10.09.2006  Trojan-Downloader.Win32.Zlob.aos
McAfee               4868            10.06.2006  no virus found
Microsoft            1.1603          10.09.2006  Getter
NOD32v2              1.1795          10.09.2006  no virus found
Norman               5.80.02         10.09.2006  W32/Malware.BIQ
Panda                9.0.0.4         10.08.2006  Suspicious file
Sophos               4.10.0          10.05.2006  no virus found
TheHacker            6.0.1.094       10.08.2006  Trojan/Puper
UNA                  1.83            10.06.2006  no virus found
VBA32                3.11.1          10.08.2006  no virus found
VirusBuster          4.3.7:9         10.09.2006  no virus found

UPDATE: Also look for these files:

pmmon.exe
pmsngr.exe

They are new and undetected by SAS.

STATUS: FINISHED
Complete scanning result of "pmmon.exe", received in VirusTotal at 10.09.2006, 15:57:46 (CET).

Antivirus            Version         Update      Result
AntiVir              7.2.0.25        10.09.2006  no virus found
Authentium           4.93.8          10.06.2006  no virus found
Avast                4.7.892.0       10.08.2006  no virus found
AVG                  386             10.07.2006  no virus found
BitDefender          7.2             10.09.2006  no virus found
CAT-QuickHeal        8.00            10.07.2006  TrojanDownloader.Small.dge
ClamAV               devel-20060426  10.09.2006  no virus found
DrWeb                4.33            10.09.2006  no virus found
eTrust-InoculateIT   23.73.16        10.07.2006  no virus found
eTrust-Vet           30.3.3123       10.09.2006  no virus found
Ewido                4.0             10.09.2006  no virus found
Fortinet             2.82.0.0        10.09.2006  suspicious
F-Prot               3.16f           10.06.2006  no virus found
F-Prot4              4.2.1.29        10.06.2006  no virus found
Ikarus               0.2.65.0        10.09.2006  no virus found
Kaspersky            4.0.2.24        10.09.2006  no virus found
McAfee               4868            10.06.2006  no virus found
Microsoft            1.1603          10.09.2006  no virus found
NOD32v2              1.1795          10.09.2006  no virus found
Norman               5.80.02         10.09.2006  W32/Suspicious_U.gen
Panda                9.0.0.4         10.08.2006  Trj/Briz.N
Sophos               4.10.0          10.05.2006  Mal/Packer
TheHacker            6.0.1.094       10.08.2006  no virus found
UNA                  1.83            10.06.2006  no virus found
VBA32                3.11.1          10.08.2006  no virus found
VirusBuster          4.3.7:9         10.09.2006  no virus found

STATUS: FINISHED
Complete scanning result of "pmsngr.exe", received in VirusTotal at 10.09.2006, 15:57:56 (CET).

Antivirus            Version         Update      Result
AntiVir              7.2.0.25        10.09.2006  no virus found
Authentium           4.93.8          10.06.2006  no virus found
Avast                4.7.892.0       10.08.2006  no virus found
AVG                  386             10.07.2006  no virus found
BitDefender          7.2             10.09.2006  no virus found
CAT-QuickHeal        8.00            10.07.2006  (Suspicious) - DNAScan
ClamAV               devel-20060426  10.09.2006  no virus found
DrWeb                4.33            10.09.2006  no virus found
eTrust-InoculateIT   23.73.16        10.07.2006  no virus found
eTrust-Vet           30.3.3123       10.09.2006  no virus found
Ewido                4.0             10.09.2006  no virus found
Fortinet             2.82.0.0        10.09.2006  suspicious
F-Prot               3.16f           10.06.2006  no virus found
F-Prot4              4.2.1.29        10.06.2006  no virus found
Ikarus               0.2.65.0        10.09.2006  no virus found
Kaspersky            4.0.2.24        10.09.2006  no virus found
McAfee               4868            10.06.2006  no virus found
Microsoft            1.1603          10.09.2006  no virus found
NOD32v2              1.1795          10.09.2006  no virus found
Norman               5.80.02         10.09.2006  W32/Suspicious_U.gen
Panda                9.0.0.4         10.08.2006  Suspicious file
Sophos               4.10.0          10.05.2006  Mal/Packer
TheHacker            6.0.1.094       10.08.2006  no virus found
UNA                  1.83            10.06.2006  no virus found
VBA32                3.11.1          10.08.2006  no virus found
VirusBuster          4.3.7:9         10.09.2006  no virus found
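The process check nosirrah describes, done over saved `tasklist /fo csv` snapshots instead of by eye in Task Manager, as an added example that is not code from this thread or from SUPERAntiSpyware. The image names come from the posts above; the snapshot contents are constructed sample data, and the parser assumes the standard header that `tasklist /fo csv` prints on Windows. Taking one snapshot before a clean, one right after the scanner reports removal, and one after reboot separates the images that come back from the one that was never removed.

```python
"""Watchlist check over `tasklist /fo csv` snapshots (added example for this
thread; not code from the posts or from SUPERAntiSpyware). Image names come
from nosirrah's post; the snapshots below are constructed sample data."""
import csv
import io
# update.exe is a generic name: a name hit alone needs the image path confirmed.
WATCHLIST = {"isamini.exe", "isamonitor.exe", "update.exe", "pmmon.exe", "pmsngr.exe"}

HEADER = '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
ROW = '"{}","{}","Console","0","2,048 K"\n'

def snapshot(*procs):
    """Constructed tasklist-style snapshot from (image name, pid) pairs."""
    return HEADER + "".join(ROW.format(name, pid) for name, pid in procs)

# Constructed: before cleaning, right after SAS reports removal, after reboot.
BEFORE = snapshot(("explorer.exe", 1532), ("isamonitor.exe", 1880),
                  ("isamini.exe", 1904), ("update.exe", 1932), ("pmmon.exe", 2004))
AFTER_CLEAN = snapshot(("explorer.exe", 1532), ("isamonitor.exe", 1880))
AFTER_REBOOT = snapshot(("explorer.exe", 1520), ("isamonitor.exe", 1844), ("isamini.exe", 1860),
                        ("update.exe", 1876), ("pmmon.exe", 1892), ("pmsngr.exe", 1908))

def watchlist_hits(tasklist_csv, watchlist=WATCHLIST):
    """Map each watchlisted image name found in one snapshot to its PIDs."""
    hits = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].strip().lower()
        if name in watchlist:
            hits.setdefault(name, []).append(int(row["PID"]))
    return hits

def reappearing(snapshots, watchlist=WATCHLIST):
    """Names seen, then gone (reported removed), then back in a later snapshot."""
    seen = [set(watchlist_hits(s, watchlist)) for s in snapshots]
    back = set()
    for name in watchlist:
        hist = [name in s for s in seen]
        try:
            first = hist.index(True)          # first snapshot where it was running
            gone = hist.index(False, first)   # first later snapshot where it was not
        except ValueError:
            continue                          # never seen, or never went away
        if True in hist[gone:]:
            back.add(name)
    return back

def persistent(snapshots, watchlist=WATCHLIST):
    """Names present in every snapshot: the component no clean cycle removed."""
    seen = [set(watchlist_hits(s, watchlist)) for s in snapshots]
    return set.intersection(*seen) if seen else set()
```

On the constructed data, `reappearing` returns the three images that were removed and came back after reboot, and `persistent` returns only isamonitor.exe, which matches the thread's finding that the undetected component was recreating the others.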
SirJon (Posted October 9, 2006)

> Detected threats are quarantined and removed... but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??

You haven't mentioned if you have an anti-virus program installed. Update your antivirus, boot into Safe Mode, end the unknown processes like nosirrah says, run your updated anti-virus in Safe Mode first, then follow up with SAS in Safe Mode after.
SUPERAntiSpy (Posted October 9, 2006)

> Detected threats are quarantined and removed... but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??

Please submit a support ticket here and we will diagnose your system with our special diagnostic tools: https://www.superantispyware.com/support.html
fatdcuk (Posted October 9, 2006)

> isamini.exe
> isamonitor.exe
> update.exe

Yep, I know these well, normally c/o free codec upgrade, quite a few titles, or brought in by free pr0n password generator. I believe they accompany protectionbar and appear as the little blinking yellow triangle in the taskbar with an exclamation mark.... I have submitted 14 vars of these files since they have emerged on the scene and can see new variants being generated almost weekly. Yesterday's codec run got totally cleaned by SAS but maybe these are new variants you've found. Beat me to it
nosirrah (Posted October 9, 2006)

> isamini.exe
> isamonitor.exe
> update.exe
>
> Yep, I know these well, normally c/o free codec upgrade, quite a few titles, or brought in by free pr0n password generator. I believe they accompany protectionbar and appear as the little blinking yellow triangle in the taskbar with an exclamation mark.... I have submitted 14 vars of these files since they have emerged on the scene and can see new variants being generated almost weekly. Yesterday's codec run got totally cleaned by SAS but maybe these are new variants you've found. Beat me to it

Softcodec to be precise, and yes the security bar as well. I had two different versions of the security bar at the height of the infection. Nic has notified me that isamonitor.exe is being added to the definitions today. In my case it was the cause of the problem. All of the other isa***** files are already detected by the current SAS definitions. isamonitor.exe was recreating the rest on reboot. This does give the appearance of files being reported as deleted but still being present on reboot.