pebcak2000

Detected threats are not removed.....


Detected threats are quarantined and removed.....but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??


Press Ctrl + Alt + Delete. Click the Processes tab. Look for the following processes:

isamini.exe

isamonitor.exe

update.exe

I am doing some research and these processes belong to a rogue antispyware advertising trojan that SAS can only partially remove. The remnants regenerate whatever SAS removes. After 5 clean and remove cycles SAS has not removed this trojan. I have it set up to terminate memory resident threats before it deletes them and the problem still remains. Scanning in safe mode showed no problems for me. On reboot the problems returned.

@Nic New samples will be coming today.

UPDATE :

isamonitor.exe is zlob and undetected by SAS

STATUS: FINISHED
Complete scanning result of "isamonitor.exe", received in VirusTotal at 10.09.2006, 15:52:35 (CET).

Antivirus Version Update Result

AntiVir 7.2.0.25 10.09.2006 HEUR/Malware

Authentium 4.93.8 10.06.2006 no virus found

Avast 4.7.892.0 10.08.2006 no virus found

AVG 386 10.07.2006 no virus found

BitDefender 7.2 10.09.2006 no virus found

CAT-QuickHeal 8.00 10.07.2006 no virus found

ClamAV devel-20060426 10.09.2006 no virus found

DrWeb 4.33 10.09.2006 STPAGE.Trojan

eTrust-InoculateIT 23.73.16 10.07.2006 no virus found

eTrust-Vet 30.3.3123 10.09.2006 no virus found

Ewido 4.0 10.09.2006 Downloader.Zlob.aos

Fortinet 2.82.0.0 10.09.2006 no virus found

F-Prot 3.16f 10.06.2006 no virus found

F-Prot4 4.2.1.29 10.06.2006 no virus found

Ikarus 0.2.65.0 10.09.2006 no virus found

Kaspersky 4.0.2.24 10.09.2006 Trojan-Downloader.Win32.Zlob.aos

McAfee 4868 10.06.2006 no virus found

Microsoft 1.1603 10.09.2006 Getter

NOD32v2 1.1795 10.09.2006 no virus found

Norman 5.80.02 10.09.2006 W32/Malware.BIQ

Panda 9.0.0.4 10.08.2006 Suspicious file

Sophos 4.10.0 10.05.2006 no virus found

TheHacker 6.0.1.094 10.08.2006 Trojan/Puper

UNA 1.83 10.06.2006 no virus found

VBA32 3.11.1 10.08.2006 no virus found

VirusBuster 4.3.7:9 10.09.2006 no virus found

UPDATE :

Also look for these files:

pmmon.exe

pmsngr.exe

They are new and undetected by SAS.

STATUS: FINISHED
Complete scanning result of "pmmon.exe", received in VirusTotal at 10.09.2006, 15:57:46 (CET).

Antivirus Version Update Result

AntiVir 7.2.0.25 10.09.2006 no virus found

Authentium 4.93.8 10.06.2006 no virus found

Avast 4.7.892.0 10.08.2006 no virus found

AVG 386 10.07.2006 no virus found

BitDefender 7.2 10.09.2006 no virus found

CAT-QuickHeal 8.00 10.07.2006 TrojanDownloader.Small.dge

ClamAV devel-20060426 10.09.2006 no virus found

DrWeb 4.33 10.09.2006 no virus found

eTrust-InoculateIT 23.73.16 10.07.2006 no virus found

eTrust-Vet 30.3.3123 10.09.2006 no virus found

Ewido 4.0 10.09.2006 no virus found

Fortinet 2.82.0.0 10.09.2006 suspicious

F-Prot 3.16f 10.06.2006 no virus found

F-Prot4 4.2.1.29 10.06.2006 no virus found

Ikarus 0.2.65.0 10.09.2006 no virus found

Kaspersky 4.0.2.24 10.09.2006 no virus found

McAfee 4868 10.06.2006 no virus found

Microsoft 1.1603 10.09.2006 no virus found

NOD32v2 1.1795 10.09.2006 no virus found

Norman 5.80.02 10.09.2006 W32/Suspicious_U.gen

Panda 9.0.0.4 10.08.2006 Trj/Briz.N

Sophos 4.10.0 10.05.2006 Mal/Packer

TheHacker 6.0.1.094 10.08.2006 no virus found

UNA 1.83 10.06.2006 no virus found

VBA32 3.11.1 10.08.2006 no virus found

VirusBuster 4.3.7:9 10.09.2006 no virus found

STATUS: FINISHED
Complete scanning result of "pmsngr.exe", received in VirusTotal at 10.09.2006, 15:57:56 (CET).

Antivirus Version Update Result

AntiVir 7.2.0.25 10.09.2006 no virus found

Authentium 4.93.8 10.06.2006 no virus found

Avast 4.7.892.0 10.08.2006 no virus found

AVG 386 10.07.2006 no virus found

BitDefender 7.2 10.09.2006 no virus found

CAT-QuickHeal 8.00 10.07.2006 (Suspicious) - DNAScan

ClamAV devel-20060426 10.09.2006 no virus found

DrWeb 4.33 10.09.2006 no virus found

eTrust-InoculateIT 23.73.16 10.07.2006 no virus found

eTrust-Vet 30.3.3123 10.09.2006 no virus found

Ewido 4.0 10.09.2006 no virus found

Fortinet 2.82.0.0 10.09.2006 suspicious

F-Prot 3.16f 10.06.2006 no virus found

F-Prot4 4.2.1.29 10.06.2006 no virus found

Ikarus 0.2.65.0 10.09.2006 no virus found

Kaspersky 4.0.2.24 10.09.2006 no virus found

McAfee 4868 10.06.2006 no virus found

Microsoft 1.1603 10.09.2006 no virus found

NOD32v2 1.1795 10.09.2006 no virus found

Norman 5.80.02 10.09.2006 W32/Suspicious_U.gen

Panda 9.0.0.4 10.08.2006 Suspicious file

Sophos 4.10.0 10.05.2006 Mal/Packer

TheHacker 6.0.1.094 10.08.2006 no virus found

UNA 1.83 10.06.2006 no virus found

VBA32 3.11.1 10.08.2006 no virus found

VirusBuster 4.3.7:9 10.09.2006 no virus found

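The three scan reports above are pasted in the plain-text layout VirusTotal used in 2006 (one "Vendor Version Update Result" line per engine, with "no virus found" for a miss). Reading 26 such lines by eye three times over is how the "only a handful of engines see this" point gets lost, so here is an added Python example, written for this thread and not code from the forum, SUPERAntiSpyware, or VirusTotal, that parses a report in that format and summarises how many engines flagged the sample, how many of those were only heuristic or "suspicious" verdicts, and which family names were assigned. The embedded report is the isamonitor.exe result quoted above; the line-format assumptions (four whitespace-separated fields, date as dd.mm.yyyy, "HEUR" or "suspicious" meaning a heuristic verdict) are mine.

```python
"""Parse a pasted 2006-style VirusTotal text report into per-engine verdicts.

Added example for this thread; not VirusTotal's or SUPERAntiSpyware's code.
Assumes the plain-text layout quoted in the thread: a header line
'Complete scanning result of "<file>", ...', a column header
'Antivirus Version Update Result', then one line per engine.
"""
import re
from dataclasses import dataclass

# The isamonitor.exe report as quoted in the thread (blank lines dropped).
VT_REPORT = """STATUS: FINISHED
Complete scanning result of "isamonitor.exe", received in VirusTotal at 10.09.2006, 15:52:35 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.25 10.09.2006 HEUR/Malware
Authentium 4.93.8 10.06.2006 no virus found
Avast 4.7.892.0 10.08.2006 no virus found
AVG 386 10.07.2006 no virus found
BitDefender 7.2 10.09.2006 no virus found
CAT-QuickHeal 8.00 10.07.2006 no virus found
ClamAV devel-20060426 10.09.2006 no virus found
DrWeb 4.33 10.09.2006 STPAGE.Trojan
eTrust-InoculateIT 23.73.16 10.07.2006 no virus found
eTrust-Vet 30.3.3123 10.09.2006 no virus found
Ewido 4.0 10.09.2006 Downloader.Zlob.aos
Fortinet 2.82.0.0 10.09.2006 no virus found
F-Prot 3.16f 10.06.2006 no virus found
F-Prot4 4.2.1.29 10.06.2006 no virus found
Ikarus 0.2.65.0 10.09.2006 no virus found
Kaspersky 4.0.2.24 10.09.2006 Trojan-Downloader.Win32.Zlob.aos
McAfee 4868 10.06.2006 no virus found
Microsoft 1.1603 10.09.2006 Getter
NOD32v2 1.1795 10.09.2006 no virus found
Norman 5.80.02 10.09.2006 W32/Malware.BIQ
Panda 9.0.0.4 10.08.2006 Suspicious file
Sophos 4.10.0 10.05.2006 no virus found
TheHacker 6.0.1.094 10.08.2006 Trojan/Puper
UNA 1.83 10.06.2006 no virus found
VBA32 3.11.1 10.08.2006 no virus found
VirusBuster 4.3.7:9 10.09.2006 no virus found
"""


@dataclass
class Verdict:
    vendor: str
    version: str
    updated: str   # engine signature date, dd.mm.yyyy as printed
    result: str    # detection name, or "no virus found"

    @property
    def detected(self) -> bool:
        return self.result.strip().lower() != "no virus found"

    @property
    def heuristic(self) -> bool:
        # Generic/heuristic verdicts carry no family name (assumption).
        r = self.result.lower()
        return r.startswith("heur") or "suspicious" in r


# vendor, version, dd.mm.yyyy, then the rest of the line as the result.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")
NAME_RE = re.compile(r'scanning result of "([^"]+)"')


def sample_name(text: str) -> str:
    """Return the scanned file name from the report header, or '' if absent."""
    m = NAME_RE.search(text)
    return m.group(1) if m else ""


def parse_report(text: str) -> list:
    """Return one Verdict per engine line found after the column header."""
    verdicts, in_table = [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("Antivirus Version Update Result"):
            in_table = True           # everything below is engine rows
            continue
        m = LINE_RE.match(line) if in_table else None
        if m:
            verdicts.append(Verdict(*m.groups()))
    return verdicts


def summarize(verdicts: list) -> dict:
    """Detection counts plus the distinct family names assigned."""
    hits = [v for v in verdicts if v.detected]
    return {
        "engines": len(verdicts),
        "detected": len(hits),
        "heuristic_only": sum(1 for v in hits if v.heuristic),
        "names": sorted({v.result for v in hits if not v.heuristic}),
    }


def engines_naming(verdicts: list, family: str) -> list:
    """Engines whose verdict mentions a family string, e.g. 'zlob'."""
    return [v.vendor for v in verdicts if family.lower() in v.result.lower()]


if __name__ == "__main__":
    vs = parse_report(VT_REPORT)
    print(sample_name(VT_REPORT), summarize(vs))
    print("engines naming Zlob:", engines_naming(vs, "zlob"))
```

Run against the quoted report it shows 8 of 26 engines flagging the file, two of them only heuristically, and just Ewido and Kaspersky naming it as Zlob, which is the state of affairs the thread describes before the SAS definitions were updated.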

Detected threats are quarantined and removed.....but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??

You haven't mentioned if you have an anti-virus program installed. Update your antivirus, boot into Safe Mode, end the unknown processes like nosirrah says, run your updated anti-virus in Safe Mode first, then follow up with SAS in Safe Mode after.

isamini.exe

isamonitor.exe

update.exe

Yep, I know these well, normally c/o free codec upgrade, quite a few titles, or brought in by free pr0n password generator :P

I believe they accompany protectionbar and appear as the little blinking yellow triangle in the taskbar with an exclamation mark....I have submitted 14 vars of these files since they have emerged on the scene and can see new variants being generated almost weekly :cry:

Yesterday's codec run got totally cleaned by SAS, but maybe these are new variants you've found. Beat me to it :lol:

isamini.exe

isamonitor.exe

update.exe

Yep, I know these well, normally c/o free codec upgrade, quite a few titles, or brought in by free pr0n password generator :P

I believe they accompany protectionbar and appear as the little blinking yellow triangle in the taskbar with an exclamation mark....I have submitted 14 vars of these files since they have emerged on the scene and can see new variants being generated almost weekly :cry:

Yesterday's codec run got totally cleaned by SAS, but maybe these are new variants you've found. Beat me to it :lol:

Softcodec to be precise :wink: and yes the security bar as well. I had two different versions of the security bar at the height of the infection.

Nic has notified me that isamonitor.exe is being added to the definitions today. In my case it was the cause of the problem. All of the other isa***** files are already detected by the current SAS definitions. isamonitor.exe was recreating the rest on reboot. This does give the appearance of files being reported as deleted but still being present on reboot.
