Detected trheats are not removed.....

pebcak2000 · October 9, 2006

Detected threats are quaranted and removed .....but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??

nosirrah · October 9, 2006

Press crtl + alt + delete . Click the processes tab . Look for the following processes :

isamini.exe

isamonitor.exe

update.exe

I am doing some research and these processes belong to a rogue antispyware advertising trojan that SAS can only partially remove . The remnants regenerate whatever SAS removes . After 5 clean and remove cycles SAS has not removed this trojan . I have it set up to terminate memory resident threats before it deletes them and the problem still remains . Scanning in safe mode showed no problems for me . On reboot the problems returned .

@Nic New samples will be coming today .

UPDATE :

isamonitor.exe is zlob and undetected by SAS

STATUS: FINISHEDComplete scanning result of "isamonitor.exe", received in VirusTotal at 10.09.2006, 15:52:35 (CET).

Antivirus Version Update Result

AntiVir 7.2.0.25 10.09.2006 HEUR/Malware

Authentium 4.93.8 10.06.2006 no virus found

Avast 4.7.892.0 10.08.2006 no virus found

AVG 386 10.07.2006 no virus found

BitDefender 7.2 10.09.2006 no virus found

CAT-QuickHeal 8.00 10.07.2006 no virus found

ClamAV devel-20060426 10.09.2006 no virus found

DrWeb 4.33 10.09.2006 STPAGE.Trojan

eTrust-InoculateIT 23.73.16 10.07.2006 no virus found

eTrust-Vet 30.3.3123 10.09.2006 no virus found

Ewido 4.0 10.09.2006 Downloader.Zlob.aos

Fortinet 2.82.0.0 10.09.2006 no virus found

F-Prot 3.16f 10.06.2006 no virus found

F-Prot4 4.2.1.29 10.06.2006 no virus found

Ikarus 0.2.65.0 10.09.2006 no virus found

Kaspersky 4.0.2.24 10.09.2006 Trojan-Downloader.Win32.Zlob.aos

McAfee 4868 10.06.2006 no virus found

Microsoft 1.1603 10.09.2006 Getter

NOD32v2 1.1795 10.09.2006 no virus found

Norman 5.80.02 10.09.2006 W32/Malware.BIQ

Panda 9.0.0.4 10.08.2006 Suspicious file

Sophos 4.10.0 10.05.2006 no virus found

TheHacker 6.0.1.094 10.08.2006 Trojan/Puper

UNA 1.83 10.06.2006 no virus found

VBA32 3.11.1 10.08.2006 no virus found

VirusBuster 4.3.7:9 10.09.2006 no virus found

UPDATE :

Also look for these files :

pmmon.exe

pmsngr.exe

They are new and undetected by SAS .

STATUS: FINISHEDComplete scanning result of "pmmon.exe", received in VirusTotal at 10.09.2006, 15:57:46 (CET).

Antivirus Version Update Result

AntiVir 7.2.0.25 10.09.2006 no virus found

Authentium 4.93.8 10.06.2006 no virus found

Avast 4.7.892.0 10.08.2006 no virus found

AVG 386 10.07.2006 no virus found

BitDefender 7.2 10.09.2006 no virus found

CAT-QuickHeal 8.00 10.07.2006 TrojanDownloader.Small.dge

ClamAV devel-20060426 10.09.2006 no virus found

DrWeb 4.33 10.09.2006 no virus found

eTrust-InoculateIT 23.73.16 10.07.2006 no virus found

eTrust-Vet 30.3.3123 10.09.2006 no virus found

Ewido 4.0 10.09.2006 no virus found

Fortinet 2.82.0.0 10.09.2006 suspicious

F-Prot 3.16f 10.06.2006 no virus found

F-Prot4 4.2.1.29 10.06.2006 no virus found

Ikarus 0.2.65.0 10.09.2006 no virus found

Kaspersky 4.0.2.24 10.09.2006 no virus found

McAfee 4868 10.06.2006 no virus found

Microsoft 1.1603 10.09.2006 no virus found

NOD32v2 1.1795 10.09.2006 no virus found

Norman 5.80.02 10.09.2006 W32/Suspicious_U.gen

Panda 9.0.0.4 10.08.2006 Trj/Briz.N

Sophos 4.10.0 10.05.2006 Mal/Packer

TheHacker 6.0.1.094 10.08.2006 no virus found

UNA 1.83 10.06.2006 no virus found

VBA32 3.11.1 10.08.2006 no virus found

VirusBuster 4.3.7:9 10.09.2006 no virus found

STATUS: FINISHEDComplete scanning result of "pmsngr.exe", received in VirusTotal at 10.09.2006, 15:57:56 (CET).

Antivirus Version Update Result

AntiVir 7.2.0.25 10.09.2006 no virus found

Authentium 4.93.8 10.06.2006 no virus found

Avast 4.7.892.0 10.08.2006 no virus found

AVG 386 10.07.2006 no virus found

BitDefender 7.2 10.09.2006 no virus found

CAT-QuickHeal 8.00 10.07.2006 (Suspicious) - DNAScan

ClamAV devel-20060426 10.09.2006 no virus found

DrWeb 4.33 10.09.2006 no virus found

eTrust-InoculateIT 23.73.16 10.07.2006 no virus found

eTrust-Vet 30.3.3123 10.09.2006 no virus found

Ewido 4.0 10.09.2006 no virus found

Fortinet 2.82.0.0 10.09.2006 suspicious

F-Prot 3.16f 10.06.2006 no virus found

F-Prot4 4.2.1.29 10.06.2006 no virus found

Ikarus 0.2.65.0 10.09.2006 no virus found

Kaspersky 4.0.2.24 10.09.2006 no virus found

McAfee 4868 10.06.2006 no virus found

Microsoft 1.1603 10.09.2006 no virus found

NOD32v2 1.1795 10.09.2006 no virus found

Norman 5.80.02 10.09.2006 W32/Suspicious_U.gen

Panda 9.0.0.4 10.08.2006 Suspicious file

Sophos 4.10.0 10.05.2006 Mal/Packer

TheHacker 6.0.1.094 10.08.2006 no virus found

UNA 1.83 10.06.2006 no virus found

VBA32 3.11.1 10.08.2006 no virus found

VirusBuster 4.3.7:9 10.09.2006 no virus found

SirJon · October 9, 2006

Detected threats are quaranted and removed .....but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??

You haven't mentioned if you have an anti-virus program installed. Update your antivirus, boot into Safe Mode, end the unknown processes like nosirrah says, run your updated anti-virus in Safe Mode first, then follow up with SAS in Safe Mode after.

SUPERAntiSpy · October 9, 2006

Detected threats are quaranted and removed .....but I am still having issues with intrusions and they all reappear in the next scan. Should I be scanning in Safe Mode??

Please submit a support ticket here and we will diagnose your system with our special diagnostic tools:

https://www.superantispyware.com/support.html

fatdcuk · October 9, 2006

isamini.exe
isamonitor.exe

update.exe

Yep,i know these well,normaly c/o free codec upgrade,quite a few titles or brought in by free pr0n password generator

I believe they encompany protectionbar and appear as the little blinking yellow triangle in the taskbar with an exclamation mark....i have submitted 14 vars of these files since they have emerged on the scene and can see new variants be generated almost weekly :cry:

Yesterdays codec run got totally cleaned by SAS but maybe these are new variants you've found.Beat me to it :lol:

nosirrah · October 9, 2006

isamini.exe
isamonitor.exe

update.exe

Yep,i know these well,normaly c/o free codec upgrade,quite a few titles or brought in by free pr0n password generator

I believe they encompany protectionbar and appear as the little blinking yellow triangle in the taskbar with an exclamation mark....i have submitted 14 vars of these files since they have emerged on the scene and can see new variants be generated almost weekly

Yesterdays codec run got totally cleaned by SAS but maybe these are new variants you've found.Beat me to it

Softcodec to be precise :wink: and yes the security bar as well . I had two different versions of the security bar at the hight of the infection .

Nic has notified me that isamonitor.exe is being added to the definitions today . In my case it was the cause of the problem . All of the other isa***** files are already detected by the current SAS definitions . isamonitor.exe was recreating the rest on reboot . This does give the appearance of files being reported as deleted but still being present on reboot .

Sign In

Detected trheats are not removed.....

Recommended Posts

pebcak2000

Share this post

Link to post

Share on other sites

nosirrah

Share this post

Link to post

Share on other sites

SirJon

Share this post

Link to post

Share on other sites

SUPERAntiSpy

Share this post

Link to post

Share on other sites

fatdcuk

Share this post

Link to post

Share on other sites

nosirrah

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Browse

Activity