Hello,
I posted on Sept. 11 about a Taskman registry agent that re-creates itself after deletion (link). An update was generated to eliminate the malware, and it seemed to fix the issue quite well. Unfortunately, the registry agent seems to have reappeared on my system as of this afternoon.
I downloaded the latest MBAM update, scanned and cleaned up infected items, re-booted and then re-scanned. One registry value keeps reappearing. I am hoping that nothing was missed the last time. I have scanned the system numerous times since the last time I posted, and nothing unusual came up (until today, that is).
Here is the log entry:
Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 5.1.2600 Service Pack 3
9/27/2009 8:32:52 PM
mbam-log-2009-09-27 (20-32-52).txt
Scan type: Quick Scan
Objects scanned: 138293
Time elapsed: 14 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Any advice on how to remove this item would be greatly appreciated!
#1
Posted 28 September 2009 - 12:47 AM
#2
Posted 28 September 2009 - 02:56 AM
I re-ran the export.zip file and am attaching the result. Hopefully this will help speed up the process.
Attached Files
#3
Posted 28 September 2009 - 12:13 PM
Thanks Neuro,
I will be adding new signature to attack your variant of the autorun worm shortly
#4
Posted 28 September 2009 - 02:50 PM
Hi neuro,
Please update and run MBAM quick scan, allow it to delete what it finds and then reboot!
Please then run quick scan again to confirm that we have unloaded your variant.
Thanks in advance
#5
Posted 28 September 2009 - 05:01 PM
Unfortunately, the registry value is still there after scan and re-boot.
Here is the log file:
Malwarebytes' Anti-Malware 1.41
Database version: 2867
Windows 5.1.2600 Service Pack 3
9/28/2009 12:58:44 PM
mbam-log-2009-09-28 (12-58-44).txt
Scan type: Quick Scan
Objects scanned: 137905
Time elapsed: 11 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Any ideas??
#6
Posted 28 September 2009 - 05:16 PM
Hi,
Please rerun quick scan when we update to database 2868.
Thanks in advance
#7
Posted 28 September 2009 - 05:27 PM
Here it is.
Attached Files
#8
Posted 28 September 2009 - 06:13 PM
I ran MBAM with the latest update. It picked up an additional file to delete on re-boot. I am about to repeat the scan, so hopefully everything will come up clean.
Here is the log file:
Malwarebytes' Anti-Malware 1.41
Database version: 2868
Windows 5.1.2600 Service Pack 3
9/28/2009 2:03:00 PM
mbam-log-2009-09-28 (14-02-59).txt
Scan type: Quick Scan
Objects scanned: 138070
Time elapsed: 11 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\RECYCLER\S-1-5-21-3127580010-4974886753-998515483-7444\wmiprvse.exe (Worm.Autorun.
-> Delete on reboot.
#9
Posted 28 September 2009 - 06:33 PM
The latest scan came up clean, so I hope that means it's taken care of. As I mentioned in the first post of this topic, I was having the same issue on Sept. 11, and it came up clean at that time but reappeared on Sept. 27th. I hope it doesn't reappear again, but I will keep my eye on it just in case. I don't know if anyone else has seen this thing recur, but I certainly hope not!
Thank you very much for all of your help - your service is excellent and very much appreciated!
#10
Posted 28 September 2009 - 06:40 PM
Neuro,
That is that worm taken care of, but it was almost certainly another worm at the start of September and you/someone else has reinfected that computer.
Here's some handy reading though: Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.
Safe surfing
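Added example, not part of the original thread or of Malwarebytes' tooling: a short Python sketch that parses MBAM 1.41 logs in the format posted above and flags any item that shows up again after an earlier scan reported it deleted. In this thread that pattern on the Winlogon `taskman` value meant something still on disk was rewriting it (the file under `C:\RECYCLER` found with database 2868). The function names are hypothetical, and the sample logs are abridged from the ones in the posts.

```python
import re

# Abridged from the Quick Scan logs posted in the thread (empty sections omitted).
# Raw string: keeps "\t" in "\taskman" from being read as a tab.
LOG_2865 = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2865
Registry Values Infected: 1
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
# The database 2867 log reported the same single item; only the version differs here.
LOG_2867 = LOG_2865.replace("version: 2865", "version: 2867")

DB_RE = re.compile(r"^Database version: (\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")  # heading, not the "...: 1" count line
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_log(text):
    """Return the database version and every detection line of one MBAM log."""
    db, section, items = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if m := DB_RE.match(line):
            db = int(m.group(1))
        elif m := SECTION_RE.match(line):
            section = m.group("section")
        elif m := ITEM_RE.match(line):
            items.append({"section": section, **m.groupdict()})
    return {"db": db, "items": items}

def recurring_after_removal(scans):
    """Given scans in chronological order, report items seen again after a reported deletion."""
    removed, recurring = {}, {}
    for scan in scans:
        for item in scan["items"]:
            key = item["path"].lower()  # registry and NTFS paths are case-insensitive
            if key in removed:
                entry = recurring.setdefault(
                    key, {"first_removed": removed[key], "reappeared_in": []})
                entry["reappeared_in"].append(scan["db"])
            if "deleted" in item["action"].lower():
                removed.setdefault(key, scan["db"])
    return recurring

if __name__ == "__main__":
    print(recurring_after_removal([parse_log(LOG_2865), parse_log(LOG_2867)]))
```
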