
Malwarebytes

Trojan.Agent Taskman


10 replies to this topic

#1
perrim

    New Member

  • Members
  • Pip
  • 6 posts
I have a similar problem to some of the other forum members. Using Malwarebytes I scan the computer and it finds one registry key infection, Trojan.Agent Taskman. Malwarebytes says the infection is deleted but it is there the next time I run a scan. I am not sure if it is related, but if I stick a memory stick into the infected machine, an autorun.inf is placed on the root directory of the memory stick. This is picked up when I put the memory stick into another machine running McAfee; McAfee deletes the autorun file.

I have the latest updates for Malwarebytes.

Please help

Thank you

#2
perrim

Malwarebytes' Anti-Malware 1.41
Database version: 3134
Windows 5.1.2600 Service Pack 3

11/11/2009 11:54:32 AM
mbam-log-2009-11-11 (11-54-32).txt

Scan type: Quick Scan
Objects scanned: 110752
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




The autorun file cannot be detected at the moment to upload. I did see the autorun file soon after putting the memory stick into the computer.

#3
Fatdcuk

    Malware BBQ'er

  • Moderators
  • PipPipPipPipPipPip
  • 16,158 posts
  • Gender:Male
  • Location:127.0.0.1
Hi perrim and welcome to the MBAM forums :)

The key is being reported because you have an autorun worm located inside a system reserved folder (not visible but present) inside of your Recycler bin.

I will PM you a capture script routine for your computer. Please follow the instructions in the personal message and post back the requested file.

Thanks in advance :)
Ade Gill
Research Engineer
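
The symptom in this thread, a value reported as deleted that is back on the next scan, can be checked mechanically by comparing two scan logs. The following is an added example, not part of the original posts and not Malwarebytes code; the function names and the second log are constructed for illustration.

```python
import re

# Line shapes taken from the MBAM 1.41 log in post #2:
#   "<Category> Infected:" opens a section,
#   "<object> (<threat>) -> <action>." is one detection.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_detections(log_text):
    """Map (section, item, threat) -> action for every detection in one log."""
    found, section = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            section = m.group("name")
        elif section and (m := DETECTION.match(line)):
            found[(section, m.group("item"), m.group("threat"))] = m.group("action")
    return found

def recurring(earlier_log, later_log):
    """Detections an earlier scan reported as deleted that a later scan reports again."""
    before, after = parse_detections(earlier_log), parse_detections(later_log)
    return sorted(key for key, action in before.items()
                  if "deleted successfully" in action.lower() and key in after)

# Detection sections of the log in post #2, trimmed.
SCAN_1 = r"""Registry Values Infected: 1
Files Infected: 0

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""
# Constructed sample: a later scan of the same machine, as described in post #1.
SCAN_2 = r"""Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for section, item, threat in recurring(SCAN_1, SCAN_2):
        print(f"RECURRING [{section}] {item} ({threat})")
        print("  deletion did not hold: something still running is rewriting this value")
```

A hit means the scanner removed only the registry value and not the component that recreates it, which matches the explanation given in post #3.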


#4
perrim

Hi Fatdcuk,

Here is the zipped file.

Thank you

#5
Fatdcuk

Hi perrim,

There is no file attached to your post.

When replying, use the More Options button and look down below the data entry box for the attachments options.

Use browse to locate the newly created Export.zip and select upload.

Wait until it confirms the file has attached and then post reply.

Thanks in advance :)
Ade Gill
Research Engineer


#6
perrim

Oh damn!! :) I did upload the file or so I thought, I am trying again.

Thanks again.

Attached Files



#7
Fatdcuk

Hi perrim,

The file has successfully attached this time; however, you have uploaded the same file that you downloaded (Export.zip).

I need to see the Export.reg created on your desktop by double clicking on export.bat

When export.reg is created on your desktop, this file needs to be zipped and uploaded.

Thanks in advance :)
Ade Gill
Research Engineer


#8
perrim

Sorry I messed up again. Hope it is right this time.

Attached Files



#9
Fatdcuk

Hi perrim,

That's the one :)

On the next MBAM update, due in about an hour's time, I have added a signature to unload your variant.

When MBAM updates to database 3161 please run MBAM Quick scan. Allow it to delete what it finds and then reboot immediately.

Please then run another quick scan to confirm we have completed the unloading of your Worm.Autorun.B variant.

Thanks in advance :)
Ade Gill
Research Engineer


#10
perrim

Hi Fatdcuk,
I have not been able to get the latest database update. The infected computer is not connected to the internet and I therefore have to update the mbam-rules file manually.

I use the following URL
http://www.malwareby.../mbam-rules.exe
but the database version is 3151. Is there some place I can get the latest, or 3161 as you have mentioned?

Thanks

#11
Fatdcuk

Hi perrim,

Check your personal messages for most recent rules.ref :)
Ade Gill
Research Engineer
