ky331 Posted July 8, 2008 ID:22215 Share Posted July 8, 2008 Malwarebytes' Anti-Malware 1.20Database version: 931Windows 5.1.2600 Service Pack 311:34:13 AM 7/8/2008mbam-log-7-8-2008 (11-34-07).txtScan type: Quick ScanObjects scanned: 44781Time elapsed: 7 minute(s), 31 second(s)Registry Values Infected: 1Files Infected: 1Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows TaskManager (Backdoor.Bot) -> No action taken.Files Infected:C:\WINDOWS\system32\taskmgr.exe (Backdoor.Bot) -> No action taken.======================================================Note: As best as I can tell, these were picked up during the HEURISTIC scan=====================================================FYI:taskmgr.exeMicrosoft CorporationFile Version 5.1.2600.5512 (xpsp.080413-2105) Link to post Share on other sites More sharing options...
nosirrah Posted July 8, 2008 ID:22220 Share Posted July 8, 2008 Im checking this out now , we should have missed this as it is a MS file it points to . Link to post Share on other sites More sharing options...
nosirrah Posted July 8, 2008 ID:22222 Share Posted July 8, 2008 You have task manager set to run automatically using a known bot run name .I can make it miss MS files in the next version but I would be interested to know why you have task manager set to run at boot ? Link to post Share on other sites More sharing options...
ky331 Posted July 8, 2008 Author ID:22232 Share Posted July 8, 2008 You have task manager set to run automatically using a known bot run name .I can make it miss MS files in the next version but I would be interested to know why you have task manager set to run at boot ?Processes have been using an unusually high amount of CPU (on this one particular system -- which, so far as I can tell, is virus/malware/rootkit free), and so at some point, I decided to auto-launch task manager to keep an eye on things. It's been a while... so i'm not sure how I did it... perhaps via WinPatrol, adding taskmgr to its startup tab??? Is there another way I should arrange for it to auto-start? or should I just remove the auto-start? Link to post Share on other sites More sharing options...
nosirrah Posted July 8, 2008 ID:22239 Share Posted July 8, 2008 No , next def update will have it whitelisted .Keep in mind that if you use any tool that goes after bots (SDFix will for sure) it will hit this . Link to post Share on other sites More sharing options...
AndyManchesta Posted July 9, 2008 ID:22301 Share Posted July 9, 2008 Keep in mind that if you use any tool that goes after bots (SDFix will for sure) it will hit this .Hi Bruce, Just passing through so thought Id reply to that statement, SDFix does not remove that HKCU Run value or the legit system32\taskmgr file ThanksAndy Link to post Share on other sites More sharing options...
nosirrah Posted July 9, 2008 ID:22360 Share Posted July 9, 2008 I had that wrong then , thought it would link known bad run to file . Link to post Share on other sites More sharing options...
AndyManchesta Posted July 9, 2008 ID:22364 Share Posted July 9, 2008 You just had me worried for a minute I was about to remove it from sdfix after seeing your post but thankfully it doesnt remove that run value under HKCU, it does get filenames by checksums or strings then removes the run keys for them but not the other way round like you meanKeep up the great work guys, your doing an amazing job Link to post Share on other sites More sharing options...
nosirrah Posted July 10, 2008 ID:22379 Share Posted July 10, 2008 Thanks It sure is the job of a lifetime , I would not trade this for anything . Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now