ky331

TaskMgr --- presumed f/p?

Malwarebytes' Anti-Malware 1.20

Database version: 931

Windows 5.1.2600 Service Pack 3

11:34:13 AM 7/8/2008

mbam-log-7-8-2008 (11-34-07).txt

Scan type: Quick Scan

Objects scanned: 44781

Time elapsed: 7 minute(s), 31 second(s)

Registry Values Infected: 1

Files Infected: 1

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows TaskManager (Backdoor.Bot) -> No action taken.

Files Infected:

C:\WINDOWS\system32\taskmgr.exe (Backdoor.Bot) -> No action taken.

======================================================

Note: As best as I can tell, these were picked up during the HEURISTIC scan

=====================================================

FYI:

taskmgr.exe

Microsoft Corporation

File Version 5.1.2600.5512 (xpsp.080413-2105)


I'm checking this out now, we should have missed this as it is an MS file it points to.


You have task manager set to run automatically using a known bot run name.

I can make it miss MS files in the next version, but I would be interested to know why you have task manager set to run at boot?

You have task manager set to run automatically using a known bot run name.

I can make it miss MS files in the next version, but I would be interested to know why you have task manager set to run at boot?

Processes have been using an unusually high amount of CPU (on this one particular system -- which, so far as I can tell, is virus/malware/rootkit free), and so at some point I decided to auto-launch task manager to keep an eye on things. It's been a while... so I'm not sure how I did it... perhaps via WinPatrol, adding taskmgr to its startup tab? Is there another way I should arrange for it to auto-start? Or should I just remove the auto-start?


No, next def update will have it whitelisted.

Keep in mind that if you use any tool that goes after bots (SDFix will for sure), it will hit this.

Keep in mind that if you use any tool that goes after bots (SDFix will for sure), it will hit this.

Hi Bruce,

Just passing through, so I thought I'd reply to that statement: SDFix does not remove that HKCU Run value or the legit system32\taskmgr file :)

Thanks

Andy


I had that wrong then, thought it would link a known bad run to the file.


You just had me worried for a minute :)

I was about to remove it from SDFix after seeing your post, but thankfully it doesn't remove that Run value under HKCU. It does get filenames by checksums or strings, then removes the Run keys for them, but not the other way round like you mean.

Keep up the great work, guys; you're doing an amazing job.
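An added example, not code from the thread or from either tool, showing the kind of file-identity check discussed above (whitelisting the MS file that the Run value points to, and matching files by checksum rather than by value name alone) applied to the log entry from the first post. The Run entries, file bytes, hashes and the svhost.exe contrast case are all constructed for the example.

```python
import hashlib
import re

# Constructed HKCU\...\Run entries (value name, command line). The first mirrors
# the thread's log line; the svhost.exe entry is invented as the contrasting case.
RUN_ENTRIES = [
    ("Windows TaskManager", r"C:\WINDOWS\system32\taskmgr.exe"),
    ("Windows TaskManager", r'"C:\Documents and Settings\Owner\Application Data\svhost.exe" /hide'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe /x"),
]

# Constructed file bytes standing in for reading each target from disk.
FILE_BYTES = {
    r"c:\windows\system32\taskmgr.exe": b"constructed taskmgr.exe bytes",
    r"c:\windows\system32\ctfmon.exe": b"constructed ctfmon.exe bytes",
    r"c:\documents and settings\owner\application data\svhost.exe": b"constructed unknown bytes",
}

# Constructed allowlist of SHA-256 digests of known OS files (a real one would
# come from a vendor hash set, not from hashing the files being checked).
KNOWN_GOOD = {hashlib.sha256(FILE_BYTES[p]).hexdigest() for p in
              (r"c:\windows\system32\taskmgr.exe", r"c:\windows\system32\ctfmon.exe")}

# Value names a name-only heuristic treats as bot-like (the thread's example).
BOT_RUN_NAMES = {"windows taskmanager"}


def exe_path(command_line):
    """Extract the executable path from a Run value's command line: a quoted path
    followed by arguments, or an unquoted path (may contain spaces) up to '.exe'."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cl, re.IGNORECASE)
    return m.group(1) if m else cl.split()[0]


def classify(name, command_line, files=FILE_BYTES, allow=KNOWN_GOOD):
    """Judge a Run entry by the file it launches, not by its value name alone."""
    path = exe_path(command_line).lower()
    data = files.get(path)
    if data is None:
        return "missing-target"          # dangling autorun: worth a look, nothing to hash
    if hashlib.sha256(data).hexdigest() in allow:
        return "allowlisted"             # known-good file wins even under a bot-like name
    return "suspect" if name.lower() in BOT_RUN_NAMES else "review"
```

Run over RUN_ENTRIES, the legitimate taskmgr.exe entry from the log comes back "allowlisted" despite its bot-like value name, while the constructed svhost.exe entry under the same name is "suspect".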


Thanks :)

It sure is the job of a lifetime, I would not trade this for anything.
