MBAM keeps finding infection even after clean up?

smartdog · August 8, 2008

For two days now I have had a "Spyware.Banker" infection (see logs below). I scanned and cleaned the first day, but it returned again the next night when MBAM ran it's nightly scan. SpyBot S&D finds nothing! Please advise.

Malwarebytes' Anti-Malware 1.24

Database version: 1030

Windows 5.1.2600 Service Pack 1

8:11:21 AM 8/8/2008

mbam-log-8-8-2008 (08-11-15).txt

Scan type: Quick Scan

Objects scanned: 42018

Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 11

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{1ecc44fb-970d-4bc8-90e3-002da4dd21b8} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63bd4ee4-660b-434d-a54b-7c1f53e2fedd} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{6d2c09c4-ec95-4251-81fd-1cd01fd8ae44} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{d622e87a-35f9-4fb2-afee-4f5bf8407c7a} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{ff14b02b-6ee4-400f-a729-b0ea35f921c2} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{f8d07b72-b4b4-46a0-acc0-c771d4614b82} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.mail.1 (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.fastsender (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.fastsender.1 (Spyware.Banker) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\System32\AOSMTP.dll (Spyware.Banker) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

D:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> No action taken.

nosirrah · August 8, 2008

I may have missed part of this infection .

The next set of defs should have the rest , if not we will take a look inside your system and see where its regenerating from .

This malware collects your passwords to online accounts so make sure not to log into any of them till we have this cleared .

smartdog · August 8, 2008

I may have missed part of this infection .
The next set of defs should have the rest , if not we will take a look inside your system and see where its regenerating from .
This malware collects your passwords to online accounts so make sure not to log into any of them till we have this cleared .

ummm, so what do I do in the meantime??? I run a strong firewall, will this help? Is there other files I should be looking for so that it doesn't reload upon startup please?

smartdog · August 8, 2008

UPDATE: After doing an online search for SPYWARE.BANKER I came up with two more files that are suspect even though MBAM didn't catch them, and they could be the ones responsible for re-installing the spyware after a re-boot and MBAM not cleaning the items thoroughly.

Here is the info on the additional files:

Hope this helps

In the meantime I have deleted those two extra files and did another MBAM scan and so far it isn't finding anything after I rebooted after deleting those files.

Any more info you may be able to provide would be appreciated.

Ohhh, and I am currently running MBAM version: 1.24 Database version 1033 dated 08.08.08

smartdog · August 8, 2008

Upon further investigation I have found out that GroupMail requires those two files in order to run....weird!

So, i put them back and did another MBAM scan, and it's not finding anything!!! I am not sure if I am still infected or not now.

JeanInMontana · August 8, 2008

It's going to keep finding them until you "take action" and remove. The log shows your not doing that.

smartdog · August 9, 2008

It's going to keep finding them until you "take action" and remove. The log shows your not doing that.

Jean: Marcin has helped in this matter. I was removing the issue, it kept reappearing after a reboot. It's fine now.

Zarina · October 12, 2008

Can someone please help me remove the SPYWARE.BANKER please. As mentioned above. I am using GroupMail Free Edition and also that DLL files appears to be infected. MBAM finds and removes it but then I am unable to use my Groupmail. After a re-installation of GroupMail then MBAM finds the Spyware.Banker again and I have to repeat the process of scanning and removing all over again.

Can you please advise how to take action and remove the Spyware.Banker :blink:

Malwarebytes' Anti-Malware 1.28

Database version: 1134

Windows 5.1.2600 Service Pack 2

10/12/2008 11:07:17 AM

mbam-log-2008-10-12 (11-07-17).txt

Scan type: Full Scan (C:\|)

Objects scanned: 19228

Time elapsed: 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\aosmtp.fastsender (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{ff14b02b-6ee4-400f-a729-b0ea35f921c2} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1ecc44fb-970d-4bc8-90e3-002da4dd21b8} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{63bd4ee4-660b-434d-a54b-7c1f53e2fedd} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6d2c09c4-ec95-4251-81fd-1cd01fd8ae44} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d622e87a-35f9-4fb2-afee-4f5bf8407c7a} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f8d07b72-b4b4-46a0-acc0-c771d4614b82} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\aosmtp.fastsender.1 (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\aosmtp.mail.1 (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Delete on reboot.

nosirrah · October 12, 2008

Best I can thell there are only 2 things that can be going on here .

The mail program you are using is malware .

The mail program you are using uses many identical components to this malware (even typelibs match wich is very odd) .

I want to take a look at the files we are hitting myself . Please run a scan and save the log file (but remove nothing) . Use the log to find the files we are detecting . Copy and paste them to a new folder on your desktop called banker . Zip and attach that folder here :

http://www.malwarebytes.org/forums/index.php?showforum=55

BTW I have started researching some of the other GUIDs in you log and spyware is what I am getting for all of them .

http://www.group-mail.com/asp/common/default.asp

I think this is your installer , I will check it out and see if it is legit .

smartdog · October 13, 2008

Bruce: seeing as I am using the paid version of GroupMail and since the initial MBAM scan and an update of both GroupMail and MBAM..those infections have never come back again.

AdvancedSetup · October 13, 2008

Bruce,

We've used GroupMail in our Corporate business for years now. It is very legitimate.

JeanInMontana · October 13, 2008

Best I can thell there are only 2 things that can be going on here .
The mail program you are using is malware .
The mail program you are using uses many identical components to this malware (even typelibs match wich is very odd) .
I want to take a look at the files we are hitting myself . Please run a scan and save the log file (but remove nothing) . Use the log to find the files we are detecting . Copy and paste them to a new folder on your desktop called banker . Zip and attach that folder here :
http://www.malwarebytes.org/forums/index.php?showforum=55
BTW I have started researching some of the other GUIDs in you log and spyware is what I am getting for all of them .
http://www.group-mail.com/asp/common/default.asp
I think this is your installer , I will check it out and see if it is legit .

She has illegal software on the system. This is her 3rd time here posting with the same problem. I told her once to show me un-tampered logs with no key gens and we can help her. Her Panda scan clearly showed 4 programs with keygens, and that is why she is infected. Plus look at the version of the DB

Malwarebytes' Anti-Malware 1.28

Database version: 1134

Windows 5.1.2600 Service Pack 2

nosirrah · October 13, 2008

Bruce,
We've used GroupMail in our Corporate business for years now. It is very legitimate.

The application yes , but I am wondering if it is the legit version and why all of its components google as spyware .

We have had 0 FP reports on this one so something just does not feel right here .

smartdog · October 13, 2008

That would make sense as the GroupMail software that I use is a "bought and PAID FOR" version and since this thread had been started (originally by me) MBAM has been fine. :blink:

JeanInMontana · October 13, 2008

The application yes , but I am wondering if it is the legit version and why all of its components google as spyware .
We have had 0 FP reports on this one so something just does not feel right here .

Her problem is not with the mail program though.

She has illegal software on the system. This is her 3rd time here posting with the same problem. I told her once to show me un-tampered logs with no key gens and we can help her. Her Panda scan clearly showed 4 programs with keygens, and that is why she is infected. Plus look at the version of the DB
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 2

Here's the proof from her Panda scan http://www.malwarebytes.org/forums/index.p...amp;#entry28321

No C:\MULTIMEDIA\edrive\Software New\selteco full suite crack.zip[selteco.full.suite.5.0.full.incl.keygen-tsrh.exe]

No C:\MULTIMEDIA\edrive\Software New\Selteco.Flash.Designer.v5.0.24.Incl.Keygen-SSG.zip[keygen.exe]

No C:\Program Files\Selteco\Alligator Flash Designer 5\keygen.exe

No C:\Program Files\Selteco\Alligator Flash Designer 5\selteco.full.suite.5.0.full.incl.keygen-tsrh.exe

No C:\Torrents\New Folder\Dreamweaver Plugins\Lab_Plugs_in\PluginLab Combo Box Menu V1.4.0 For Adobe Dreamweaver\KeyGen\keygen.exe

She sent me a PM I told her show me clean Panda and we talk.

AdvancedSetup · October 14, 2008

Thanks for clearing that up Jean. You have a better memory than I

MBAM keeps finding infection even after clean up?

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Important Information