MBAM keeps finding infection even after clean up?

For two days now I have had a "Spyware.Banker" infection (see logs below). I scanned and cleaned the first day, but it returned again the next night when MBAM ran its nightly scan. SpyBot S&D finds nothing! Please advise.

Malwarebytes' Anti-Malware 1.24

Database version: 1030

Windows 5.1.2600 Service Pack 1

8:11:21 AM 8/8/2008

mbam-log-8-8-2008 (08-11-15).txt

Scan type: Quick Scan

Objects scanned: 42018

Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 11

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{1ecc44fb-970d-4bc8-90e3-002da4dd21b8} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63bd4ee4-660b-434d-a54b-7c1f53e2fedd} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{6d2c09c4-ec95-4251-81fd-1cd01fd8ae44} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{d622e87a-35f9-4fb2-afee-4f5bf8407c7a} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{ff14b02b-6ee4-400f-a729-b0ea35f921c2} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{f8d07b72-b4b4-46a0-acc0-c771d4614b82} (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.mail.1 (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.fastsender (Spyware.Banker) -> No action taken.

HKEY_CLASSES_ROOT\aosmtp.fastsender.1 (Spyware.Banker) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\System32\AOSMTP.dll (Spyware.Banker) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

D:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> No action taken.


  • Staff

I may have missed part of this infection.

The next set of defs should have the rest; if not, we will take a look inside your system and see where it's regenerating from.

This malware collects your passwords to online accounts, so make sure not to log into any of them till we have this cleared.


I may have missed part of this infection.

The next set of defs should have the rest; if not, we will take a look inside your system and see where it's regenerating from.

This malware collects your passwords to online accounts, so make sure not to log into any of them till we have this cleared.

Ummm, so what do I do in the meantime??? I run a strong firewall; will this help? Are there other files I should be looking for so that it doesn't reload upon startup, please?


UPDATE: After doing an online search for SPYWARE.BANKER I came up with two more files that are suspect even though MBAM didn't catch them, and they could be the ones responsible for re-installing the spyware after a reboot and for MBAM not cleaning the items thoroughly.

Here is the info on the additional files:

ANPOP.dll Copyright 2001-2006 AdminSystem Software

AOSMTPEX.dll Copyright 2006-2007 AdminSystem Software

Hope this helps

In the meantime I have deleted those two extra files and did another MBAM scan, and so far it isn't finding anything after I rebooted following the deletion of those files.

Any more info you may be able to provide would be appreciated.

Ohhh, and I am currently running MBAM version 1.24, Database version 1033, dated 08.08.08.


  • 2 months later...

Can someone please help me remove the SPYWARE.BANKER, please, as mentioned above. I am using GroupMail Free Edition and that DLL file also appears to be infected. MBAM finds and removes it, but then I am unable to use my GroupMail. After a re-installation of GroupMail, MBAM finds the Spyware.Banker again and I have to repeat the process of scanning and removing all over again.

Can you please advise how to take action and remove the Spyware.Banker :blink:

Malwarebytes' Anti-Malware 1.28

Database version: 1134

Windows 5.1.2600 Service Pack 2

10/12/2008 11:07:17 AM

mbam-log-2008-10-12 (11-07-17).txt

Scan type: Full Scan (C:\|)

Objects scanned: 19228

Time elapsed: 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\aosmtp.fastsender (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{ff14b02b-6ee4-400f-a729-b0ea35f921c2} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1ecc44fb-970d-4bc8-90e3-002da4dd21b8} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{63bd4ee4-660b-434d-a54b-7c1f53e2fedd} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6d2c09c4-ec95-4251-81fd-1cd01fd8ae44} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d622e87a-35f9-4fb2-afee-4f5bf8407c7a} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f8d07b72-b4b4-46a0-acc0-c771d4614b82} (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\aosmtp.fastsender.1 (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\aosmtp.mail.1 (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> Delete on reboot.


  • Staff

Best I can tell, there are only 2 things that can be going on here.

The mail program you are using is malware.

The mail program you are using uses many identical components to this malware (even typelibs match, which is very odd).

I want to take a look at the files we are hitting myself. Please run a scan and save the log file (but remove nothing). Use the log to find the files we are detecting. Copy and paste them to a new folder on your desktop called banker. Zip and attach that folder here:

http://www.malwarebytes.org/forums/index.php?showforum=55

BTW, I have started researching some of the other GUIDs in your log and spyware is what I am getting for all of them.

http://www.group-mail.com/asp/common/default.asp

I think this is your installer; I will check it out and see if it is legit.

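The staff reply above asks the poster to take a scan log produced with "remove nothing" selected, work out from it which files are being detected, and collect them for a false-positive review. The script below is an added example, not code from the forum or from Malwarebytes: it parses the MBAM 1.x log layout shown in this thread (header lines, the per-section counts, then one `<item> (<threat>) -> <action>` line per detection), lists the detections that are still pending, cross-checks the summary counts against the itemised sections, and returns the on-disk paths a reviewer would need to collect. The log it runs on is a constructed, shortened version of the one in the first post; the function names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and list what it detected.

Added example for triaging a report-only scan; not the scanner's own code.
"""
import re
from collections import OrderedDict

# Section headings used in MBAM 1.x logs, in the order they appear.
SECTIONS = (
    "Memory Processes Infected",
    "Memory Modules Infected",
    "Registry Keys Infected",
    "Registry Values Infected",
    "Registry Data Items Infected",
    "Folders Infected",
    "Files Infected",
)

# Summary line:   "Registry Keys Infected: 11"
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# Header line:    "Database version: 1030", "Scan type: Quick Scan"
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# Detection line: "<item> (<threat name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample, shortened from the log in the first post of the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 1
8:11:21 AM 8/8/2008
mbam-log-8-8-2008 (08-11-15).txt
Scan type: Quick Scan
Objects scanned: 42018
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{69620165-77dd-44ee-995c-3632e525a22b} (Spyware.Banker) -> No action taken.
HKEY_CLASSES_ROOT\aosmtp.mail (Spyware.Banker) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\System32\AOSMTP.dll (Spyware.Banker) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\AOSMTP.dll (Spyware.Banker) -> No action taken.
"""


def parse_mbam_log(text):
    """Return {'header': {...}, 'counts': {...}, 'sections': {section: [detections]}}."""
    report = {"header": {}, "counts": {}, "sections": OrderedDict((s, []) for s in SECTIONS)}
    current = None  # section whose itemised lines we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m and m.group("section") in SECTIONS:
            report["counts"][m.group("section")] = int(m.group("count"))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
            continue
        if current is not None:
            m = ITEM_RE.match(line)
            if m:  # "(No malicious items detected)" does not match and is skipped
                report["sections"][current].append(m.groupdict())
            continue
        m = HEADER_RE.match(line)
        if m:
            report["header"][m.group("key")] = m.group("value")
    return report


def pending_items(report):
    """Detections left in place, i.e. a scan that was run with nothing removed."""
    return [d for items in report["sections"].values() for d in items if d["action"] == "No action taken"]


def counts_consistent(report):
    """True when the summary counts match the itemised sections; a mismatch means a truncated log."""
    return all(len(report["sections"][s]) == report["counts"].get(s, 0) for s in SECTIONS)


def files_to_collect(report):
    """Distinct on-disk paths the scanner flagged: the files to zip up for a false-positive review."""
    paths = []
    for section in ("Memory Modules Infected", "Files Infected"):
        for d in report["sections"][section]:
            if d["item"] not in paths:
                paths.append(d["item"])
    return paths


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("database", rep["header"].get("Database version"), "scan", rep["header"].get("Scan type"))
    print("counts consistent:", counts_consistent(rep))
    print("pending detections:", len(pending_items(rep)))
    for p in files_to_collect(rep):
        print("collect:", p)
```

Registry keys and values are deliberately left out of `files_to_collect`: the COM registration under `HKEY_CLASSES_ROOT` (CLSID, Interface, TypeLib, ProgID) points at the same DLL, and it is the DLL, not the keys, that the reviewer needs to inspect. The `counts_consistent` check is worth keeping when logs are pasted into a forum, since a log that has been trimmed or edited is the first thing a staff reviewer will notice.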

Best I can tell, there are only 2 things that can be going on here.

The mail program you are using is malware.

The mail program you are using uses many identical components to this malware (even typelibs match, which is very odd).

I want to take a look at the files we are hitting myself. Please run a scan and save the log file (but remove nothing). Use the log to find the files we are detecting. Copy and paste them to a new folder on your desktop called banker. Zip and attach that folder here:

http://www.malwarebytes.org/forums/index.php?showforum=55

BTW, I have started researching some of the other GUIDs in your log and spyware is what I am getting for all of them.

http://www.group-mail.com/asp/common/default.asp

I think this is your installer; I will check it out and see if it is legit.

She has illegal software on the system. This is her 3rd time here posting with the same problem. I told her once to show me un-tampered logs with no keygens and we can help her. Her Panda scan clearly showed 4 programs with keygens, and that is why she is infected. Plus look at the version of the DB:

Malwarebytes' Anti-Malware 1.28

Database version: 1134

Windows 5.1.2600 Service Pack 2


  • Staff
Bruce,

We've used GroupMail in our Corporate business for years now. It is very legitimate.

The application, yes, but I am wondering if it is the legit version and why all of its components google as spyware.

We have had 0 FP reports on this one, so something just does not feel right here.


The application, yes, but I am wondering if it is the legit version and why all of its components google as spyware.

We have had 0 FP reports on this one, so something just does not feel right here.

Her problem is not with the mail program, though.

She has illegal software on the system. This is her 3rd time here posting with the same problem. I told her once to show me un-tampered logs with no keygens and we can help her. Her Panda scan clearly showed 4 programs with keygens, and that is why she is infected. Plus look at the version of the DB:

Malwarebytes' Anti-Malware 1.28

Database version: 1134

Windows 5.1.2600 Service Pack 2

Here's the proof from her Panda scan: http://www.malwarebytes.org/forums/index.p...amp;#entry28321

No C:\MULTIMEDIA\edrive\Software New\selteco full suite crack.zip[selteco.full.suite.5.0.full.incl.keygen-tsrh.exe]

No C:\MULTIMEDIA\edrive\Software New\Selteco.Flash.Designer.v5.0.24.Incl.Keygen-SSG.zip[keygen.exe]

No C:\Program Files\Selteco\Alligator Flash Designer 5\keygen.exe

No C:\Program Files\Selteco\Alligator Flash Designer 5\selteco.full.suite.5.0.full.incl.keygen-tsrh.exe

No C:\Torrents\New Folder\Dreamweaver Plugins\Lab_Plugs_in\PluginLab Combo Box Menu V1.4.0 For Adobe Dreamweaver\KeyGen\keygen.exe

She sent me a PM. I told her to show me a clean Panda scan and we'll talk.
