C:\windows\system32\taskmon.exe

[CharleyO]

***

Paddy -

When avast reports the file in question, where does the avast report the location of the file to be ?

c: (??)


***

[Maxx_original]

there are 181 different (malicious) taskmons in our submission system, but not all of them are detected ATM.. i'll ping Misak with this

[Ltangelic]

***

Paddy -

When avast reports the file in question, where does the avast report the location of the file to be ?

c: (??)


***

The topic title already says it is in system32 folder. It is actually a legit system file, but some malware is using it to execute itself.

[Ltangelic]

there are 181 different (malicious) taskmons in our submission system, but not all of them are detected ATM.. i'll ping Misak with this

I highly doubt that this taskmon.exe is malicious, it's most likely used as a process to execute some other malware.

[Abraxas]

Ltangelic,  could you suggest a course of action paddyc could take as his system seems caught up in a "vicious circle" , along with the Avast! detection alert. I note you're from GeekstoGo Malware Staff , and all other attempts to stabilise paddyc's system have not resolved the problem .
I believe your diagnosis to be a likely scenario worth following up:
Ltangelic said:

I highly doubt that this taskmon.exe is malicious, it's most likely used as a process to execute some other malware.

Makes sense if Avast! keeps detecting "C:\windows\system32\taskmon.exe" , but the file appears to not exist 
Just my two cents worth 

[Maxx_original]

there's also a possibility that the file is renewed from somewhere..

[Ltangelic]

Hey Abraxas,

Ah, I missed something important. :knocksheadagainstwall: This taskmon.exe IS a malicious file because a legit taskmon.exe should have been in Windows folder. Look at this:

http://www.bleepingcomputer.com/startups/taskmon.exe-5665.html

I have already advised paddy to post a HijackThis log in one of the free tech help sites so as to get his computer cleaned up in this other topic he started:

http://forum.avast.com/index.php?topic=40244.0

His Avast just found a backdoor trojan recently and I'm thinking that he has more malware hidden on his computer. The best way would be to reformat, but paddy doesn't want to do so, so the next best thing he can do is let an expert clean up his computer.

[Abraxas]

there's also a possibility that the file is renewed from somewhere..

True ...
Ltangelic:

His Avast just found a backdoor trojan recently and I'm thinking that he has more malware hidden on his computer. The best way would be to reformat, but paddy doesn't want to do so, so the next best thing he can do is let an expert clean up his computer.

Thanks for the info on taskmon.exe @ bleepingcomputer. "It is not normally on a WinXP system"

Seems Format or try expert malware cleaning help is best . Interesting , but nasty 

[Ltangelic]

Hey Maxx,

there's also a possibility that the file is renewed from somewhere..

You are right, it is replicating itself, because it is a type of worm. (W32/Mydoom.a@MM)

As said here:

http://vil.nai.com/vil/content/v_100983.htm

This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:

    * contains its own SMTP engine to construct outgoing messages
    * contains a backdoor component (see below)
    * contains a Denial of Service payload

paddy also has a backdoor on his computer (._file(1).exe), most likely it is created by this worm (just a guess). 

The virus uses a DLL that it creates in the Windows System directory:

    *  %SysDir%\shimgapi.dll (4,096 bytes)

This should be the file that is regenerating taskmon.exe.

I wonder if paddy did download some attachment from an email that delivered this worm.

[paddyc]

Hi Guys

You have all got me really worried now.

I did a search for shimgapi.dll and found nothing.

As I said at the beginning I am new to this and did not realise that the trojans could replicate or that they could be associated with each other.

As well as the ._file[1].exe which is discussed on a separate thread I now realise that I should have mentioned that there is another file in the chest which was picked up at the same time as ._file[1].exe.
This file is called A0177674.exe and was found in my system restore folders. Avast identifies it as win32:trojan-gen (other). I do use Limewire and I did download a file that contained a generic trojan that AVG8 said it caught but AVG did not report the two files that Avast has found so I wonder if it caught everything it should have.

Does this help

I have not cleared anything out of the chest yet but I am presuming that while they are in the chest they cannot continue to function -is this correct?

Ltangelic re your post on the other thread Avast does not offer me a quarantine facility -simply delete the file or ignore it. However it returns the next time I boot up and even a boot scan does not identify anything.

[Ltangelic]

Hey paddyc,

Alright, even though I'm tight for time, let's see if I can help you fix your problem. Please follow my instructions carefully and reply ONLY to THIS thread with the logs I ask you to post.

For now, please do the following:

Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
  
• Doubleclick on the HJTInstall.exe icon on your desktop.
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
  

[paddyc]

Ltangelic here is part 1 of the Hijack file


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:40:10, on 25/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

[paddyc]

Ltangelic here is part 2

[Ltangelic]

Hey paddyc,

Thanks for the logs. They look alright from what I see, let's try a stronger tool.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

I'm going offline now because it's late here, do post the logs on here and I'll have a look tomorrow. Thanks for understanding. :)

[paddyc]

Ltangelic It is late here too! I will do this in the morning and post back to you

Thanks for the help