Author Topic: C:\windows\system32\taskmon.exe  (Read 107502 times)


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #105 on: December 03, 2008, 10:36:24 AM »
paddyc: ok, try this..

start -> run -> "cmd" -> ENTER
"c:" -> ENTER
"cd \" -> ENTER
"cd windows\system32" -> ENTER
"attrib -r -s -h taskmon.exe" -> ENTER

can you see the file now?

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #106 on: December 03, 2008, 12:15:43 PM »
paddyc: ok, try this..

start -> run -> "cmd" -> ENTER
"c:" -> ENTER
"cd \" -> ENTER
"cd windows\system32" -> ENTER
"attrib -r -s -h taskmon.exe" -> ENTER

can you see the file now?

Maxx, did the above and got nothing, but I figured that I had already deleted the file so did a reboot and waited till the suspicious message came up. I am looking at the cmd screen and the suspicious message together and the cmd screen says "file not found - taskmon.exe" but Avast says it's there and type is Rootkit:hidden process. Available actions are delete now or Ignore with option to not tell about this file in future. The recommended action is ignore. Submission box is ticked to submit file to ALWIL Software virus lab for further analysis.

This is what I have been saying all along.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: C:\windows\system32\taskmon.exe
« Reply #107 on: December 03, 2008, 12:18:35 PM »
Since it is a rootkit, you will not see the file by changing the attributes of it.
Get and run THIS
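
Added example, not part of any post in this thread: a PowerShell sketch of the distinction made in reply #107, comparing what directory enumeration, enumeration with hidden/system entries included, and a direct path lookup report for the same file. The function name `Test-FileVisibility` is hypothetical; the path is the one discussed in the thread.

```powershell
# Added example: compares three user-mode views of one file.
# Test-FileVisibility is a hypothetical helper name, not an Avast or Windows tool.
function Test-FileVisibility {
    param([Parameter(Mandatory)][string]$Path)

    $dir  = Split-Path -Parent $Path
    $leaf = Split-Path -Leaf $Path

    # View 1: default enumeration, which skips Hidden/System entries.
    $default = @(Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -ieq $leaf })

    # View 2: enumeration with -Force, which includes Hidden/System entries.
    # This is the case "attrib -r -s -h" can fix.
    $forced = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -ieq $leaf })

    # View 3: ask for the path directly instead of listing the directory.
    $direct = [System.IO.File]::Exists($Path)

    if ($default.Count -gt 0) {
        $verdict = 'visible in a normal listing'
    } elseif ($forced.Count -gt 0) {
        $verdict = "hidden by attributes only: $($forced[0].Attributes)"
    } elseif ($direct) {
        $verdict = 'found by path but missing from the listing: the views disagree'
    } else {
        # Either the file does not exist, or something below these APIs is
        # filtering the results; only an offline look at the disk can tell.
        $verdict = 'not visible through any of these views'
    }

    [pscustomobject]@{
        Path            = $Path
        Listed          = $default.Count -gt 0
        ListedWithForce = $forced.Count -gt 0
        DirectExists    = $direct
        Verdict         = $verdict
    }
}

# Path taken from the thread title.
Test-FileVisibility -Path "$env:SystemRoot\system32\taskmon.exe"
```

All three views go through the running system's own file APIs, so a last-branch result cannot separate "file absent" from "file filtered out"; on 64-bit Windows, run it from a 64-bit PowerShell so that `system32` is not redirected.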

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #108 on: December 03, 2008, 12:25:25 PM »
Since it is a rootkit, you will not see the file by changing the attributes of it.
Get and run THIS

Eddy

Have already run rootkit reveal and McAfee Rootkit Detective - why will this one be any different?

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #109 on: December 03, 2008, 12:38:41 PM »
Eddy

I ran Sophos and it came up clean, although I am still sitting with the Avast suspicious warning on screen.

Maxx
What I need is for someone to give me a definitive answer on whether or not Avast is sending this file to ALWIL software virus lab and if so what have they got? It is not a difficult question!

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #110 on: December 03, 2008, 12:51:50 PM »
paddyc: can you send me your installation GUID via PM? you can obtain it in the Program Files\Alwil software\Avast4\Setup\setup.ini file..

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: C:\windows\system32\taskmon.exe
« Reply #111 on: December 03, 2008, 12:58:36 PM »
ok. C:\windows\system32\taskman.exe is a legitimate windows file (unless it is altered of course) and should show if you navigate to it through explorer (=my computer)

Visit JOTTI and type (or copy/paste) C:\windows\system32\taskmon.exe and hit the submit button. What happens? Getting an error? If so, what is the error?

Also let me know how you installed XP. Was it an upgrade from windows98? A clean install?
And last (for now) right click my computer, properties and look at the number there.
It will look like: XXXXX-YYY-YYYXXX-XXXX
Tell me what it says about the YYY-YYY part
« Last Edit: December 03, 2008, 02:03:59 PM by Eddy »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #112 on: December 03, 2008, 01:35:13 PM »
ok. C:\windows\system32\taskmon.exe is a legitimate windows file (unless it is altered of course) and should show if you navigate to it through explorer (=my computer)

Visit JOTTI and type (or copy/paste) C:\windows\system32\taskmon.exe and hit the submit button. What happens? Getting an error? If so, what is the error?

Also let me know how you installed XP. Was it an upgrade from windows98? A clean install?
And last (for now) right click my computer, properties and look at the number there.
It will look like: XXXXX-YYY-YYYXXX-XXXX
Tell me what it says about the YYY-YYY part

Eddy

Taskmon.exe is NOT a legitimate file in Windows XP although it is in 98. Besides, it should appear in the windows directory, not system32. We have already tried to send the file to virus scan and it could not find it. This discussion has already been made in this thread. My installation of XP came preloaded with the computer and has all the latest updates. The number you want is OEM-001.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #113 on: December 03, 2008, 01:50:11 PM »
i can't find any file with your GUID.. that's really strange ???

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: C:\windows\system32\taskmon.exe
« Reply #114 on: December 03, 2008, 02:02:27 PM »
I'm wondering... Get a live cd (list of live cd's) and see if you can find the file with it.

btw, do you have avast home or pro? If pro, how/where did you register it?

I also wonder about the use of fat32 instead of ntfs. Normally XP is installed on ntfs. FAT32 can be an indication that it is not a clean install of XP but an upgrade from 98.

Did you get an XP cd rom with your system or is there a recovery partition or something?
« Last Edit: December 03, 2008, 02:16:17 PM by Eddy »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #115 on: December 03, 2008, 02:49:54 PM »
I'm wondering... Get a live cd (list of live cd's) and see if you can find the file with it.

btw, do you have avast home or pro? If pro, how/where did you register it?

I also wonder about the use of fat32 instead of ntfs. Normally XP is installed on ntfs. FAT32 can be an indication that it is not a clean install of XP but an upgrade from 98.

Did you get an XP cd rom with your system or is there a recovery partition or something?

Eddy you are going to have to explain the live cd thing to me as I don't understand what this is about.

Using Avast Home 4.8.1296

System says FAT32

As stated earlier the windows xp came preloaded with the computer. I do have a recovery disc which is about 5 years old which is why I was reluctant to simply reformat as it would be a monumental pain to update windows again.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #116 on: December 03, 2008, 02:52:37 PM »
another idea.. can you see any file(s) in your Program Files\Alwil software\Avast4\DATA\spool folder?

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #117 on: December 03, 2008, 02:54:38 PM »
i can't find any file with your GUID.. that's really strange ???

Maxx when you get the suspicious file window with the options - do I have to do anything else other than ensure the box is ticked to send the file to the software virus lab?

I am simply clicking delete and assuming that the file gets sent. Is this correct?

Ltangelic

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #118 on: December 03, 2008, 02:56:49 PM »
Thanks paddy,

I'll have a look at that run file now. :)

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #119 on: December 03, 2008, 03:01:15 PM »
paddyc: the checkbox allowing the file to be sent is checked by default... the suspicious files are sent while you update your VPS (information about the file sending could be found in the setup.log file)... anyway - look in the folder mentioned above...