Author Topic: C:\windows\system32\taskmon.exe  (Read 107469 times)


paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #165 on: December 12, 2008, 03:15:26 PM »
It can't be another (similar) name, but the exact one... the files aren't always read through ntfs.sys while doing the antirootkit scan, but I don't know what can cause the difference between our driver and the default ntfs driver..

Well where do I go from here?

Offline Maxx_original (Moderator)
Re: C:\windows\system32\taskmon.exe
« Reply #166 on: December 12, 2008, 03:31:31 PM »
I don't know ATM... is there any MFT validating tool?

Offline essexboy (Malware removal instructor)
Re: C:\windows\system32\taskmon.exe
« Reply #167 on: December 12, 2008, 05:17:02 PM »
The only MFT checker as far as I know is chkdsk

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #168 on: December 13, 2008, 01:53:47 AM »
Maxx,

Why would you want an MFT checker - my system is FAT32, see previous email.

Offline Maxx_original (Moderator)
Re: C:\windows\system32\taskmon.exe
« Reply #169 on: December 13, 2008, 12:55:13 PM »
aah, you're right, sorry... hmmm are you able to access your drive in raw mode and do some lookups (WinHex should be able to do that)?

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #170 on: December 13, 2008, 03:12:43 PM »
aah, you're right, sorry... hmmm are you able to access your drive in raw mode and do some lookups (WinHex should be able to do that)?

Maxx, which WinHex should I look for? There seem to be a few of them about.

Offline Maxx_original (Moderator)
Re: C:\windows\system32\taskmon.exe
« Reply #171 on: December 13, 2008, 05:58:43 PM »

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #172 on: December 14, 2008, 01:01:44 AM »
http://www.x-ways.com/winhex/index-m.html

Maxx, I can't get this loaded as the setup constantly hangs and I have to cancel via Task Manager.

Offline polonus (Avast Überevangelist)
Re: C:\windows\system32\taskmon.exe
« Reply #173 on: December 14, 2008, 01:21:28 AM »
Hi paddyc,

Let’s do this next to fix your Task Manager problem.

Please download from http://www.kellys-korner-xp.com/regs_edits/taskmanager.reg and save it to your desktop.
A blue-white cubicle icon will appear.
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

REBOOT afterwards.... really important!

pol
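The .reg fix above works by clearing a policy value; an added check (not from the thread, and not the contents of the linked file, which are assumed here to do the same thing) is to read that value directly before and after merging, so you can see whether something keeps re-setting it. The value name DisableTaskMgr under Policies\System is the documented one; the script only shows what it would remove unless -WhatIf is dropped.

```powershell
# Added example: report and (with -WhatIf removed) clear the policy value that
# disables Task Manager. Assumption: taskmanager.reg from the linked site
# achieves the same result; DisableTaskMgr is the documented value name.
$paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        "{0}: key absent (Task Manager not blocked here)" -f $p
        continue
    }
    $v = Get-ItemProperty -Path $p -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        "{0}: DisableTaskMgr not set" -f $p
        continue
    }
    "{0}: DisableTaskMgr = {1}" -f $p, $v.DisableTaskMgr
    # A value of 1 blocks Task Manager; removing the value (or setting it to 0)
    # re-enables it. -WhatIf only previews; drop it to apply, then reboot.
    Remove-ItemProperty -Path $p -Name DisableTaskMgr -WhatIf
}
```

Run it once before merging the .reg file and again after the reboot: if DisableTaskMgr comes back on its own, something still running on the machine is re-applying it, and the registry fix alone will not hold.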

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #174 on: December 14, 2008, 03:00:41 AM »
Hi paddyc,

Let’s do this next to fix your Task Manager problem.

Please download from http://www.kellys-korner-xp.com/regs_edits/taskmanager.reg and save it to your desktop.
A blue-white cubicle icon will appear.
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

REBOOT afterwards.... really important!

pol

Before I go and do that I need to report that I used the internet to get a list of all known files that might be associated with taskmon and decided to check out my system and see if I found any.

Rundll32.exe was named as a possible and I have found 3 copies of it on my system. A scan with Avast produced nothing but a scan with Spybot heuristics said smitfraud-c on 2 and win32.delf.rtk on the other.

I used Jotti Viruscan on system 32\rundll32.exe and this was the report

Scanner    Malware name
A-Squared    Trojan-PWS.Win32.LdPinch!IK
AntiVir    TR/Crypt.PEPM.Gen
ArcaVir    X
Avast    Win32:LdPinch-NO
AVG Antivirus    PSW.Ldpinch
BitDefender    Trojan.PWS.LDPinch.TIK
ClamAV    Trojan.Dropper.Agent-106
CPsecure    Troj.PSW.W32.LdPinch.beo
Dr.Web    Trojan.Packed.1197
F-Prot Antivirus    W32/LdPinch.K.gen!Eldorado
F-Secure Anti-Virus    Trojan-PSW.Win32.LdPinch.dlt
G DATA    X
Ikarus    Trojan-PWS.Win32.LdPinch
Kaspersky Anti-Virus    Trojan-PSW.Win32.LdPinch.dlt
NOD32    a variant of Win32/PSW.LdPinch.NCB
Norman Virus Control    Sandbox: W32/Malware
Panda Antivirus    Trj/Ldpinch.gen
Sophos Antivirus    Troj/LdPinch-PZ
VirusBuster    Rootkit.LDPinch.Gen.4
VBA32    MalwareScope.Trojan-PSW.Pinch.1

I then scanned windows\$NTServicePackUninstall$\rundll32.exe and this was produced by Jotti

Last file scanned at least one scanner reported something about: ChamaleonButton.ocx (MD5: a73cd21288945e3045502bd47131034e, size: 102400 bytes), detected by:

Scanner    Malware name
A-Squared    HackTool.Win32.MadMSN!IK
AntiVir    X
ArcaVir    X
Avast    X
AVG Antivirus    X
BitDefender    X
ClamAV    X
CPsecure    X
Dr.Web    X
F-Prot Antivirus    X
F-Secure Anti-Virus    X
G DATA    X
Ikarus    HackTool.Win32.MadMSN.40
Kaspersky Anti-Virus    X
NOD32    X
Norman Virus Control    X
Panda Antivirus    X
Sophos Antivirus    X
VirusBuster    X
VBA32    X

I finally submitted windows\ServicePackFiles\i386\rundll32.exe and Jotti came up with following

Last file scanned at least one scanner reported something about: Webmail_Hack_2.3.zip (MD5: c2779e69591e6351aa877f8350e6447a, size: 231849 bytes), detected by:

Scanner    Malware name
A-Squared    Trojan-Clicker.MSIL.Xone!IK
AntiVir    TR/Click.MSIL.Xone.AC
ArcaVir    Trojan.Downloader.Small.Dug
Avast    Win32:Trojan-gen {Other}
AVG Antivirus    X
BitDefender    Trojan.Generic.358370
ClamAV    Trojan.Clicker-2249
CPsecure    Troj.Clicker.MSIL.Xone.ac
Dr.Web    X
F-Prot Antivirus    X
F-Secure Anti-Virus    Trojan-Clicker.MSIL.Xone.ac
G DATA    X
Ikarus    Trojan-Clicker.MSIL.Xone.ac
Kaspersky Anti-Virus    Trojan-Clicker.MSIL.Xone.ac
NOD32    X
Norman Virus Control    X
Panda Antivirus    X
Sophos Antivirus    X
VirusBuster    X
VBA32    Trojan-Clicker.MSIL.Xone.ac

What should I do about these?  There were also a bunch of .pf files in prefetch referenced back to rundll32.exe but Spybot said they were clear.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #175 on: December 14, 2008, 04:05:47 AM »

Polonus this link opens text on the browser and does not offer a file to be saved ???

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #176 on: December 15, 2008, 07:25:26 AM »

OK, got this to work by using Internet Explorer instead of Firefox!!


Can anyone help me with the rundll32.exe problems???

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #177 on: December 16, 2008, 02:00:14 PM »
Guys,

I really need some help to sort out these rundll32.exe problems.

I have done full scans of my system using Avast, Spybot, SAS, MBAM, Dr Web CureIt, F Secure Backlight,
including bootscan and safe mode but none of them are picking up the viruses in the rundll32.exe files.

Rundll32.exe is not showing as a running process on the computer and there does not appear to be anything going amiss with my computer.

I am tempted to simply delete the offending files using command mode but internet search says that Rundll32.exe is a required file and that it should be in windows\system 32 - which it is even though it appears to be infected. Is there a way to delete these files and reinstate a proper rundll32.exe file without screwing up my computer?

Even though the complete scans are not picking up anything, if I do a file scan using Spybot it does flag viruses on all three copies of the file.

Spybot is finding the virus via heuristics and Avast is finding Taskmon using the same technique although Taskmon does not appear to exist. Is it possible that Avast is seeing the same file but thinks it is something else?

I really need some help here as I don't know what else to try :-\
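The question in the two posts above (three copies of rundll32.exe, one scanner flagging them and everything else silent) is best settled by comparing the copies to each other rather than trusting any one verdict. Note that the second and third Jotti results quoted earlier carry a different file name and MD5 than rundll32.exe (ChamaleonButton.ocx, Webmail_Hack_2.3.zip), so pinning each copy to its own hash is the first step. The following is an added example, not from the thread or from any of the tools mentioned in it; it assumes the three paths paddyc listed and a PowerShell version that has Get-FileHash (Windows 8.1 / PowerShell 4 or later).

```powershell
# Added example: hash, size, version resource and signature state of each
# rundll32.exe copy found in the thread, then compare the hashes.
# Assumption: the three paths are exactly the ones paddyc reported.
$win = $env:SystemRoot
$copies = @(
    (Join-Path $win 'system32\rundll32.exe'),
    (Join-Path $win '$NTServicePackUninstall$\rundll32.exe'),   # pre-SP backup
    (Join-Path $win 'ServicePackFiles\i386\rundll32.exe')        # SP reference copy
)

$rows = foreach ($f in $copies) {
    if (-not (Test-Path $f)) {
        [pscustomobject]@{ Path = $f; Present = $false }
        continue
    }
    $item = Get-Item $f
    $sig  = Get-AuthenticodeSignature -FilePath $f
    [pscustomobject]@{
        Path      = $f
        Present   = $true
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Company   = $item.VersionInfo.CompanyName
        SHA256    = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
    }
}

$rows | Format-List

# A genuine system32 copy normally matches the ServicePackFiles copy byte for
# byte; a differing hash on the live copy is the thing worth investigating.
$hashes = @($rows | Where-Object Present | Select-Object -ExpandProperty SHA256 -Unique)
if ($hashes.Count -le 1) {
    'All present copies are identical.'
} else {
    'Copies differ: compare the system32 hash against the ServicePackFiles copy.'
}
```

Two caveats when reading the output. Windows system binaries are usually catalog-signed rather than carrying an embedded signature, so on older Windows Get-AuthenticodeSignature reports NotSigned for a perfectly good rundll32.exe; the hash comparison against the Service Pack copy (and sfc /scannow) is the reliable check there. And if the live copy does differ, the safe replacement is the one the thread already points to: copy the known-good ServicePackFiles version over it from outside the running system (recovery console or boot media), not deleting it from a running Windows.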

Offline DavidR (Avast Überevangelist)
Re: C:\windows\system32\taskmon.exe
« Reply #178 on: December 16, 2008, 03:56:49 PM »
The rundll32.dll doesn't show in the Task Manager if that is where you are looking; if not, where are you looking (as it is an essential file used to register other dll files)?

Effectively the only way to remove (replace it with the correct version for your OS version) it is when windows isn't running. I have never tried this and it could be fraught with danger.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #179 on: December 16, 2008, 04:52:39 PM »
The rundll32.dll doesn't show in the Task Manager if that is where you are looking; if not, where are you looking (as it is an essential file used to register other dll files)?

Effectively the only way to remove (replace it with the correct version for your OS version) it is when windows isn't running. I have never tried this and it could be fraught with danger.

DavidR,

I am not talking about a rundll32.dll, I do not appear to have one of those on my hard disk. I am talking about rundll32.exe, which resides in windows\system32 and two other directories. A search using Explorer reveals them and then a scan of each file reveals viruses. I looked to see if this file was running in Task Manager, msconfig startup and services.

What I don't understand is, if it's an active file and it's corrupt, then why is it not affecting my system and why have none of the scanners picked it up?