Author Topic: C:\windows\system32\taskmon.exe  (Read 104187 times)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89126
  • No support PMs thanks
Re: C:\windows\system32\taskmon.exe
« Reply #180 on: December 16, 2008, 05:05:10 PM »
Sorry my error, should indeed have been rundll32.exe, but same problem in replacing an essential file in use, infected or otherwise.

This file if corrupt should have an impact on your system.

What is the MD5 of your file ?
Mine on XP Pro SP3 (it would differ for different os/version) is:
rundll32.exe

MD5:
037B1E7798960E0420003D05BB577EE6
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #181 on: December 16, 2008, 11:24:03 PM »
Quote
Sorry my error, should indeed have been rundll32.exe, but same problem in replacing an essential file in use, infected or otherwise.

This file if corrupt should have an impact on your system.

What is the MD5 of your file ?
Mine on XP Pro SP3 (it would differ for different os/version) is:
rundll32.exe

MD5:
037B1E7798960E0420003D05BB577EE6

Mine is 037B1E7798960E0420003D05BB577EE6, which is right as my OS is XP Home Edition Service Pack 3.

DavidR
Re: C:\windows\system32\taskmon.exe
« Reply #182 on: December 17, 2008, 12:12:10 AM »
So essentially it is the same as mine, if it were modified in any way the MD5 would be different and I don't know if that would also be true if it were corrupt, but I would have thought so as the corrupted file is essentially changed.

Where that leaves us now is the question, whilst I have been following this at a distance, can you expand on the rundll32.exe problems that you mentioned (without me having to root through 13 pages) ?
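The comparison discussed in the replies above, as an added Python example that is not from the thread: it hashes files in chunks, checks copies against a reference, and shows that a single flipped bit changes the digest. The file names and bytes are constructed stand-ins, not a real rundll32.exe, and SHA-256 is computed alongside MD5 because MD5 is no longer collision-resistant.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=65536):
    """Return (MD5, SHA-256) upper-case hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest().upper(), sha256.hexdigest().upper()


def compare_copies(reference_path, candidate_paths):
    """Classify each candidate as 'match', 'differs' or 'missing' against the reference."""
    ref = file_digests(reference_path)
    report = {}
    for path in candidate_paths:
        if not os.path.isfile(path):
            report[path] = "missing"
        else:
            report[path] = "match" if file_digests(path) == ref else "differs"
    return report


def demo():
    """Run the comparison on constructed files: identical copy, corrupted copy, absent file."""
    good = b"MZ" + bytes(range(256)) * 64   # constructed bytes, not a real executable
    corrupt = bytearray(good)
    corrupt[1000] ^= 0x01                   # simulate corruption: flip one bit
    samples = (("reference.bin", good), ("copy.bin", good), ("corrupt.bin", bytes(corrupt)))
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        candidates = [os.path.join(d, n) for n in ("copy.bin", "corrupt.bin", "absent.bin")]
        report = compare_copies(os.path.join(d, "reference.bin"), candidates)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```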

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #183 on: December 17, 2008, 02:49:53 AM »

Quote
Where that leaves us now is the question, whilst I have been following this at a distance, can you expand on the rundll32.exe problems that you mentioned (without me having to root through 13 pages) ?

DavidR,

Full explanation is on page 12 half way down reply #174

DavidR
Re: C:\windows\system32\taskmon.exe
« Reply #184 on: December 17, 2008, 03:14:26 AM »
First I have to say I prefer the virustotal scanner as a) it has currently 37 different scanners and b) it uses the windows version of avast, so it is more in keeping with what you have.

The main thing is that the important version of rundll32.exe in system32 is OK. Well, let's put it this way: it is the same as mine and a) I don't get any detection by avast and b) I have no apparent dll issues which would be apparent if it were infected or corrupt.

The versions in the other locations are likely to be different but for S&D to get detections on all I find highly suspect. But then again there are the jotti results ???

Personally I would probably discount the S&D results and go with a) not experiencing any rundll32.exe problems, e.g. other dlls not running properly, b) suspicious behaviour, pop-up ads, redirects or attempts to open web sites you didn't request, etc.

So I have decided to upload my version of rundll32.exe to virustotal and there are zero hits from 38 different scanners, http://www.virustotal.com/analisis/1bd0ad1185cf0ffb35facbf1ec6a43e5. Since the MD5 of your file is the same you can assume yours too is clean.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #185 on: December 17, 2008, 03:37:53 AM »
Quote
So I have decided to upload my version of rundll32.exe to virustotal and there are zero hits from 38 different scanners, http://www.virustotal.com/analisis/1bd0ad1185cf0ffb35facbf1ec6a43e5. Since the MD5 of your file is the same you can assume yours too is clean.

DavidR,

What would be interesting is for you to submit your file to Jotti and see if it tells you that it's corrupt and also test your file with Spybot. If you get the same reactions as me then I think we can definitely say that it's a false positive ???

DavidR
Re: C:\windows\system32\taskmon.exe
« Reply #186 on: December 17, 2008, 03:47:58 AM »
Zero detections.

I don't have S&D I abandoned it ages ago and sorry I'm not prepared to download it in dial-up. I prefer to take the word of a) the 38 scanners on VT and b) the 20 scanners on Jotti (some will be the same as VT).

Getting close to 3 a.m. here and I have had enough for the day ;D

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #187 on: December 17, 2008, 04:09:05 AM »
Quote
Zero detections.

I don't have S&D I abandoned it ages ago and sorry I'm not prepared to download it in dial-up. I prefer to take the word of a) the 38 scanners on VT and b) the 20 scanners on Jotti (some will be the same as VT).

Getting close to 3.am. here and I have had enough for the day ;D

DavidR

Thanks for your help - I have rerun jotti and virustotal and both have come up zero!! I don't know why Jotti gave me false reports first time round ???

I will now discount any problems with rundll32.exe as being a false alarm, but that still leaves me with Avast reporting Taskmon as a suspicious file and yet it does not exist.

DavidR
Re: C:\windows\system32\taskmon.exe
« Reply #188 on: December 17, 2008, 03:39:37 PM »
You're welcome.

I would continue to allow it to be sent to avast if it continues to be detected and select Ignore. If nothing else it will bump the analysis of the 'non-existent' file, which it can't be, it has to exist, why you can't find it is beyond me.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #189 on: December 17, 2008, 04:15:08 PM »
Quote
You're welcome.

I would continue to allow it to be sent to avast if it continues to be detected and select Ignore. If nothing else it will bump the analysis of the 'non-existent' file, which it can't be, it has to exist, why you can't find it is beyond me.

But nothing gets sent to Avast as we have already established that nothing ends up in the spooler file so nothing gets uploaded to Avast. We have even done a test with eicar to check that the spooler works. Taskmon.exe is not a running process, no other rootkit program picks it up, and no scan by any other virus program picks it up, including an online Kaspersky. Even done a line by line check of all windows directories via recovery console and found nothing. Maxx wanted me to try winhex but I can't get it to install; it just freezes and I then need to cancel the setup application.

DavidR
Re: C:\windows\system32\taskmon.exe
« Reply #190 on: December 17, 2008, 04:59:17 PM »
Well I don't know how it can detect nothing and it is a mystery.

Taskmon.exe is a win98/ME file; in XP this is taskmgr.exe, the XP equivalent. Did you ever have win98/ME on this system ?

http://www.google.co.uk/search?q=Taskmon.exe The first few hits on here also mention malware association on this file name.

http://www.auditmypc.com/process/taskmon.asp
Quote
You should treat this process with caution. Examples of viruses that go by the name taskmon.exe are the Novarg, MyDoom and MiMail.

taskmon.exe is considered to be a security risk, not only because antivirus programs flag Possible Virus / Taskmanager as a virus, but also because a number of users have complained about its performance.

http://www.threatexpert.com/files/taskmon.exe.html

So outside of this I don't know what else to suggest.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #191 on: December 18, 2008, 06:40:25 AM »
DavidR,

I have checked out all the possible files shown in threatexpert and have even run the threat expert program. Have tested for all forms of taskmon, taskmgr and taskmanager. If the file is there then it is very well hidden.

DavidR
Re: C:\windows\system32\taskmon.exe
« Reply #192 on: December 18, 2008, 02:52:39 PM »
Sorry but I'm running on empty as to what else to suggest.

paddyc

  • Guest
Re: C:\windows\system32\taskmon.exe
« Reply #193 on: December 22, 2008, 07:54:26 AM »
Guys,

Has anything been changed on Avast in the last couple of days?

My suspicious file message has suddenly stopped appearing - been like this for a couple of days and I have done several reboots without it appearing.

Very strange but very welcome ::)

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: C:\windows\system32\taskmon.exe
« Reply #194 on: December 22, 2008, 09:51:59 AM »
Vlk did some small changes to verifying routine of the suspicious files.. it could solve this strange problem, but it was not made specially to do that...