there’s also a possibility that the file is renewed from somewhere…
Hey Abraxas,
Ah, I missed something important. :knocksheadagainstwall: This taskmon.exe IS a malicious file because a legit taskmon.exe should have been in Windows folder. Look at this:
http://www.bleepingcomputer.com/startups/taskmon.exe-5665.html
I have already advised paddy to post a HijackThis log in one of the free tech help sites so as to get his computer cleaned up in this other topic he started:
http://forum.avast.com/index.php?topic=40244.0
His Avast just found a backdoor trojan recently and I’m thinking that he has more malware hidden on his computer. The best way would be to reformat, but paddy doesn’t want to do so, so the next best thing he can do is let an expert clean up his computer.
True …
Ltangelic:
His Avast just found a backdoor trojan recently and I'm thinking that he has more malware hidden on his computer. The best way would be to reformat, but paddy doesn't want to do so, so the next best thing he can do is let an expert clean up his computer.
Thanks for the info on taskmon.exe @ bleepingcomputer. "It is not normally on a WinXP system"
Seems a format or trying expert malware cleaning help is best. Interesting, but nasty :o
Hey Maxx,
You are right, it is replicating itself, because it is a type of worm. (W32/Mydoom.a@MM)
As said here:
http://vil.nai.com/vil/content/v_100983.htm
This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* contains a backdoor component (see below)
* contains a Denial of Service payload
paddy also has a backdoor on his computer (._file(1).exe), most likely it is created by this worm (just a guess).
The virus uses a DLL that it creates in the Windows System directory:
* %SysDir%\shimgapi.dll (4,096 bytes)
This should be the file that is regenerating taskmon.exe.
I wonder if paddy did download some attachment from an email that delivered this worm.
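The two indicators named above (a taskmon.exe outside the Windows folder, and a 4,096-byte shimgapi.dll in the system directory) can be checked without an AV product. The script below is an added example, not part of the thread or of any tool mentioned in it; it walks a directory tree, records the location, size and SHA-256 of each watched file, and builds a constructed sample tree in a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators named in the thread for W32/Mydoom.a@MM: taskmon.exe outside the
# Windows folder, and a 4,096-byte shimgapi.dll in the system directory.
WATCHED = {"taskmon.exe", "shimgapi.dll"}
SHIMGAPI_SIZE = 4096


def sha256_of(path):
    """Hash the file so the finding can be compared against AV vendor writeups."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(search_roots, windows_dir):
    """Walk search_roots; return one dict per watched file found, with a verdict."""
    windows_dir = Path(windows_dir).resolve()
    findings = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() not in WATCHED:
                    continue
                p = Path(dirpath, name).resolve()
                in_windows = windows_dir in p.parents
                size = p.stat().st_size
                if name.lower() == "taskmon.exe":
                    # A legitimate copy lives under the Windows folder; the bleepingcomputer
                    # note says it is not normally present on XP at all, so still review it.
                    verdict = "review: under Windows dir" if in_windows else "suspicious: outside Windows dir"
                else:
                    verdict = "suspicious: size matches Mydoom writeup" if size == SHIMGAPI_SIZE else "suspicious: shimgapi.dll present"
                findings.append({"path": str(p), "verdict": verdict, "size": size, "sha256": sha256_of(p)})
    return findings


def demo():
    """Constructed sample tree (not a real infection) so the triage runs offline."""
    base = Path(tempfile.mkdtemp())
    win = base / "Windows"
    (win / "system32").mkdir(parents=True)
    (base / "Program Files" / "Foo").mkdir(parents=True)
    (win / "system32" / "shimgapi.dll").write_bytes(b"\0" * SHIMGAPI_SIZE)  # constructed
    (base / "Program Files" / "Foo" / "taskmon.exe").write_bytes(b"MZ-constructed")
    (win / "taskmon.exe").write_bytes(b"MZ-constructed")
    return triage([base], win)


if __name__ == "__main__":
    for f in demo():
        print(f["verdict"], f["path"], f["size"], f["sha256"][:16])
```

On a real XP machine you would call triage with the drive roots and os.environ["SystemRoot"]; a hit outside the Windows folder is what the thread's advice to post logs for expert review is about.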
Hi Guys
You have all got me really worried now.
I did a search for shimgapi.dll and found nothing.
As I said at the beginning I am new to this and did not realise that the trojans could replicate or that they could be associated with each other.
As well as the ._file[1].exe which is discussed on a separate thread I now realise that I should have mentioned that there is another file in the chest which was picked up at the same time as ._file[1].exe.
This file is called A0177674.exe and was found in my system restore folders. Avast identifies it as win32:trojan-gen (other). I do use Limewire and I did download a file that contained a generic trojan that AVG8 said it caught but AVG did not report the two files that Avast has found so I wonder if it caught everything it should have.
Does this help ???
I have not cleared anything out of the chest yet but I am presuming that while they are in the chest they cannot continue to function - is this correct?
Ltangelic re your post on the other thread Avast does not offer me a quarantine facility - simply delete the file or ignore it. However it returns the next time I boot up and even a boot scan does not identify anything.
Hey paddyc,
Alright, even though I’m tight for time, let’s see if I can help you fix your problem. Please follow my instructions carefully and reply ONLY to THIS thread with the logs I ask you to post.
For now, please do the following:
Click here to download HJTInstall.exe
* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
* Come back here to this thread and Paste the log in your next reply.
* DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Ltangelic here is part 1 of the Hijack file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:40:10, on 25/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Ltangelic here is part 2
Hey paddyc,
Thanks for the logs. They look alright from what I see, let’s try a stronger tool.
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
I’m going offline now because it’s late here, do post the logs on here and I’ll have a look tomorrow. Thanks for understanding.
Ltangelic It is late here too! I will do this in the morning and post back to you
Thanks for the help
Ltangelic
Well I have run Combofix and it appears to have deleted three files. As requested I am attaching the log. This is part 1
ComboFix 08-11-23.02 - Paddy 2008-11-25 6:54:58.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.567 [GMT 9:00]
Running from: c:\documents and settings\Paddy\Desktop\ComboFix.exe
- Created a new restore point
Ltangelic
This is part 2
Ltangelic
This is part 3
Ltangelic,
Whatever Combofix did has not resolved the problem.
After posting the log to you I did another reboot as this file only gets picked up after the reboot and sure enough Avast came back with the same suspicious file warning. I did a delete and then a boot scan which found nothing. As soon as the boot scan was finished and the rest of my files came up there was the same suspicious warning again. This time I just did the delete. Copies of the files should have been sent back to Avast.
Just for your info the suspicious file warning was active when I switched on this morning when I went to download Combofix but I left it there while I did the Combofix as I figured that if Avast was seeing the file then so would Combofix but I guess not.
I will wait to hear what you think about the log.
Hey paddyc,
I don’t see much in that log, we need to run some other tools.
Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.
1) Run CFScript
-
Please open Notepad
* Click Start, then Run
* Type notepad.exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll:
File::
c:\program files\Uninstall_CDS.exe
Folder::
c:\program files\FrostWire
c:\documents and settings\Paddy\Application Data\FrostWire
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
-
Save the above as CFScript.txt
-
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
- After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
2) Run RootkitRevealer
Please download Rootkit Revealer (It should be part of the Top 10 Downloads list)
* Unzip it to your desktop.
* Open the rootkitrevealer folder and double-click rootkitrevealer.exe
* Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
* Click the Scan button (bottom right)
* It may take a while to scan (don’t do anything while it’s running)
* When it’s done, go up to File > Save. Choose to save it to your desktop.
* Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
3) Run RSIT
* Download random’s system information tool (RSIT) by random/random from here and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next reply (please include):
Note: Please do NOT attach the logs and post ONE log in each post
RSIT log.txt and info.txt
RootkitRevealer log
ComboFix.txt
Hi Ltangelic,
I have run everything that you asked for and I am ready to post it up. I will start with Combofix.txt - this is part 1
ComboFix 08-11-24.01 - Paddy 2008-11-25 17:36:34.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.443 [GMT 9:00]
Running from: c:\documents and settings\Paddy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paddy\Desktop\CFScript.txt
- Created a new restore point
Ltangelic
Ltangelic,
Part 3 of Combofix.txt
Ltangelic,
Here is rootkitrevealer.txt
Hey please post me the RSIT logs as well. I mean the log.txt and info.txt.