You can try sending me a PM and attach it. See if that’s possible.
Sorry Ltangelic, but PM does not allow a file attachment and this forum only allows a file of 192k to be attached.
Hi guys and girls, I use Mediafire as an upload base.
To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.
Maxx, I have done the update and Avast is still finding the suspicious file every time I reboot. It says that it was found using heuristics and that it is a rootkit hidden. It still offers me delete or ignore but is now advising me to ignore which I don’t like to do so I delete it.
The taskmon.exe file cannot be found and you will see elsewhere on this thread that virus scan could not find it on a browse. However, Avast says that it is sending a copy back to Avast each time I get the warning.
My point is that Avast should be receiving at least one copy a day of this file from me so why can’t they tell me what they have received? At the very least they should tell Ltangelic so that she can assist me.
We have done so much log posting over the last couple of weeks without identifying anything that I am beginning to believe that it’s Avast software that is screwed up and that it is not really finding anything.
Help me out here
paddyc: ok, try this…
start → run → “cmd” → ENTER
“c:” → ENTER
“cd \” → ENTER
“cd windows\system32” → ENTER
“attrib -r -s -h taskmon.exe” → ENTER
can you see the file now?
Maxx, did the above and got nothing, but I figured that I had already deleted the file so did a reboot and waited until the suspicious message came up. I am looking at the cmd screen and the suspicious message together and the cmd screen says “file not found - taskmon.exe” but Avast says it’s there and the type is Rootkit:hidden process. Available actions are delete now or Ignore, with an option to not tell about this file in future. The recommended action is ignore. The submission box is ticked to submit the file to ALWIL Software virus lab for further analysis.
This is what I have been saying all along.
Since it is a rootkit, you will not see the file by changing the attributes of it.
Get and run THIS
Eddy
Have already run rootkit reveal and McAfee Rootkit Detective - why will this one be any different?
Eddy
I ran Sophos and it came up clean, although I am still sitting with the Avast suspicious warning on screen.
Maxx
What I need is for someone to give me a definitive answer on whether or not Avast is sending this file to ALWIL software virus lab and if so what have they got? It is not a difficult question!
paddyc: can you send me your installation GUID via PM? You can obtain it in the Program Files\Alwil software\Avast4\Setup\setup.ini file…
OK. C:\windows\system32\taskman.exe is a legitimate Windows file (unless it is altered, of course) and should show if you navigate to it through Explorer (= My Computer).
Visit JOTTI and type (or copy/paste) C:\windows\system32\taskmon.exe and hit the submit button. What happens? Getting an error? If so, what is the error?
Also let me know how you installed XP. Was it an upgrade from Windows 98? A clean install?
And last (for now), right-click My Computer, Properties and look at the number there.
It will look like: XXXXX-YYY-YYYXXX-XXXX
Tell me what it says about the YYY-YYY part.
Eddy
Taskmon.exe is NOT a legitimate file in Windows XP, although it is in 98. Besides, it should appear in the windows directory, not system 32. We have already tried to send the file to virus scan and it could not find it. This discussion has already been made in this thread. My installation of XP came preloaded with the computer and has all the latest updates. The number you want is OEM-001.
I can’t find any file with your GUID… that’s really strange ???
I’m wondering… Get a live CD (list of live CDs) and see if you can find the file with it.
By the way, do you have Avast Home or Pro? If Pro, how/where did you register it?
I also wonder about the use of FAT32 instead of NTFS. Normally XP is installed on NTFS. FAT32 can be an indication that it is not a clean install of XP but an upgrade from 98.
Did you get an XP CD-ROM with your system or is there a recovery partition or something?
Eddy, you are going to have to explain the live CD thing to me as I don’t understand what this is about.
Using Avast Home 4.8.1296
System says FAT32
As stated earlier, the Windows XP came preloaded with the computer. I do have a recovery disc which is about 5 years old, which is why I was reluctant to simply reformat as it would be a monumental pain to update Windows again.
Another idea… can you see any file(s) in your Program Files\Alwil software\Avast4\DATA\spool folder?
Maxx, when you get the suspicious file window with the options - do I have to do anything else other than ensure the box is ticked to send the file to the software virus lab?
I am simply clicking delete and assuming that the file gets sent. Is this correct?
Thanks paddy,
I’ll have a look at that run file now.
paddyc: the checkbox allowing the file to be sent is checked by default… the suspicious files are sent while you update your VPS (information about the file sending can be found in the setup.log file)… anyway - look in the folder mentioned above…