Maxx, definitely no update of the VPS - that was done this morning at 10:37 and the last entry in the setup log is 10:37. That is why I was astonished when I could not find the file in the spooler.
I can access the HDD of my desktop from my laptop.
I did a search of my desktop HDD via my laptop and could not find taskmon.
I have now discovered that I do have Recovery Console XP installed on my hard drive. I have no idea how to use this, but if you give me instructions I will use this to search for taskmon.
Did that but could find no trace of taskmon in any of the directories. :-X
I did find 3 copies of taskman.exe in windows, system32 and system32\Dllcache, all of which say they are by Microsoft and are all 15,360k. The only other likely candidate is taskmgr.exe in system32, which is 135,680k and says it is Microsoft.
If taskmon is being disguised, do you have a list of likely file names that I could search for - or is this unlikely?
It can’t be another (similar) name, but the exact one… The files aren’t always read through ntfs.sys while doing the antirootkit scan, but I don’t know what can cause the difference between our driver and the default ntfs driver…
Let’s do this next to fix your Task Manager problem.
Please download from http://www.kellys-korner-xp.com/regs_edits/taskmanager.reg and save it to your desktop.
A blue-white cubicle icon will appear…
Double-click on it and when it asks you if you want to merge the contents to the registry, click “Yes” or “OK”. You should receive a message that it was successful.
Before I go and do that I need to report that I used the internet to get a list of all known files that might be associated with taskmon and decided to check out my system and see if I found any.
Rundll32.exe was named as a possible and I have found 3 copies of it on my system. A scan with Avast produced nothing, but a scan with Spybot heuristics said smitfraud-c on 2 and win32.delf.rtk on the other.
I used Jotti Viruscan on system32\rundll32.exe and this was the report:
Scanner Malware name
A-Squared Trojan-PWS.Win32.LdPinch!IK
AntiVir TR/Crypt.PEPM.Gen
ArcaVir X
Avast Win32:LdPinch-NO
AVG Antivirus PSW.Ldpinch
BitDefender Trojan.PWS.LDPinch.TIK
ClamAV Trojan.Dropper.Agent-106
CPsecure Troj.PSW.W32.LdPinch.beo
Dr.Web Trojan.Packed.1197
F-Prot Antivirus W32/LdPinch.K.gen!Eldorado
F-Secure Anti-Virus Trojan-PSW.Win32.LdPinch.dlt
G DATA X
Ikarus Trojan-PWS.Win32.LdPinch
Kaspersky Anti-Virus Trojan-PSW.Win32.LdPinch.dlt
NOD32 a variant of Win32/PSW.LdPinch.NCB
Norman Virus Control Sandbox: W32/Malware
Panda Antivirus Trj/Ldpinch.gen
Sophos Antivirus Troj/LdPinch-PZ
VirusBuster Rootkit.LDPinch.Gen.4
VBA32 MalwareScope.Trojan-PSW.Pinch.1
I then scanned windows\$NTServicePackUninstall$\rundll32.exe and this was produced by Jotti:
Last file scanned at least one scanner reported something about: ChamaleonButton.ocx (MD5: a73cd21288945e3045502bd47131034e, size: 102400 bytes), detected by:
Scanner Malware name
A-Squared HackTool.Win32.MadMSN!IK
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
G DATA X
Ikarus HackTool.Win32.MadMSN.40
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X
I finally submitted windows\ServicePackFiles\i386\rundll32.exe and Jotti came up with the following:
Last file scanned at least one scanner reported something about: Webmail_Hack_2.3.zip (MD5: c2779e69591e6351aa877f8350e6447a, size: 231849 bytes), detected by:
Scanner Malware name
A-Squared Trojan-Clicker.MSIL.Xone!IK
AntiVir TR/Click.MSIL.Xone.AC
ArcaVir Trojan.Downloader.Small.Dug
Avast Win32:Trojan-gen {Other}
AVG Antivirus X
BitDefender Trojan.Generic.358370
ClamAV Trojan.Clicker-2249
CPsecure Troj.Clicker.MSIL.Xone.ac
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus Trojan-Clicker.MSIL.Xone.ac
G DATA X
Ikarus Trojan-Clicker.MSIL.Xone.ac
Kaspersky Anti-Virus Trojan-Clicker.MSIL.Xone.ac
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 Trojan-Clicker.MSIL.Xone.ac
What should I do about these? There were also a bunch of .pf files in prefetch referenced back to rundll32.exe, but Spybot said they were clear.
I really need some help to sort out these rundll32.exe problems.
I have done full scans of my system using Avast, Spybot, SAS, MBAM, Dr.Web CureIt and F-Secure BlackLight, including bootscan and safe mode, but none of them are picking up the viruses in the rundll32.exe files.
Rundll32.exe is not showing as a running process on the computer and there does not appear to be anything going amiss with my computer.
I am tempted to simply delete the offending files using command mode, but an internet search says that Rundll32.exe is a required file and that it should be in windows\system32 - which it is, even though it appears to be infected. Is there a way to delete these files and reinstate a proper rundll32.exe file without screwing up my computer?
Even though the complete scans are not picking up anything, if I do a file scan using Spybot it does flag viruses on all three copies of the file.
Spybot is finding the virus via heuristics and Avast is finding Taskmon using the same technique, although Taskmon does not appear to exist. Is it possible that Avast is seeing the same file but thinks it is something else?
I really need some help here as I don’t know what else to try :-\
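Two checks that follow from the posts above, written here as an added example (this is not code from the thread, from Avast or from Jotti). The first parses a multi-engine report in the "Scanner Malware name" layout pasted above, separates real verdicts from "X" (no detection) entries, and compares the file named in the report header with the file that was actually submitted: the second and third reports above are headed ChamaleonButton.ocx and Webmail_Hack_2.3.zip rather than rundll32.exe, so they should not be read as verdicts on rundll32.exe. The second hashes every copy of a system file (system32, dllcache, ServicePackFiles and so on) so that a copy which differs from the others stands out before anything is deleted or replaced. The engine names are the ones printed in the thread; the sample report text and the file contents are constructed for this example.

```python
"""Added example: sanity checks for multi-engine scan reports and for
multiple copies of a Windows system file. Engine names come from the
thread; the sample report and file contents below are constructed."""
import hashlib
import os
import re
import tempfile

# Engine names exactly as printed in the thread's reports. Multi-word names
# must be listed so that "Norman Virus Control X" splits into engine/verdict.
ENGINES = [
    "A-Squared", "AntiVir", "ArcaVir", "Avast", "AVG Antivirus", "BitDefender",
    "ClamAV", "CPsecure", "Dr.Web", "F-Prot Antivirus", "F-Secure Anti-Virus",
    "G DATA", "Ikarus", "Kaspersky Anti-Virus", "NOD32", "Norman Virus Control",
    "Panda Antivirus", "Sophos Antivirus", "VirusBuster", "VBA32",
]

# Header line that names the file a report actually describes.
HEADER_RE = re.compile(
    r"something about: (?P<name>\S+) \(MD5: (?P<md5>[0-9a-fA-F]{32}), "
    r"size: (?P<size>\d+) bytes\)"
)

# Constructed sample in the thread's layout; the header names a different
# file (and MD5, taken from the thread) than the one the user submitted.
SAMPLE_REPORT = """Last file scanned at least one scanner reported something about: ChamaleonButton.ocx (MD5: a73cd21288945e3045502bd47131034e, size: 102400 bytes), detected by:
Scanner Malware name
A-Squared HackTool.Win32.MadMSN!IK
AntiVir X
Ikarus HackTool.Win32.MadMSN.40
Norman Virus Control X
"""


def parse_scan_report(text, submitted_name):
    """Split a report into detections and clean engines, and flag whether the
    header (if any) names the file that was submitted."""
    detections, clean, header_name = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.search(line)
        if m:
            header_name = m.group("name")
            continue
        for engine in ENGINES:
            if line.startswith(engine + " "):
                verdict = line[len(engine):].strip()
                if verdict == "X":
                    clean.append(engine)      # "X" means no detection
                else:
                    detections[engine] = verdict
                break
    return {
        "detections": detections,
        "clean": clean,
        "header_name": header_name,
        # None when the report has no header; False means the report is
        # about some other file and says nothing about the submitted one.
        "header_matches": None if header_name is None
        else header_name.lower() == submitted_name.lower(),
    }


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_copies(paths):
    """Map each path to its SHA-256 digest."""
    return {p: file_sha256(p) for p in paths}


def find_mismatches(hashes):
    """Paths whose digest differs from the most common digest. With no
    majority the first-seen digest is treated as the reference."""
    counts = {}
    for digest in hashes.values():
        counts[digest] = counts.get(digest, 0) + 1
    if not counts:
        return []
    majority = max(counts, key=counts.get)
    return sorted(p for p, d in hashes.items() if d != majority)


def demo_hash_check():
    """Constructed copies of one file: two identical, one altered.
    Returns the directory names of the copies that do not match."""
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for folder, data in (("system32", b"MZ constructed sample"),
                             ("dllcache", b"MZ constructed sample"),
                             ("ServicePackFiles", b"MZ altered sample")):
            os.mkdir(os.path.join(root, folder))
            p = os.path.join(root, folder, "rundll32.exe")
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        bad = find_mismatches(hash_copies(paths))
        return [os.path.basename(os.path.dirname(p)) for p in bad]


if __name__ == "__main__":
    r = parse_scan_report(SAMPLE_REPORT, "rundll32.exe")
    print("report is about:", r["header_name"], "- matches submitted file:", r["header_matches"])
    print("detections:", r["detections"])
    print("copies that differ from the rest:", demo_hash_check())
```

Run on a real machine, point `hash_copies` at the three rundll32.exe paths from the thread and feed each pasted Jotti report to `parse_scan_report` with the name of the file that was uploaded; a report whose `header_matches` is False belongs to a different file, and only copies that `find_mismatches` returns need a closer look.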
The rundll32.dll doesn’t show in the Task Manager, if that is where you are looking; if not, where are you looking (as it is an essential file used to register other dll files)?
Effectively the only way to remove it (replace it with the correct version for your OS version) is when Windows isn’t running. I have never tried this and it could be fraught with danger.
I am not talking about a rundll32.dll; I do not appear to have one of those on my hard disk. I am talking about rundll32.exe, which resides in windows\system32 and two other directories. A search using Explorer reveals them, and then a scan of each file reveals viruses. I looked to see if this file was running in Task Manager, msconfig startup and services.
What I don’t understand is, if it’s an active file and it’s corrupt, then why is it not affecting my system and why have none of the scanners picked it up?