
Thread: trojan - taskmg.exe

  1. #1

    trojan - taskmg.exe

    Hello everyone... I wouldn't ask for help if I hadn't already tried to find it.

    My question/help plea is about taskmg.exe

    Not to be confused with taskmgr.exe (which is the Windows Task Manager)

    Anyway... I'm on IRC... and I guess it was in a file I downloaded... I have NAV04 scanning compressed archives and when I do a virus scan, nothing turns up, same with AdAware and SpyBot

    The online info I could get was from TrendMicro, and it said run their scanner to delete, and I did - but to no avail.

    So the info I got was:

    It's a keylogger.
    Dataminer.
    Mini-mail server to call home.
    Saves passwords.

    I looked at Agnitum's log of blocked comms, and taskmg.exe accounts for almost everything, using every TCP and UDP port on the list.

    I found where it's located: C:|Windows|System 32|taskmg.exe

    So I wiped it with a DoD 7-pass wipe, and when I reboot, it reappears.

    I deleted the reg entries Trend says it uses.

    So now I'm stuck with a UAV (Unidentifiable Active Virus), at least I kept it from sending my info home to new.optus.nu


    Any help with removing this piece of shit is very well appreciated.
    My current setup stats (like anyone cares...):

    ASUS A8N32-SLI Motherboard
    AMD 4400+ Dual-Core CPU
    Windows Vista (Ultimate 32bit)
    2 GB (2x1GB) Corsair XMS RAM
    2x250 GB (in RAID 0) HDDs
    EVGA GeForce 7950 GTX 512 MB
    Creative X-FI Fatal1ty XtremeGamer

    Also sporting a black MacBook
    Revision/Release 1
    Upgraded to 2GB RAM.

  2. #2
    Krell (worthless dirtball) | Join Date: Sep 2002 | Posts: 9,759
    I think you are missing something in this process. Be sure to give the registry a going over, and empty anything in your registry under the Run, Run-, RunServices and RunOnce keys. In the Run line, type msconfig and clear that crap from there. Be sure to end your System Restore feature. Search your PC for taskmg and delete any reference that you see.


    http://si.trendmicro-europe.com/ente...e=BKDR_DELF.GV

    Description:
    This memory-resident backdoor program compromises system security by logging keystrokes and stealing other personal information from a target user. It then sends the said stolen data to the remote user via email.

    It listens for incoming connections on specified ports and implements the commands on the host machine.

    This memory-resident backdoor program arrives as a RAR-packed executable and is compressed by UPX.

    It runs on Windows 95, 98, ME, NT, 2000, and XP.



    Solution:
    Terminating the Malware Program

    This procedure terminates the running malware process from memory.

    1. Open Windows Task Manager.
       On Windows 9x/ME systems, press CTRL+ALT+DELETE.
       On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
    2. In the list of running programs*, locate the process: TASKMG.EXE
    3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. To check if the malware process has been terminated, close Task Manager, and then open it again.
    5. Close Task Manager.

    *NOTE: On systems running Windows 9x/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
       HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
       Gerenciador de Tarefas do Windows
    4. In the left panel, double-click the following:
       HKEY_CURRENT_USER>Software>WinRAR SFX
    5. In the right panel, locate and delete the entry:
       c%%Windows%system
    6. Close Registry Editor.

    Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
    Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

    http://www.trendmicro.com/en/securit...n_me_clean.htm

    For Windows XP

    1. Log on as Administrator.
    2. Right-click the My Computer icon on the desktop and click Properties.
    3. Click the System Restore tab.
    4. Select Turn off System Restore.
    5. Click Apply > Yes > OK.
    6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
    7. Re-enable System Restore by clearing Turn off System Restore.

  3. #3
    Hey, thanks Krell for the early follow-up, glad to see you're back.

    Anyway, I finally got it solved, but not with those instructions.

    I had to do 4 things:

    1. Disable Sys Restore like it said.
    2. Then I had to go into MSCONFIG and delete the startup entries (there's 2), both named winsockdriver.
    3. Then I headed into C:|Windows|Sys32| and deleted the ever-spawning tskmg.exe.
    4. I searched the registry and deleted anything with winsockdriver and tskmg in the title that had anything to do with running itself (Run, RunOnce, Startup).

    Once again, thanks for helping, and I hope this helps anyone else out who's been on IRC and was hit.

    EDIT: HAPPY TURKEY DAY EVERYONE
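    The two posts above walk through the same clean-up by hand: check the Run/Run-/RunServices/RunOnce keys and the WinRAR SFX key, look for the file in System32, and make sure the process is gone. The script below is an added example (not code from the thread, from Krell, or from Trend Micro) that audits those locations in one pass and reports anything matching the indicator strings named on the page. It assumes PowerShell 5 or later and an elevated session; the indicator list, the key list and the -Remove switch are my own choices, and nothing is deleted unless -Remove is passed (and -WhatIf shows what would go).

```powershell
# Added example: audit the autostart locations discussed in this thread for the
# indicators named on the page and report (optionally remove) matching entries.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this the script only reports
)

# Indicator strings taken from the thread (file names, MSCONFIG entry name,
# Trend Micro's Run value name). Extend for your own case.
$Indicators = @('taskmg.exe', 'tskmg.exe', 'winsockdriver', 'Gerenciador de Tarefas do Windows')

# Autostart keys Krell lists (Run, Run-, RunServices, RunOnce) plus the
# WinRAR SFX key from the Trend Micro write-up, checked in both hives.
$Hives   = 'HKLM:', 'HKCU:'
$SubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\Run-',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\WinRAR SFX'
)

# Collect every value whose name or data contains one of the indicators.
$Findings = foreach ($hive in $Hives) {
    foreach ($sub in $SubKeys) {
        $path = Join-Path $hive $sub
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            foreach ($ioc in $Indicators) {
                if ($name -like "*$ioc*" -or $value -like "*$ioc*") {
                    [pscustomobject]@{ Key = $path; Name = $name; Value = $value; Matched = $ioc }
                    break
                }
            }
        }
    }
}

# Is the binary still on disk in System32? Hash it so the sample can be
# identified later instead of just wiped.
$SysDir = [Environment]::GetFolderPath('System')
foreach ($file in 'taskmg.exe', 'tskmg.exe') {
    $full = Join-Path $SysDir $file
    if (Test-Path -LiteralPath $full) {
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        Write-Warning "Present on disk: $full (SHA256 $hash)"
    }
}

# Is it still running? Report only; terminating is left to the operator.
Get-Process -Name taskmg, tskmg -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Running: $($_.ProcessName) PID $($_.Id) path $($_.Path)" }

if (-not $Findings) {
    Write-Host 'No matching autostart entries found.'
    return
}
$Findings | Format-Table -AutoSize

# Removal is opt-in and goes through ShouldProcess, so -WhatIf previews it.
if ($Remove) {
    foreach ($f in $Findings) {
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove autostart value')) {
            Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name
        }
    }
}
```

    Run it first with no arguments to see what matches, then with `-Remove -WhatIf` to preview, and only then with `-Remove`. Because the thread shows the file being recreated on reboot, the order Krell gives still matters: kill the process and clear the autostart entries before deleting the file, or the running copy will simply write it back.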

  4. #4
    Krell
    But Hawkburn, those ARE the instructions, just in a different order.

    Glad you got it handled, good job.
