Wilders Security Forums  

  #1  
Old November 10th, 2003, 11:32 AM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default System1060 virus

Hi
My first visit to your site, so if I make any mistakes or am a bit slow on the uptake, my apologies.

My question is this: For a few weeks now I have been plagued with a ?virus which is detected by the excellent Spybot.

This ?virus is called (by Spybot) System1060:auto run settings and System1060:program file (yep there are two!)

They disguise themselves as Microsoft system files Taskmgr.exe and Twunk 64 and when one looks at the file it looks exactly like the proper Microsoft file (wording as well).

What it actually does is to dial home (I do not know which home) every time you start up the computer.

Sorry this is so long but am coming to the end shortly.

Unfortunately it keeps coming back even after Spybot has deleted it. Soooooo I was wondering if you had any solution for keeping this at bay.

Thanx a lot, and many thanx for providing this site!

Mikul :'(
  #2  
Old November 10th, 2003, 11:36 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,298
Default Re:System1060 virus

Hi mikul,

Welcome to Wilders.
Please follow the steps described here (obviously you can skip the one where you have to scan with Spybot S&D):
http://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.
  #3  
Old November 10th, 2003, 12:21 PM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System1060 virus

Many thanx Pieter I will let you know what happens

Kind regards Mikul
  #4  
Old November 13th, 2003, 11:30 AM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default System 1060 virus

Hi

My question is this: For a few weeks now I have been plagued with a ?virus which is detected by the excellent Spybot.

This ?virus is called (by Spybot) System1060:auto run settings and System1060:program file (yep there are two!)

They disguise themselves as Microsoft system files Taskmgr.exe and Twunk_64.exe and when one looks at the file it looks exactly like the proper Microsoft file (wording as well).

What it actually does is to dial home (I do not know which home) every time you start up the computer.

I have run Spybot which detects and deletes these files.
Unfortunately it keeps coming back even after Spybot has deleted it.

Ad-aware does not seem to find them (but I have only just started using it so it may be me).

HijackThis finds one of the files which is: O4 - HKLM\..\Run: [TaskMgr] C:\PROGRA~1\INTERN~1\tskmgr32.exe.

I have attached a HijackThis log file. Please help!

Thanx a lot, and many thanx for providing this site!

Mikul
Attached Files
File Type: txt Hijackthis_log.txt (5.6 KB, 0 views)
  #5  
Old November 13th, 2003, 11:41 AM
Unzy Unzy is offline
Spyware Expert
 
Join Date: Nov 2003
Location: Belgium
Posts: 1,098
Default Re:System 1060 virus

Hi mikul,

That is indeed a baddy, a homepage hijacker.

Have HijackThis fix it while staying offline:

O4 - HKLM\..\Run: [TaskMgr] C:\PROGRA~1\INTERN~1\tskmgr32.exe

Reboot after doing so and remove manually:

C:\PROGRA~1\INTERN~1\tskmgr32.exe <- this file

Hope this helps,

Cheers,
  #6  
Old November 14th, 2003, 03:00 AM
Gavin - DiamondCS Gavin - DiamondCS is offline
Former DCS Moderator
 
Join Date: Feb 2002
Location: Perth, Western Australia
Posts: 2,080
Default Re:System 1060 virus

Is this a trojan? If you still have it, send it to submit@diamondcs.com.au for analysis.

This might be a good idea for ALL unknown things in people's logs. We are happy to provide the analysis and then detection, of course.
  #7  
Old November 14th, 2003, 06:14 AM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System 1060 virus

Hi

For your information regarding ?virus system 1060.

This little devil sits in the C:\Program files\Internet explorer folder and is called tskmgr32.exe. What it does is to dial home every time you start up your computer, (I do not know where 'home' is except that it isn't mine!) however I, (and anyone unlucky enough to get infected with it) will be charged for the calls. Following instructions I attempted to get rid of it with Spybot SD, HijackThis, and Ad-aware.

There are actually two files 1. System1060: autorun settings which is in the Registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmgr32.exe and the second is in C:\ Program files\Internet explorer folder on my C drive.

Spybot SD managed to pick up the files and appeared to fix the problem, however the 'virus' kept coming back. HijackThis is exactly the same result.

As instructed I attempted to get rid of this file by getting HijackThis to eradicate it, however the file was still there. (I did this both online and offline.) I then rebooted and attempted to get rid of the file manually, the system would not allow me to do this so I deleted it via DOS, apparently successfully.

I also manually deleted the line HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmgr32.exe.

Spybot SD does get rid of both files. However I am still losing my hair because the second I went back online it instantly reinfected my computer.

Help! What can I do to get rid of this parasite!

I use the McAfee antivirus program, which doesn't stop it either, nothing appears to stop this.

I am sure there must be an answer somewhere, so anyone reading this I would appreciate an answer to this very annoying (not to mention costly) problem.

Thanx for your help thus far

Mikul
  #8  
Old November 14th, 2003, 11:14 AM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
Default Re:System 1060 virus

Try disabling system restore first, and perform the cleaning actions once more. After doing so, you can safely enable system restore again.

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #9  
Old November 14th, 2003, 07:22 PM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System 1060 virus

Hi Paul

I have tried all of the above and it's no longer a problem to get these files off my hard drive. Spybot SD does that perfectly.

However, as soon as I log onto the Internet back they come!

I would be grateful if anyone reading this has some idea of how I can stop this happening.

Cheers Mikul
  #10  
Old November 15th, 2003, 10:01 AM
TonyKlein TonyKlein is offline
Security Expert
 
Join Date: Feb 2002
Location: The Netherlands
Posts: 3,087
Default Re:System 1060 virus

Here are some tips on prevention:

So how did I get infected with all that spyware in the first place?

Cheers,
__________________
Tony < > CLSID List - A Collection of Autostart Locations
  #11  
Old November 17th, 2003, 04:40 AM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System 1060 virus

Hi

Attached is an answer I received from Symantec after I sent them a copy of the System1060. In short they determine this to be a Trojan.

IMPORTANT! Spyguard will block this from executing should you be infected with it.

My thanx to all who have helped me in this and I sincerely hope this will help anyone else unfortunate enough to get infected with this.

Recommended reading: "So how did I get infected with all that spyware in the first place?" from Tony Klein which also has all the necessary links for Spyguard and a host of other programs - thanx Tony!


Cheers Mike
Attached Files
File Type: txt letter_from_symantec.txt (2.7 KB, 0 views)
  #12  
Old November 17th, 2003, 07:37 AM
TonyKlein TonyKlein is offline
Security Expert
 
Join Date: Feb 2002
Location: The Netherlands
Posts: 3,087
Default Re:System 1060 virus

You're welcome, Mikul.

Glad to hear the information in the article was useful to you.
  #13  
Old November 18th, 2003, 10:51 AM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System1060 virus

Hi

Sorry folks in my first attempt to make a reply to above subject, I made it a 'new topic' instead, so there are two of these running, covering the same topic.

THE OTHER ONE HAS MORE INFORMATION AND SOLUTIONS!

Cheers Mikul
  #14  
Old November 18th, 2003, 11:00 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,298
Default Re:System1060 virus

Quote from mikul:
Hi

Sorry folks in my first attempt to make a reply to above subject, I made it a 'new topic' instead, so there are two of these running, covering the same topic.

THE OTHER ONE HAS MORE INFORMATION AND SOLUTIONS!

Cheers Mikul

I merged the two threads, so everything is in one place. It may look a bit odd, because they were sorted according to the time they were posted.

Regards,

Pieter
  #15  
Old November 18th, 2003, 11:39 AM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System1060 virus

Hi

Thanks for merging the two threads.

I noticed at the bottom of my Hijackthis.log was this line: O17 - HKLM\System\CCS\Services\Tcpip\..\{E2C125D2-1E74-43ED-8A3F-103FB0C68150}: NameServer = 195.50.80.131 195.50.80.132

I ran a search of my Registry which could not find this line...does anyone know what this is for or if it could be dodgy?

Thanx again, and again, and again...ad infinitum!

Mikul
  #16  
Old November 18th, 2003, 11:43 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,298
Default Re:System1060 virus

You will probably find these DNS servers in the properties of your internet-connection.

Regards,

Pieter
  #17  
Old November 18th, 2003, 12:27 PM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System1060 virus

It's me again re the HKLM line above.

I used a program called nslookup to check the IP address and it worked beautifully and came up with the address of my ISP.

Anyone any idea why the ISP would have its address in my Registry, or is that just normal on installing?

One does hear of some ISPs doing dodgy things. Would this enable them to be able to read my hard drive?

Cheers Mikul
  #18  
Old November 18th, 2003, 02:53 PM
TonyKlein TonyKlein is offline
Security Expert
 
Join Date: Feb 2002
Location: The Netherlands
Posts: 3,087
Default Re:System1060 virus

It resolves to BOLTBLUE-UK, which I take it is your provider.

No harm there...
  #19  
Old November 18th, 2003, 05:24 PM
mikul mikul is offline
Infrequent Poster
 
Join Date: Nov 2003
Posts: 10
Default Re:System1060 virus

Aggggh!

It goes on and on etc...

I had deleted the file from my computer BEFORE switching off.

I then switched on again and BEFORE going on to the internet I thought I would just check to see if it was still gone... and lo and behold, there it was, as bold as brass, sitting in my Internet explorer folder.

So I now have to assume that somewhere there is another file on my computer which is reinstalling this on startup, even after it has been deleted.

Anyone any ideas?

Mikul
  #20  
Old November 18th, 2003, 05:42 PM
subratam subratam is offline
Spyware Fighter
 
Join Date: Nov 2003
Location: Issaquah, WA
Posts: 1,254
Default Re:System1060 virus

If you think something else is autostarting and installing the spyware or maybe trojan... I think you can try this:

1-) Autostart Folder Method:

The Autostart folder is located in C:\Windows\Start Menu\Programs\start and any file put there will start automatically when Windows starts.

2-) Win.ini Method:

Open the win.ini file and if you find
[windows]
load= trojan
run= trojan
NullPort=None
BaseCodePage=1256
then your PC is batched and you have a trojan, so delete anything after the "=" sign.

3-) System.ini Method:

Same as the win.ini file: open up system.ini. If you find shell=Explorer.exe trojan.exe, the trojan will start after Explorer starts, and as your desktop is an Explorer, it will start every time Windows starts.

4-) The Registry Method:

The registry is often used in various auto-starting methods. Here are some known ways:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Info"="c:\directory\Trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Info"="c:\directory\Trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"

- Registry Shell Open

[HKEY_CLASSES_ROOT\exefile\shell\open\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

A key with the value "%1 %*" should be placed there and if there is some executable file placed there, it will be executed each time you open a binary file. It's used like this: trojan.exe "%1 %*"; this would restart the trojan.
__________________
Malware Researcher | Microsoft Corporation

These postings are provided "AS IS" without warranty, and confer no rights.
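
The four autostart locations listed in the post above can be checked mechanically. The sketch below is an added example, not code from the thread: it audits constructed copies of win.ini, system.ini and a .reg export, and it assumes the standard Windows values that the thread does not spell out (the `[boot]` section for `shell=`, and `"%1" %*` as the stock `exefile\shell\open\command` data).

```python
import re

# Constructed sample inputs; only the TaskMgr Run value is quoted from the thread.
WIN_INI = "[windows]\nload=\nrun=c:\\directory\\trojan.exe\nNullPort=None\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe trojan.exe\n"
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMgr"="C:\\PROGRA~1\\INTERN~1\\tskmgr32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="trojan.exe \"%1\" %*"
'''

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)
SHELL_OPEN = re.compile(r"\\exefile\\shell\\open\\command$", re.I)
EXE_DEFAULT = '"%1" %*'  # stock Windows handler for .exe files (assumed baseline)

def ini_values(text, section, keys):
    """Yield (key, value) for the wanted keys inside one INI section."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in keys:
                yield key.lower(), value

def audit(win_ini, system_ini, reg_export):
    """Return (location, name, value) for every autostart entry to review."""
    findings = []
    for key, value in ini_values(win_ini, "windows", {"load", "run"}):
        if value:  # load=/run= are empty or absent by default
            findings.append(("win.ini", key, value))
    for key, value in ini_values(system_ini, "boot", {"shell"}):
        if value.lower() != "explorer.exe":  # anything after Explorer.exe also starts
            findings.append(("system.ini", key, value))
    key_path = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            key_path = line.strip("[]")
        elif "=" in line and key_path:
            name, data = line.split("=", 1)
            data = re.sub(r"\\(.)", r"\1", data.strip()[1:-1])  # undo .reg escaping
            # Run-key values are all listed for review; shell\open only if altered.
            if RUN_KEY.search(key_path) or (SHELL_OPEN.search(key_path) and data != EXE_DEFAULT):
                findings.append((key_path, name.strip('"'), data))
    return findings
```

Run-key values are listed for review rather than judged, in the same way the HijackThis O4 lines in this thread are; deciding which entries are legitimate remains a manual step.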
 
