Looking for Michael St. Neitzel or help with Taskdir.exe bug

Discussion in 'malware problems & news' started by Neal Lavon, Jan 2, 2007.

Thread Status:
Not open for further replies.
  1. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    I am looking for Michael St. Neitzel who i believe posts here. Or if anyone else knows the answer to this, I would be grateful.

    I downloaded the Michael St. Neitzel sheet on getting rid of the "taskdir.exe" bug which has infected my computer along with the W32/Duel and W32/Duel.dam virus.

    I was able to follow the sheet except for the part where it says, "...find all Win32 Instances which having “taskdir.dll” injected (see screenshot)".

    How do you get to this place where all the .dll infections and programs are listed? How does one "terminate" them? The rest I think I can figure out.

    Thanks for any help.

    Neal Lavon
    Takoma Park, MD
    USA
     
  2. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    You can use Sysinternals Process Explorer for it. You have to switch into "List loaded modules" mode in the View menu. Then you can see which modules (DLLs) are loaded by which app when you click on the application.

    By the way, where did you find my removal instructions on this?!
     
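    The same check from the command line, as an added example that is not part of the original post or of the removal sheet: enumerate every running process that has a given DLL loaded (what Process Explorer's "List loaded modules" view shows when you click each process) and, if asked, terminate those hosts so the DLL can be deleted. The DLL name "taskdir.dll" comes from the thread; the -Kill switch and the rest of the script are assumptions added for illustration.

```powershell
# Added example (not from the original thread): find processes that have a
# given DLL mapped, mirroring Process Explorer's "List loaded modules" view,
# and optionally terminate them. DllName defaults to the name from the thread.
param(
    [string]$DllName = 'taskdir.dll',
    [switch]$Kill
)

$hits = foreach ($p in Get-Process) {
    try {
        # Reading .Modules fails for protected or bitness-mismatched processes;
        # skip those instead of aborting the whole scan.
        $mods = $p.Modules
    } catch {
        continue
    }
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $DllName) {
            [pscustomobject]@{
                Pid     = $p.Id
                Process = $p.ProcessName
                Module  = $m.FileName
            }
        }
    }
}

if (-not $hits) {
    Write-Output "No running process has $DllName loaded."
} else {
    $hits | Format-Table -AutoSize
    if ($Kill) {
        # Terminate the host processes so the injected DLL is unmapped and
        # the file can then be deleted.
        $hits | ForEach-Object { Stop-Process -Id $_.Pid -Force }
    }
}
```

    Run it from an elevated prompt so that processes in other sessions are visible. Note the caveat that applies equally to Process Explorer: this walks the module list through the normal Windows API, so a rootkit that hooks those calls can hide its module from this listing; an empty result is not proof that nothing is injected.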
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Here:

    http://www.eset.com/msgs/trojanproxylageraq.htm

    ;):)
     
  4. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    I saw mine through a link from bleepingcomputer.com. I googled "taskdir.exe" and found it there. It was in a Word document.

    Thanks for the help here. While I've got your attention, when it comes to deleting "all related Registry Keys," are they the:

    HKEY_CURRENT_USER Color Table 19 keys (with the second Color Table 19 key really being Color Table 20) along with

    "taskdir" = "%system32%\taskdir.exe" in the CurrentVersion\Run tree?

    Thanks again!

    Neal Lavon
    Takoma Park, MD
    USA
     
  5. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    As long as the rootkit functionality is running, the second key “ColorTable20” is also displayed as “ColorTable19”, which results in having multiple ColorTable19 registry keys - this would be impossible without using the rootkit tricks.

    In this way you can see if the rootkit is still active ;) If you find 2 "ColorTable19" entries there then the rootkit is still running.
     
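    The two registry checks discussed above, as an added example that is not from the original posts: count duplicate value names under HKCU\Console (a second "ColorTable19" only shows up while the rootkit's hooks are rewriting what the enumeration returns) and look for the "taskdir" Run value. Both names are taken from the thread; the function name and the HKLM Run lookup are assumptions added here.

```powershell
# Added example (not from the original thread): report the two indicators
# discussed in the thread. Registry value names are unique by design, so a
# name that enumerates twice means the results are being tampered with.
function Test-TaskdirIndicators {
    $findings = @()

    # 1. Duplicate value names under HKCU\Console (e.g. ColorTable19 twice).
    $console = Get-Item 'HKCU:\Console' -ErrorAction SilentlyContinue
    if ($console) {
        $names = $console.GetValueNames()
        $dupes = $names | Group-Object | Where-Object { $_.Count -gt 1 }
        foreach ($d in $dupes) {
            $findings += "Duplicate value name '$($d.Name)' seen $($d.Count) times in HKCU\Console (rootkit hooks likely active)"
        }
    }

    # 2. Persistence: a Run value named "taskdir" or pointing at taskdir.exe.
    #    HKLM is checked too as an assumption; the thread only mentions HKCU.
    foreach ($hive in 'HKCU', 'HKLM') {
        $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
        if (-not $run) { continue }
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -eq 'taskdir' -or "$($prop.Value)" -match 'taskdir\.exe') {
                $findings += "Run value '$($prop.Name)' = '$($prop.Value)' in $hive"
            }
        }
    }
    return $findings
}

$result = Test-TaskdirIndicators
if ($result) { $result } else { 'No taskdir indicators found.' }
```

    As the post above says, the duplicate only appears while the rootkit is running, so this also works as an "is it still active" test after cleaning: a single ColorTable19 and a visible ColorTable20 means the hooks are gone. Deleting the Run value while the hooks are still in place is unreliable for the same reason, since what you see in the key is not what is stored; terminate the injected processes first.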
  6. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    ...and with the rootkit still running, are those registry keys to be deleted?

    Neal Lavon
    Takoma Park, MD
    USA
     
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Neal

    Have you tried any botkillers to take down TaskDir.exe ?

    http://superantispyware.com/

    and

    http://www2.grisoft.com/doc/products-avg-anti-spyware/lng/us/tpl/tpl01


    Here's a couple of botkillers that have fully functioning free detection and cleaning engines. To the first I have supplied 14 unique MD5s of that very executable since early November 06, when I first found it in a CWS/VX infection.

    Both of them have taken down TaskDir.exe on my machine on most occasions (SAS has had a higher success rate), so there is a good chance they might work for you :)
     
  8. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    Thanks for these. I have AVG on a laptop supplied to me by work.

    On the home machine, I have McAfee which is supplied by my ISP. The strange thing is that McAfee will offer me alert after alert about these viruses (W32/duel and W32/duel.dam, plus the taskdir.exe warning), clean them when it can, and delete them when it can.

    Not all files can be deleted though. But when I run a complete scan (which takes about 2 hours) nothing is detected (even with System Restore off). I did use Spyware Doctor (which found several things but I had to pay to delete them) and I also noticed a vcleaner at AVG so I'll try that as well.

    Thanks so much for the tips, I'll run them tonight (if I can get the kid away from the computer).

    Neal Lavon
    Takoma Park, MD
    USA
     
  9. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Duel.dam means DAMAGED. The virus is able to damage files and such files cannot be repaired. You have to delete them. There is a bug in the virus infection routine which produces A LOT of damaged files. So don't be surprised when you have to reinstall the system because, as I said, it DAMAGES such original files and they become unusable and you cannot clean them.
     
  10. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    Ugh, I was hoping that was not the case.

    So far I've been living with it as the box seems to work and do its thing with the annoyance of several virus pop-up messages.

    I'm not sure how long this will continue but given what we have on there, there will have to be lots of backups and clones and reinstallations at some point.

    I'll still try to get rid of the virus but I take your point about the damaged files. If I get a read on them, could they be replaced by copying from the Windows installation disk without going through the entire install and wiped clean hard drive? Hopefully there won't be so many of these files that it doesn't make sense to replace them piecemeal.

    Thanks for the news, bad though it may be.

    Neal Lavon
    Takoma Park, MD
    USA
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Have you tried scanning and cleaning from safe mode?
     
  12. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    Yes. I found a McAfee document which shows how to do this with several DOS commands. The mode was Safe with Command Prompt.

    Took about two hours and change but according to the McAfee pop-ups, the damn thing is still there. I get the alerts when signing on or when desktops are changed (Windows XP Home).

    I didn't see them this morning but then I didn't sign on. I'll find out later if they are still there.

    Thanks for the query,

    Neal Lavon
    Takoma Park, MD
    USA
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Neal

    With regards to the rootkit/trojan problem:

    If possible could you download and run the following free RK diagnostic tool.

    http://www.rku.xell.ru/?l=e&a=dl

    **Do not use unless instructed, as it detects legitimate stuff as well as suspicious**

    Can you C&P the results of a *Hidden files detector* scan and a *Code hook detection* scan for review.
     
  14. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    Sure, it may take awhile but I'll post here ASAP.

    Thanks!

    Neal Lavon
    Takoma Park, MD
    USA
     
  15. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    I downloaded the Russian Program and here is the Code Hook Detection scan:


    That's it. Any light you can shed would be gratefully appreciated!

    Thank you.

    Neal Lavon
    Takoma Park, MD
    USA
     

    Attached Files:

    Last edited by a moderator: Jan 5, 2007
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Neal

    The good news is that there are no malware RKs or RK activity showing in the RKU log, just a lot of legitimate activity/hooks/hidden files being reported :)

    RKU has detected Taskdir.exe on numerous occasions (as a hidden file and some system hooks) when it has been on my 'puter, so I'm 90% sure that the malware is no longer active.

    BTW, did you give the 2 botkillers (SAS free + AVG free) a run out, and did they find anything?
     
  17. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    Hey, that's good news. I did run both bots in a manner of speaking. I ran AVG Anti-virus and it picked up 230 pieces of adware.

    I had run Super Spyware earlier. It had found a bunch of things but as I recall, to delete the files, I would have had to purchase the program.

    Each Saturday, I run an updated Ad-Aware and Spybot and check the Registry with SystemWorks WinDoctor which I run off the CD.

    Just now when I logged on, I got no virus alerts from McAfee--at least not at the moment.

    I am glad to hear that it appears that the malware is inactive. Thanks for checking. I'll keep monitoring and post if my wife and son find viruses on their desktops.

    I really appreciate your efforts.

    Neal Lavon
    Takoma Park, MD
    USA
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Neal

    That software has a free, fully functioning detection and cleaning engine, so I'm not quite sure why you have found this to be the case. The pay-for version provides real-time protection, but the botkiller is free :D
    http://superantispyware.com/superantispywarefreevspro.html

    Anyhow, you will find that the trusted *old* pairing of Ad-Aware and Spybot are failing often recently against most of the new emerging malware. Their inability to unpack certain packers, lack of kernel hooks and infrequency of updates have equated to a major loss in overall effectiveness against today's malware threats.

    It would be advisable to either replace or add an *extra* botkiller or 2 to your security arrangement that are more up to the job against the new stuff :)

    All the best:)
     
  19. Neal Lavon

    Neal Lavon Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    11
    Perhaps I misunderstood what the window was telling me. Or I may have downloaded the wrong application (the professional one). I have it downloaded on the system and will run it again.

    Thanks for your suggestions. I will go ahead and follow your advice.

    Neal Lavon
    Takoma Park, MD
    USA
     