System1060 virus

Discussion in 'adware, spyware & hijack cleaning' started by mikul, Nov 10, 2003.

Thread Status:
Not open for further replies.
  1. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Hi
    My first visit to your site, so if I make any mistakes or am a bit slow on the uptake, my apologies

    My question is this: For a few weeks now I have been plagued with a ?virus which is detected by the excellent Spybot.

    This ?virus is called (by Spybot) System1060:auto run settings and System1060:program file (yep there are two!)

    They disguise themselves as Microsoft system files Taskmgr.exe and Twunk 64 and when one looks at the file it looks exactly like the proper Microsoft file (wording as well).

    What it actually does is to dial home (I do not know which home) every time you start up the computer.

    Sorry this is so long but am coming to the end shortly.

    Unfortunately it keeps coming back even after Spybot has deleted it. Soooooo I was wondering if you had any solution for keeping this at bay.

    Thanx a lot, and many thanx for providing this site!

    Mikul :'(
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mikul,

    Welcome to Wilders. :)
    Please follow the steps described here (obviously you can skip the one where you have to scan with Spybot S&D):
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Many thanx Pieter I will let you know what happens

    Kind regards Mikul :)
     
  4. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    System 1060 virus

    Hi

    My question is this: For a few weeks now I have been plagued with a ?virus which is detected by the excellent Spybot.

    This ?virus is called (by Spybot) System1060:auto run settings and System1060:program file (yep there are two!)

    They disguise themselves as Microsoft system files Taskmgr.exe and Twunk_64.exe and when one looks at the file it looks exactly like the proper Microsoft file (wording as well).

    What it actually does is to dial home (I do not know which home) every time you start up the computer.

    I have run Spybot which detects and deletes these files.
    Unfortunately it keeps coming back even after Spybot has deleted it.

    Adaware does not seem to find them (but I have only just started using it so it may be me)

    Hijackthis finds one of the files which is: O4 - HKLM\..\Run: [TaskMgr] C:\PROGRA~1\INTERN~1\tskmgr32.exe.

    I have attached a Hijackthis log file. Please help!

    Thanx a lot, and many thanx for providing this site!

    Mikul
     


  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Re:System 1060 virus

    Hi mikul,

    That is indeed a baddy, a homepage hijacker.

    Have hijackthis fix it while staying offline:

    O4 - HKLM\..\Run: [TaskMgr] C:\PROGRA~1\INTERN~1\tskmgr32.exe

    Reboot after doing so and remove manually:

    C:\PROGRA~1\INTERN~1\tskmgr32.exe <- this file

    Hope this helps,

    Cheers,
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re:System 1060 virus

    Is this a trojan? If you still have it, send it to submit@diamondcs.com.au for analysis

    This might be a good idea for ALL unknown things in people's logs ;) We are happy to provide the analysis and then detection of course :)
     
  7. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Re:System 1060 virus

    Hi

    For your information regarding ?virus system 1060.

    This little devil sits in the C:\Program files\Internet explorer folder and is called tskmgr32.exe. What it does is to dial home every time you start up your computer, (I do not know where 'home' is except that it isn't mine!) however I, (and anyone unlucky enough to get infected with it) will be charged for the calls. Following instructions I attempted to get rid of it with Spybot SD, Hijackthis, and Adaware.

    There are actually two files 1. System1060: autorun settings which is in the Registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmgr32.exe and the second is in C:\ Program files\Internet explorer folder on my C drive.

    Spybot SD managed to pick up the files and appeared to fix the problem, however the 'virus' kept coming back. Hijackthis is exactly the same result.

    As instructed I attempted to get rid of this file by getting Hijack this to eradicate it however the file was still there. (I did this both online and offline) I then rebooted and attempted to get rid of the file manually, the system would not allow me to do this so I deleted it via DOS apparently successfully.

    I also manually deleted the line HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmgr32.exe.

    Spybot SD does get rid of both files. However I am still losing my hair because the second I went back online it instantly reinfected my computer.

    Help! What can I do to get rid of this parasite!

    I use McAfee antivirus program which doesn't stop it either, nothing appears to stop this.

    I am sure there must be an answer somewhere, so anyone reading this I would appreciate an answer to this very annoying (not to mention costly) problem.

    Thanx for your help thus far

    Mikul
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re:System 1060 virus

    Try disabling system restore first, and perform the cleaning actions once more. After doing so, you can safely enable system restore again.

    regards.

    paul
     
  9. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Re:System 1060 virus

    Hi Paul

    I have tried all of the above and it's no longer a problem to get these files off my hard drive. Spybot SD does that perfectly.

    However, as soon as I log onto the Internet back they come!

    I would be grateful if anyone reading this has some idea of how I can stop this happening.

    Cheers Mikul :doubt:
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  11. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Re:System 1060 virus

    Hi

    Attached is an answer I received from Symantec after I sent them a copy of the System1060. In short they determine this to be a Trojan.

    IMPORTANT! Spyguard will block this from executing should you be infected with it.

    My thanx to all who have helped me in this and I sincerely hope this will help anyone else unfortunate enough to get infected with this.

    Recommended reading: "So how did I get infected with all that spyware in the first place?" from Tony Klein which also has all the necessary links for Spyguard and a host of other programs - thanx Tony!


    Cheers Mike :D
     


  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re:System 1060 virus

    You're welcome, Mikul.

    Glad to hear the information in the article was useful to you. :)
     
  13. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Hi

    Sorry folks in my first attempt to make a reply to above subject, I made it a 'new topic' instead, so there are two of these running, covering the same topic.

    THE OTHER ONE HAS MORE INFORMATION AND SOLUTIONS!

    Cheers Mikul
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I merged the two threads, so everything is in one place. It may look a bit odd, because they were sorted according to the time they were posted.

    Regards,

    Pieter
     
  15. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Hi

    Thanks for merging the two threads.

    I noticed at the bottom of my Hijackthis.log was this line: O17 - HKLM\System\CCS\Services\Tcpip\..\{E2C125D2-1E74-43ED-8A3F-103FB0C68150}: NameServer = 195.50.80.131 195.50.80.132

    I ran a search of my Registry which could not find this line...does anyone know what this is for or if it could be dodgy?

    Thanx again, and again, and again...ad infinitum!

    Mikul
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    You will probably find these DNS servers in the properties of your internet-connection.

    Regards,

    Pieter
     
  17. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    It's me again re the hklm line above.

    I used a program called nslookup to check the IP address and it worked beautifully and came up with the address of my ISP.

    Anyone any idea why the ISP would have its address in my Registry, or is that just normal on installing?

    One does hear of some ISPs doing dodgy things. Would this enable them to be able to read my hard drive?

    Cheers Mikul
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It resolves to BOLTBLUE-UK, which I take it is your provider.

    No harm there...
     
  19. mikul

    mikul Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    10
    Aggggh!

    It goes on and on etc...

    I had deleted the file from my computer BEFORE switching off.

    I then switched on again and BEFORE going on to the internet I thought I would just check to see if it was still gone... and lo and behold, there it was, as bold as brass, sitting in my Internet explorer folder.

    So I now have to assume that somewhere there is another file on my computer which is reinstalling this on startup, even after it has been deleted.

    Anyone any ideas?

    Mikul :doubt:
     
  20. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    If you think something else is autostarting and installing the spyware or maybe trojan... I think you can try this

    1-) Autostart Folder Method :-

    The Autostart folder is located in C:\Windows\Start Menu\Programs\start
    and any file put there will start automatically when windows start

    2-) Win.ini Method :

    open the win.ini file and if you found
    [windows]
    load= trojan
    run= trojan
    NullPort=None
    BaseCodePage=1256
    so your PC is batched and you have trojan, so delete anything after the "="
    sign

    3-) System.ini Method :

    Same as win.ini file .. open up system.ini
    if you find shell=Explorer.exe trojan.exe, the trojan will start after
    explorer start
    and as your desktop is an explorer, so it will start every time windows
    start

    4-) The registry method :

    Registry is often used in various auto-starting methods. Here are some known
    ways:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Info"="c:\directory\Trojan.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Info"="c:\directory\Trojan.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Info"="c:\directory\Trojan.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "Info"="c:\directory\Trojan.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Info"="c:\directory\Trojan.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Info"="c:\directory\Trojan.exe"

    - Registry Shell Open

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

    A key with the value "%1 %*" should be placed there and if there is some
    executable file placed there, it will be executed each time you open a
    binary file. It's used like this: trojan.exe "%1 %*"; this would restart
    the trojan.
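
An added example, not part of subratam's post or the thread: a Python audit of the autostart locations listed above, run over constructed copies of win.ini, system.ini and a .reg export. Function names and sample contents are assumptions; the TaskMgr entry mirrors the O4 line quoted earlier in the thread.

```python
import configparser
import re

# Constructed sample inputs (not taken from the thread's attachments).
WIN_INI = "[windows]\nload=\nrun=c:\\directory\\trojan.exe\nNullPort=None\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe trojan.exe\n"
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMgr"="C:\\PROGRA~1\\INTERN~1\\tskmgr32.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="trojan.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)
SHELL_OPEN = re.compile(r"\\exefile\\shell\\open\\command$", re.I)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def ini_get(text, section, key):
    """Return one value from INI text, matching the section name case-insensitively."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == section:
            return (cp[name].get(key) or "").strip()
    return ""

def audit_ini(win_ini, system_ini):
    """Flag non-empty load=/run= in win.ini and a shell= line that is more than Explorer.exe."""
    found = [("win.ini", k, v) for k in ("load", "run") if (v := ini_get(win_ini, "windows", k))]
    shell = ini_get(system_ini, "boot", "shell")  # shell= sits in the [boot] section
    if shell and shell.lower() != "explorer.exe":
        found.append(("system.ini", "shell", shell))
    return found

def audit_reg(text):
    """List every Run-family value for review; flag a non-default exefile open command."""
    found, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
            if AUTORUN.search(key) or (SHELL_OPEN.search(key)
                                       and data.replace('"', "") != "%1 %*"):
                found.append((key, m.group(1).strip('"'), data))
    return found

if __name__ == "__main__":
    for hit in audit_ini(WIN_INI, SYSTEM_INI) + audit_reg(REG_EXPORT):
        print(hit)
```

Regedit exports from Windows 2000 and later are UTF-16, so decode the file before passing its text to `audit_reg`.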
     