Results 1 to 7 of 7

Thread: taskmgr.exe

  1. #1
    Join Date
    Jun 2002


    Hi, does anybody know something about a trojan or virus with the name taskmgr.exe?
    I found that there is a taskmgr.exe trying to connect to internet, and when i run task manager(the real taskmgr.exe) i've found at least 2 process running, one of them isn't the task manager because when i kill it the task manager stays on.
    See image for the search results on taskmgr.exe

    Tanks in advance,
    -Mamma... Mamma... I want to let school !!! - kid
    -Why my dear? - Mom
    -Because i heard in television that some guy was killed because he knew to much!!!-Kid

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Hrmm, call me dumb, but you either copied them, or their can be a serious problem. I think there could be a problem for a few reasons, one being that mostly all of them are in the System folder, which only one should be in. I'd scan those file's for bugs, Virii, Trojans, Spyware, etc.
    Space For Rent.. =]

  3. #3
    Senior Member
    Join Date
    Apr 2002
    It looks like :


    More info there :

    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]

  4. #4
    Senior Member
    Join Date
    Apr 2002
    here i found this at this link http://www.utexas.edu/cc/ds/infobase...e_explorer.php

    Remote Explorer Virus Alert

    First posted: December 22, 1998

    The sophisticated "Remote Explorer" virus can take advantage of remote management tools in Windows NT Servers and NT Workstations to propagate itself through networks autonomously. Infection takes place in EXE files, which the virus compresses, making them unusable. Data files, including TXT and HTML files, are destroyed by encrypting them.

    Remote Explorer was discovered at a Network Associates (NAI) customer site on December 17, 1998. At least one large site, MCI/WorldCom, has been "obliterated". See articles at CNNFN, MSNBC and ZDNet.

    Windows NT Server or Workstation -- infects and propagates

    Windows 95/98 -- infects files but does not propagate

    Other operating systems -- can host infected files

    1. Open up the Services applet in the NT Control Panel. If you find "Remote Explorer" listed as a service, this system is infected.
    2. Through the Start Menu, run TASKMGR.EXE. When viewing the Processes tab, if IE403R.SYS or TASKMGR.SYS (not EXE) are listed as processes, the system is infected.
    3. The virus is a large (~124KB) file infector that resides in memory. Detection must take place after the system has been powered down and booted from a clean system disk.


    The virus compresses EXE files and encrypts random data files, including TXT and HTML, rendering them useless. At this writing (December 22, 1998), there is no way to remove the virus or to undo the compression of executables or the encryption of data files.

    The virus can also infect other Windows machines, but is not propagated further.

    Remote Explorer installs itself on a server by making a copy of itself, called IE403R.SYS, in the NT Driver directory. It then installs itself as a service called "Remote Explorer." A DLL is installed that is used in the encryption and compression process. The DLL will be recopied if it is deleted.

    Propagation to other servers occurs when the virus logs in through domain administration controls. It then sends copies of itself to other servers and workstations that access those servers. Only NT resources are utilized; the virus does not spread through Unix or NetWare networks. Through the use of a timer mechanism, the virus is most active between 3:00 PM Saturday to 6:00 AM Sunday of each week.

    To protect against the "Remote Explorer" infection, isolate NT Workstations and Servers from the network until they can be protected by anti-virus software that can detect and prevent infection.

    Cleaning up an infected System:

    1. Shut down the infected NT Server or NT Workstation.
    2. Isolate the machine from the network by disconnecting its network cable.
    3. Determine which other NT Servers and Workstations this system has primary contact, especially in a trust relationship. Isolate those potentially affected machines from the network.
    4. As an added precaution, disconnect infected network segments from the campus network.
    5. Scan all computer systems after booting from a clean system disk. The virus is memory resident, so it is imperative that the system be booted from clean system disks to prevent the virus from going resident in memory again and possibly avoiding detection. Systems other than Windows NT (e.g., Windows 9x, Unix, NetWare, and Macintosh) can carry infected files, although the virus is only propagaged from Windows NT systems, so their files should be scanned as well.
    6. After the scan and cleaning or removal of all infected files, bring the system up normally. Keep the system off the network and separate from other machines.
    7. Install an anti-virus product that can detect and clean the virus.
    8. Activate the virus scanner's "on-access" feature to prevent re-infection.
    9. Reconnect the system to the network.
    10. Check for virus definition updates weekly and deploy updated definitions to all systems. Update to the latest anti-virus engine as new versions are released.

    For More Information

    Remote Explorer it the first virus that requires no user intervention to transport itself between servers. It is distinguished from a worm such as the Morris Internet Worm in that it infects files, rather than being a strictly stand-alone process.

    Since the NAI site says it was detected on the 17th, other security organizations may not have seen it yet.

    The Remote Explorer virus has been mentioned on news: alt.comp.virus.

    Network Associates (NAI) Remote Explorer Alert: http://www.nai.com/products/antiviru...e_explorer.asp

    Microsoft Security: http://www.microsoft.com/security/bulletins/current.asp

    CERT (Carnegie Mellon Software Engineering Institute): http://www.cert.org/

    CIAC (Computer Incident Advisory Capability): http://ciac.llnl.gov/

    Computer Security Center: http://www.csc.se/

    Henri Delger's Virus Help and Information: http://pages.prodigy.com/virushelp/

    Ken Dunham's anti-virus page: http://antivirus.miningco.com/

    Edinburgh University's PC virus page: http://mft.ucs.ed.ac.uk/pcvirus/pcvirus.htm

    HAVS (Joe Hartmann's Anti-Virus Site): http://www.psnw.com/~joe/

    David Harley's page (Macintosh viruses): http://webworlds.co.uk/dharley/

    David Hull -- Computer Viruses and Security: http://www.einet.net/galaxy/Engineer...ull/galaxy.htm

    ICSA (International Computer Security Association): http://www.icsa.net/

    Indianapolis University Computer Virus Research Centre: http://www.indyweb.net/~cvhd/

    Mike Lambert's virus information site: http://www.frontiernet.net/~mlambert/

    Mac Virus: http://www.macvirus.com/

    Mailander's Den: http://www.agora.stm.it/htbin/wwx?fi^N.Ferri

    Doug Muth's (anti)virus homepage: http://www.ezweb.net/dmuth/virus/index.html

    NH (Norman Hirsch and Associates): http://www.nha.com/

    NIST/CSL: http://csrc.ncsl.nist.gov/virus/

    Open University anti-virus page: http://www-tec.open.ac.uk/casg/avone.html

    Oxford University Computing Services AV page: http://info.ox.ac.uk/OUCS/micros/virus/

    Penn State Anti-Virus page: http://cac.psu.edu/~santoro/cac/virus.html

    Rob Rosenberger's 'Computer Virus Myths' page: http://www.kumite.com/myths/

    Sandrin anti-virus connection: http://members.home.net/sandrin/

    Slovak Antivirus Centre: http://ftp.elf.stuba.sk/packages/pub/pc/

    Thomas Jefferson University's Virus Information page: http://www.tju.edu/tju/dis/ic/virus/

    Virus Bulletin: http://www.virusbtn.com/

    The VHC (Virus Help Centre) in Sweden (English language): http://www.vhc.se/index2.html

    The Virus Research Unit at the University of Tampere, Finland: http://www.uta.fi/laitokset/virus

    The VTC (Virus Test Center) at the University of Hamburg, Germany: http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm

    West Coast Publishing (Secure Computing magazine and Checkmark certification): http://www.westcoast.com/

    Mark West's anti-virus site: http://www.hitchhikers.net/av.shtml

    Eddy Willems' anti-virus site: http://www.club.innet.be/~ewillems/

    Last updated August 11th, 2000
    Copyright The University of Texas, 2001.
    i hope this is some help

    EDIT i found this to http://www.avast.at/winnt-remexp.htm


    The RemExp virus has been found in one large US company in December 1998. It is the first virus which stays resident as a NT system service when executed with administrator priviledges. It infects Windows executable files (PE) and is able to spread over the local NT network when the administrator is logged in.

    To determine whether the RemExp service is active, you can use the Services applet in the NT Control Panel. If there is "Remote Explorer" listed as a service, the system is infected. If the TASKMGR.EXE contains IE403R.SYS or TASKMGR.SYS in the Processes tab, the system is infected.

    Targets of infection:
    RemExp scans local and shared remote drives. It looks for EXE files and infects them. It compresses the host files, so they are not functional anymore. When infected file is run, virus decompresses the original file into temprary file, runs it and then deletes it.

    How Infection works:
    Virus does not infect the files which are executed. Instead, it searches the files randomly every ten minutes. The virus infection works with much higher priority in non-working hours.
    heh you can never have enough info when trying to remove a pesky virus

    EDITED AGAIN :/ here's a pdf file i had lying around it could be of some help to you and other people to i present to you computer viruses the technical leap
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work

  5. #5
    Join Date
    Jun 2002
    hi, i didn't copid them and my AV don't detect anything.

    i'm using

    H+BEDV AV;
    Sygate firewall;
    norton firewall.

    -Mamma... Mamma... I want to let school !!! - kid
    -Why my dear? - Mom
    -Because i heard in television that some guy was killed because he knew to much!!!-Kid

  6. #6
    Senior Member
    Join Date
    Oct 2002
    In that case, follow the link that prodikal provided to you and try doing some research about it on http://www.google.com I hope that you fix it and best of luck.
    Space For Rent.. =]

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Look for these entries in your registry :

    CurrentVersion\Run taskmgr.exe="%SYSTEM%\taskmgr.exe"

    CurrentVersion\Run taskmgr.exe=%SYSTEM%\taskmgr.exe"

    If they are there, I am positive it is : TROJ_JUNTADOR.G

    It is related to the following Backdoor : BKDR_MIMIC.T

    And it does the following :

    The Trojan, TROJ_JUNTADOR.G, installs this backdoor (BKDR_MIMIC.T) as an Internet Relay Chat (mIRC) client. Unauthorized remote users may access machines infected with this malware through mIRC channels and then use them to launch a Distributed Denial of Service (DDoS) attack.
    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts