Have any of you guys heard of this? I have it. This is a process that installs an apparent 24-byte-long executable cleverly named taskmgr.exe in my startup folder. The path is
C:\Documents and Settings\Greg\Start Menu\Programs\Startup\taskmgr.exe
which is a file that can be easily deleted. The McAfee on demand virus scanner finds this virus in my user area or the user area of others and puts it in quarantine, path
C:\quarantine\taskmgr.exe.vir
but it installs in my startup path anyway. I can delete the file and the report that appear in quarantine. I ran regedit and found a key with the path to my startup. I deleted the key in the registry. The thing still exists somewhere on my drive and continues to install itself.
The signature is a DOS window that comes up whenever I try to start myself as a user. It indicates that taskmgr can’t find a .FCB file. Sometimes the DOS window goes away, sometimes it doesn’t. I can close the window and delete the files that have been generated.
I have Googled this problem and searched MicroSoft’s “micro” help site. The only info I have found on it is on sites of companies that sell spyware cleaning software. They don’t tell you much other than to buy their product.
Some wise man previously suggested that putting the entire computer in water will disable stuff like this or any other feature.
But if that’s not a suitable solution, then first go to the add/remove programs and uninstall all those unnecessary programs you somehow got convinced to install, or anything else you will no longer need. Google (or Yahoo…) anything that looks unfamiliar to see if you really need it.
Then run your virus scanner and do a complete scan. Then run a good spyware remover. I haven’t used one in a while, but I’ve used ad-aware in the past.
If that didn’t solve it, send me the quarantined virus file and I’ll see what I can find out about the virus. My email will probably reject it, so best to ftp it somewhere and tell me where it is.
You may have to run the removal programs from safe mode if the nasty keeps coming back. What they do is install about three or more different applications or processes that all keep a look out for each other. When you delete one of them the others notice and recreate the deleted file. You have to kill all of the parts (like killing a Hydra) before it will be gone for good.
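The steps above (find the startup entry, find the registry key that points at it, check whether something keeps recreating it) can be done in one pass instead of by hand. The script below is an added example written for this thread, not code posted by anyone in it: it enumerates the per-user and All Users Startup folders plus the usual Run/RunOnce keys, hashes every referenced file, and flags the things that stand out in the case described here, namely a very small file, a file carrying a Windows system binary's name (such as taskmgr.exe) that does not live in the system directory, and a dangling entry whose target is missing. It assumes a current Windows with PowerShell 4 or later (for Get-FileHash), so it will not run on the Windows XP machine in the thread; the list of impersonated system names is my own choice and can be extended. It goes beyond the single taskmgr.exe case by covering the other standard autostart locations the same kind of downloader uses.

```powershell
# Added example (not from the thread): list autostart entries and flag suspicious ones.
# Assumes Windows with PowerShell 4+ (Get-FileHash, Get-ChildItem -File).

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Legitimate Windows binary names that malware likes to borrow (assumed list, extend as needed).
# A file with one of these names outside the system directory deserves a look.
$systemNames = @('taskmgr.exe','svchost.exe','explorer.exe','lsass.exe','csrss.exe','winlogon.exe')
$systemDir   = [Environment]::SystemDirectory

function Test-SuspiciousAutostart {
    param([string]$Path)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Path)) { return @('file missing (dangling autostart entry)') }
    $item = Get-Item -LiteralPath $Path
    if ($item.Length -lt 1024) { $reasons += "tiny file ($($item.Length) bytes)" }
    if ($systemNames -contains $item.Name.ToLower() -and $item.DirectoryName -ne $systemDir) {
        $reasons += "system binary name outside $systemDir"
    }
    # Lack of a valid signature proves nothing by itself; it just removes one reason to trust the file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    return $reasons
}

function Get-ExecutableFromCommand {
    # Pull the executable path out of a Run-key value such as
    #   "C:\Program Files\Foo\foo.exe" /silent      or      C:\Windows\system32\foo.exe -x
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

$findings = @()

# 1. Files dropped into the Startup folders (the location used in this thread).
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
        $findings += [pscustomobject]@{
            Source  = "Startup folder: $folder"
            Target  = $f.FullName
            SHA256  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Reasons = (Test-SuspiciousAutostart $f.FullName) -join '; '
        }
    }
}

# 2. Run/RunOnce registry values (the kind of key found with regedit above).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand ([string]$p.Value)))
        $findings += [pscustomobject]@{
            Source  = "$key\$($p.Name)"
            Target  = $exe
            SHA256  = if (Test-Path -LiteralPath $exe) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
            Reasons = (Test-SuspiciousAutostart $exe) -join '; '
        }
    }
}

# Suspicious entries first. The SHA256 is what you hand to a second scanner or look up,
# rather than mailing the file around.
$findings | Sort-Object { $_.Reasons -eq '' } | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell, ideally in Safe Mode as suggested, and run it again after deleting the entries: if a flagged file or key reappears, the component that recreates it is still running and has to be found and removed first, which is the Hydra problem described above.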
I, of course, first tried turning the computer on and running it under water. This virus/worm/trojan is really thirsty and drank all of the water. I was surprised this didn’t work for me.
I turned off system restore and started up in safe mode. I ran my anti-virus software under those conditions. As I said, my anti-virus software is McAfee and it found nothing this time.
The spyware program I have always used is AdAware Personal. I have not run it in safe mode yet. I will see if this little evil one pops up again and perhaps try that. In the meantime I will search through the installed stuff (some of which I don’t install myself) and see if there are things that should go.
I just ran AdAware in safe mode as JC suggested. I have done everything rational that’s easy so far. If it shows its face again I will FTP the quarantined virus file to my site and give you the location. Would you want it zipped, too, if I were to do that? Maybe you plan to just view it on the FTP site?
Try running CWShredder just in case you’ve got a variant of CoolWebSearch. It’s a free scanner/remover that can remove CoolWebSearch and its many variants.
Looks like you should try some other scanners which can help further pinpoint which files may be infected and are causing it to reinstall this taskmgr.exe in your start menu. McAfee only found it to be “Generic Downloader.k” which probably means it doesn’t know anything about this specific strain of the trojan.
Here are some possible virus scanners to try:
Bitdefender labeled it as Dropped:Trojan.Downloader.Agent.AM and they have a free virus scanner at http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html
NOD32 labeled it as "a variant of Win32/TrojanDownloader.Agent.AM". They have a 30-day trial of their virus scanner at http://www.nod32.com/download/trial.htm
Dr.Web labeled it as DLOADER.Trojan and their scanner is at http://download.drweb.com/win/
Right now it looks like my little problem has been solved. I’ll have to wait to see if it re-emerges later. Thanks, Gilby. NOD32 actually found some stuff to delete.