Re: Top Left corner of my screen is "dead". WTF?????



On Thu, 25 Feb 2010 15:41:41 -0800, "Greg Russell"


Well, I'm back and reporting that the problem reappeared.  However, I
think this time I actually killed it, and it IS a virus.  Oddly enough
I can not find anything about this virus online.  Here's what
happened:

I went to Safe Mode (VGA).  In Safe mode, I found a small webpage
loaded in that corner of the screen.  The page had no CLOSE or
MINIMIZE buttons, just a small screen with an error message (regular
error saying I am not online).  I'm on dialup and I only let the
computer connect manually.  I found that RIGHT clicking did work and
gave me the option to scroll left, scroll down, scroll right, scroll
up.  I was able to right click, select PROPERTIES, and this led me to
this link:
http://cpk.51ku.cn/count/count.asp?mac=xxxxxxxxxxx&ver=100101

(the xxxxx's are actually the name of my computer in windows, which I
replaced with x's).  And this is NOT a Macintosh (mac)?

Ok, I ran "Hijack This".  I found a reference to a file located in
C:\RECYCLED and called taskhit.exe.  The file had an attribute of
Hidden and System.  I had to go to DOS and type ATTRIB to find it.
Oddly enough, Win2k is installed on my D: partition, and I never send
anything to the recycle bin; I have it set to automatically delete.  I
have Win98 on C:, and Win98 was not affected at all.

I manually removed this file, and the problem is gone.  However,
Hijack This continues to try to load it, but says "file missing".

This is cut from a Hijack This log file (below)
O23 - Service: Updata Service Device (UpdatesService) - Unknown owner
- c:\Recycled\taskhit.exe (file missing)

The problem is gone.  My whole screen works again.  That webpage was
sitting there the whole time, but invisible.  I could mouse over it,
but not click on the normal desktop items.

Searching for "taskhit.exe" on Google does not bring up anything
helpful about this.  Yet, I know for a fact that it's some sort of
malware.  Maybe it's very new??????

I am crossposting this to alt.comp.anti-virus and alt.comp.virus.
Maybe someone on there has an answer.
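As an added example (not from the thread), a small Python triage of HijackThis O23 lines like the one quoted above: it parses the service name, image path and the "(file missing)" marker, and flags services whose binary sits in a Recycled/Recycler folder or that point at a file that no longer exists. The first sample line is the one from the post; the other two are constructed.

```python
import re

# Sample HijackThis O23 lines. The first is the entry quoted in the post
# above; the other two are constructed to show a benign service and a
# dangling entry that is not in a recycle-bin folder.
SAMPLE_O23_LINES = [
    "O23 - Service: Updata Service Device (UpdatesService) - Unknown owner - c:\\Recycled\\taskhit.exe (file missing)",
    "O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\\WINNT\\system32\\spoolsv.exe",
    "O23 - Service: Old Helper (OldHelper) - Unknown owner - D:\\Program Files\\Old\\helper.exe (file missing)",
]

# O23 layout: "O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Recycle-bin folder names on FAT (Win9x) and NTFS (Win2k/XP) volumes.
RECYCLE_BIN_DIRS = ("recycled", "recycler")

def parse_o23(line):
    """Return the service fields of an O23 line, or None if it is not one."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }

def in_recycle_bin(path):
    """True if any directory component of the path is a recycle-bin folder."""
    return any(p.lower() in RECYCLE_BIN_DIRS for p in path.replace("/", "\\").split("\\"))

def triage(lines):
    # Collect (service name, path, reasons) for every O23 entry worth a look.
    findings = []
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if in_recycle_bin(svc["path"]):
            reasons.append("binary in recycle-bin folder")
        if svc["missing"]:
            reasons.append("dangling service entry (file missing)")
        if reasons:
            findings.append((svc["name"], svc["path"], reasons))
    return findings
```

A dangling entry is worth removing even after the file is gone, since the service registration would load the binary again if it were ever recreated.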



Re: Top Left corner of my screen is "dead". WTF?????



On Feb 26, 8:36 am, smi...@invalid.com wrote:


There you go.

You still use Win2k?

Must be an old machine.

RL


Re: Top Left corner of my screen is "dead". WTF?????



On Thu, 25 Feb 2010 22:52:18 -0800 (PST), RayLopez99


It's a computer from 2000.  It would likely run XP, but nothing
higher.  (1 GHz processor, 512 MB RAM.)  I do not like XP.

Actually, most of the time I run Win98se.  I like it the best.
I only have Win2000 installed because some USB items don't work on 98,
and some of the latest Adobe Flash stuff won't work.  Had I been using
Win98, I probably would not have gotten this virus.  I was too lazy to
reboot!!!  I'm using Win98 now.

By the way, I did a search for that URL, and came up with this
article.  This is exactly what I was infested with, but under a
different filename.  Here is the (long) article:

*** FROM THE WEBSITE ***
http://www.threatexpert.com/report.aspx?md5=c59e4be30b2c974936afff38de2d086c

*** THE ARTICLE ***

Submission Summary:

Submission details:
  Submission received: 17 February 2009, 04:55:45
  Processing time: 8 min 12 sec

Submitted sample:
  File MD5: 0xC59E4BE30B2C974936AFFF38DE2D086C
  File SHA-1: 0x2ED82188E211D7A7DCC263BFD7CF017334D94059
  Filesize: 241,152 bytes

Alias & packer info:
  Trojan-Downloader.Win32.Delf.qks [Kaspersky Lab]
  Trojan.Buzus.iij [Ikarus]
  packed with: UPX [Kaspersky Lab]

Summary of the findings (What's been found / Severity Level):
  Creates an executable file in the fake Recycle Bin folder with the
  purpose of concealing its presence in the system.
  Downloads/requests other files from Internet.
  Contains characteristics of an identified security risk.


 

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:
  Threat Category (Description): A program that downloads files to the
  local computer that may represent security risk

File System Modifications

The following files were created in the system:

  1. c:\RECYCLER\taskts.exe
     [file and pathname of the sample #1]
     File size: 241,152 bytes
     MD5: 0xC59E4BE30B2C974936AFFF38DE2D086C
     SHA-1: 0x2ED82188E211D7A7DCC263BFD7CF017334D94059
     Alias: Trojan-Downloader.Win32.Delf.qks [Kaspersky Lab]
            Trojan.Buzus.iij [Ikarus]
            packed with UPX [Kaspersky Lab]

  2. %System%\[filename of the sample #1 without extension].bat
     File size: 120 bytes
     MD5: 0xAB7411F18E91B1C49430F4D99C0FDE52
     SHA-1: 0xF268C0D52DCEF744259EC1A36622F5C2619FABBE
     Alias: (not available)

Note:
%System% is a variable that refers to the System folder. By default,
this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows XP).
 

Memory Modifications

There were new processes created in the system:

  Process Name                 Process Filename                       Main Module Size
  taskts.exe                   c:\recycler\taskts.exe                 544,768 bytes
  [filename of the sample #1]  [file and pathname of the sample #1]   544,768 bytes

There was a new service created in the system:

  Service Name   Display Name          Status     Service Filename
  TCencerVer     Safe Center Service   "Running"  c:\RECYCLER\taskts.exe


 

Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER00\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER00\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer\Enum
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER00\Control]
*NewlyCreated* = 0x00000000
ActiveService = "TCencerVer"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER00]
Service = "TCencerVer"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = ""
DeviceDesc = "Safe Center Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer\Enum]
0 = "Root\LEGACY_TCENCERVER00"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "c:\RECYCLER\taskts.exe"
DisplayName = "Safe Center Service"
ObjectName = "LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER00\Control]
*NewlyCreated* = 0x00000000
ActiveService = "TCencerVer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER00]
Service = "TCencerVer"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = ""
DeviceDesc = "Safe Center Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer\Enum]
0 = "Root\LEGACY_TCENCERVER00"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "c:\RECYCLER\taskts.exe"
DisplayName = "Safe Center Service"
ObjectName = "LocalSystem"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
NotifyDownloadComplete = "yes"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000
The following Registry Value was deleted:
[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
(Default) = "%SystemRoot%\media\Windows XP Start.wav"
The following Registry Values were modified:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Cookies = "%Profiles%\LocalService\Cookies"
Local AppData = "%Profiles%\LocalService\Local Settings\Application Data"
History = "%Profiles%\LocalService\Local Settings\History"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
1601 = 0x00000000
 

Other details

To mark the presence in the system, the following Mutex object was
created:
  CritOpMutex

The following port was open in the system:
  Port   Protocol   Process
  1037   UDP        taskts.exe (c:\RECYCLER\taskts.exe)

The following Internet Connection was established:
  Server Name   Server Port   Connect as User   Connection Password
  cpk.51ku.cn   80            (null)            (null)

The following GET requests were made:
  count/count.asp?mac=COMPUTERNAME&ver=090205
  count/index.jpg
  myxy.asp
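The report above lists the check-in the sample makes (count/count.asp with the computer name in "mac" and a version in "ver") to cpk.51ku.cn, the same URL shape the original poster found behind the invisible window. As an added example, not from the thread or ThreatExpert, here is a Python pass over proxy-style log lines that groups every request to that host by client and pulls the reported name and version out of each check-in; the log lines and computer names are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Hostname from the report's "Internet Connection" table above.
BEACON_HOST = "cpk.51ku.cn"

# Constructed proxy-style log lines: date, time, client IP, method, URL.
# The check-in URLs copy the shape shown in the report, with made-up
# computer names in the "mac" parameter.
SAMPLE_LOG = """\
2010-02-26 08:31:02 10.0.0.7 GET http://cpk.51ku.cn/count/count.asp?mac=WORKSTATION01&ver=100101
2010-02-26 08:31:03 10.0.0.7 GET http://cpk.51ku.cn/count/index.jpg
2010-02-26 08:31:05 10.0.0.7 GET http://example.com/count/count.asp?mac=1&ver=2
2010-02-26 08:31:09 10.0.0.9 GET http://cpk.51ku.cn/count/count.asp?mac=LAPTOP-02&ver=090205
2010-02-26 08:31:10 10.0.0.9 GET http://cpk.51ku.cn/myxy.asp
"""

def parse_line(line):
    """Split one log line into its five fields."""
    date, time, client, method, url = line.split(None, 4)
    return {"ts": f"{date} {time}", "client": client, "method": method, "url": url}

def match_checkin(url):
    """Return (reported name, ver) if the URL is the count.asp check-in, else None.
    The ver value is not pinned: the thread shows 090205 and 100101."""
    parts = urlsplit(url)
    if parts.hostname != BEACON_HOST or not parts.path.lower().endswith("/count/count.asp"):
        return None
    q = parse_qs(parts.query)
    if "mac" not in q or "ver" not in q:
        return None
    return q["mac"][0], q["ver"][0]

def summarize(log_text):
    """Group all traffic to the beacon host by client: check-ins vs. other paths."""
    out = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        parts = urlsplit(rec["url"])
        if parts.hostname != BEACON_HOST:
            continue
        entry = out.setdefault(rec["client"], {"checkins": [], "other": []})
        hit = match_checkin(rec["url"])
        if hit:
            entry["checkins"].append({"ts": rec["ts"], "computer": hit[0], "ver": hit[1]})
        else:
            entry["other"].append(parts.path)
    return out

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info)
```

The "other" list catches the follow-up fetches (index.jpg, myxy.asp) that the report shows after the check-in, which is what a downloader pulling its next stage looks like from the proxy side.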




Re: Top Left corner of my screen is "dead". WTF?????






| Well, I'm back and reporting that the problem reappeared.  However, I
| think this time I actually killed it, and it IS a virus.  Oddly enough
| I can not find anything about this virus online.  Here's what
| happened:

| I went to Safe Mode (VGA).  In Safe mode, I found a small webpage
| loaded in that corner of the screen.  The page had no CLOSE or
| MINIMIZE buttons, just a small screen with an error message (regular
| error saying I am not online).  I'm on dialup and I only let the
| computer connect manually.  I found that RIGHT clicking did work and
| gave me the option to scroll left, scroll down, scroll right, scroll
| up.  I was able to right click, select PROPERTIES, and this led me to
| this link:
| http://cpk.51ku.cn/count/count.asp?mac=xxxxxxxxxxx&ver=100101

| (the xxxxx's are actually the name of my computer in windows, which I
| replaced with x's).  And this is NOT a Macintosh (mac)?

| Ok, I ran "Hijack This".  I found a reference to a file located in
| C:\RECYCLED and called taskhit.exe.  The file had an attribute of
| Hidden and System.  I had to go to DOS and type ATTRIB to find it.
| Oddly enough, Win2k is installed on my D: partition, and I never send
| anything to the recycle bin; I have it set to automatically delete.  I
| have Win98 on C:, and Win98 was not affected at all.

| I manually removed this file, and the problem is gone.  However,
| Hijack This continues to try to load it, but says "file missing".

| This is cut from a Hijack This log file (below)
| O23 - Service: Updata Service Device (UpdatesService) - Unknown owner
| - c:\Recycled\taskhit.exe (file missing)

| The problem is gone.  My whole screen works again.  That webpage was
| sitting there the whole time, but invisible.  I could mouse over it,
| but not click on the normal desktop items.

| Searching for "taskhit.exe" on Google does not bring up anything
| helpful about this.  Yet, I know for a fact that it's some sort of
| malware.  Maybe it's very new??????

| I am crossposting this to alt.comp.anti-virus and alt.comp.virus.
| Maybe someone on there has an answer.




Please submit a sample of "taskhit.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition, Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Top Left corner of my screen is "dead". WTF?????



On Fri, 26 Feb 2010 06:35:13 -0500, "David H. Lipman"


I should have saved a copy of it, but it's gone.  I would have liked to
get it analyzed too.  I thought I had saved a copy, after changing the
.exe to .txt (filename), but because it was in the recycle bin, it was
not saved.
From what I recall, the file size was the same as the file listed in
the article I posted.  Probably the same file under another name.



Re: Top Left corner of my screen is "dead". WTF?????






MAC = Media Access Control address.  All network interfaces (such as
an ethernet card) have a unique MAC address which supposedly differs
from every other individual network interface in the world.
I'm guessing your virus is keeping track of the MAC address of your
computer, for its own virulent purposes.


Go to Start Button/Programs/Administrative Tools/Services.
See if a service of that name is present.  If so, STOP it if
it's started, then set it to Disabled.

Then delete the service entirely:

1. Run "C:\WINNT\regedit.exe".
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
3. If there's a folder in there that you can clearly identify
   as being your virus, delete it.

WARNING: Deleting stuff from this part of your registry is like
performing brain surgery.  If for some reason you mess things up
so badly you can no longer boot, you can revert by booting with the
Windows 2000 install CD, "Repair an Installation", "Repair Console".
Go into C:\WINNT\system32\config and do these two commands:
ren SYSTEM SYSTEM.BAD
copy SYSTEM.ALT SYSTEM
That reverts to the last known good copy of your system hive.

--
Cheers,
Robbie Hatley
lonewolf at well dot com
www dot well dot com slant tilde lonewolf slant



Re: Top Left corner of my screen is "dead". WTF?????





|| = Machine Address Code


Unless one has the tools and knows hows to program such things ... it's too
easy.


