BleepingComputer.com: Suspicious Tabs in Windows 7 Task Manager

Avira AntiRootkit Tool (1.3.0.1)

========================================================================================================
- Scan started Wednesday, July 27, 2011 - 16:20:55 PM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 74.53 GB
- Working disk free size : 28.43 GB (38 %)
--------------------------------------------------------------------------------------------------------

Results:
Value type mismatch : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout -> 381b4222-f694-41f0-9685-ff5bb260df2e
Hidden value : HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows CE Services -> symboliclinkvalue

--------------------------------------------------------------------------------------------------------
Files: 0/38120
Registry items: 2/425851
Processes: 0/84
Scan time: 00:02:15
--------------------------------------------------------------------------------------------------------
Active processes:
- System (PID 4)
- svchost.exe (PID 996)
- lsm.exe (PID 720)
- wmpnetwk.exe (PID 216)
- iexplore.exe (PID 5000)
- smss.exe (PID 292)
- avgchsva.exe (PID 352)
- winlogon.exe (PID 852)
- explorer.exe (PID 2168)
- AVGIDSAgent.ex (PID 2768)
- avguard.exe (PID 4280)
- NvXDSync.exe (PID 1468)
- nvvsvc.exe (PID 1480)
- nSvcAppFlt.exe (PID 1088)
- svchost.exe (PID 1296)
- RichVideo.exe (PID 1844)
- avgwdsvc.exe (PID 1952)
- svchost.exe (PID 6112)
- svchost.exe (PID 2100)
- svchost.exe (PID 388)
- LogonUI.exe (PID 540)
- svchost.exe (PID 556)
- svchost.exe (PID 768)
- csrss.exe (PID 568)
- wininit.exe (PID 636)
- services.exe (PID 696)
- avgui.exe (PID 5068)
- lsass.exe (PID 712)
- svchost.exe (PID 1172)
- csrss.exe (PID 668)
- avshadow.exe (PID 2272)
- AVGIDSMonitor. (PID 1924)
- svchost.exe (PID 892)
- nvvsvc.exe (PID 956)
- FABS.exe (PID 2000)
- avgtray.exe (PID 4760)
- audiodg.exe (PID 1100)
- SearchIndexer. (PID 2280)
- LSSrvc.exe (PID 1216)
- rdpclip.exe (PID 1764)
- SUPERAntiSpywa (PID 1196)
- NEGui.exe (PID 1380)
- svchost.exe (PID 1680)
- avirarkd.exe (PID 2656)
- csrss.exe (PID 3980)
- conhost.exe (PID 1544)
- avgnsa.exe (PID 1840)
- spoolsv.exe (PID 1644)
- FlashUtil10e.e (PID 5876)
- taskhost.exe (PID 2700)
- svchost.exe (PID 1916)
- NEService64.ex (PID 1792)
- SASCore64.exe (PID 1860)
- armsvc.exe (PID 1880)
- svchost.exe (PID 4028)
- VSSVC.exe (PID 5176)
- dwm.exe (PID 4004)
- sched.exe (PID 4712)
- nvSCPAPISvr.ex (PID 2128)
- vmware-usbarbi (PID 2200)
- avgemca.exe (PID 1892)
- vmnat.exe (PID 2320)
- svchost.exe (PID 2348)
- nSvcIp.exe (PID 2540)
- iexplore.exe (PID 4428)
- vmware-authd.e (PID 2636)
- vmnetdhcp.exe (PID 2672)
- taskmgr.exe (PID 4984)
- svchost.exe (PID 4328)
- winlogon.exe (PID 2208)
- avgnt.exe (PID 452)
- StikyNot.exe (PID 808)
- svchost.exe (PID 3752)
- soffice.bin (PID 4136)
- conhost.exe (PID 3912)
- ZuneLauncher.e (PID 188)
- soffice.exe (PID 4112)
- vmware-tray.ex (PID 4252)
- PDVDServ.exe (PID 4544)
- CLMLSvc.exe (PID 4604)
- brs.exe (PID 4640)
- avgrsa.exe (PID 5312)
- avgcsrva.exe (PID 5348)
- swzwbglv.exe (PID 5996) (Avira AntiRootkit Tool)
========================================================================================================
- Scan finished Wednesday, July 27, 2011 - 16:23:11 PM
========================================================================================================

Hi tritonsmoon,

That log didn't find anything. I'm still not convinced you don't have a rootkit.

We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
    • Primary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
  
  
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  
• Open on your desktop.
  
• Click the Report tab.
  
• Click the Scan button.
  
• Check all seven boxes:
  
• Click Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, a logfile will open Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Hi Jason,
I get...

Error - Root Repeal does not support 64-bit OSs!

Windows 7 (64 bit)

David

This post has been edited by tritonsmoon: 27 July 2011 - 04:38 PM

Could you take a screenshot of exactly what you're seeing?

If you don't know how to take a screenshot:
Open the Task Manager and make it display what you're seeing. Leave it open.
Click start, search for Snipping Tool.
In the Snipping Tool window, click New.
Click and drag the mouse so that the red box is around the Task Manager. When you let go of the mouse, you'll see a screenshot image.
Click the floppy disk icon (next to New) to save the image to your desktop (give it a name).
Please attach the image to your next reply.

One other question - do you know when you started noticing this?

Task Manager 1


Task Manager 2

This post has been edited by tritonsmoon: 27 July 2011 - 09:36 PM

Hi tritonsmoon,

I think I found the solution.

Please download http://www.mvps.org/sramesh2k/reg/TaskManager_Reset.reg to your desktop.

Double click it, and click on Yes at the prompt. Then restart your computer. Open the Task Manager, and hopefully, both of those odd things you're seeing won't be there anymore.

Hi Jason,

Well, I think we're striking out here. I am on the verge of reloading. It's not something I want to do, but I really don't feel comfortable running this system much longer. I think this weekend I'll try to get started moving old documents.

Unless you can think of anything else?

Thanks very much for your time on this. I appreciate it.

David

*Edit*
I guess to answer your question, I don't exactly know when it started. I did a system restore as far back as I could (just 1 week) and the problem still exists.

This post has been edited by tritonsmoon: 27 July 2011 - 11:37 PM

Hi David,

I'm pretty sure this has to do with a setting in the registry, but because of the limited number of tools allowed in the Am I Infected forum, I can't find a way to query the sections of the registry that control what's seen on the Task Manager.

You could either reformat, or post a topic in the Malware Removal Forum.

At this point, I can't guarantee that you're completely free of malware, so either choice would fix that as well.

I really do appreciate your help Jason!

There are some tools in these posts I otherwise never would have had exposure to.

Thanks for all the direction.

David