?
Solved

Need information about the file "taskun.exe"

Posted on 2004-11-09
17
Medium Priority
?
1,714 Views
Last Modified: 2008-01-09
The OS is Windows 2000, and the path is C:\WINNT\AppPatch\taskun.exe .

It was causing the computer to run very slowly.  When I tried to close the process in the Task Manager it would immediatly restart.

I tried to use the registry editor to remove the startup item from  HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/runonce.Every time I removed it, it was immediatly reinstalled.

I finally restarted Windows in the debugging mode and was able to close the process and remove the registry entry.  Then I was able to delete the file after changing the file settings to show protected system files.

In a Google search I was only able to find one reference to this file at the following link:

http://ccforums.mechnex.net/index.php?s=f65d936aa66061c1406f2d4bad9c7d57&showtopic=5804&st=0&#entry79019

Has anyone else had a problem with this file?
Does anyone know where this file comes from, and what it does?
0
Comment
Question by:caza13
  • 7
  • 6
  • 2
  • +2
17 Comments
 
LVL 21

Assisted Solution

by:jvuz
jvuz earned 200 total points
ID: 12542749
I cannot find any info about this process? Maybe someone else can. Sorry
0
 
LVL 4

Assisted Solution

by:riotz
riotz earned 200 total points
ID: 12546959
there is no file called taskun.exe .. i at least dont know any thats names like that

i would assume that you got hacked and this executable running there is any irc zombie or a ftp daemon

send me a copy to <int21h at gmail.com> and i'll take a look at it

greets
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 1000 total points
ID: 12547288
Its surely a Junk file which is like many others ones, must be a remainanet from a previou infection.... although i cannot find any specific inforamtion on this file... but here is a similar case where user had this file and was suffering from malwares and popups programs >> http://boards.cexx.org/viewtopic.php?t=9689&sid=b269ccbc005301b2eb3f97709396b52b

And everyone recommended to remove this file which was running from C:\Windows\Drivers :)
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
LVL 27

Expert Comment

by:Asta Cu
ID: 12551010
I found someone else with the exact problem you have here:
http://ccforums.mechnex.net/index.php?s=169ccbdb88b701aef47335101c38e3de&showtopic=5804&st=0&#entry79019

Apparently using all updates to AdAware SE Pro / using the deep scanning and HOSTS file scan, as well as Spybot S&D with all updates and Immunize appeared to help resolve this.  It also kept returning after clearning all lines, including...

Brief excerpt from the above link:
No resource I turn to, no person I ask, knows what this insidious little demon is. It resides at C:\windows\registration\taskun.exe and the related registry entries i've found are as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\run\*taskun
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\run-\*taskun
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\runonce\*taskun
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\runonce-\*taskun

Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12551029
Spybot current download link and detection updates as well as additional anlyzers here:
http://www.safer-networking.org/en/download/index.html
0
 
LVL 6

Author Comment

by:caza13
ID: 12552884
That is an interesting link that SheharyaarSaahil posted.  It looks like that case had the taskun.exe file, and another one (C:\WINDOWS\security\Database\cxml.exe) that was causing pop-ups to appear.  The taskun.exe file only seems to slow down the computer.  It is also interesting that the file seems to appear in different folders on different computers.  I don't know if it is accessing the internet or what else it might be doing to slow the system down so much.  The one thing I know that it is doing is protecting itself.  The link that astaec posted seems like it goes to the same page as the link that I posted in the question.  There doesn't seem to be much information available about this one, so I'll leave the question open for a while longer to see if something else shows up.  Another thing that I should mention is that the spyware and virus scans that I ran couldn't find this file.  The thing that caught my attention is that it kept restarting whenever I tried to close it with the task manager.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12554745
The reason I repeated the link is because the Asker with your problem stated that the Spybot S&D routine appeared to be the solution; when all other processes already used failed to do it.  Spybot S&D, when updated and configured to also use the Immunize function, and AdAware included to scan the HOSTS file make an excellent 1-2-3 combo; and oftentime when running into roadblocks for Viruscan processes as well as spyware processes; Safe Mode works to ensure files that are involved aren't in use by the system.
0
 
LVL 6

Author Comment

by:caza13
ID: 12559939
The questioner in the other forum said that the problem went dormant for a while, and he wondered if the spyware scanners had taken care of it.  But later he said that the problem had returned, and in the end there was no solution.  So far my problem seems to be solved since I deleted the taskun.exe file in the debugging mode, but I'm looking for more information because I fear that I may have more problems later.  I'm wondering if the file and the associated registry entry is everything that was involved.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12560950
I've scoured through the archives of McAfee, Norton, the Spybot site and LavaSoft and just can't find a thing.  Who knows the variants and possibilities, I sure can't find anything whatsoever anywhere else.  
Not sure this is helplful to you, but perhaps may add some insight.
The Microsoft Security Risk Self-Assessment for Midsize Organizations
http://securityguidance.com/

Perhaps escalating the issue to whichever product you've purchased for Viruscan/Firewall protection would help; many have escalation procedures to report new problems and variants.  I've used McAfee and sent Zipped files of problems found in the past and not reported.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12561450
right.... there are numerous variants of the malwares that no one can have FULL records of them =\
0
 
LVL 6

Author Comment

by:caza13
ID: 12571774
I tried to e-mail the file to myself from the infected computer so that I could do some analysis.  The e-mail client somehow recognized it as a dangerous file and rejected it. Even after I renamed it, it was still rejected.  So I copied the file (835 k) to a floppy disk.  I was able to extract some text from the file that might give some clues.  Here is what I found:

This program cannot be run in DOS mode.
Sysupd
Svchost
windowsupd
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
VMNavigatedProp
VMBackProp
VMNavigatedProp
VMForwardProp
VMNavigatedProp
VMGoProp
WorkerW
WorkerA
rerun
open
/FriendlyName
%MODULEGUID%
TypeLib
%APPID%
AppID
Apartment
ThreadingModel
%MODULE%
%MODULETYPE%
Programmable
VersionIndependantProgID
ProgID
CurVer
ATLEvents.ATLEvents
{ED5ABC42-8E4F-4C39-F619D672F}
CLSID
%FriendlyName%
ATLEvents.ATLEvents.1
CATL Events Object
ComboBox
ReBarWindow32
WorkerA
WorkerW
%08x
FlocalServer32
MODULETYPE
InprocServer32
MODULEGUID
Module_Raw
Module
ForceRemove
NoRemove
Delete
AppID
CLSID
Component Categories
FileType
Interface
Hardware
Mime
SAM
SECURITY
SYSTEM
Softwart
TypeLib
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED5ABC42-8E4F-4C39-9972-F0CF619D672F}
VMProcessRestoreMutex
Protector Thread Is Running into %s application.
EventExitVM
hEvent is NULL…
FreeLibrary was called into %s application.
VMNavigatedProp
VMTypingProp
%08x
LoadLibrary was called into %s application.
regshape
.tlb
\ImplementedCategories
\RequiredCategories
CLSID\
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
A buffer overrun has been detected which has corrupted the program’s internal state.  The program cannot safely continue execution and must now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has corrupted the program’s internal state.  The program cannot safely continue execution and must now be terminated.
Unknown security failure detected!
50 P
700WP
( n u l l )
(null)
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
This application cannot run using the active version of the Microsoft.NET runtime.  Please contact the application’s support team for more information.
R6028 – unable to initalize heap
R6027 – not enough space for lowio initialization
R6026 – not enough space for stdio initialization
R6025 – pure virtual function call
R6024 – not enough space for onexit/atexit table
R6019 – unable to open console device
R6018 – unexpected heap error
R6017 – unexpected multithread lock error
R6016 – not enough space for thread data
This application has requested the Runtime to terminate in an unusual way.  Please contact the application’s support team for more information.
R6009 – not enough space for environment
R6008 – not enough space for arguments
R6002 – floating point not loaded
Runtime Error!
Program:
IsProcessorFeaturePresent
KERNEL32
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA user32.dll
GetVersionExA
InterlockedExchange
GetACP
GetLocalInfoA
GetThreadLocale
GetLastError
CloseHandle
SetEvent
CreateEventA
GetVolumeInformationA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InterlockedIncrement
InterlockedDecrement
lstrlenW
lstrlenA
lstrcpyA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
IsDBCSLeadByte
MultiByteToWideChar
lstrcpynA
lstrcmpiA
RaiseException
GetExitCodeProcess
OpenProcess
UnmapViewOfFile
CreateFileMappingA
CreateProcessA
Sleep
ReleaseMutex
FreeLibraryAndExitThread
WaitForSingleObject
OutputDebugStringA
GetCommandLineA
TerminateThread
LoadLibraryA
CreateThread
CreateMutexA
lstrcatA
KERNAL32.dll
DefWindowProcA
CallWindowProcA
SetPropA
GetPropA
GetParent
GetDlgItem
FindWindowExA
CharNextA
SetWindowLongA
CallNextHookEx
GetFocus
SetWindowsHookExA
USER32.dll
RegCloseKey
RegEnumValueA
RegCreateKeyExA
RegSetValueExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
ADVAPI32.dll
ShellExecuteA
SHGetFileInfoA
SHELL32.dll
CoTaskMemFree
StringFromCLSID
StringFromGUID2
CoCreateInstance
ole32.dll
OLEAUT32.dll
PathFindExtensionA
SHLWAPI.dll
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
LocalFree
RtlUnwind
ExitProcess
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
GetOEMCP
GetCPInfo
GetProcAddress
TerminateProcess
GetCurrentProcess
HeapCreate
VirtualFree
IsBadWritePtr
SetHandleCount
GetStdHandle
GetFileType
GetStartupINfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
UnhandledExceptionFilter
WriteFile
IsBadReadPtr
IsBadCodePtr
SetFilePointer
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
FlushFileBuffers
KillHook.dll
DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
InstallHook
Exception@ATL@@
.?AVexception@@
.?AVbad_alloc@std@@
.?AV_com_error@@
.?Avtype_info@@
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12571825
How current is Windows 2000?  Are patches applied?  Re. Buffer Overrun
Windows 2000 Security Patch: Buffer Overrun in Windows Could Lead to Data Corruption
http://www.microsoft.com/downloads/details.aspx?FamilyID=8290dbec-6072-45b9-a91d-e4c1fd93e3e1&displaylang=en
0
 
LVL 27

Assisted Solution

by:Asta Cu
Asta Cu earned 600 total points
ID: 12571840
Windows 2000 Security Patch: Buffer Overrun in Windows Kernel Message Handling Could Lead to Elevated Privileges
http://www.microsoft.com/downloads/details.aspx?FamilyID=cacac8c0-81e9-413e-b565-5d7b3257a733&displaylang=en
Buffer Overrun Occurs When You Start Winhlp32.exe Under NTSD
http://support.microsoft.com/default.aspx?scid=kb;en-us;293338 
Windows 2000 Security Patch: RAS Phonebook Buffer Overrun Vulnerability
http://www.microsoft.com/downloads/details.aspx?FamilyID=199429bf-efb3-456f-b7fe-9734bcabcbcb&displaylang=en
MS03-044: Buffer overrun in Windows Help and Support Center could lead to system compromise
http://support.microsoft.com/default.aspx?scid=kb;en-us;825119
MS03-043: Buffer overrun in Messenger service could allow code execution
http://support.microsoft.com/default.aspx?scid=kb;en-us;828035
Windows 2000 Security Patch: Buffer Overrun In HTML Converter Could Allow Code Execution
http://www.microsoft.com/downloads/details.aspx?FamilyID=ff84e1a5-c90d-40f2-8cf5-23da3ab296b4&displaylang=en

As you see the buffer overrun issue is significant, and the items above show some as program unknonw, etc. so tough to isolate, but would sure check WindowsUpdate and http://www.officeupdate.com for OS and IE as well as Office-related items to get any patches and fixes there.
0
 
LVL 6

Author Comment

by:caza13
ID: 12588094
Judging from files listed in the extracted text (KillHook.dll, Sysupd, windowsupd) it seems like taskun.exe may be related to the GatorClone ( http://sarc.com/avcenter/venc/data/pf/adware.gatorclone.html ) and VirtuMonde ( http://securityresponse.symantec.com/avcenter/venc/data/pf/adware.virtumonde.html )adwares.
0
 
LVL 6

Author Comment

by:caza13
ID: 12608720
Thanks to all who attempted to help me with this problem.  I knew that it would be hard to find information on this one.  In this case it seems that the problem is solved.  It may be that the spyware scanners were able to clean up whatever was left after the taskun.exe file was deleted.  Maybe what we have found here will help someone else who is having problems with this file.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12614185
Thank you, caza13; I'm also hopeful this information can help others who get hit with this problem.  ":0) Asta
0
 
LVL 6

Author Comment

by:caza13
ID: 12825781
Symantec now identifies this file as being associated with Trojan.Vundo

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Read about achieving the basic levels of HRIS security in the workplace.
Stellar Phoenix SQL Database Repair software easily fixes the suspect mode issue of SQL Server database. It is a simple process to bring the database from suspect mode to normal mode. Check out the video and fix the SQL database suspect mode problem.
The video provides a quick and easy steps to migrate MBOX file to well known Outlook PST and Office 365. Besides this, it also supports and migrates more than 20 email clients of MBOX which include AppleMail, Opera, Thunderbird and SeaMonkey effortl…
Suggested Courses

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question