
taskbarmngr.exe - Dangerous

%windir%\taskbarmngr.exe

Manual removal instructions:

Antivirus Report of %windir%\taskbarmngr.exe:
%windir%\taskbarmngr.exe Malware
%windir%\taskbarmngr.exe Dangerous
%windir%\taskbarmngr.exe High Risk
taskbarmngr.exe is the rootkit component of W32/Rbot-ZO.
taskbarmngr.exe is used to hide files, processes and registry keys.
taskbarmngr.exe is a kernel-mode rootkit (it installs and loads the haxdrv.sys driver listed below).
The rootkit contacts a remote attacker-controlled server over an HTTP session.
taskbarmngr.exe spreads via open network shares.
taskbarmngr.exe opens a backdoor that is controlled over IRC channels.
taskbarmngr.exe tries to terminate antivirus programs installed on the user's computer.
taskbarmngr.exe monitors the user's Internet activity and private information.
It sends the stolen data to an attacker-controlled site.
Related files:
%WinDir%\taskbarmngr.exe
%SysDir%\drivers\haxdrv.sys

haxdrv.sys created new system drivers:
service name: "haxdrv"
display name: "haxdrv"
Added to registry:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000
Class
LegacyDriver

ClassGUID
(random Class ID)

ConfigFlags
dword:00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000\Control
*NewlyCreated*
dword:00000000

ActiveService
haxdrv

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000
DeviceDesc
haxdrv

Legacy
dword:00000001

Service
haxdrv

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV
NextInstance
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
DisplayName
haxdrv

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv\Enum
0
Root\LEGACY_HAXDRV\0000

Count
dword:00000001

NextInstance
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
ErrorControl
dword:00000001

ImagePath


HKLM\SYSTEM\CurrentControlSet\Services\haxdrv\Security
Security


HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
Start
dword:00000003

Type
dword:00000001

taskbarmngr.exe also registers itself as a Windows service (Type 0x110: own-process, interactive Win32 service, not a driver; auto-start as LocalSystem):
service name: "wtaskbarmngr" (the key name under Services, and the ActiveService value below)
display name: "Windows Taskbar Manager"
Added to registry:
HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
Type
dword:00000110
HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
Start
dword:00000002
HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
ErrorControl
dword:00000000
HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
ImagePath

HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
DisplayName
Windows Taskbar Manager
HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
ObjectName
LocalSystem
HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
FailureActions

HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr
Description
Moniters Windows Services And Processes
HKLM\SYSTEM\CurrentControlSet\Services\wtaskbarmngr\Security
Security

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTASKBARMNGR\0000
Class
LegacyDriver
ClassGUID
(random Class ID)
ConfigFlags
dword:00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTASKBARMNGR\0000\Control
*NewlyCreated*
dword:00000000
ActiveService
wtaskbarmngr
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTASKBARMNGR\0000
DeviceDesc
Windows Taskbar Manager
Legacy
dword:00000001
Service
wtaskbarmngr
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTASKBARMNGR
NextInstance
dword:00000001

Added to registry:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
dword:00000001

AntiVirusOverride
dword:00000001

FirewallDisableNotify
dword:00000001

FirewallOverride
dword:00000001

UpdatesDisableNotify
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions
dword:00000001

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Installed Time


Record


MeltMe


HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
dword:00000004

W32/Rbot-ZO also changes the following registry entries from the default Windows values:

from:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
dword:00000002

to:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
dword:00000004

from:
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
dword:00000002

to:
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
dword:00000004

from:
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
dword:00000003

to:
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
dword:00000004

from:
HKLM\Software\Microsoft\OLE
EnableDCOM
Y

to:
HKLM\Software\Microsoft\OLE
EnableDCOM
N

from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0

to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

from:
HKLM\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout
20000

to:
HKLM\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout
7000

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
dword:00000000

AutoShareWks
dword:00000000

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
dword:00000000

AutoShareWks
dword:00000000

The worm can change the Internet Explorer Start page by changing the following registry entry:

HKLM\Software\Microsoft\Internet Explorer\Main
Start Page
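
The listing above is an indicator set, so the natural next step is a script that checks a host against it. The following PowerShell audit is an added example written for this page; it is not part of the original page and not part of the UnHackMe product. Every key, value and file name comes from the listing above, and the "tampered" data it matches are the values the page reports (for reference: Type 1 = kernel driver, Type 0x110 = own-process interactive Win32 service; Start 2 = automatic, 3 = manual, 4 = disabled). The script only reports; it changes nothing.

```powershell
# Added example (not from the original page or the UnHackMe product): read-only audit
# of a Windows host for the W32/Rbot-ZO indicators listed above.
# Run from an elevated PowerShell prompt on the suspect host.
$findings = New-Object 'System.Collections.Generic.List[string]'

# Report a registry value when it exists and (if $Bad is given) equals the tampered data.
function Test-RegValue {
    param([string]$Path, [string]$Name, $Bad, [string]$Why)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $val = $item.$Name
    if ($null -eq $Bad -or "$val" -eq "$Bad") {
        $findings.Add("[REG]  $Path\$Name = $val  ($Why)")
    }
}

# 1. Services the malware registers: haxdrv (Type 1, kernel driver, demand start) and
#    wtaskbarmngr (Type 0x110, interactive own-process service, auto start, LocalSystem).
foreach ($svc in 'haxdrv', 'wtaskbarmngr') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $findings.Add("[SVC]  $svc registered: ImagePath='$($p.ImagePath)' Type=$($p.Type) Start=$($p.Start)")
    }
    $legacy = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($svc.ToUpper())"
    if (Test-Path $legacy) { $findings.Add("[SVC]  $legacy present") }
}
# Kernel drivers are not returned by Get-Service; ask WMI for the driver object instead.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='haxdrv'" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("[DRV]  haxdrv driver state: $($_.State) path: $($_.PathName)") }

# 2. Dropped files and the running process.
foreach ($f in "$env:windir\taskbarmngr.exe", "$env:windir\System32\drivers\haxdrv.sys") {
    if (Test-Path -LiteralPath $f) { $findings.Add("[FILE] $f exists") }
}
Get-Process -Name taskbarmngr -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("[PROC] taskbarmngr.exe running, PID $($_.Id)") }

# 3. Defence tampering: Security Center alerts, firewall policy, automatic updates.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($n in 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify',
               'FirewallOverride', 'UpdatesDisableNotify') {
    Test-RegValue $sc $n 1 'Security Center alert suppressed'
}
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' 'Start' 4 'Security Center service disabled'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    Test-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile" 'EnableFirewall' 0 'firewall disabled by policy'
}
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions' 1 'automatic updates disabled'
Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'DoNotAllowXPSP2' 1 'XP SP2 install blocked'
foreach ($n in 'Installed Time', 'Record', 'MeltMe') {
    Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions' $n $null 'installer marker value'
}

# 4. Doors the worm closes behind itself. These are legitimate hardening on some hosts,
#    so treat them as corroborating evidence only, not as proof of infection.
$svcs = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($n in 'Messenger', 'RemoteRegistry', 'TlntSvr') {
    Test-RegValue "$svcs\$n" 'Start' 4 "$n service disabled"
}
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\OLE' 'EnableDCOM' 'N' 'DCOM disabled'
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'restrictanonymous' 1 'anonymous enumeration restricted'
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control' 'WaitToKillServiceTimeout' 7000 'service kill timeout shortened'
foreach ($n in 'lanmanserver', 'lanmanworkstation') {
    Test-RegValue "$svcs\$n\parameters" 'AutoShareServer' 0 'administrative shares disabled'
    Test-RegValue "$svcs\$n\parameters" 'AutoShareWks' 0 'administrative shares disabled'
}

# 5. Machine-wide IE start page: print whatever is set so the analyst can judge it.
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main' 'Start Page' $null 'check for hijacked start page'

if ($findings.Count -eq 0) { 'No W32/Rbot-ZO indicators found (a live result is not conclusive against a kernel rootkit).' }
else { $findings }
```

One caveat that matters with this family: haxdrv.sys is a kernel driver whose job is to hide files, processes and registry keys, so a clean result from a live session proves little. Repeat the registry checks from an offline boot (WinPE, or the disk mounted in a clean system) by loading the suspect SYSTEM and SOFTWARE hives with `reg load` and pointing the paths at the loaded hive. Manual removal follows the same listing: from that offline boot delete the haxdrv and wtaskbarmngr Services keys and their LEGACY_* Enum entries, delete the two files, then restore the Security Center, firewall, Automatic Updates and wscsvc settings that the worm changed.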

Remove taskbarmngr.exe now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since then I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company, and you can ask me directly if you have any questions.
