taskmagr.exe

  • loik
  • Born
  • Joined: Dec 05, 2008
  • Posts: 2

Post December 8th, 2008, 9:35 pm

Hi, there's no taskmagr.exe running in my processes any more (I think). I've been starting and shutting down my computers for two days now, and in these two days I didn't see that process running.

But today I saw my Symantec Antivirus (SAV 9.0) delete one trojan (sorry, I didn't notice the virus name and this is my fault here). I think the virus tried to start the taskmagr.exe process again but was halted by my SAV.

I updated my SAV 9.0 twice a week.

loik

  • Ticcer
  • Newbie
  • Joined: Dec 09, 2008
  • Posts: 5

Post December 9th, 2008, 5:06 am

You are all not alone with this issue. It seems to be popping up all over the place and yet no anti-malware software seems to catch it.

So far I've updated my Flash player because there is a vulnerability in some Flash players that allows an attacker to take control of the affected system. See here:
http://www.adobe.com/support/security/b ... 07-12.html


I also implemented the host file data from this page
http://www.mvps.org/winhelp2002/hosts.htm

...and blocked
http://www.zhenip.com & news.hexun.com with the hosts file, but will definitely add itv.hexun.com & http://www.hexun.com to the list


Suspicious files I've found are, first, Taskmagr.exe, which everyone with this problem seems to have or had. Others are wmdmpmsvc.dll, msftpd.dll, & mspush.dll... all in the windows\system32 folder.

I have another strange .dll in C:\root called totnp233.dll

I used this amazingly small and super quick search tool called 'Everything' found here
http://www.voidtools.com/
to search out all "hexun" related files and deleted them.

Now I don't have the dumb Chinese voices anymore... download this small MP3 (438k) file if you wanna hear what I was getting...
http://www.mediafire.com/?sharekey=def1 ... 09e595c4aa


I recorded it using SoundTap to record everything going through the sound card.

BUT... I still have IEXPLORE.EXE loading itself in the background several times a day. It must be loading tons of separate windows because I get hundreds of registry changes wanting to happen re iexplore.exe that get picked up by Ad-Aware's Ad-Watch, and my CPU is running iexplore.exe at 100% capacity!

After deleting Taskmagr.exe over a week ago, it came back a couple of times but has stayed away this time for 3 days. I reckon it is just called something else now.

Anyway, that's all I know at this point.

Ticcer
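An added example, not code from Ticcer or anyone else in this thread: a small Python sweep that walks a directory tree for the file names reported above, matching case-insensitively (posters wrote both "Taskmagr.exe" and "taskmagr.exe") and leaving the legitimate taskmgr.exe alone. It runs against a constructed temporary tree so it works offline; point sweep() at a real drive root to use it.

```python
import os
import tempfile
from pathlib import Path

# File names reported in this thread; matched case-insensitively because
# posters wrote both "Taskmagr.exe" and "taskmagr.exe".
SUSPECT_NAMES = {"taskmagr.exe", "wmdmpmsvc.dll", "msftpd.dll",
                 "mspush.dll", "totnp233.dll"}


def sweep(root):
    """Walk root and return sorted, slash-separated relative paths of suspect files."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SUSPECT_NAMES:
                rel = Path(dirpath, name).relative_to(root)
                hits.append(rel.as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for a drive: benign files plus three names from the thread.
    The real Task Manager (taskmgr.exe) is included to show the look-alike is not flagged."""
    root = Path(tempfile.mkdtemp(prefix="sweep_"))
    for rel in ("WINDOWS/system32/taskmgr.exe",
                "WINDOWS/system32/Taskmagr.exe",
                "WINDOWS/system32/wmdmpmsvc.dll",
                "root/totnp233.dll",
                "Program Files/readme.txt"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    for hit in sweep(build_sample_tree()):
        print(hit)
```

A name match is only a lead: a hit still needs its hash and timestamp checked before deletion, since legitimate files can share a name.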
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post December 9th, 2008, 8:35 pm

Thanks for that Ticcer. All this seemed to happen when I installed the update for Flash. Or it told me it was an update.

I was on the net browsing Ozzu when an installer popped-up giving me the file to install. It had two options... "Install" and "Cancel".

I clicked cancel and it still popped-up, I repeated that like ten times until two of those darn things popped-up. I thought if Flash wants me to update it that bad, I might as well, and so I clicked "Install".

After that, I heard music in the background and found the darn taskmagr.exe process running. And some other dll by hijackthis...
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Ticcer
  • Newbie
  • Joined: Dec 09, 2008
  • Posts: 5

Post December 10th, 2008, 12:13 am

That's interesting... I also had some Flash message about updating... I always ignore anything like that because I always manually update... Windows, Flash player... everything! So if the Flash player exploit is the source of the issue then it doesn't matter if you click cancel or install when that popup occurs.

Thanks for the reply.. the pieces of the puzzle are falling into place it seems.

Ticcer

EDIT: By the by, I have not had iexplore.exe load all day since I got rid of mspush.dll and totnp233.dll, so fingers crossed.
  • kenrippy
  • Born
  • Joined: Dec 10, 2008
  • Posts: 2

Post December 10th, 2008, 3:22 pm

I had to register to add to this topic. I have/had this same thing, and so has my friend. He actually had it about a week before I did. I thought he was crazy when he told me about the voices etc. coming from his PC.

I don't know where exactly this comes from; it's hard to even find other instances of it on the net via Google. I searched Symantec but didn't know exactly what search criteria to use.

I have Symantec Endpoint Protection, and my definitions were about a week out of date. After updating virus defs, it automatically found "taskmagr.exe" and deleted it.
Then I ran Ad-Aware Pro and it found some other junk. I now have Ad-Watch running all the time, and also Spysweeper. That Everything search app is amazing too!

For now, it looks like it's gone, but I don't trust that it's gone forever. I see a format in my future.

Hopefully there will be a tool to completely get rid of this thing soon.

Until then, this thread has helped me clear it up (at least for now).
Thanks to everyone here, Ticcer especially - your tips really helped.
  • fayyaz32
  • Born
  • Joined: Dec 11, 2008
  • Posts: 2

Post December 11th, 2008, 11:24 pm

My computer is infected with the "generic host 32" virus. It stops my local file and print sharing and also stops services. Can anybody help me? I am new at this forum and this is my first post.
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post December 12th, 2008, 4:51 pm

Download HijackThis and post a log here.

Steps to Take Before Posting your Hijack This Log
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • sonictm
  • Newbie
  • Joined: Dec 13, 2008
  • Posts: 5

Post December 13th, 2008, 12:31 am

I have a strange incarnation of this virus/worm/whatever it is. I first noticed it when I was cleaning (manually, as Symantec and Spybot are no longer working [apparently the virus disabled them somehow]) an infection of the Antivirus 2009 malware. Problem was, it blocked me from accessing any sites with any real antivirus software or information on the subject of removal.
Edit: other than this forum and google cached versions.

Although they all came at once, as far as I can tell, I have three separate infections that merged together and (from what I can determine) got in as fake video codecs for ads. The first was the simple and easily removed Antivirus 2009. The second was an as-yet unremoved version of the go.google virus. The third is this taskmagr.exe thing that seems dormant other than force loading iexplore every boot (yet no Chinese [is it even real Chinese?]).

Edit: When I log on now, I see a bit of a DOS prompt window for a split second, then it disappears. Tried to print-screen a screenshot of it but it didn't work. (Wasn't fast enough?)

Any help would be great.

(I must say this is my worst battle with viral activity on the digital plane I've ever endured.)
  • sonictm
  • Newbie
  • Joined: Dec 13, 2008
  • Posts: 5

Post December 13th, 2008, 12:58 am

Found the following on another forum after noticing the wmdmpmsvc.dll in my system32 directory without any information.

____________________________________________________
Hello, I'm running Windows XP with SP2 and all security updates.
I've been getting warnings every day now from Antivir for a while about 4 trojans:

Virus or unwanted program 'TR/Patched.BU.9 [trojan]'
detected in file 'C:\windows\system32\dmserver.dll.

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\WINDOWS\System32\sensct.dll.

Virus or unwanted program 'BDS/Backdoor.Gen [backdoor]'
detected in file 'C:\windows\system32\wmdmpmsvc.dll.

Virus or unwanted program 'TR/StartPage.cyi [trojan]'
detected in file 'C:\WINDOWS\system32\taskmagr.exe.


Additionally when I have Flashget open (Rapidshare download tool) and it tries to update itself I get the warning of a trojan:
Virus or unwanted program 'TR/Hijacker.Gen [trojan]'
detected in file 'E:\Program Files\FlashGet\updates.exe.

--------

I was about to delete all these files using „Gipo@moveonboot“, but decided to ask your advice first. A quick Yahoo! search shows all these files as dubious:

taskmagr.exe,
sensct.dll,
wmdmpmsvc.dll,
except for dmserver.dll which seems to serve a purpose. Will I damage my computer if I delete these files?

----
I downloaded the FIX pack, ran Ccleaner and Malwarebytes. Malwarebytes came up with this:

Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 3
18.11.2008 16:47:44
mbam-log-2008-11-18 (16-47-41).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 361858
Time elapsed: 4 hour(s), 21 minute(s), 57 second(s)

Registry Keys Infected: 1
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.
Files Infected:
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.
----
It says „no action taken“ even though I had all boxes checked when I clicked „remove items“, but just to make sure I scanned these folders again and came up clean.

Thanks in advance

________________________________________________________________


What I forgot to mention in my former post was that I tried to download Malwarebytes and the installer didn't work, but if it affected FlashGet too...
I never thought one infection could cripple so many apps!

Edit: I also have the dmserver.dll thing. But it had properties so I didn't initially think it was malicious. I can't remove either dll as they are apparently running and won't let me delete. (Did easily delete taskmagr.exe after Alt+Ctrl+Del force ending the task.)
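An added example, not from sonictm, the quoted poster or this forum: a Python parser for the Malwarebytes log layout quoted above. It reads the per-section summary counts and the itemised "<target> (<detection>) -> <action>." lines, checks that the two agree, and lists entries logged as "No action taken" so an incomplete removal like the one described is not overlooked. The log text embedded below is the one quoted in the post.

```python
import re

# Copy of the Malwarebytes log quoted in the post above, embedded so the parser runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 3
18.11.2008 16:47:44
mbam-log-2008-11-18 (16-47-41).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 361858
Time elapsed: 4 hour(s), 21 minute(s), 57 second(s)

Registry Keys Infected: 1
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.
Files Infected:
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.
"""

# Itemised "<target> (<detection>) -> <action>." lines and "<section> Infected: <n>" summary lines.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")


def parse_mbam_log(text):
    """Return (declared_counts, items); each item records section, target, detection, action."""
    declared, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
        elif line.endswith(" Infected:"):
            section = line[:-1]          # section header that introduces the itemised lines
        else:
            m = ITEM_RE.match(line)
            if section and m:
                items.append({"section": section, **m.groupdict()})
    return declared, items


def unresolved(items):
    """Items the scanner detected but did not remove or quarantine."""
    return [i for i in items if i["action"].lower().startswith("no action")]


def counts_match(declared, items):
    """True when the per-section summary counts agree with the itemised lines."""
    found = {}
    for i in items:
        found[i["section"]] = found.get(i["section"], 0) + 1
    return found == declared
```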
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post December 13th, 2008, 9:32 pm

I forgot about this program until I "refound" it today and used it.

smitfraudfix

I did that and tomorrow I will know the results, but so far, so good.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post December 13th, 2008, 10:20 pm

Update on my deal here...

I just saw my desktop and found a new installer there that I haven't seen before... bhr.exe... browser hijack recoverer. I checked the properties and it said that it came from another computer and is blocked to protect this computer. That is good.

I get my internet from another computer at my house... it may be from there but I'm not so sure, is there any way I could find out where it came from?

Thanks.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post December 14th, 2008, 9:30 pm

Here is an update and a warning concerning this thing. I just got another pop-up to update my Flash Player thing. I restarted and the pop-up showed up again.

I checked my processes both times and it seems that it is showing because iexplorer.exe is running. So, I guess if those pop-ups are showing up, make sure that iexplorer.exe is not running.

Also, if they do pop up and they seem legit, I recommend not installing and instead going to the official site and doing it manually that way.

Another thing, I just got my first BSOD (Blue Screen Of Death) today... practically 15 minutes ago. Here is the information I gathered from it.

STOP: 0x0000008E (0xC0000090,0xF7970C5,0xEE9062A8,0x00000000)

senflit.sys - Address F7970C5C base at F7939000, Datestamp 414a45cc

And there's nothing in the event viewer...
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Ticcer
  • Newbie
  • Joined: Dec 09, 2008
  • Posts: 5

Post December 17th, 2008, 7:52 am

kenrippy wrote:
I see a format in my future.

Hopefully there will be a tool to completely get rid of this thing soon.

Until then, this thread has helped me clear it up (at least for now).
Thanks to everyone here, Ticcer especially - your tips really helped.


No worries. I too see a format in my very near future. Something is still not right as things are a lot slower on my laptop since this thing ravaged the machine.

Yes, that Everything tool amazes me every day lol

Ticcer
  • Ticcer
  • Newbie
  • Joined: Dec 09, 2008
  • Posts: 5

Post December 17th, 2008, 8:09 am

sonictm wrote:

taskmagr.exe,
sensct.dll,
wmdmpmsvc.dll,
except for dmserver.dll which seems to serve a purpose. Will I damage my computer if I delete these files?

----
I downloaded the FIX pack, ran Ccleaner and Malwarebytes. Malwarebytes came up with this:

Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 3
18.11.2008 16:47:44
mbam-log-2008-11-18 (16-47-41).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 361858
Time elapsed: 4 hour(s), 21 minute(s), 57 second(s)

Registry Keys Infected: 1
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.
Files Infected:
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.
----
It says „no action taken“ even though I had all boxes checked when I clicked „remove items“, but just to make sure I scanned these folders again and came up clean.

Thanks in advance

________________________________________________________________


What I forgot to mention in my former post was that I tried to download Malwarebytes and the installer didn't work, but if it affected FlashGet too...
I never thought one infection could cripple so many apps!

Edit: I also have the dmserver.dll thing. But it had properties so I didn't initially think it was malicious. I can't remove either dll as they are apparently running and won't let me delete. (Did easily delete taskmagr.exe after Alt+Ctrl+Del force ending the task.)


Use this little gem of a tool - Unlocker - to help with unlocking and deleting files that are in use by another process:
http://ccollomb.free.fr/unlocker/

I can't be without it on any system I use.

taskmagr.exe,
sensct.dll,
wmdmpmsvc.dll,
dmserver.dll

I have deleted all the above files from my computer, except for sensct.dll which I didn't have in the first place. I run XP SP3. I have not had a BSOD. The Chinese voices stopped after I removed mspush.dll and totnp233.dll as explained earlier.

As for,

C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon

If you have installed any Trymedia games or programs on your machine these files may be required and may be a false positive. I'd e-mail trymedia and see what they say if I were you.

Ticcer
  • kenrippy
  • Born
  • Joined: Dec 10, 2008
  • Posts: 2

Post December 18th, 2008, 3:19 pm

Mine seems to be gone as well.

It looks like M$ have finally realized the new threats to IE and released a critical update for it. (12-17-08)
http://www.computerworld.com/action/art ... rc=hm_list


Seems like they're a little late for us.

I've been using Unlocker for a while now, and it's become a very handy tool to have at the ready.