taskmagr.exe

  • Bogey
  • Posts: 8397
  • Loc: USA

I just scanned my computer with HijackThis and found out I had taskmagr.exe running as a process. I checked its properties and it was created on Wednesday, August 04, 2004, 4:00:00 AM, last modified on Sunday, April 13, 2008, 6:12:08 PM and accessed today, November 26, 2008, 10:52:36 PM. I googled that process and found out that it is a worm.

The reason I decided to scan my computer is that the process iexplorer.exe starts at random and starts running some flash video. I can't see anything, it's in the background, but I hear voices/music. Whatever... and it starts to repeat over and over.

Any help here? Thanks so much.


It's safe to remove taskmagr.exe... right? The address to it on my computer is C:/WINDOWS/system32/taskmagr.exe... it's safe, right? I mean Google says it's a worm, hijackthis.de says it's extremely nasty, I have never had this process running (or not that I have noticed) and now that it is (or now that I did notice it) I have problems with my computer. Everything points in favor of deleting it... I just want to get a second approval.

  • Bogey
  • Posts: 8397
  • Loc: USA

Alright... I just did a more in-depth scan of my computer and found the following infections.

Spyware Doctor found:

Trojan-Downloader.Agent!sd6 (C:/WINDOWS/System32/dmserv.dll)
Trojan.Agent!sd6 (C:/WINDOWS/System32/wmdmpmsvc.dll)

Both of those are running under svchost.dll

PrevX CSI found:

c:/WINDOWS/System32/dmserv.dll
c:/WINDOWS/System32/wmsmpmsvc.dll
c:/WINDOWS/System32/mspdtc.dll
c:/WINDOWS/System32/taskmagr.exe
c:/WINDOWS/System32/msfontsew.dll

Since both are unregistered copies, I can't remove them and I don't have the money to buy the license right now.

Is it safe for me to just delete those files? Or will the trojans/worms stay within the registry and still hurt my computer?

- Thanks
  • Bogey
  • Posts: 8397
  • Loc: USA

I just scanned with spyware doctor again and it came up with two additional trojans.

Trojan.Startpage!sd6
Trojan-Downloader.Agent!sd5

Along with the two found yesterday. I scanned my computer with Ad-Aware 2008 and removed 5 threats, two of which were high risk, and I guess those were the ones not found by Spyware Doctor. Any help or ideas here? Thanks.
  • Bogey
  • Posts: 8397
  • Loc: USA

No one? No help? Googling those things doesn't help, because anything that may be of some use that comes up on Google is just the different names used by the various spyware/virus scanners, and googling those brings me about the same results.

Here's my hijackthis file in case I forgot something.

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:52 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\wamp\wampmanager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 9737 bytes


The taskmagr.exe was at the running processes then. I ended the process, but I still have that in system32 folder.
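Added example (editorial, not part of the original thread and not any poster's code): the three checks a responder would actually run over a HijackThis log like the one above, offline. It derives the "expected" browser start page from the log's own HKLM Default_Page_URL line rather than from an outside list, so the HKCU start page google.mini20.com in the posted log is flagged simply because it differs from that baseline (Spyware Doctor's Trojan.Startpage hit is the poster's, not this script's, verdict); it lists O4 autostarts living under a user profile and O23 services with "Unknown owner" for review only (the Google updater in the posted log is legitimate and lives in exactly that kind of path); and it looks for process names one edit away from a core Windows binary, which is the taskmagr.exe-versus-taskmgr.exe trick this thread is about. The log excerpt is constructed in HijackThis layout; the taskmagr.exe process line is added to exercise the check because the poster had already killed it when the real log was taken. CORE_BINARIES and the function names are this example's own choices.

```python
r"""Offline triage of a HijackThis-style log (added example, not the thread's code).

Checks:
  1. start-page hijack: R0/R1 'Start Page' hosts that differ from the
     machine's own HKLM Default_Page_URL host;
  2. O4 autostart entries under a user profile (where droppers usually
     land) and O23 services with an unknown owner -- for review, not a verdict;
  3. lookalike process names one edit away from a core Windows binary.
"""
import re
from urllib.parse import urlparse

# Illustrative list of core XP binaries to compare process names against.
CORE_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "taskmgr.exe", "iexplore.exe",
    "spoolsv.exe", "wscntfy.exe", "alg.exe",
}
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\local settings\\", "\\temp\\")

# Constructed excerpt in HijackThis layout (see lead-in); not the full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\taskmagr.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
"""


def edit_distance(a, b):
    """Levenshtein distance; inputs are file names, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_processes(log):
    """Process-list paths whose file name is one edit from a core binary but is not one."""
    hits = []
    for line in log.splitlines():
        if not re.match(r"^[A-Za-z]:\\", line):
            continue  # only the 'Running processes' path lines
        name = line.rsplit("\\", 1)[-1].lower()
        if name in CORE_BINARIES:
            continue
        near = [b for b in CORE_BINARIES if edit_distance(name, b) == 1]
        if near:
            hits.append((line, near[0]))
    return hits


def hijacked_start_pages(log):
    """(hive, host) of Start Page entries whose host is not the HKLM default host."""
    baseline, pages = set(), []
    for line in log.splitlines():
        m = re.match(r"^R[01] - (HK\w+)\\.*,(Start Page|Default_Page_URL) = (\S+)", line)
        if not m:
            continue
        hive, key, url = m.groups()
        host = urlparse(url).hostname
        if hive == "HKLM" and key == "Default_Page_URL":
            baseline.add(host)
        elif key == "Start Page":
            pages.append((hive, host))
    return [(hive, host) for hive, host in pages if host not in baseline]


def suspicious_autostarts(log):
    """O4 entries under a user profile and O23 services with an unknown owner."""
    flagged = []
    for line in log.splitlines():
        if line.startswith("O4 ") and any(h in line.lower() for h in USER_PROFILE_HINTS):
            flagged.append(line)
        elif line.startswith("O23 ") and " - Unknown owner - " in line:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for label, fn in (("lookalike", lookalike_processes),
                      ("start page", hijacked_start_pages),
                      ("autostart", suspicious_autostarts)):
        for hit in fn(SAMPLE_LOG):
            print(label, "->", hit)
```

Run it against a saved log by reading the file into a string in place of SAMPLE_LOG. The lookalike check is the one worth keeping on every box: a name one character away from taskmgr.exe, svchost.exe or lsass.exe in the process list is far more telling than the dates on the file's Properties tab, which malware sets to whatever it likes.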
  • Lansman
  • Posts: 2

You are not alone. I got Chinese-language voices and sounds in IE (which I am forced to use against my will by certain services) and, having been alerted to this problem, I have found my last two days absorbed in finding a way to clean up.

iexplore.exe process would not quit, and I could overwrite or delete c:\iexplore.exe but it would reappear. I searched the registry for iexplore.exe and deleted every item knowing I may have to rebuild from a new install of the XP OS.

I had a copy of minipe and tried to clean up with that, but I think the most effective download was Norman. http://www.norman.com/ I put it in "Outbreak Mode" and a couple of hours later it found "taskmagr.exe". At the same time I downloaded IE version 7 and SP 3 and installed those... figuring the updates might cover infected files.

I just finished the reboot. I will return and let ya know if it did not work.
  • Lansman
  • Posts: 2

so far so good
  • Bogey
  • Posts: 8397
  • Loc: USA

Thanks but no thanks. After installing Norman and restarting my computer it took me 30 minutes to get the computer on and 9 minutes to get firefox open to find out Norman was blocking internet itself.

It took me another 25 minutes and two tries to uninstall Norman, and after I uninstalled Norman and restarted, my computer went back to normal. I mean, before-Norman normal, not normal as computers should be :lol:

Thanks though, you were trying to help :D

Anything else?
  • Bogey
  • Posts: 8397
  • Loc: USA

Well, this isn't so helpful :(

[EDIT:] I checked the event viewer and the following is under system:

TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

But still... nothing major. I don't think that even that would be anything of a problem. Are there any good virus scanners/removers that could be recommended? I don't have one except for Ad-Aware 2008, and for the others that see these things I need to pay, and at the moment money is tight... tighter than a deadly knot :roll:

~ Thanks
  • spork
  • Posts: 6252
  • Loc: Seattle, WA

Bogey wrote:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

mswindows-forum/tcp-has-reached-the-security-limit-imposed-t78665.html

That type of message indicates that some process is opening a lot of outgoing network connections on your computer. Run 'netstat -a -b' to track down which process is creating all of them. Alternatively, you can use a program like CurrPorts if you prefer a GUI-based tool.
  • VideoRipper
  • Posts: 15

As an added feature of this worm, you lose focus on the window you're working on (not very nice)...

You can get rid of the constant pop-ups/flash playing in the background by adding the following entries to your hosts file:
Code:
127.0.0.1   itv.hexun.com
127.0.0.1   www.hexun.com
127.0.0.1   www.zhenip.com
Mind that this is not a solution to the problem, just a quick fix to stop the pop-ups!

Greetz,

Peter.
  • Bogey
  • Posts: 8397
  • Loc: USA

The 'netstat -a -b' found the epmap thing that is listening, and googling that told me that it's the Blaster worm on port 135 (according to some forum).

The problem is, I don't know how to find which port it really is coming from... PID or something else?
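Added example (editorial, not part of the thread and not spork's or Bogey's code) covering both the 'netstat -a -b' advice above and the follow-up question about PIDs. The "security limit imposed on the number of concurrent TCP connect attempts" message is Windows XP SP2's Tcpip event 4226: the stack allows 10 half-open outbound connections at a time, and a process that keeps trying to reach many hosts shows up in `netstat -ano` as a pile of SYN_SENT rows owned by one PID. The script parses that output, ranks PIDs by pending connects, lists where the worst one is trying to go, and answers the "which PID owns the listener" question for a port. One caveat a practitioner would add: `epmap` is just netstat's service name for TCP port 135, the RPC endpoint mapper, which listens on every XP machine, so a listener on 135 by itself is not evidence of anything; what matters is the PID behind it and whether that PID is the svchost instance hosting RpcSs. The netstat excerpt is constructed; PIDs, addresses and function names are this example's own.

```python
"""Rank processes by pending TCP connect attempts from `netstat -ano` output
(added example, not the thread's code).

Constructed input modelled on the XP layout: Proto, Local Address,
Foreign Address, State (TCP only), PID.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2264
  TCP    192.168.1.5:1043       192.168.1.1:80         ESTABLISHED     1876
  TCP    192.168.1.5:1101       203.0.113.10:80        SYN_SENT        3320
  TCP    192.168.1.5:1102       203.0.113.11:80        SYN_SENT        3320
  TCP    192.168.1.5:1103       203.0.113.12:80        SYN_SENT        3320
  TCP    192.168.1.5:1104       203.0.113.13:80        SYN_SENT        3320
  TCP    192.168.1.5:1105       203.0.113.14:80        SYN_SENT        3320
  UDP    0.0.0.0:500            *:*                                    764
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows have no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or the indented process-name lines of -b
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # unexpected layout; skip rather than misattribute
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def half_open_by_pid(rows):
    """[(pid, count), ...] by pending outbound connects; the top entry is the
    usual cause of Tcpip event 4226 (limit of 10 half-open on XP SP2+)."""
    return Counter(r["pid"] for r in rows if r["state"] == "SYN_SENT").most_common()


def pending_destinations(rows, pid):
    """Distinct remote IPs a PID is still trying to reach."""
    return sorted({r["foreign"].rsplit(":", 1)[0]
                   for r in rows if r["pid"] == pid and r["state"] == "SYN_SENT"})


def listener_pid(rows, port):
    """PID that owns the TCP listener on `port` (135 is what -a prints as 'epmap')."""
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["local"].endswith(f":{port}"):
            return r["pid"]
    return None


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, n in half_open_by_pid(rows):
        print(f"PID {pid}: {n} pending connects -> {pending_destinations(rows, pid)}")
    print("port 135 listener PID:", listener_pid(rows, 135))
```

On the affected machine, capture the input with `netstat -ano > net.txt` (the `-o` column is the PID; `-b` also works but is slow on XP) and map the top PID to an image with `tasklist /FI "PID eq 3320"` or the PID column in Task Manager. A PID whose image is iexplore.exe with dozens of SYN_SENT rows to hosts you never visited is the background "flash video" behaviour described in this thread.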
  • loik
  • Posts: 2

Hi, I experience the same. Just a moment ago, my Internet Explorer went crazy and rapidly kept opening; just a minute before it happened, I heard in my speaker a chat or some Chinese voice. And I checked my processes in Task Manager and saw there were two task manager processes running; I ended the taskmagr.exe process and googled it, which led me here.

I deleted the taskmagr.exe file in Windows, and right now there's no problem after I restarted.

If I see anything weird again, I'm gonna post it here. Sorry that I can't really help.

regards,
loik
  • Bogey
  • Posts: 8397
  • Loc: USA

Actually, you did help me a little bit. Thanks for posting.
  • bricklayer
  • Posts: 1

I've been experiencing this since around Thanksgiving... The first time, I simply deleted taskmagr.exe from system32. However, last night I had an IE process running that was taking up over 400MB of memory. Needless to say, I deleted taskmagr.exe again (it was in my process list), but I am starting to think this is only a temporary fix. If anyone has a permanent solution, please post here. Thanks!
  • Bogey
  • Posts: 8397
  • Loc: USA

You have to scan your computer for any downloader.Agent! trojans. I got two of those but don't have any utility that would remove them.

After removing those trojans, make sure that taskmagr.exe is removed, if not, remove it manually. We will see from there.
  • loik
  • Posts: 2

Hi, there's no taskmagr.exe running in my processes ever again (I think). I have started and shut down my computer for two days now and in these two days I didn't see that process running.

But today I saw my Symantec Antivirus (SAV 9.0) delete one trojan (sorry, I didn't notice the virus name and this is my fault here). I think the virus tried to start the taskmagr.exe process again but was halted by my SAV.

I update my SAV 9.0 twice a week.

loik
  • Ticcer
  • Posts: 5

You are all not alone with this issue. It seems to be popping up all over the place and yet no anti-malware software seems to catch it.

So far I've updated my Flash Player because there is a vulnerability in some Flash Player versions that allows an attacker to take control of the affected system. See here:
http://www.adobe.com/support/security/b ... 07-12.html

I also implemented the hosts file data from this page:
http://www.mvps.org/winhelp2002/hosts.htm

...and blocked http://www.zhenip.com & news.hexun.com with the hosts file, but will definitely add itv.hexun.com & http://www.hexun.com to the list.


Suspicious files I've found are first, Taskmagr.exe which everyone with this problem seems to have or had. Others are wmdmpmsvc.dll, msftpd.dll, & mspush.dll.... all in the windows\system32 folder.

I have another strange .dll in C:\root called totnp233.dll

I used this amazingly small and super quick search tool called 'Everything', found here:
http://www.voidtools.com/
to search out all "hexun"-related files and deleted them.

Now I don't have the dumb Chinese voices anymore... download this small MP3 (438k) file if you wanna hear what I was getting...
http://www.mediafire.com/?sharekey=def1 ... 09e595c4aa


I recorded it using SoundTap to record everything going through the sound card.

BUT... I still have IEXPLORE.EXE loading itself in the background several times a day. It must be loading tons of separate windows because I get hundreds of registry changes wanting to happen regarding iexplore.exe that get picked up by Ad-Aware's Ad-Watch, and my CPU is running iexplore.exe at 100% capacity!

After deleting taskmagr.exe over a week ago, it came back a couple of times but has stayed away this time for 3 days. I reckon it is just called something else now.

Anyway, that's all I know at this point.

Ticcer
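Added example (editorial, not part of the thread and not VideoRipper's or Ticcer's code), covering the hosts-file entries VideoRipper posted and the MVPS hosts list Ticcer merged in. Two things go wrong when people edit this file by hand during an incident: entries get duplicated across re-edits, and nobody looks at what else is already in there. The script merges a block list into hosts-file text without duplicating hosts that are already mapped, and audits the file for the two patterns malware itself plants in hosts: a security or update site mapped anywhere (mapping it to loopback blocks the site, which is exactly the "can't reach any antivirus site" symptom), and any host mapped to a non-loopback address (a redirect). The sample hosts text is constructed, including one planted redirect; the BLOCKLIST is the set of hosts named in this thread; the WATCH domain list and all function names are this example's own choices.

```python
"""Idempotent hosts-file block entries plus an audit for hijacked entries
(added example, not the thread's code)."""

# Hosts named in this thread as the pop-up sources.
BLOCKLIST = ["itv.hexun.com", "www.hexun.com", "news.hexun.com", "www.zhenip.com"]

# Illustrative: domains whose presence in hosts is itself suspicious.
WATCH = ("microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
         "malwarebytes.org", "lavasoft.com", "pctools.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: one block entry already present, one planted redirect
# (198.51.100.7 is a documentation address, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.hexun.com
198.51.100.7    www.microsoft.com
"""


def parse_hosts(text):
    """(ip, hostname, line_no) for every mapping; a line may list several hosts."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()  # strip trailing comments
        if len(tokens) >= 2:
            for host in tokens[1:]:
                entries.append((tokens[0], host.lower(), n))
    return entries


def merge_blocklist(text, hosts, sink="127.0.0.1"):
    """Return (new_text, added_hosts); hosts already mapped are left alone."""
    present = {h for _, h, _ in parse_hosts(text)}
    added = [h for h in hosts if h.lower() not in present]
    if not added:
        return text, []
    if text and not text.endswith("\n"):
        text += "\n"
    text += "# added block entries\n" + "".join(f"{sink}\t{h}\n" for h in added)
    return text, added


def audit_hosts(text):
    """(line_no, host, ip, reason) for entries that look like tampering."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host == "localhost":
            continue
        watched = any(host == d or host.endswith("." + d) for d in WATCH)
        if watched:
            findings.append((n, host, ip, "security/update site remapped"))
        elif ip not in LOOPBACK:
            findings.append((n, host, ip, "redirect to non-loopback address"))
    return findings


if __name__ == "__main__":
    merged, added = merge_blocklist(SAMPLE_HOSTS, BLOCKLIST)
    print("added:", added)
    for finding in audit_hosts(merged):
        print("audit:", finding)
```

On XP the file is C:\WINDOWS\system32\drivers\etc\hosts; read it, pass the text through merge_blocklist, write it back, then `ipconfig /flushdns`. Run audit_hosts on the file before adding anything: if it already contains entries you never wrote, that is evidence in its own right, and as VideoRipper says, blocking three hosts stops the noise but does not remove whatever is launching iexplore.exe.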
  • Bogey
  • Posts: 8397
  • Loc: USA

Thanks for that, Ticcer. All this seemed to happen when I installed the update for Flash. Or it told me it was an update.

I was on the net browsing Ozzu when an installer popped-up giving me the file to install. It had two options... "Install" and "Cancel".

I clicked cancel and it still popped up; I repeated that like ten times until two of those darn things popped up. I thought if Flash wants me to update it that badly, I might as well, and so I clicked "Install".

After that, I heard music in the background and found the darn taskmagr.exe process running. And some other dll by hijackthis...
  • Ticcer
  • Posts: 5

That's interesting... I also had some Flash message about updating... I always ignore anything like that because I always manually update... Windows, Flash Player... everything! So if the Flash Player exploit is the source of the issue then it doesn't matter if you click cancel or install when that popup occurs.

Thanks for the reply.. the pieces of the puzzle are falling into place it seems.

Ticcer

EDIT: By the by, I have not had iexplore.exe load all day since I got rid of mspush.dll and totnp233.dll, so fingers crossed.
  • kenrippy
  • Posts: 2

I had to register to add to this topic. I have/had this same thing, and so has my friend. He actually had it about a week before I did. I thought he was crazy when he told me about the voices etc. coming from his PC.

I don't know where exactly this comes from; it's hard to even find other instances of it on the net via Google. I searched Symantec but didn't know exactly what search criteria to use.

I have Symantec Endpoint Protection, and my definitions were about a week out of date. After updating virus defs, it automatically found "taskmagr.exe" and deleted it.
Then I ran Ad-Aware Pro and it found some other junk. I now have Ad-Watch running all the time, and also Spy Sweeper. That Everything search app is amazing too!

For now, it looks like it's gone, but I don't trust that it's gone forever. I see a format in my future.

Hopefully there will be a tool to completely get rid of this thing soon.

Until then, this thread has helped me clear it up (at least for now).
Thanks to everyone here, Ticcer especially - your tips really helped.
  • fayyaz32
  • Posts: 2

My computer is infected with the Generic Host 32 virus. It stops my local file and print sharing and stops services also. Can anybody help me? I am new at this forum and this is my first post.
  • Bogey
  • Posts: 8397
  • Loc: USA

Download hijackthis and post a log here

Steps to Take Before Posting your Hijack This Log
  • sonictm
  • Posts: 5

I have a strange incarnation of this virus/worm/whatever it is. I first noticed it when I was cleaning (manually, as Symantec and Spybot are no longer working [apparently the virus disabled them somehow]) an infection of the Antivirus 2009 malware. Problem was, it blocked me from accessing any sites with any real antivirus software or information on the subject of removal.
Edit: other than this forum and Google cached versions.

Although they all came at once, as far as I can tell, I have three separate infections that merged together and (from what I can determine) got in as fake video codecs for ads. The first was the simple and easily removed Antivirus 2009. The second was an as-of-yet unremoved version of the go.google virus. The third is this taskmagr.exe thing that seems dormant other than force-loading iexplore every boot (yet no Chinese [is it even real Chinese?]).

Edit: When I log on now, I see a bit of a DOS prompt window for a split second, then it disappears. Tried to Print Screen it but that didn't work. (Wasn't fast enough?)

Any help would be great.

(I must say this is my worst battle with viral activity on the digital plane I've ever endured.)
  • sonictm
  • Posts: 5

Found the following on another forum after noticing the wmdmpmsvc.dll in my system32 directory without any information.

____________________________________________________
Hello, I'm running Windows XP with SP2 and all security updates.
I've been getting warnings every day now from Antivir for a while about 4 trojans:

Virus or unwanted program 'TR/Patched.BU.9 [trojan]'
detected in file 'C:\windows\system32\dmserver.dll'.

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\WINDOWS\System32\sensct.dll'.

Virus or unwanted program 'BDS/Backdoor.Gen [backdoor]'
detected in file 'C:\windows\system32\wmdmpmsvc.dll'.

Virus or unwanted program 'TR/StartPage.cyi [trojan]'
detected in file 'C:\WINDOWS\system32\taskmagr.exe'.


Additionally, when I have FlashGet open (Rapidshare download tool) and it tries to update itself I get the warning of a trojan:
Virus or unwanted program 'TR/Hijacker.Gen [trojan]'
detected in file 'E:\Program Files\FlashGet\updates.exe'.

--------

I was about to delete all these files using „Gipo@moveonboot“, but decided to ask your advice first. A quick Yahoo! search shows all these files as dubious:

taskmagr.exe,
sensct.dll,
wmdmpmsvc.dll,
except for dmserver.dll which seems to serve a purpose. Will I damage my computer if I delete these files?

----
I downloaded the FIX pack, ran Ccleaner and Malwarebytes. Malwarebytes came up with this:

Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 3
18.11.2008 16:47:44
mbam-log-2008-11-18 (16-47-41).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 361858
Time elapsed: 4 hour(s), 21 minute(s), 57 second(s)

Registry Keys Infected: 1
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.
Files Infected:
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.
----
It says „no action taken“ even though I had all boxes checked when I clicked „remove items“, but just to make sure I scanned these folders again and came up clean.

Thanks in advance

________________________________________________________________


What I forgot to mention in my former post was that I tried to download Malwarebytes and the installer didn't work, but if it affected FlashGet too...
I never thought one infection could cripple so many apps!

Edit: I also have the dmserver.dll thing. But it had properties so I didn't initially think it was malicious. I can't remove either DLL as they are apparently running and won't let me delete them. (I did easily delete taskmagr.exe after Alt+Ctrl+Del force-ending the task.)
  • Bogey
  • Posts: 8397
  • Loc: USA

I forgot about this program until I "refound" it today and used it.

SmitFraudFix

I did that and tomorrow I will know the results, but so far, so good.
  • Bogey
  • Posts: 8397
  • Loc: USA

Update on my deal here...

I just saw my desktop and found a new installer there that I hadn't seen before... bhr.exe... Browser Hijack Recoverer. I checked the properties and it said that it came from another computer and is blocked to protect this computer. That is good.

I get my internet from another computer at my house... it may be from there but I'm not so sure, is there any way I could find out where it came from?

Thanks.
  • Bogey
  • Posts: 8397
  • Loc: USA

Here is an update and a warning concerning this thing. I just got another pop-up to update my Flash Player thing. I restarted and the pop-up showed up again.

I checked my processes both time and it seems that it is showing because iexplorer.exe is running. So, I guess if those pop-ups are showing up make sure that iexplorer.exe is not running.

Also, if they do pop-up and they seem legit, I recommend to not install and going to the official site and doing it manually that way.

Another thing, I just got my first BSOD (Blue Screen Of Death) today... practically 15 minutes ago. Here is the information I gathered from it.

STOP: 0x0000008E (0xC0000090,0xF7970C5,0xEE9062A8,0x00000000)

senflit.sys - Address F7970C5C base at F7939000, Datestamp 414a45cc

And there's nothing in the event viewer...
  • Ticcer
  • Posts: 5

kenrippy wrote:
i see a format in my future.

hopefully there will be a tool to completely get rid of this thing soon.

until then, this thread has helped me clear it up (at least for now)
thanks to everyone here, Ticcer especially - your tips really helped.


No worries. I too see a format in my very near future. Something is still not right as things are a lot slower on my laptop since this thing ravaged the machine.

Yes, that Everything tool amazes me every day lol

Ticcer
  • Ticcer
  • Posts: 5

sonictm wrote:

taskmagr.exe,
sensct.dll,
wmdmpmsvc.dll,
except for dmserver.dll which seems to serve a purpose. Will I damage my computer if I delete these files?

[...]

C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.

[...]

Edit: I also have the dmserver.dll thing. But it had properties so I didn't initially think it was malicious. I can't remove either DLL as they are apparently running and won't let me delete them. (I did easily delete taskmagr.exe after Alt+Ctrl+Del force-ending the task.)


Use this little gem of a tool, Unlocker, to help with unlocking and deleting files that are in use by another process:
http://ccollomb.free.fr/unlocker/

I can't be without it on any system I use.

taskmagr.exe,
sensct.dll,
wmdmpmsvc.dll,
dmserver.dll

I have deleted all the above files from my computer, except for sensct.dll, which I didn't have in the first place. I run XP SP3. I have not had a BSOD. The Chinese voices stopped after I removed mspush.dll and totnp233.dll as explained earlier.

As for,

C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon

If you have installed any Trymedia games or programs on your machine these files may be required and may be a false positive. I'd e-mail Trymedia and see what they say if I were you.

Ticcer
  • kenrippy
  • Posts: 2

Mine seems to be gone as well.

It looks like M$ have finally realized the new threats to IE and released a critical update for it. (12-17-08)
http://www.computerworld.com/action/art ... rc=hm_list


Seems like they're a little late for us.

I've been using Unlocker for a while now, and it's become a very handy tool to have at the ready.
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.