taskmagr.exe

  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post November 26th, 2008, 9:56 pm

I just scanned my computer with HijackThis and found out I had taskmagr.exe running as a process. I checked its properties and it was created on Wednesday, August 04, 2004, 4:00:00 AM, last modified on Sunday, April 13, 2008, 6:12:08 PM and accessed today, November 26, 2008, 10:52:36 PM. I googled that process and found out that it is a worm.

The reason I decided to scan my computer is because the process iexplorer.exe starts at random and starts running some flash video. I can't see anything, it's in the background, but I hear voices/music. Whatever... and it starts to repeat over and over.

Any help here? Thanks so much.


It's safe to remove taskmagr.exe... right? The address to it on my computer is C:/WINDOWS/system32/taskmagr.exe ... it's safe, right? I mean Google says it's a worm, hijackthis.de says it's extremely nasty, I had never had this process running (or not that I have noticed) and now that it is (or now that I did notice it) I have problems with my computer. Everything points in favor of deleting it... I just want to get a second approval.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8

  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post November 26th, 2008, 10:32 pm

Alright... I just did a more in-depth scan of my computer and found the following infections.

Spyware Doctor found:

Trojan-Downloader.Agent!sd6 (C:/WINDOWS/System32/dmserv.dll)
Trojan.Agent!sd6 (C:/WINDOWS/System32/wmdmpmsvc.dll)

Both of those are running under svchost.dll

PrevX CSI found:

c:/WINDOWS/System32/dmserv.dll
c:/WINDOWS/System32/wmsmpmsvc.dll
c:/WINDOWS/System32/mspdtc.dll
c:/WINDOWS/System32/taskmagr.exe
c:/WINDOWS/System32/msfontsew.dll

Since both copies are unregistered copies, I can't remove them and I don't have the money to buy the license right now.

Is it safe for me to just delete those files? Or will the trojans/worms stay within the registry and still hurt my computer?

- Thanks
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post November 27th, 2008, 9:41 am

I just scanned with spyware doctor again and it came up with two additional trojans.

Trojan.Startpage!sd6
Trojan-Downloader.Agent!sd5

Along with the two found yesterday. I scanned my computer with Ad-Aware 2008 and removed 5 threats, two of which were high risk, and I guess those were the ones not found by Spyware Doctor. Any help or ideas here? Thanks.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post November 28th, 2008, 11:57 am

No one? No help? Googling those things doesn't help, because anything that may be of some use that comes up on Google is just the different names used by the various spyware/virus scanners, and googling them brings me about the same results.

Here's my hijackthis file in case I forgot something.

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:52 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\wamp\wampmanager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 9737 bytes


The taskmagr.exe was in the running processes then. I ended the process, but I still have it in the system32 folder.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Lansman
  • Born
  • Born
  • Joined: Nov 28, 2008
  • Posts: 2
  • Status: Offline

Post November 28th, 2008, 11:55 pm

You are not alone. I got Chinese language voice and sounds in IE (which I am forced to use against my will by certain services) and, having been alerted to this prob, I have found my last two days absorbed in finding a way to clean up.

The iexplore.exe process would not quit, and I could overwrite or delete c:\iexplore.exe but it would reappear. I searched the registry for iexplore.exe and deleted every item, knowing I may have to rebuild from a new install of the XP OS.

I had a copy of minipe and tried to clean up with that, but I think the most effective download was Norman. http://www.norman.com/ I put it in "Outbreak Mode" and a couple of hours later it found "taskmagr.exe". At the same time I downloaded IE version 7 and SP 3 and installed those... figuring the updates might cover infected files.

I just finished the reboot. I will return and let ya know if it did not work.
  • Lansman
  • Born
  • Born
  • Joined: Nov 28, 2008
  • Posts: 2
  • Status: Offline

Post November 29th, 2008, 2:09 am

so far so good
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post November 29th, 2008, 12:03 pm

Thanks but no thanks. After installing Norman and restarting my computer it took me 30 minutes to get the computer on and 9 minutes to get firefox open to find out Norman was blocking internet itself.

It took me another 25 minutes and two tries to uninstall Norman, and after I uninstalled Norman and restarted, my computer went back to normal. I mean, before-Norman normal, not normal as computers should be :lol:

Thanks though, you were trying to help :D

Anything else?
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post December 2nd, 2008, 10:14 pm

Well, this isn't so helpful :(

[EDIT:] I checked the event viewer and the following is under system:

TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

But still... nothing major. I don't think that even that would be much of a problem. Are there any good virus scanners/removers that could be recommended? I don't have one except for Ad-Aware 2008, and for the others that see these things I need to pay for them, and at the moment money is tight... tighter than a deadly knot :roll:

~ Thanks
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • spork
  • Brewmaster
  • Silver Member
  • Joined: Sep 22, 2003
  • Posts: 6129
  • Loc: Seattle, WA
  • Status: Offline

Post December 2nd, 2008, 10:54 pm

Bogey wrote:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

mswindows-forum/tcp-has-reached-the-security-limit-imposed-t78665.html

That type of message indicates that some process is opening a lot of outgoing network connections on your computer. Run 'netstat -a -b' to track down which process is creating all of them. Alternatively, you can use a program like CurrPorts if you prefer a GUI-based tool.
The Beer Monocle. Classy.
  • VideoRipper
  • Novice
  • Novice
  • Joined: Dec 03, 2008
  • Posts: 15
  • Status: Offline

Post December 3rd, 2008, 1:15 am

As an added feature of this worm, you lose focus on the window you're working on (not very nice)...

You can get rid of the constant pop-ups/playing flash in the background by adding the following entries to your hosts file:
Code:
127.0.0.1   itv.hexun.com
127.0.0.1   www.hexun.com
127.0.0.1   www.zhenip.com
Mind that this is not a solution to the problem, just a quick fix to stop the pop-ups!

Greetz,

Peter.
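The hosts-file workaround above is easy to get wrong by hand (a duplicate line, a name that is already mapped, a trailing comment). The following is an added example, not code from the thread or from any of the posters: it parses a constructed Windows hosts file, reports which of the three names from the post are already sinkholed to loopback, and appends only the missing ones. The sample file contents and the comment marker are constructed for the example.

```python
import re

# Constructed sample of a Windows hosts file (not any poster's real file).
# One of the three names from the post is already present, with a trailing comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1   www.hexun.com   # already added by hand
"""

# The three names the post says to sinkhole.
BLOCK_ENTRIES = ["itv.hexun.com", "www.hexun.com", "www.zhenip.com"]

# Addresses that make a name resolve to "nowhere" for the purposes of this check.
SINKHOLE_ADDRS = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hosts(text):
    """Map each hostname in the file to its address, ignoring comments and blank lines.

    hosts format: <address> <name> [<alias> ...]  [# comment]
    The first mapping for a name wins, which is how the resolver treats duplicates.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        parts = re.split(r"\s+", line)
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def sinkholed_hosts(text, names):
    """Return the subset of `names` that already resolve to a loopback/null address."""
    mapping = parse_hosts(text)
    return {n for n in names if mapping.get(n.lower()) in SINKHOLE_ADDRS}


def add_block_entries(text, names, addr="127.0.0.1"):
    """Return the hosts text with an entry appended for every name not yet present.

    Idempotent: running it twice on the same text changes nothing the second time.
    """
    present = parse_hosts(text)
    missing = [n for n in names if n.lower() not in present]
    if not missing:
        return text
    out = text if text.endswith("\n") else text + "\n"
    out += "# added: sinkhole entries for the pop-up sites (marker is constructed)\n"
    for n in missing:
        out += f"{addr}   {n}\n"
    return out


if __name__ == "__main__":
    print("already sinkholed:", sorted(sinkholed_hosts(SAMPLE_HOSTS, BLOCK_ENTRIES)))
    updated = add_block_entries(SAMPLE_HOSTS, BLOCK_ENTRIES)
    print(updated)
```

On Windows XP the live file is C:\WINDOWS\system32\drivers\etc\hosts; to apply this for real you would read that file, pass its text through add_block_entries, and write it back as an administrator. As the post itself says, this only silences the pop-ups; it does nothing about the files that keep launching them.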
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post December 3rd, 2008, 3:22 pm

The 'netstat -a -b' found the epmap thing that is listening, and googling that told me that it's a Blaster worm on port 135 (according to some forum).

The problem is, I don't know how to find which port it really is coming from... PID or something else?
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
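spork's advice (run netstat to see which process is opening all the connections) and the follow-up question (how to tie a connection back to a PID) both come down to reading the PID column of `netstat -a -n -o` and counting. The message quoted from the event log is the one Windows XP SP2 writes as event 4226 when a single process has 10 or more half-open (SYN_SENT) outbound connection attempts at once, so SYN_SENT rows per PID is the column to watch. The following is an added example, not code from the thread: it parses netstat output and flags PIDs at or above that cap. The netstat text is constructed (documentation IP ranges, invented PIDs); PID 3316 stands in for a process spraying connections.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -a -n -o` output (NOT taken from the thread).
_SAMPLE_HEADER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1041       203.0.113.7:80         ESTABLISHED     2260
  UDP    0.0.0.0:445            *:*                                    4
"""


def build_sample_netstat(attempts=12, pid=3316):
    """Append `attempts` half-open outbound rows for one invented PID to the sample."""
    rows = [
        f"  TCP    192.168.1.5:{1050 + n:<16} 198.51.100.{20 + n}:80       SYN_SENT        {pid}"
        for n in range(attempts)
    ]
    return _SAMPLE_HEADER + "\n".join(rows) + "\n"


# One socket row: proto, local, remote, optional state (UDP rows have none), PID.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            sockets.append(d)
    return sockets


def connections_by_pid(sockets):
    """Per PID: total sockets, half-open outbound attempts, distinct remote hosts."""
    report = defaultdict(lambda: {"total": 0, "syn_sent": 0, "remote_hosts": set()})
    for s in sockets:
        entry = report[s["pid"]]
        entry["total"] += 1
        if s["state"] == "SYN_SENT":
            entry["syn_sent"] += 1
        host = s["remote"].rsplit(":", 1)[0]
        if host not in ("0.0.0.0", "*", "127.0.0.1"):
            entry["remote_hosts"].add(host)
    return dict(report)


def suspicious_pids(sockets, threshold=10):
    """PIDs whose half-open attempts reach the XP SP2 per-process cap (10 by default)."""
    report = connections_by_pid(sockets)
    return sorted(pid for pid, e in report.items() if e["syn_sent"] >= threshold)


if __name__ == "__main__":
    socks = parse_netstat(build_sample_netstat())
    for pid, e in sorted(connections_by_pid(socks).items()):
        print(f"PID {pid:>5}: {e['total']:>3} sockets, {e['syn_sent']:>3} SYN_SENT, "
              f"{len(e['remote_hosts'])} distinct remote hosts")
    print("suspicious:", suspicious_pids(socks))
```

On the real machine, pipe `netstat -a -n -o` into parse_netstat, then map any flagged PID to its image name with `tasklist /fi "PID eq <pid>"` (or read the name straight from `netstat -b`, which needs an administrator prompt). A PID with dozens of SYN_SENT rows to many different hosts is the process to look at, whatever it calls itself in Task Manager.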
  • loik
  • Born
  • Born
  • Joined: Dec 05, 2008
  • Posts: 2
  • Status: Offline

Post December 5th, 2008, 11:10 pm

Hi, I experience the same. Just a moment ago, my Internet Explorer went crazy and rapidly kept opening; just a minute before it happened, I heard in my speaker a chat or some Chinese voice. And I checked my processes in Task Manager and saw there were two task manager processes running; I ended the taskmagr.exe process and googled it, which led me here.

I deleted the taskmagr.exe file in Windows, and right now there's no problem after I restarted.

If I see anything weird again, I'm gonna post it here. Sorry that I can't really help.

regards,
loik
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post December 6th, 2008, 8:51 pm

Actually, you did help me a little bit. Thanks for posting.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • bricklayer
  • Born
  • Born
  • Joined: Dec 08, 2008
  • Posts: 1
  • Status: Offline

Post December 8th, 2008, 8:17 pm

I've been experiencing this since around Thanksgiving... The first time I simply deleted taskmagr.exe from system32. However, last night I had an IE process running that was taking up over 400MB of memory. Needless to say, I deleted taskmagr.exe again (it was in my process list), but I am starting to think this is only a temporary fix. If anyone has a permanent solution, please post here. Thanks!
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post December 8th, 2008, 8:59 pm

You have to scan your computer for any downloader.Agent! trojans. I got two of those but don't have any utility that would remove them.

After removing those trojans, make sure that taskmagr.exe is removed, if not, remove it manually. We will see from there.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.