Windows XP Task Manager starts and instantly teminates

This is going to be a long, long thread, 6 pages already. I'm in, as soon as he post the new log, I see if I can help.

I still see these items in the running processes section:

C:\WINDOWS\system32\MWWRQOEBN.EXE
C:\WINDOWS\System32\hdrmmzie.exe
C:\WINDOWS\system32\MSCRON.EXE

This time, stay online and do this:

Start > Run: cmd.exe
Enter these commands one at a time:


Let me know if you receive any errors when you execute these commands.

Run hijack this again and post the log.

Howdy Labrego! One of those tasks that are running is causing the problem. They should have been deleted but are still present. The newest log looks substantially better than the original, however.

this is what it says when i run cmd with those commands

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Lauren>Taskkill /F /IM MWWRQOEBN.EXE
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>Taskkill /F /IM MWWRQOEBN.EXE
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>Taskkill /F /IM hdrmmzie.exe
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>Taskkill /F /IM MSCRON.EXE
'Taskkill' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Lauren>
C:\Documents and Settings\Lauren>Attrib -s -r -h C:\WINDOWS\system32\MWWRQOEBN.E
XE

C:\Documents and Settings\Lauren>attrib -s -r -h C:\WINDOWS\System32\hdrmmzie.ex
e

C:\Documents and Settings\Lauren>attrib -s -r -h C:\WINDOWS\system32\MSCRON.EXE


C:\Documents and Settings\Lauren>
C:\Documents and Settings\Lauren>Del C:\WINDOWS\system32\MWWRQOEBN.EXE
C:\WINDOWS\system32\mwwrqoebn.exe
Access is denied.

C:\Documents and Settings\Lauren>Del C:\WINDOWS\System32\hdrmmzie.exe
C:\WINDOWS\System32\hdrmmzie.exe
The process cannot access the file because it is being used by another process.

C:\Documents and Settings\Lauren>Del C:\WINDOWS\system32\MSCRON.EXE

Ah, okay. That explains it. Taskkill is not present.

Okay Download this tool, unzip it and place pskill.exe in your system32 folder (C:\windows\system32\).

http://members.aol.com/jrzycrim01/misc/pskill.zip

run these commands:


Run hijack this, scan and fix the following items:
O4 - HKLM\..\Run: [Yahoo Instant Messenger] MWWRQOEBN.EXE
O4 - HKLM\..\Run: [ygrtrlyklbe] C:\WINDOWS\System32\hdrmmzie.exe
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE

Run hijack this, scan, save log, post here:

sorry for so many posts, i just want to thank you in advance for helping me solve this problem

Howdy Jim, I see what I can do to help without disturb (man I hate this darn laptop keyboards)

dthames0702 how do yo manage to run taskkill before?, Jim ask you to run it two or three posts before

No worries. Sometimes it takes a few run-throughs to get things sorted.

Your not a disturbance. Your input is always helpful.

I'm wondering why taskkill is not there. As far as I know it should be available in XP home/PRO as well as 2000. Maybe something nasty happened to it.

hey thanks everything works fine now, here is the log

Logfile of HijackThis v1.98.2
Scan saved at 12:50:09 AM, on 9/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\aolmsngr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05f352d0bde ... xIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://zeus.findlay.edu:8011/webapps/co ... _1-win.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

hehe, Thanks. Don't relally know what happen... maybe the path... maybe he started cmd.exe some other way... I am thinking.

mmm I always miss the real action

Great. Glad it's working now.

Here's a couple of things for you to do:

Go to internet options (from the control panel or tools menu of IE) and click delete cookies, delete files. That will ensure nothing nasty is left in your cache.

Also, I recommend Spywareblaster for preventing future infections:
http://www.javacoolsoftware.com/spywareblaster.html

Download and install it. Make sure to keep it updated and enable all protection.

And stay away from questionable web sites.

Good luck

Oh yeah, update your virus definitions and do a full scan just to be careful. check this thread later, there are a couple of things I want to look up that may need fixing.

I noticed an entry relating to Wild Tangent:
http://techrepublic.com.com/5208-6239-0 ... dID=157036

It doesn't really seem to be harmful but if you don't use it, you might consider uninstalling it. Read through that thread and decide if you need it or not.

Don't worry, I think there is going to be plenty of action pretty soon. More and more people are going to be directed to Ozzu via google. I'm sure that's how people are finding this thread.

Normally, taskkill is found in the system32 directory. System32 is in the command path and anything in it should be accessible from the command prompt no matter where you are.

There is also a backup in system32\dllcache which Windows File Protection keeps track of incase the original get's trashed.

That's why I said this looks like a long thread. I am learning from your skills, now I know what spyware names to look for

It's good to see people comming here from google, is incredible how many infected computers are out there