msnmsgr.exe???



#1 crocodile_tech7

crocodile_tech7

    Computer Tech/Computer Network Specialist

  • Full Member
  • Pip
  • 6 posts

Posted 15 July 2004 - 04:05 PM

Here is my hijack log. I know I can see some files that need to be deleted, which are the simple ones, but msnmsgr still comes up after restart.

Logfile of HijackThis v1.97.7
Scan saved at 4:06:44 PM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...d=ie&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7964.3795601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

#2 ChrisRLG

ChrisRLG

    Malware Remover

  • Retired Staff
  • PipPipPipPipPip
  • 703 posts

Posted 15 July 2004 - 04:08 PM

Client being helped in chat

I am checking post now.
ASAP member since 2004 - MS MVP member since 2005
My- computer Safety online - Article and others Texruss's Hijackthis FAQ
Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."

#3 ChrisRLG

ChrisRLG

    Malware Remover

  • Retired Staff
  • PipPipPipPipPip
  • 703 posts

Posted 15 July 2004 - 04:17 PM

Asked client to get the update to HijackThis and uninstall DateManager and GMT.

Client is using a USB drive (E: for hijackthis)

#4 crocodile_tech7

crocodile_tech7

    Computer Tech/Computer Network Specialist

  • Full Member
  • Pip
  • 6 posts

Posted 15 July 2004 - 04:44 PM

This is the updated one:

Logfile of HijackThis v1.97.7
Scan saved at 4:43:47 PM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
E:\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7964.3795601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

#5 ChrisRLG

ChrisRLG

    Malware Remover

  • Retired Staff
  • PipPipPipPipPip
  • 703 posts

Posted 15 July 2004 - 05:04 PM

Use 'Ctrl' + 'Alt' + 'Del' (three keys together) to get Task Manager. Find these processes and 'End Task' them.
OR
Use the process viewer in HijackThis (Config, Misc Tools, Process Viewer) to unload the following running processes.


CMESys.exe
msnmsgr.exe
DateManager.exe
GMT.exe

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe
O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

Then reboot to Safe Mode (F8 on boot) and delete the following files/folders:
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View, hidden and operating system files are set to show:
http://www.xtra.co.n...1916458,00.html
Or items 8 & 9 from this link:
http://www.russellte...qhijackthis.htm

Folder > C:\Program Files\Common Files\CMEII\
File > msnmsgr.exe (you will need to search to find it)
Folder > C:\Program Files\Date Manager\
Folder > C:\Program Files\Common Files\GMT\

Then Reboot and post a fresh log for me to check.

#6 crocodile_tech7

crocodile_tech7

    Computer Tech/Computer Network Specialist

  • Full Member
  • Pip
  • 6 posts

Posted 16 July 2004 - 10:06 AM

Chris,

Well Chris, from what I see, it seems that it worked, unless you see something else in this new log. I updated the version. The only thing is that I had to delete one at a time because it doesn't let you work with hijack for that long. So I had to speed through it, "Scan, search, check, fix" for each one, just enough time before it would kick me out and I would have to restart hijack, but it worked. I had tried deleting first through safe mode because it will allow me to run hijack with no problem, and I was deleting them. However, when I had restarted in normal mode they reappeared. Then I read that you had said to only boot in safe mode after you end the processes through hijack. However, it seems to be working well. Here is the log. And once again you have been very helpful. I give you here 2 logs, both with the updated version: one log to view before I made changes and the other after I made them. One question: how often, give or take, do new versions come out?




this is before changes

Logfile of HijackThis v1.98.0
Scan saved at 9:10:22 AM, on 7/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\msnmsgr.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\smlab.CACERES\Desktop\HijackThis\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us


This is afterwards

Logfile of HijackThis v1.98.0
Scan saved at 9:33:20 AM, on 7/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
E:\HijackThis\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

#7 crocodile_tech7

crocodile_tech7

    Computer Tech/Computer Network Specialist

  • Full Member
  • Pip
  • 6 posts

Posted 16 July 2004 - 10:14 AM

Chris,

One more thing: could you explain to me how DateManager, GMT and CMEII work with msnmsgr.exe? I was just wondering if you can tell me who it all works. Because once I tell the other techs how to get rid of this msnmsgr, they're gonna ask me and I don't want to sound stupid and say "Uh, I don't know."
Thanks

#8 crocodile_tech7

crocodile_tech7

    Computer Tech/Computer Network Specialist

  • Full Member
  • Pip
  • 6 posts

Posted 16 July 2004 - 10:16 AM

Sorry, I meant how, not who. I know you know what I meant. Just had to say it.

#9 ChrisRLG

ChrisRLG

    Malware Remover

  • Retired Staff
  • PipPipPipPipPip
  • 703 posts

Posted 16 July 2004 - 11:32 AM

The best answer is that they are not necessarily connected.

This is the database (one of) that we use to look up our data
http://www.sysinfo.org/startuplist.php

This is the data on DateManager.
http://www.sysinfo.o...DateManager.exe
====quote=======
Date Manager
X
datemanager.exe
Date Manager - calendar program. Spyware/adware based provided by The Gator Corporation
===============
The X tells me it is bad - so I get you to remove. This one is provided by the Gator advertising network. (They have since renamed)

It may be that your virus came in at the same time - who knows.

Do you still have problems with HijackThis closing?

#10 fabuleuse

fabuleuse

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 16 July 2004 - 11:46 AM

I'm probably being stupid here, but why are you trying to get rid of msnmsgr.exe = MSN Messenger?

#11 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 16 July 2004 - 02:24 PM

Fabuleuse, that is not the MSNmessenger file! Same filename, but it's in the wrong location, and the name of the process is wrong! Look at the log, and you will see that it is showing as Windows Login.
Definitely a nasty!

The normal entry for MSNmessenger is
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
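
The check described in the reply above (same file name, wrong folder, wrong Run value name), as an added example that is not part of the original thread. The function names and the one-entry baseline are assumptions; the baseline holds only the normal MSN Messenger entry quoted above, and the sample lines are copied from the logs in this thread.

```python
import re
from pathlib import PureWindowsPath

# Expected autorun for the genuine program, taken from the reply above.
KNOWN_GOOD = {"msnmsgr.exe": {"name": "msnmsgr",
                              "dir": r"c:\program files\msn messenger"}}

# Lines copied from the logs in this thread, plus the normal entry quoted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe
O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', re.I)

def parse_o4(line):
    """Return (hive, value name, executable path) for a registry autorun line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Global Startup shortcuts and other sections are skipped
    exe = EXE_RE.match(m["cmd"].strip())
    path = (exe.group(1) or exe.group(2)) if exe else m["cmd"].strip()
    return m["hive"], m["name"], PureWindowsPath(path)

def masquerade_findings(log_text):
    """Flag autoruns that reuse a known file name with the wrong name or folder."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if not parsed:
            continue
        hive, name, exe = parsed
        expected = KNOWN_GOOD.get(exe.name.lower())
        if expected is None:
            continue  # not a file name we hold a baseline for
        reasons = []
        if name.lower() != expected["name"]:
            reasons.append(f"value name {name!r}, expected {expected['name']!r}")
        if str(exe.parent).lower() != expected["dir"]:
            reasons.append(f"not launched from {expected['dir']}")
        if reasons:
            findings.append((hive, name, str(exe), reasons))
    return findings

if __name__ == "__main__":
    for hive, name, exe, reasons in masquerade_findings(SAMPLE_LOG):
        print(f"{hive} [{name}] {exe}: " + "; ".join(reasons))
```

An entry with no folder at all, such as the two `[Windows Login]` lines, is resolved by Windows through the search path, which is why the running-process list in the later log shows it under `C:\WINNT\system32`.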

#12 crocodile_tech7

crocodile_tech7

    Computer Tech/Computer Network Specialist

  • Full Member
  • Pip
  • 6 posts

Posted 20 July 2004 - 04:29 PM

And also, if your administrator password is blank you must change it to an actual password. If not, it will come back and be knocking at your doorstep again.



