crocodile_tech7

msnmsgr.exe???

12 posts in this topic

Here is my hijack log. I know I can see some files that need to be deleted, which are the simple ones, but msnmsgr still comes up after restart.

 

Logfile of HijackThis v1.97.7

Scan saved at 4:06:44 PM, on 7/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

E:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe

O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7964.3795601852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us


Asked client to get the update to HijackThis and uninstall DateManager and GMT.

 

Client is using a USB drive (E: for hijackthis)


This is the updated one:

Logfile of HijackThis v1.97.7

Scan saved at 4:43:47 PM, on 7/15/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

E:\HijackThis.exe

 

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe

O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7964.3795601852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us


Use 'ctrl' + 'alt' + 'del' (three keys together) to get Task Manager. Find these processes and 'end task' them.

OR

Use the process viewer in Hijackthis, Config, Misc Tools, Process Viewer, to unload the following running processes.

 

CMESys.exe

msnmsgr.exe

DateManager.exe

GMT.exe

 

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

 

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe

O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe

O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

 

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Or items 8 & 9 from this link :

http://www.russelltexas.com/malware/faqhijackthis.htm

 

Folder > C:\Program Files\Common Files\CMEII\

File > msnmsgr.exe (you will need to search to find it)

Folder > C:\Program Files\Date Manager\

Folder > C:\Program Files\Common Files\GMT\

 

Then Reboot and post a fresh log for me to check.


Chris,

 

Well Chris, from what I see, it seems that it worked, unless you see something else in this new log. I updated the version. The only thing is that I had to delete one at a time because it doesn't let you work with hijack for that long. So I had to speed through it "Scan, search, check, fix, for each one", just enough time before it would kick me out and I would have to restart hijack, but it worked. I had tried deleting first through safe mode because it will allow me to run hijack with no problem, and I was deleting them. However, when I restarted in normal mode they reappeared. Then I read that you had said to only boot in safe mode after you end the processes through hijack. However, it seems to be working well. Here is the log. And once again you have been very helpful. I give you here 2 logs, both with the updated version: one log to view before I made changes and the other after I made them. One question: how often, give or take, do new versions come out?

 

 

 

 

this is before changes

 

Logfile of HijackThis v1.98.0

Scan saved at 9:10:22 AM, on 7/16/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\msnmsgr.exe

C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\PrecisionTime\PrecisionTime.exe

C:\WINNT\System32\svchost.exe

C:\Documents and Settings\smlab.CACERES\Desktop\HijackThis\HijackThis.exe

 

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

 

 

This is afterwards

 

Logfile of HijackThis v1.98.0

Scan saved at 9:33:20 AM, on 7/16/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

C:\Program Files\PrecisionTime\PrecisionTime.exe

E:\HijackThis\HijackThis.exe

 

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC69199-C4AF-4AF9-A89B-09262908E6BC}: NameServer = 10.107.0.10

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caceres.donna.k12.tx.us


Chris,

 

One more thing: could you explain to me how DateManager, GMT and CMEII work with msnmsgr.exe? I was just wondering if you can tell me how it all works. Because once I tell the other techs how to get rid of this msnmsgr, they're gonna ask me, and I don't want to sound stupid and say "Uh, I don't know."

thanks


The best answer is that they are not necessarily connected.

 

This is the database (one of) that we use to look up our data

http://www.sysinfo.org/startuplist.php

 

This is the data on DateManager.

http://www.sysinfo.org/startuplist.php?fil...DateManager.exe

====quote=======

Date Manager

X

datemanager.exe

Date Manager - calendar program. Spyware/adware based provided by The Gator Corporation

===============

The X tells me it is bad - so I get you to remove. This one is provided by the Gator advertising network. (They have since renamed)

 

It may be that your virus came in at the same time - who knows.

 

Do you still have problems with HijackThis closing?


Fabuleuse, that is not the MSNmessenger file! Same filename, but it's in the wrong location, and the name of the process is wrong! Look at the log, and you will see that it is showing as Windows Login.

Definitely a nasty!

 

The normal entry for MSNmessenger is

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

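As an added example (not part of the original thread), the check described in the post above, same filename but wrong Run value name and wrong location, can be run over the O4 lines of a HijackThis log. The `BASELINE` table and the function names are assumptions made for this example; the baseline holds only the normal MSN Messenger entry quoted above, and the sample lines are taken from the logs in this thread.

```python
import ntpath
import re

# Known-good baseline: image name -> (Run value name, install directory).
# Assumption: only the normal MSN Messenger entry quoted in the thread.
BASELINE = {"msnmsgr.exe": ("MsnMsgr", r"C:\Program Files\MSN Messenger")}

# Matches registry Run-style O4 lines; "Global Startup" shortcuts are skipped.
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def image_path(cmd):
    """Return the executable part of a Run command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def find_masquerades(log_text):
    """Flag O4 entries whose image name is in BASELINE but whose value
    name or directory differs from the known-good entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        directory, image = ntpath.split(image_path(m["cmd"]))
        expected = BASELINE.get(image.lower())
        if expected is None:
            continue  # not a name we have a baseline for (e.g. mobsync.exe)
        reasons = []
        if m["name"].lower() != expected[0].lower():
            reasons.append("value name %r, expected %r" % (m["name"], expected[0]))
        if directory.lower() != expected[1].lower():
            shown = directory or "(no path, resolved via search path)"
            reasons.append("directory %s, expected %s" % (shown, expected[1]))
        if reasons:
            findings.append((m["key"], m["name"], reasons))
    return findings

SAMPLE = r'''
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Login] msnmsgr.exe
O4 - HKLM\..\RunServices: [Windows Login] msnmsgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
'''

if __name__ == "__main__":
    for key, name, reasons in find_masquerades(SAMPLE):
        print(key, "[%s]" % name, "->", "; ".join(reasons))
```

A bare filename alone is not enough to flag an entry (the legitimate `mobsync.exe /logon` line has no path either), which is why the comparison is made against a known-good entry for the same image name.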

And also, if your administrator password is blank, you must change it to an actual password. If not, it will come back and be knocking at your doorstep again.
