#1
Registered User
Join Date: Apr 2005
Posts: 5
OS: Win2000
TASKMGRU.EXE, MSIMN32.EXE, BHOASS.DLL help!!!!!!!!!
I have this new virus on my computer that nobody seems to know anything about. No anti-virus software detects it. I have done everything to try to get rid of the files but they keep coming back every time I start Explorer. The only thing I could find on this virus was 1 German site that wasn't much help. I've tried Ad-Aware, HijackThis, Microsoft's AntiSpyware, and the German site says KillBox doesn't work. My log is below. Please help, this virus has taken over everything!!!
```
Logfile of HijackThis v1.96.0
Scan saved at 1:41:49 PM, on 4/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\explorer.exe
C:\WINNT\Mixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\TASKMGRU.EXE
C:\WINNT\system32\MSIMN32.EXE
C:\MOZILL~1\MOZILL~1\MOZILL~1.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator.YAM-BAG\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINNT\bhoass.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINNT\System32\mstask.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSIMN32] C:\WINNT\system32\MSIMN32.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINNT\system32\TASKMGRU.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/de.../GSManager.cab
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...1F/wmvadvd.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/co...y/iesnoopy.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...428.8826736111
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...ed/install.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhel...6/dlhelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
```
#2
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2
Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.
You have an outdated version of HijackThis. Download the newest version at http://www.greyknight17.com/spy/HijackThis.exe and run it. Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Navigate to these two files:

```
C:\WINNT\system32\MSIMN32.EXE
C:\WINNT\system32\TASKMGRU.EXE
```

Right click each one, and go to Properties > View tab and tell me as much about each file as you can, including its size, date etc...

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

eClicks

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

```
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINNT\bhoass.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...eed/install.cab
```

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

```
C:\WINNT\System32\blank.htm
C:\WINNT\bhoass.dll
```

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
#3
Registered User
Join Date: Apr 2005
Posts: 5
OS: Win2000
Ok I did everything you said and I even went through and deleted some other registry values such as the CLSID value for bhoass and some values in the Internet Explorer\Main\ in the Local Machine. They still came back after I rebooted. Here is the following information you requested:
MSIMN32.EXE - size: 30.5kb, size on disk: 32kb, Created: June 19, 2003 03:05:04, Modified: June 19, 2003 03:05:04, Accessed: April 15, 2005 10:21:49.

TASKMGRU.EXE - size: 30.5kb, size on disk: 32kb, Created: June 19, 2003 03:05:04, Modified: June 19, 2003 03:05:04, Accessed: April 15, 2005 10:21:49.

The HijackThis analyzed log is:

```
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:12:21 PM, on 4/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\TASKMGRU.EXE
C:\WINNT\system32\MSIMN32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Steam\Steam.exe
C:\WINNT\system32\TASKMGRU.EXE
C:\WINNT\system32\MSIMN32.EXE
C:\Cannibus\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINNT\bhoass.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINNT\System32\mstask.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [TASKMGRU] C:\WINNT\system32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINNT\system32\MSIMN32.EXE
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/de.../GSManager.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/co...y/iesnoopy.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhel...6/dlhelper.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe

End of KRC HijackThis Analyzer Log.
====================================================================
```

There has to be a file that regenerates all these files but I can't figure out what it is. Also I know that these files weren't created June 19, 2003.
#4
Analyst, Security Team
Give us these three logs:
1. Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

2. Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to the C:\WINDOWS\system32 folder. Now try running DllCompare.

3. Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#5
Registered User
Join Date: Apr 2005
Posts: 5
OS: Win2000
"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
```
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = "C:\Program Files\Steam\Steam.exe -silent" ["Valve Corporation"]
"AIM" = "C:\Program Files\AIM95\aim.exe -cnetwait.odl" ["America Online, Inc."]
"MSIMN32" = "C:\WINNT\system32\MSIMN32.EXE" [null data]
"TASKMGRU" = "C:\WINNT\system32\TASKMGRU.EXE" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1A1488CB-8028-49ba-AD19-18D13CDC650F}\(Default) = "BHDP Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\bhoass.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 DragDrop Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Property Sheet Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v7"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender Professional Edition\bdshellex.dll" [file not found]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

INFECTION WARNING! G:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]

Enabled Scheduled Tasks:
------------------------

"WinTV (0)" -> launches: "C:\PROGRA~1\WinTV\WinTV2K.EXE -c26 -ntod -startr:WinTV_(0)###.mpg -qvcd -limit:1800" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
  -> {CLSID}\(Default) = "&Yahoo! Messenger"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
  -> {CLSID}\(Default) = "&Yahoo! Messenger"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
  -> {CLSID}\(Default) = "Real.com"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
iprip, iprip, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\system32\bss.dll" [file not found]}

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
```

```
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,326 items found: 1,326 files, 0 directories.
Total of file sizes: 266,550,388 bytes 254.20 M
Administrator Account = True
--------------------End log---------------------
```
#6
Analyst, Security Team
Where's the TDS-3 log?
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
```

and delete {1A1488CB-8028-49ba-AD19-18D13CDC650F}

Next go to

```
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```

and delete MSIMN32 and TASKMGRU

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

```
C:\WINNT\system32\bss.dll
C:\WINNT\bhoass.dll
C:\WINNT\system32\MSIMN32.EXE
C:\WINNT\system32\TASKMGRU.EXE
```

Restart and give us a log for these again: HijackThis, Silent Runners and also the following:

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)
1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file. (This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane...... Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything..but to ID the bad guys. Once you copy that to a notepad file...highlight the text and copy it here
#7
Registered User
Join Date: Apr 2005
Posts: 5
OS: Win2000
Ok I fixed it. All you need to do is delete the following files if you have them, then search the registry for the files listed below and delete their registry entries. Also you have to delete the CLSID for bhoass.dll and some other CLSID values listed under BHO(something) - you can't miss them once you navigate to the B section of the CLSID registry. You also need to delete registry values in Local Machine\Software\Microsoft\Internet Explorer\Main - all the ones that start with BHO. Run HijackThis and it should take care of the rest. Just click on the entries with bhoass.dll, taskmgru.exe and msimn32.exe. If you have any questions I'll check back to see.
```
File C:\WINNT\bhoass.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\WINNT\explorer32dbg.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\WINNT\iexplore_dbg.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\MSIMN32.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\TASKMGRU.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ameopt Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINNT\ghj infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\WINNT\lbbho.dll infected by "not-a-virus:AdWare.ToolBar.Neon.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\mfcvi.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\csh4tb.exe infected by "Trojan-Downloader.Win32.Agent.gd" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mseggo.gif infected by "Trojan-Spy.Win32.Delf.dx" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\msfaol.dll infected by "not-a-virus:AdWare.ClientMan" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\msiaih.dll infected by "not-a-virus:AdWare.Ipend" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\msnimk.gif infected by "not-a-virus:AdWare.Ipend" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\_huytam_java.exe infected by "Trojan-Dropper.Win32.Small.mu" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\Temp\backup-20050414-135009-405.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\Temp\backup-20050414-214237-447.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\Temp\backup-20050414-222726-205.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\Temp\backup-20050414-225803-516.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\Temp\backup-20050414-225825-322.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\Temp\backup-20050414-231219-369.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\Temp\backup-20050415-002646-888.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\TEMPOR~1\Content.IE5\619A32H8\LBAss012345678[1].txt infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ADMINI~1.YAM\LOCALS~1\TEMPOR~1\Content.IE5\8XEZKX2V\tb[1].txt infected by "not-a-virus:AdWare.ToolBar.ToolBand.a" Virus. Action Taken: No Action Taken.
```
#8
Analyst, Security Team
So I assume that you deleted all those files and also emptied out your temp folder right?
Any problems now?