
task manager wont open



#1
THX 1138

    New Member

  • Member
  • 8 posts
Well, my Task Manager won't open. Apart from that, I also have some other problems, like I can't open files through the browser of software like Windows Media Player etc. It usually gets hung. Even HijackThis works only in safe mode. Anyway, I ran a scan and this is what it gave me:

Logfile of HijackThis v1.99.1
Scan saved at 3:56:07 PM, on 6/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Shankar Kaimal\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [netdaemon] C:\WINDOWS\System32\netdaemon /v
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\PROGRA~1\McAfee\MANAGE~1\VScan\Splash.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKLM\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RediffBOL] C:\Program Files\rediff.com\messenger\Bol.exe hide
O4 - HKCU\..\Run: [Eatu] C:\Documents and Settings\Shankar Kaimal\Application Data\weur.exe
O4 - HKCU\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102838155703
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEDB6EB9-B213-428C-880C-C8B6A7E24761}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\myRmProt3.0.0.624.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Animation Stuff 3d Software\Maya 6\docs\Wrapper.exe" -s "D:\Animation Stuff 3d Software\Maya 6\docs/Wrapper.conf (file missing)
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Pixar NetRenderMan Server 2.0 - Unknown owner - D:\Animation Stuff 3d Software\Pixar\Servers 2.0\alfserver.exe
O23 - Service: Digital Origin 1394 Bus Manager (RdBusManager) - Digital Origin, Inc. - C:\WINDOWS\System32\RadBmSvc.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\System32\ServiceM.exe

Looking for a reply soon because this is really screwing up my PC.
Cheers
  • 0



#2
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Hi THX 1138,

I moved your thread to the Malware forum since it looks as if you have a brand-new virus there.

See HERE for how to show hidden files.

Then do a Find Files for xpspz.exe

Can you surf to:
http://virusscan.jotti.org/
and upload that file there.
Let me know the results.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [netdaemon] C:\WINDOWS\System32\netdaemon /v

O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKLM\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe

O4 - HKCU\..\Run: [Eatu] C:\Documents and Settings\Shankar Kaimal\Application Data\weur.exe
O4 - HKCU\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe

Reboot into safe mode and delete:
C:\Program Files\AdTools Service <= entire folder
C:\WINDOWS\System32\netdaemon

Then boot back to normal and follow instructions here to get rid of NewDotNet:
http://www.newdotnet.com/removal.html

Post back with a new HijackThis log.

Regards,
  • 0

#3
THX 1138

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hey Metallica, firstly, thanks a lot, man. You really saved my PC. OK, I uploaded the file xpspz.exe and this is what I got from the site:

Statistics
Last piece of malware found was Trojan-Spy.Win32.SCKeyLog.v in PvpIce.rar, detected by:

Scanner                 Malware name
AntiVir                 Worm/Procil.a.1
ArcaVir                 Trojan.Spy.Sckeylog.V
Avast                   Win32:Keylog-016
AVG Antivirus           X
BitDefender             Trojan.SCKeyLog.20
ClamAV                  X
Dr.Web                  Trojan.MulDrop.2114
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    Trojan-Spy.Win32.SCKeyLog.v
NOD32                   X
Norman Virus Control    X
VBA32                   Trojan-Spy.Win32.SCKeyLog.v

Apart from that, there was no netdaemon file in C:\WINDOWS\System32\netdaemon. Yeah, I did activate show hidden folders too.

By the way, this is the new log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:45 PM, on 6/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Animation Stuff 3d Software\Maya 6\docs\Wrapper.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\Rscmpt.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
D:\Animation Stuff 3d Software\Maya 6\docs\jre\bin\java.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shankar Kaimal\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\PROGRA~1\McAfee\MANAGE~1\VScan\Splash.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RediffBOL] C:\Program Files\rediff.com\messenger\Bol.exe hide
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102838155703
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEDB6EB9-B213-428C-880C-C8B6A7E24761}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\myRmProt3.0.0.624.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Animation Stuff 3d Software\Maya 6\docs\Wrapper.exe" -s "D:\Animation Stuff 3d Software\Maya 6\docs/Wrapper.conf (file missing)
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Pixar NetRenderMan Server 2.0 - Unknown owner - D:\Animation Stuff 3d Software\Pixar\Servers 2.0\alfserver.exe
O23 - Service: Digital Origin 1394 Bus Manager (RdBusManager) - Digital Origin, Inc. - C:\WINDOWS\System32\RadBmSvc.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\System32\ServiceM.exe

The PC seems to be working fine again. Again, thanks a lot, man. I really wanted my PC fixed up because I had some important work to do.
Cheers
  • 0
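An added example, not part of the original thread and not code from HijackThis or the forum: a small Python parser for the registry O4 lines shown above. It groups value names that are registered under several Run/RunServices keys (as xpspz.exe is here) and checks whether any entry selected for "Fix checked" shows up again in a later log. The function names are hypothetical; the sample lines are copied from posts #2 and #3.

```python
import re
from collections import defaultdict

# Registry autorun line as printed by HijackThis: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log_text):
    """Return (hive, key, value_name, command) for each registry O4 line."""
    return [m.groups() for line in log_text.splitlines()
            if (m := O4_RE.match(line.strip()))]

def multi_key_names(entries):
    """Value names that are registered under more than one hive/key pair."""
    seen = defaultdict(set)
    for hive, key, name, _cmd in entries:
        seen[name].add((hive, key))
    return {name: sorted(keys) for name, keys in seen.items() if len(keys) > 1}

def still_present(fixed, followup):
    """Entries selected for 'Fix checked' that show up again in a later log."""
    return sorted(set(fixed) & set(followup))

# Lines copied from post #2 (the entries the helper asked to fix).
FIX_LIST = r"""
O4 - HKLM\..\Run: [netdaemon] C:\WINDOWS\System32\netdaemon /v
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKLM\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\Run: [Eatu] C:\Documents and Settings\Shankar Kaimal\Application Data\weur.exe
O4 - HKCU\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
"""

# Excerpt copied from the follow-up log in post #3 (Global Startup lines are skipped).
FOLLOWUP = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    fixed, later = parse_o4(FIX_LIST), parse_o4(FOLLOWUP)
    print("registered under several keys:", multi_key_names(fixed))
    print("still present after the fix:", still_present(fixed, later))
```

Running the same comparison against each new log makes a reappearing entry stand out without reading the whole log by eye.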

#4
THX 1138

    New Member

  • Topic Starter
  • Member
  • 8 posts
Oh yeah, totally forgot one thing. The link http://www.newdotnet.com/removal.html doesn't seem to open, man.
  • 0

#5
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Works for me. I'll copy the info you need:

PROCEDURE 1 (Add/Remove Programs):
Click on Start.
Click on Settings.
Click on Control Panel.
From the Control Panel, double-click on Add/Remove Programs.
Click on the Install/Uninstall tab in the Add/Remove Programs Properties window.
Locate either New.net Application or New.net Domains and select it.
Click on the Add/Remove button.
After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
If this does not fully remove our software, please proceed to PROCEDURE 2.

Note: you really need to change every password and other important data you have on that computer.
There is no way to find out how much information was captured and to whom the Keylogger fed it.

I'd like you to scan one more file at jotti's:
C:\WINDOWS\System32\ServiceM.exe
Let me know the results.

Regards,
  • 0

#6
THX 1138

    New Member

  • Topic Starter
  • Member
  • 8 posts
OK, here are the results:

AntiVir                 Found nothing
ArcaVir                 Found nothing
Avast                   Found nothing
AVG Antivirus           Found nothing
BitDefender             Found nothing
ClamAV                  Found nothing
Dr.Web                  Found nothing
F-Prot Antivirus        Found nothing
Fortinet                Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32                   Found nothing
Norman Virus Control    Found nothing
VBA32                   Found nothing

Also, one more thing: I can't find the Install/Uninstall tab in the Add/Remove Programs Properties window.

One more thing: I had the same problem a few minutes back again. I checked the log file and saw that some of them were the same as mentioned above and hence deleted them. Now the PC seems to be working fine again.

Can you tell me a way to prevent the virus from entering the system? I have McAfee, Stinger and Ad-Aware.
  • 0

#7
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Can we please do this one step at a time, and can you try to consider that English is not my first language, so reading your abbreviations is sometimes confusing.

First I want to know what ServiceM.exe is or does.

Can you find the file, right-click it and look on the Version tab to see what you can find out?

Under Add/Remove Software, if you highlight a program, do the buttons not show up at all, or is only the one for NewDotNet missing?

Regards,
  • 0

#8
THX 1138

    New Member

  • Topic Starter
  • Member
  • 8 posts
Yes, I can find the file ServiceM.exe. The path, as you mentioned, is C:\WINDOWS\System32\ServiceM.exe.

I right-clicked on it but I don't know how to find the Version tab.

Under the Add/Remove section I can see 4 buttons, namely Change or Remove Programs, Add New Programs, Add/Remove Windows Components, and Set Program Access and Defaults. Also, I cannot see any NewDotNet in the list.

Cheers
  • 0

#9
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
OK, not listed in Add/Remove Software:

PROCEDURE 2 (Uninstall from Hard Drive):
Double-click on My Computer.
Double-click on the C: drive.
Double-click on the Program Files folder.
Locate and double-click on the NewDotNet folder. If there is no folder, please proceed to PROCEDURE 3.
Locate and double-click on the uninstall executable; it will be labeled uninstallX_XX.exe. (“X” represents the version number of the uninstaller and you should always use the latest version)
After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
If this does not fully remove our software, please proceed to PROCEDURE 3.

Please surf to
http://www.thespykil...x.php?topic=5.0
and follow the instructions there to upload
C:\WINDOWS\System32\ServiceM.exe
I'd like to have a look for myself.

Regards,
  • 0

#10
THX 1138

    New Member

  • Topic Starter
  • Member
  • 8 posts
Alright, I have uninstalled NewDotNet like you mentioned. ServiceM.exe has been uploaded to the link too.

Cheers
  • 0

#11
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Click Start > Run, type services.msc > OK
In the list of services find:
ServiceM
Right-click that line and choose Properties.
On the General tab, stop the service and set it to Disabled.

We will have a good look at the file, but it is packed, so it will take a little longer.
This way the file will at least not run until we know what it does.

Regards,
  • 0

#12
THX 1138

    New Member

  • Topic Starter
  • Member
  • 8 posts
Alright, I have done as you mentioned. One more thing I would like to add is that I just uploaded xpspz.exe on http://virusscan.jotti.org/ and this is the result I got:

Scanner results
AntiVir                 Found nothing
ArcaVir                 Found nothing
Avast                   Found nothing
AVG Antivirus           Found nothing
BitDefender             Found nothing
ClamAV                  Found nothing
Dr.Web                  Found nothing
F-Prot Antivirus        Found nothing
Fortinet                Found nothing
Kaspersky Anti-Virus    Found Trojan.Win32.Crypt.d
NOD32                   Found Win32/Rbot
Norman Virus Control    Found nothing
VBA32                   Found nothing
  • 0





