
Task Manager shuts down (W2K)



cricketcrazy
05-09-2004, 05:33 AM
My Windows Task Manager shuts down when I try to open it. Someone suggested that I run "HijackThis". Here is my report. I appreciate any input. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 7:04:01 PM, on 5/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\wuauserv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINNT\SYSTEM32\gwrbf.exe
C:\WINNT\system32\syscall.exe
C:\WINNT\SYSTEM32\jjkdqs.exe
C:\WINNT\system32\msclock.exe
C:\WINNT\SYSTEM32\kgvgws.exe
C:\WINNT\SYSTEM32\fdscvsa.exe
C:\WINNT\system32\gfeqzvq.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\jaggi\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\gwrbf.exe
O4 - HKLM\..\Run: [Micosoft Startup] syscall.exe
O4 - HKLM\..\Run: [QoS Packet Scheduler Service] qossvc.exe
O4 - HKLM\..\Run: [Auto Started] winsME.exe
O4 - HKLM\..\Run: [Windows NNT] C:\WINNT\SYSTEM32\jjkdqs.exe
O4 - HKLM\..\Run: [Microsoft Digital Clock] msclock.exe
O4 - HKLM\..\Run: [VidiaDrivers] C:\WINNT\SYSTEM32\kgvgws.exe
O4 - HKLM\..\Run: [Vidsdriver] C:\WINNT\SYSTEM32\fdscvsa.exe
O4 - HKLM\..\Run: [Mcsoft] gfeqzvq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [QoS Packet Scheduler Service] qossvc.exe
O4 - HKLM\..\RunServices: [Auto Started] winsME.exe
O4 - HKLM\..\RunServices: [Microsoft Digital Clock] msclock.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://world.chamberlaingroup.com/ZChambZ1E7C1910BB733AF06D46F6C98D49CAD98E1217C87091CE59BF5A13AD/ZChambZ0/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37965.5979398148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05777C83-202B-4525-BEA4-2E544D8D3242}: NameServer = 151.164.1.8,206.13.28.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{05777C83-202B-4525-BEA4-2E544D8D3242}: NameServer = 151.164.1.8,206.13.28.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{05777C83-202B-4525-BEA4-2E544D8D3242}: NameServer = 151.164.1.8,206.13.28.12

dtriplet
05-11-2004, 01:33 AM
Okay, you are definitely infected by AT LEAST a variant of CoolWebSearch, which can be cleaned by grabbing CWShredder from the same place you got HijackThis. You may also have caught some others as well. A trimmed and commented copy of your log with only the suspicious entries follows:

Logfile of HijackThis v1.97.7
Scan saved at 7:04:01 PM, on 5/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
{NOTE: Some are definitely viruses, some I'm not sure of, just suspicious}
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\wuauserv.exe
C:\WINNT\SYSTEM32\gwrbf.exe
C:\WINNT\system32\syscall.exe
C:\WINNT\SYSTEM32\jjkdqs.exe
C:\WINNT\system32\msclock.exe
C:\WINNT\SYSTEM32\kgvgws.exe
C:\WINNT\SYSTEM32\fdscvsa.exe
C:\WINNT\system32\gfeqzvq.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\system32\wuauclt.exe

{The R1 entries are from Yahoo Messenger}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
{This is suspicious, using a local proxy, but explained if PC-cillin has proxy software included}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
{This is a definite infection entry, and appears to point to CoolWebSearch}
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
{Possible secondary infection entry, but certainly suspicious}
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
{Definite virus entries, possibly CWS, but maybe not}
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\gwrbf.exe
O4 - HKLM\..\Run: [Micosoft Startup] syscall.exe
O4 - HKLM\..\Run: [Auto Started] winsME.exe
O4 - HKLM\..\Run: [Windows NNT] C:\WINNT\SYSTEM32\jjkdqs.exe
O4 - HKLM\..\Run: [Microsoft Digital Clock] msclock.exe
O4 - HKLM\..\Run: [VidiaDrivers] C:\WINNT\SYSTEM32\kgvgws.exe
O4 - HKLM\..\Run: [Vidsdriver] C:\WINNT\SYSTEM32\fdscvsa.exe
O4 - HKLM\..\Run: [Mcsoft] gfeqzvq.exe
O4 - HKLM\..\RunServices: [Auto Started] winsME.exe
O4 - HKLM\..\RunServices: [Microsoft Digital Clock] msclock.exe
{Fake nameserver entries to hijack browsing and keep you away from the CWShredder program}
O17 - HKLM\System\CCS\Services\Tcpip\..\{05777C83-202B-4525-BEA4-2E544D8D3242}: NameServer = 151.164.1.8,206.13.28.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{05777C83-202B-4525-BEA4-2E544D8D3242}: NameServer = 151.164.1.8,206.13.28.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{05777C83-202B-4525-BEA4-2E544D8D3242}: NameServer = 151.164.1.8,206.13.28.12



You definitely need CWShredder, but unfortunately, I can't remember the alternate link you will need to reach it.

ZC
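The reasoning dtriplet applies above (Run keys named after a vendor or a typo of one, executables in SYSTEM32 with random-looking names, entries duplicated into RunServices, O17 NameServer overrides) can be turned into a small triage script for HijackThis-style logs. The following is an added example written for this thread; it is not part of HijackThis, CWShredder or either poster's own procedure. The thresholds (a 0.75 similarity ratio for vendor-name typos, a 15% vowel share for "random" executable names) and the vendor word list are assumptions chosen to fit the entries in this log, and the sample lines are constructed from the log above plus two benign entries for contrast. The RunServices check relies on the fact that Windows 9x/Me honours that key while the NT family (2000/XP) does not; the O17 check only surfaces the servers for manual comparison with the ISP's published resolvers, it does not judge them.

```python
"""Triage helper for HijackThis O4/O17 lines (added example, not a HijackThis feature)."""
import difflib
import re
from dataclasses import dataclass

# Assumed vendor words that malware likes to imitate in Run key names.
VENDOR_WORDS = ("microsoft", "windows", "nt", "nvidia")
VOWELS = set("aeiouy")
# Windows 9x/Me autostart keys; Windows 2000/XP never read them.
DEAD_KEYS_ON_NT = {"runservices", "runservicesonce"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)\s*$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample: lines in the shape HijackThis prints, taken from the
# thread's log plus two benign entries (mobsync, NvCplDaemon) for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [Microsoft] C:\\WINNT\\SYSTEM32\\gwrbf.exe
O4 - HKLM\\..\\Run: [Micosoft Startup] syscall.exe
O4 - HKLM\\..\\Run: [Windows NNT] C:\\WINNT\\SYSTEM32\\jjkdqs.exe
O4 - HKLM\\..\\Run: [Mcsoft] gfeqzvq.exe
O4 - HKLM\\..\\RunServices: [Auto Started] winsME.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{05777C83-202B-4525-BEA4-2E544D8D3242}: NameServer = 151.164.1.8,206.13.28.12
"""


@dataclass
class Finding:
    line: str
    reasons: list


def exe_stem(cmd):
    """Base name (no extension, lower-case) of the first .exe in a Run command."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("path").replace("/", "\\").split("\\")[-1][:-4].lower()


def looks_random(stem):
    """Crude stand-in for entropy: five or more letters with 15% vowels or fewer."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.15


def vendor_near_miss(name):
    """Key-name tokens that are close to, but not equal to, a vendor word."""
    hits = []
    for tok in re.findall(r"[A-Za-z]+", name.lower()):
        for word in VENDOR_WORDS:
            if tok != word and difflib.SequenceMatcher(None, tok, word).ratio() >= 0.75:
                hits.append((tok, word))
    return hits


def triage_line(line):
    """Return the list of reasons a single log line deserves a closer look."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, key, cmd = m.group("name"), m.group("key"), m.group("cmd")
        if name.strip().lower() in VENDOR_WORDS:
            reasons.append("key name is nothing but a vendor word")
        for tok, word in vendor_near_miss(name):
            reasons.append(f"key name token '{tok}' mimics '{word}'")
        stem = exe_stem(cmd)
        if stem and looks_random(stem):
            reasons.append(f"executable name '{stem}.exe' looks random")
        if key.lower() in DEAD_KEYS_ON_NT:
            reasons.append(f"{key} is a Win9x key that Windows 2000 never runs")
        return reasons
    m = O17_RE.match(line)
    if m:
        reasons.append(f"NameServer override {m.group('servers')}: compare with the ISP's published resolvers")
    return reasons


def triage(log_text):
    """Run triage_line over every line and keep only the ones with reasons."""
    findings = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw.strip())
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

On the sample the two benign entries pass silently while the six others are reported with the specific reason, which is the useful part: a reviewer can see why "[Windows NNT]" or "gfeqzvq.exe" was singled out and decide for themselves. The vowel heuristic is deliberately crude; on a real engagement the executable names would be compared against a baseline taken from a clean machine of the same build rather than against a ratio.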