Another Task Manager Killer

Discussion in 'Malware Help (A Specialist Will Reply)' started by rktengr, Mar 8, 2005.

  1. rktengr

    rktengr Private E-2

    Hi,
I'm having similar problems to what Plastic Squirrel had (Evil little thing), except that mine isn't killing Hijack This.

It is killing the Task Manager, and regedit. They both will pop up long enough to see the window once, then disappear never to be seen again until I reboot.

    I've followed all of the instructions in http://forums.majorgeeks.com/showthread.php?t=35407 with the exception of step 2 of "Getting Prepared;" - services.msc won't come up either.

    I've also run Hijack This, and got rid of ap9h4qmo.exe. If I remember right, this is the SHA virus.

    I've gotten rid of everything that I am currently comfortable with but I still cannot get regedit or task manager to work, so need more expertise!

    Thanks,
    Dan
     
  2. rktengr

    rktengr Private E-2

    Here's my latest logfile.

    I've just found another something: since I ran the scan (I have not rebooted or anything) I now have something trying to open the following web address: http://searchmiracle.com/ads/ad.php?. Since I'm using a proxy server, I can stop it before it gets there, but I've "fixed" this before using Hijack This, and it keeps coming back!

    Help!!!
     

    Attached Files:

  3. rktengr

    rktengr Private E-2

    Hold that last; I found out about the ETRemover, and ran it - it appears to have eliminated the search "miracle" problem.

    So here is a new log file.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:


    Viewpoint

    Media Pass


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    TeaTimer.exe
    Note: End this process because it will affect some of the removal steps.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    Are you familiar with this entry?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    Note: If you want emachines.com to be your start page, then leave this entry. If you do not then fix this entry as well.

    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
    O16 - DPF: {F55C25D3-D16A-11D3-81DF-00A0C91F5E7D} (Gtek Print Control) - http://www.kiddonet.com/kiddonet/GtekPrt.ocx
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\Program Files\Media Pass ←–– Delete this whole folder if it exists!



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
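The fix list above is built from four HijackThis entry types: R0/R1 (Internet Explorer start page and proxy settings), O4 (Run/RunOnce autostart values) and O16 (Downloaded Program Files, i.e. ActiveX controls and the URL they came from). As an added example, not part of this thread or of HijackThis itself, the script below parses those line types and flags the ones a reviewer would tick, using the same three criteria bjgarrick applied: a start page pointing at an unwanted host, Run values belonging to the programs being uninstalled, and DPF controls downloaded from anywhere but a host the owner trusts. The sample lines are copied from the log entries quoted in the thread; the host and Run-name lists, and the trusted DPF list (HP's own support hosts), are assumptions chosen for illustration. Pass an empty trusted set to get bjgarrick's conservative result of flagging every O16 entry.

```python
"""Parse HijackThis-style log lines (R0/R1/O4/O16) and flag the ones matching a removal list.
Added example; the entry grammar is reconstructed from the lines quoted in the thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# R0/R1: "<kind> - <hive>\<key>,<value name> = <value>"  (value name may contain spaces)
R_RE = re.compile(r"^(R[01]) - (HKLM|HKCU)\\(.+?),([^=]+?) = (.*)$")
# O4: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices): \[(.+?)\] (.*)$")
# O16: "O16 - DPF: {CLSID} (Name) - <url>"  or just "O16 - DPF: <name> - <url>"
O16_RE = re.compile(r"^O16 - DPF: (.+?) - (https?://\S+)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


@dataclass
class Entry:
    kind: str      # "R0", "R1", "O4" or "O16"
    location: str  # registry hive\key, or "DPF" for downloaded controls
    name: str      # value name, Run value name, or DPF CLSID/name
    target: str    # URL, proxy string or command line
    raw: str       # the original log line


def host_of(target: str) -> str:
    """Lower-case host of a URL; '' when target is not a URL (proxy lists, file paths)."""
    return (urlparse(target).hostname or "").lower()


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Return an Entry for a supported line type, None for anything else."""
    line = line.strip()
    m = R_RE.match(line)
    if m:
        kind, hive, key, valname, value = m.groups()
        return Entry(kind, f"{hive}\\{key}", valname, value, line)
    m = O4_RE.match(line)
    if m:
        hive, subkey, valname, cmd = m.groups()
        return Entry("O4", f"{hive}\\..\\{subkey}", valname, cmd, line)
    m = O16_RE.match(line)
    if m:
        desc, url = m.groups()
        clsid = CLSID_RE.search(desc)
        return Entry("O16", "DPF", clsid.group(1) if clsid else desc, url, line)
    return None


def flag_entries(lines: Iterable[str], bad_hosts: Iterable[str], bad_run_names: Iterable[str],
                 trusted_dpf_hosts: Iterable[str]) -> List[str]:
    """Return the raw lines to tick in HJT: start/search pages on a bad host, Run values
    of the programs being removed, and any DPF control not fetched from a trusted host."""
    bad_hosts = {h.lower() for h in bad_hosts}
    bad_run = {n.lower() for n in bad_run_names}
    trusted = {h.lower() for h in trusted_dpf_hosts}
    flagged = []
    for line in lines:
        e = parse_hjt_line(line)
        if e is None:
            continue
        h = host_of(e.target)
        if e.kind in ("R0", "R1") and h in bad_hosts:
            flagged.append(e.raw)
        elif e.kind == "O4" and e.name.lower() in bad_run:
            flagged.append(e.raw)
        elif e.kind == "O16" and (h in bad_hosts or h not in trusted):
            flagged.append(e.raw)
    return flagged


# Sample input: entries quoted in this thread (hsremove start page, the user's own
# ProxyOverride, two Run values for the programs being uninstalled, the AOL Run value,
# and two DPF controls).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [AOL 9.0 Optimized] AOLCLIENT.EXE
O16 - DPF: {F55C25D3-D16A-11D3-81DF-00A0C91F5E7D} (Gtek Print Control) - http://www.kiddonet.com/kiddonet/GtekPrt.ocx
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def review_sample() -> List[str]:
    """Run the sample through the reviewer's lists (assumed values, see lead-in)."""
    return flag_entries(
        SAMPLE_LINES,
        bad_hosts={"hsremove.com", "searchmiracle.com"},
        bad_run_names={"ViewMgr", "Media Pass"},
        trusted_dpf_hosts={"h30155.www3.hp.com", "h30043.www3.hp.com"},
    )


if __name__ == "__main__":
    for raw in review_sample():
        print("FIX:", raw)
```

The ProxyOverride line and the AOL Run value are deliberately not flagged: a proxy bypass list is not a URL, so it never matches a host list, and a Run value is only flagged when its name is on the removal list, which is exactly the judgement call the reviewer makes later in the thread.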
     
  5. TheOldThug

    TheOldThug First Sergeant

    BJ has you
     
  6. rktengr

    rktengr Private E-2

    Thanks bj,

    Here's the results.
    I had both Viewpoint manager, and Viewpoint Media Player - both gone.
    Media Pass was not in the program list.

Task Manager still will not run on its own. I had to use procexp, but TeaTimer was not listed there. (Task Manager will run once I've run procexp).

    hsremove is gone.

    Is our "clean sites" service; I need to keep it, as well as the override.

    I occasionally tinker with my webpage, and this line instructs the proxy to not redirect through dilligence for local machine pages.

    I did not find this entry, but did find an entry for TeaTimer.exe - I fixed it also

    The emachines site only opens when I select the "help and support" link on the start menu.

    I fixed the 5 O16 items.
    Spybot did not find anything.

    Even after all of this, Task Manager will only stay open for less than a second before shutting down. :(

    Here's the latest log file:

    Thanks again,
    Dan
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log looks clean to me!

    Lets try the below first, just to make sure.

    1) TrendMicro Online Virus Scan

    2) CWShredder 2.13

    3) Download TrojanHunter

    a) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    b) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.


    After you do this, reboot and let me know how things are shaping up for you now.
     
  8. rktengr

    rktengr Private E-2

    1) TrendMicro Online Virus Scan
    trendmicro found TROJ SMALL.X0 on 2 files, and 2 spyware. Fixed both.

    2) CWShredder 2.13
    Downloaded CWshredder, ran it; and found nothing.

    a) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!
    Downloaded and ran TrojanHunter. Found 8 trojans, including 3 CoolWebSearch, 4 Elite, and 1 Elitum. Cleaned them.

After you do this, reboot and let me know how things are shaping up for you now.
    Rebooted, and had to lookup some info for the wife - ran IE, and had problems with the Elite Toolbar again!
    Ran ETRemover, rebooted, and ran HJT.

    And here we are.

    One question while you're looking this last one over - I'm seeing this,
    and am wondering: is this normal for AIM to run? My daughter uses it constantly, and I'm wondering if part of my re-infection might be coming from this?

    Anyway thanks,
    Dan
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    These are entries relating to the AOL software, not related to AOL Messenger.

    Log is clean!

    Have HJT fix this last entry and we're done. Be sure all browsers are closed.

    O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Are you currently experiencing any further problems?
     
  10. rktengr

    rktengr Private E-2

    Quote:
    O4 - HKLM\..\Run: [AOL 9.0 Optimized] AOLCLIENT.EXE
    O4 - HKCU\..\RunOnce: [AOL 9.0 Optimized] AOLCLIENT.EXE


    These are entries relating to the AOL software, not related to AOL Messenger.

    Since I'm not running (and no intention of) AOL, then no problem killing them, right?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you do NOT use the AOL software then go into Add/Remove Programs in Control Panel and remove it this way.
     
  12. rktengr

    rktengr Private E-2

    It's not showing up in the Add/Remove Programs list, but I'm seeing several AOL folders and AOLAOD applications.

    Since I've never installed AOL, I'm not sure how it got there - unless the daughter did something when she installed the messenger.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

That's weird, it should be in there. It's up to you what you want to delete. If you want to remove the AOL software then you can delete the directories you mentioned and fix those 2 entries with HJT.

    Let me know!

    Are you currently having any further problems?
     
  14. rktengr

    rktengr Private E-2

    OK, cleaned both of them out, and I'll be clearing it all out shortly (as I find it).

Everything looks good so far - Task Manager works again, but I'll need to let the kids at it tomorrow, and post a final update tomorrow night.

    Thanks for all of the help, I really appreciate it.
    Dan
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Task Manager shouldn't be used unless a program is not responding or is causing problems. Glad everything is good right now:)

    You should see this article on How to Protect yourself from malware!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Sounds like you may have problems fixed but check these out for future reference:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.spyboter.a.html
    http://www.sarc.com/avcenter/venc/data/backdoor.spyboter.gen.html
    http://www.bleepingcomputer.com/startups/AOLCLIENT.EXE-7315.html
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thanks Chas!
     
  18. rktengr

    rktengr Private E-2

    I'll second that! I'm surprised that AOLCLIENT.exe hung in there so long with all of the scans I've done in the last few days.

    Actually, I rarely open Task Manager at all; it wasn't until after I started working on the virus problem that I even noticed what was happening, and it seemed like an easy measuring stick to my progress.

    My final AAR is that everything is working as expected again. I did have a minor glitch when my wife was unable to log in to her excite email account; I finally found where the cookie exceptions had been set to always block excite.com. There seems to be a huge list of sites in there, which I'm leaving in place, but will remember if I ever see this problem again.

I've been running Firefox for a few months now, and have implemented the recommendations in the article (actually did that a few days ago - before we actually got everything cleaned out.)

    I'm also going to keep in mind that none of the antivirus software seems to catch everything all the time. I set Norton's to auto for once a week, and have spybot set to immunize, but it still got through.

    Thanks again for all the help - this stuff is clearly harder than rocket science (I should know, since I am one :cool: )

    Dan
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

