MSNI32.EXE, TASKMGRU.EXE...Removal?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cillygirl, Apr 15, 2005.

  1. cillygirl

    cillygirl Private E-2

    Upon doing a basic google search I came into contact with these files and they set my microsoft spyware off. I ordered it to block all url changes/file changes etc. (also set my AVG software on alert for a virus). Well, although everything said it protected against the hijack attempt, lo and behold, here these files are and no information can be found as to how to remove them. My husband has tried NUMEROUS methods to clean our systems that have worked well in the past. I have run ad-aware, spybot, microsoft spyware detection, AVG, and Housecall... also done this in safe mode. I can't even get onto the internet anymore without being redirected to some other site. They have allowed other changes such as webcruiser.cc, bhoass.dll.. and numerous others to be put on my machine as well. Has ANYONE come into contact with these and is there any way to save my machine besides a complete format (due to information on it this would be highly undesirable.)

    If there is any information you need please let me know and I will get it to you as soon as I possibly can.

    TIA!!!
     
  2. jarcher

    jarcher I can't handle a title

    Have you already gone through this sticky? If not, please do so. . .
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal:
    If you have, double check everything and make sure you did do everything
    and that all software is up to date.

    and run through this before attaching a log
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting:
    *Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis! Please do this!!!*
     
  3. cillygirl

    cillygirl Private E-2

    Here is the HijackThis log. I have run the programs listed and none of them find these files /sigh. I tried correcting them through HijackThis but unfortunately they came back when I restarted... any and all help would be appreciated.

    TIA!!!
     


  4. jarcher

    jarcher I can't handle a title

    If you didn't disable system restore, it will continue to come back.
    Make sure it is disabled:
    Disable And Enable System Restore

    I will look at your log now
     
  5. cillygirl

    cillygirl Private E-2

    yes system restore is disabled. I haven't a clue as to where this one is buried. I have also tried googling the names of the files and nothing comes up.. no spyware/virus cleaner will pick them up... I am wondering if it is a new version of something (doubtful but hey it is just my luck). Thank you for taking the time to look it over.
     
  6. jarcher

    jarcher I can't handle a title

    Run the anti-spyware programs again
    if you didn't have system restore disabled.

    Open the task manager (Ctrl>Alt>Del)
    and end these processes:
    C:\WINDOWS\system32\TASKMGRU.EXE
    C:\WINDOWS\system32\MSIMN32.EXE
    C:\WINDOWS\system32\MSIMN32.EXE
    find and remove them manually (make sure you can view hidden files)
    and also find and remove
    C:\WINDOWS\bhoass.dll

    have hjt fix
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\system32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\system32\MSIMN32.EXE


    that is what I believe to be the problem
     
  7. jarcher

    jarcher I can't handle a title

    oops

    reboot
    and let me know
     
  8. cillygirl

    cillygirl Private E-2

    They are still there!!! /whimper... any other ideas?
     
  9. cillygirl

    cillygirl Private E-2

    *hubby of cillygirl

    Just for the record...im pretty decent at finding and fix'n stuff like this and man...this thing is a PITA!

    I verified that the above instructions were followed.... ie deleted files ran hjt scan and fixed problems (system restore off)....and it definitely comes back...

    some info:
    Whenever you end process in the Windows XP taskmanager on either of these 2 files....it starts the file up as soon as it ends....

    Also...if ya go into the registry and kill all of the stuff that has anything to do with starting these programs....when you finish editing the registry ....the keys are already edited back in. So something is putting them back in as fast as you can take them out....very odd....imho

    if you can get the files stopped by some strange chance in the Windows Taskmanager....and delete all 3 of them....then run the fix in hjt....(kill the prefetch files also) they are upon reboot restored to their prior location and back at square one....


    So, it would seem to me there is another master calling them and writing them from another location....

    anyhow...just wanted to add my 2cp....I am about out of ideas....ive done plenty of searching......but have found no info....and have pretty much exhausted my troubleshooting brain....so any help would be fantastic...

    thx
     
  10. jarcher

    jarcher I can't handle a title

    have you done all that in safe mode?
     
  11. cillygirl

    cillygirl Private E-2

    Yes, all of this has been done in both regular mode and safe mode.
     
  12. cillygirl

    cillygirl Private E-2

    one thing that i have found is that if the files are stopped in the Windows taskmgr.....Once i try and start Internet Explorer the files will populate Windows Taskmgr....

    I have managed to get the files to stop running in Windows Taskmgr by ending the tree process .......but sometimes it takes a couple go's to get them to stop...

    Edit: i did replace the Internet Explorer file in case it was corrupt....(noticed a small difference in size from my others.....but that was to no avail)

    imma keep peckin and see what i can blow up :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HijackThis log and let's see where you stand right now.
     
  14. cillygirl

    cillygirl Private E-2

    ok new log

    edit: If it wasnt so interesting to try and figure out what this junk is doing....i coulda reloaded my computer by now lol :)

    think Im gonna have to hit the sack for tonight though.....get some coffee and go at it in the morning.....

    TIA

    :end edit
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You picked up some new problems!

    Are you getting desktop hijacks now or having problems changing wallpaper?

    Did you just install the below sometime today? Where have you been surfing?

    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Look in Add/Remove programs and uninstall if found the below (let me know if it is seen here):
    Security iGuard

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes), select them one at a time, and kill each by selecting it and then clicking "Kill process". Then click yes.
    c:\wp.exe
    C:\WINDOWS\system32\TASKMGRU.EXE
    C:\WINDOWS\system32\MSIMN32.EXE

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\system32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\system32\MSIMN32.EXE
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow.com/(wv1yyv45ttmhxf45pyes1s45)/ShowSetup5.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    c:\wp.exe
    C:\wp.bmp
    C:\WINDOWS\bhoass.dll
    C:\WINDOWS\system32\TASKMGRU.EXE
    C:\WINDOWS\system32\MSIMN32.EXE
    C:\Program Files\Security iGuard <--- the whole folder
    c:\windows\web\desktop.html

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  17. cillygirl

    cillygirl Private E-2

    Just as an update yes i am getting desktop hijacks/wallpaper changes now. Getting ready to run through the steps you posted below again.
     
  18. cillygirl

    cillygirl Private E-2

    New file attached. Followed to the letter, although Security iGuard is nowhere to be found. Files are still back.
     


  19. jarcher

    jarcher I can't handle a title

    open task manager
    and end process tree for all four below
    MSIMN32.EXE
    MSIMN32.EXE
    TASKMGRU.EXE
    TASKMGRU.EXE

    Download
    Pocket KillBox
    (run in safe mode) and remove
    C:\WINDOWS\system32\TASKMGRU.EXE
    C:\WINDOWS\system32\TASKMGRU.EXE
    C:\WINDOWS\system32\MSIMN32.EXE
    C:\WINDOWS\system32\MSIMN32.EXE
    C:\WINDOWS\bhoass.dll
    (there are two of each)

    reboot(back into safe mode)
    then run HJT

    check
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\system32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\system32\MSIMN32.EXE


    close everything,all windows, browsers. .then click fix
    check the reg keys and make sure they were removed

    reboot


    Scan each of these files here if need be. I am a bit confused myself. I hope this helps.
     
  20. cillygirl

    cillygirl Private E-2

    The problem is that you cannot kill them in task manager. They just repopulate themselves in a matter of seconds. The files have been deleted repeatedly and continue to come back, we are thinking there is another file buried somewhere... the question is where. I will try those two programs and see if it helps.
     
  21. jarcher

    jarcher I can't handle a title

    there are four, not two
    that is one of the problems
     
  22. cillygirl

    cillygirl Private E-2

    Ok...this is getting nutz...I mean NUTZ :)

    Followed your instructions as listed....worked fine....no trouble that is....
    yup there are/were dup's and i got em all off...

    Also the virustotal file scans are still running....bout 30 mins now..and still going so i would imagine that its not gonna happen.

    The process eliminated all reg references, except the following ones which i just deleted:

    (this one had the bhoass.dll in it)
    HKEY_CLASSES_ROOT\TypeLib\{236F257D-A248-4F38-BAED-829D3EF8AE79}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSIMN32

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TASKMGRU

    Registry scan came up totally clean when searched for:
    taskmgru
    taskmgru.exe
    bhoass
    bhoass.dll
    msimn32
    msimn32.exe

    Absolutely no files remained on the system in the form listed on drives C:\ and d:\:
    (show hidden files on and the other stuff also)
    taskmgru
    taskmgru.exe
    bhoass
    bhoass.dll
    msimn32
    msimn32.exe

    none nowhere gone.....one would think.

    This is where I lack skill I guess....where would I even begin to look for files launching the above files, thus enabling them to be rewritten to my disks and registry?

    Everything in the msconfig startup is recognized and is normal stuff...
    Everything in the registry microsoft/windows/currentversion/run (etc) is recognized as valid by me.

    It is pretty obvious to me at this point that there has to be another file launching them. But I guess I don't really know where to look....any suggestions on how windows boots up and where stuff like this would be
    launched from?
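    The question above, and the manual removal steps in posts 16 and 19 (Run values, a BHO CLSID, the MSConfig startupreg leftovers, the files on disk), can be checked with a read-only audit script. The following is an added example, not code from anyone in this thread or from MajorGeeks: it enumerates the autostart locations HijackThis reports as R0/O2/O4 lines and flags entries matching the names, CLSID and file paths quoted in the thread. It assumes PowerShell 3.0 or later and an elevated prompt (the HKLM keys need it); the indicator lists are lifted from the thread and the registry paths are standard Windows locations. It reports only and changes nothing.

```powershell
# Added example, not from the thread: read-only audit of Windows autostart
# locations plus the files named in this thread. Nothing is killed, deleted
# or changed. Assumes PowerShell 3.0+ and an elevated prompt.

# Indicators quoted in the thread (Run value names, file names, BHO CLSID).
$SuspectNames = @('TASKMGRU', 'MSIMN32', 'bhoass', 'wp.exe', 'WindowsFY', 'Security iGuard')
$SuspectClsid = '{1A1488CB-8028-49ba-AD19-18D13CDC650F}'
$SuspectFiles = @(
    'C:\wp.exe', 'C:\wp.bmp', 'C:\WINDOWS\bhoass.dll',
    'C:\WINDOWS\system32\TASKMGRU.EXE', 'C:\WINDOWS\system32\MSIMN32.EXE',
    'C:\WINDOWS\web\desktop.html'
)

# Registry keys whose values run at boot or logon (HJT "O4" lines), plus
# Winlogon, whose Shell and Userinit values are launch points as well.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Items disabled through msconfig are remembered here (post 22 found
# TASKMGRU and MSIMN32 under this key after the Run values were gone).
$MsconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
# Browser Helper Objects (HJT "O2" lines): one CLSID subkey per BHO.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Test-Suspect([string]$Text) {
    foreach ($n in ($SuspectNames + $SuspectClsid)) {
        if ($Text -match [regex]::Escape($n)) { return $true }
    }
    return $false
}

function New-Entry($Location, $Name, $Value) {
    [pscustomobject]@{
        Location = $Location; Name = $Name; Value = $Value
        Suspect  = (Test-Suspect "$Name $Value")
    }
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Entry $key $name ([string]$item.GetValue($name))
        }
    }
    if (Test-Path $MsconfigKey) {
        foreach ($sub in Get-ChildItem $MsconfigKey) {
            $cmd = [string](Get-ItemProperty $sub.PSPath).command
            New-Entry $MsconfigKey $sub.PSChildName $cmd
        }
    }
    if (Test-Path $BhoKey) {
        foreach ($sub in Get-ChildItem $BhoKey) {
            $clsid = $sub.PSChildName
            # The DLL behind a BHO is the default value of its InprocServer32 key.
            $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            New-Entry $BhoKey $clsid ([string]$srv.'(default)')
        }
    }
    # Internet Explorer start page (HJT "R0" lines).
    foreach ($hive in 'HKCU', 'HKLM') {
        $ieMain = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (Test-Path $ieMain) {
            New-Entry $ieMain 'Start Page' ([string](Get-ItemProperty $ieMain).'Start Page')
        }
    }
}

function Get-SuspectFiles {
    foreach ($path in $SuspectFiles) {
        # -Force also returns hidden and system files, which these often are.
        $f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($f) { [pscustomobject]@{ Path = $path; Size = $f.Length; Attributes = $f.Attributes } }
    }
}

# Full listing first, then only the matches, then the files still on disk.
$entries = Get-AutostartEntries
$entries | Format-Table -AutoSize
'Entries matching thread indicators:'
$entries | Where-Object Suspect | Format-Table -AutoSize
'Indicator files present on disk:'
Get-SuspectFiles | Format-Table -AutoSize
```

    Run it once before and once after a cleanup pass; an entry that reappears in the second run, or a file that is back with a fresh timestamp, points at whichever launch point is recreating it. Sysinternals Autoruns covers many more locations (services, drivers, scheduled tasks, Winlogon notify packages) and is the tool to reach for when the keys above all come back clean.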
     
  23. jarcher

    jarcher I can't handle a title

    Again, I am at a loss. .I looked online
    and found a few Dutch, German and Italian sites (no English) that had similar issues. .they appear to be trojans?
    One German suggestion (as follows)
    kinda scares me a bit, I don't want to recommend it,
    but were there uninstall strings?
    just curious

    I would like a FINDnFIX log for the smart guys here to look at
    but I cannot find a valid dl link. . .
    I'll ask around
     
  24. cillygirl

    cillygirl Private E-2

    its cool....all help is very much appreciated.....very much!

    Im thinkin it must be a semi new virus based on only 2 google hits per yesterday and now a few more...so....i think we just got lucky here lol.

    However, I think my other half is about at the point of recovering the good info from that machine and shred'n the drive (so to say).

    Spent a lot of time tryin to remove this junk only to get the browser hijacks removed and where it should be a "stable system"...then reboot and blamo!

    So, I think I am at a loss also lol. Gonna do some more research and see what i can find....but...its not lookin good.

    thanks again

    not sure about the uninstall strings....
     
