
netmgsno.exe

Posted on 2007-07-23
Last Modified: 2007-12-19
Hi,

following http:Q_22710342.html

netmgsno.exe

Any ideas on how to get rid of it?

I have some scan reports, too long to put them here, I'll put them online hopefully by tomorrow (ftp access problems).

Points will be upped if solved, I will ask for deletion if I'll have to reinstall, as I know that is the alternative.

Thank you.
Question by: keneso

Expert Comment by johnb6767 (LVL 66), ID: 19551757
Could you provide us another Hijack This logfile, from your current setup?

And can you find the file, right-click it > Properties, and tell us what is under the Version tab?

Last but not least (to start with anyway...)

Jotti's malware scan 2.99
http://virusscan.jotti.org/

upload it to see if it is detected as malicious....

Expert Comment by rpggamergirl (LVL 47), ID: 19552898
Hi,
In your other thread, I thought you were able to rename it (I could've read it wrong).

I would like to try Avenger on that file. If Avenger fails then that means there is a boot-level driver protecting that file from deletion, or maybe it deletes PendingFileRenameOperations, or maybe another file/files are respawning it.

Can we please see the ComboFix log?
Can we also ask to see the latest Kaspersky scan result, to see the files being locked? It would help.
Also a HijackThis log as John suggested would help, thanks.

If no joy, we'll use another diagnostic tool to find the culprit driver.

Expert Comment by r-k (LVL 32), ID: 19553619
Try this:

(1) Right click on the file (c:\windows\system32\netmgsno.exe) in Windows Explorer or My Computer, select Properties
(2) Click on the Security tab.
(3) Click on the Advanced button.
(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"
(5) Close all windows.
(6) Reboot

After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone. The file will still be there but leave it alone for now, it should not be running or causing any harm.

You should follow up with some logs that show what else might be running. HJT is a good start, but I also suggest an Autoruns log as follows:

(1) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, uncheck "Include Empty Locations" and check "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Use the File -> Save as.. option in Autoruns to save the list to a text file and then copy and paste it here.


Author Comment by keneso (LVL 7), ID: 19555463
>>In your other thread, I thought you were able to rename it(I could've read it wrong).

You read fine, indeed the file is now netmgsno_old, just can't delete it.

Here you can have the last scans
http://www.internetetc.it/ee_stuff/keneso/filippini.html

the top one being the most recent, and last one the oldest

Expert Comment by rpggamergirl (LVL 47), ID: 19555940
Let's try Killbox with these first and see; if it cannot, then we'll use another tool.

*Open Killbox
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\netmgsno_old.exe
C:\WINDOWS\Tasks\agea.job
C:\WINDOWS\Tasks\apjlpjz.job
C:\WINDOWS\Tasks\btvjk.job
C:\WINDOWS\Tasks\ckjieg.job
C:\WINDOWS\Tasks\cnt.job
C:\WINDOWS\Tasks\czepi.job
C:\WINDOWS\Tasks\dcehg.job
C:\WINDOWS\Tasks\dgmynqu.job
C:\WINDOWS\Tasks\eduksddi.job
C:\WINDOWS\Tasks\fffpjvl.job
C:\WINDOWS\Tasks\fzdegykl.job
C:\WINDOWS\Tasks\izh.job
C:\WINDOWS\Tasks\izo.job
C:\WINDOWS\Tasks\jaiyvmg.job
C:\WINDOWS\Tasks\ksdilanl.job
C:\WINDOWS\Tasks\ktvotgyj.job
C:\WINDOWS\Tasks\kvifulpe.job
C:\WINDOWS\Tasks\mjuzqd.job
C:\WINDOWS\Tasks\ncf.job
C:\WINDOWS\Tasks\nxzs.job
C:\WINDOWS\Tasks\obzd.job
C:\WINDOWS\Tasks\odjaoaes.job
C:\WINDOWS\Tasks\pzmv.job
C:\WINDOWS\Tasks\spuhh.job
C:\WINDOWS\Tasks\sxiou.job
C:\WINDOWS\Tasks\uezdlglh.job
C:\WINDOWS\Tasks\ulssyoap.job
C:\WINDOWS\Tasks\vhsdpn.job
C:\WINDOWS\Tasks\wbhkkyy.job
C:\WINDOWS\Tasks\wobav.job
C:\WINDOWS\Tasks\ycfu.job
C:\WINDOWS\Tasks\yxecg.job

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.

Author Comment by keneso (LVL 7), ID: 19556120
>>r-k

I've done what you suggested
"(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove""
was already unchecked.

In the advanced section of the Programs tab it's this:
Windows PIF settings:
Autoexec name:   %SYSTEMROOT%\SYSTEM32\AUTOEXEC.NT
Config name:        %SYSTEMROOT%\SYSTEM32\CONFIG.NT

>>johnb6767

It says:
"the file you uploaded is 0 bytes, it's very likely a firewall, or a piece of malware is prohibiting you from uploading this file."

Author Comment by keneso (LVL 7), ID: 19556139
Hadn't refreshed from my last post, I'll try that.

Author Comment by keneso (LVL 7), ID: 19556365
>>Let's try Killbox with these first and see, if it can not then we'll use another tool.

No luck.

It gives this message:

PendingFileRenameOperations Registry Data Has Been Removed by External Process

Author Comment by keneso (LVL 7), ID: 19556379
I also tried "single file", and "normal kill", but no way.

Expert Comment by rpggamergirl (LVL 47), ID: 19556392
Can you also run these please? (I'll check back tomorrow first thing, it's midnight here now)

1. Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.
*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


2. This one below won't remove any bad files, it will just scan and produce a log.
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
In the Files Created Within group click "30 days"
In the Files Modified Within group select "30 days"
In the File String Search group select "Non-Microsoft"
Now click the "Run Scan" button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked.
If it is then click on it to uncheck it.
Upload the report so we can look at it, please.

Accepted Solution by rpggamergirl (LVL 47), earned 1600 total points, ID: 19556492
Oh I see. Killbox failed.

Let's use Avenger,
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all text/characters inside the lines below):

-----------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\system32\netmgsno_old.exe
C:\WINDOWS\Tasks\agea.job
C:\WINDOWS\Tasks\apjlpjz.job
C:\WINDOWS\Tasks\btvjk.job
C:\WINDOWS\Tasks\ckjieg.job
C:\WINDOWS\Tasks\cnt.job
C:\WINDOWS\Tasks\czepi.job
C:\WINDOWS\Tasks\dcehg.job
C:\WINDOWS\Tasks\dgmynqu.job
C:\WINDOWS\Tasks\eduksddi.job
C:\WINDOWS\Tasks\fffpjvl.job
C:\WINDOWS\Tasks\fzdegykl.job
C:\WINDOWS\Tasks\izh.job
C:\WINDOWS\Tasks\izo.job
C:\WINDOWS\Tasks\jaiyvmg.job
C:\WINDOWS\Tasks\ksdilanl.job
C:\WINDOWS\Tasks\ktvotgyj.job
C:\WINDOWS\Tasks\kvifulpe.job
C:\WINDOWS\Tasks\mjuzqd.job
C:\WINDOWS\Tasks\ncf.job
C:\WINDOWS\Tasks\nxzs.job
C:\WINDOWS\Tasks\obzd.job
C:\WINDOWS\Tasks\odjaoaes.job
C:\WINDOWS\Tasks\pzmv.job
C:\WINDOWS\Tasks\spuhh.job
C:\WINDOWS\Tasks\sxiou.job
C:\WINDOWS\Tasks\uezdlglh.job
C:\WINDOWS\Tasks\ulssyoap.job
C:\WINDOWS\Tasks\vhsdpn.job
C:\WINDOWS\Tasks\wbhkkyy.job
C:\WINDOWS\Tasks\wobav.job
C:\WINDOWS\Tasks\ycfu.job
C:\WINDOWS\Tasks\yxecg.job
C:\WINDOWS\Tasks\xonc.job
-----------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.


I have to go, can't stay up any longer.

Author Comment by keneso (LVL 7), ID: 19558759
SDFix, and WinPFind3U scans added here
http://www.internetetc.it/ee_stuff/keneso/filippini.html

Will try avenger tomorrow.

Expert Comment by rpggamergirl (LVL 47), ID: 19562245
Thanks for the logs. I was looking for some hidden drivers that could possibly be the culprit. I didn't find any. I added one more of those random jobs to be deleted.
I've seen Lop infections install random jobs, but this one is surely different.
It's kinda weird.

Author Comment by keneso (LVL 7), ID: 19566388
>>Thanks for the logs

Thank YOU.

Ok, avenger did deleted them.

I ran Kaspersky again after Avenger, and it keeps reporting a couple of viruses, and a dozen files infected.
Please take a look here at the last log
http://www.internetetc.it/ee_stuff/filippini/

*** NOTICE *** the above link is different than the previous, as I changed it.

Author Comment by keneso (LVL 7), ID: 19566624
>>did deleted

Too many dd on my keyboard.

Expert Comment by rpggamergirl (LVL 47), ID: 19571433
>>I ran kaspersky again after avenger, and it keeps reporting a couple of viruses, and dozen files infected.<<

In the Kaspersky log, it is normal for some files to be locked.
index.dat is normally locked, and if you want to delete index.dat files, they can be removed using third-party tools like Index.Dat Suite (which is the one I use).
It's also normal for some programs' files to be locked,
just as protected system files would also be locked.

The infected files that Kaspersky reported are all located in Norton's quarantine folder -->C:\Programmi\Norton AntiVirus\Quarantine
they are in quarantine, I think you can delete them via Norton feature to clear/delete/empty the quarantine folder.

What I would worry about is IF those random jobs in the windows\tasks folder have respawn themselves.
Can I please ask you to check the C:\Windows\tasks folder? see if any jobs has respawn.
Thanks!
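A small triage helper for the C:\Windows\Tasks check rpggamergirl asks for above, added here as an example; it is not code from the thread or from any of the tools it mentions. It takes the job names deleted in this thread as the baseline and constructs its own folder listings; the random-name rule is a heuristic of the example, not a detection from the page.

```python
r"""Flag random-looking .job files in a Tasks folder and detect whether deleted ones came back."""
import re
from pathlib import Path

# Heuristic (example's own, not from the thread): the jobs in this thread were 3-8 lowercase
# letters, with no digits, spaces or vendor words. Legitimate scheduled tasks are normally
# longer and mixed-case, e.g. GoogleUpdateTaskMachine.job. A hit still needs a look at the
# job's command line before it is treated as malicious.
RANDOM_JOB = re.compile(r"^[a-z]{3,8}\.job$")

# Subset of the jobs deleted with Avenger in the thread; enough for the demonstration.
DELETED_JOBS = {"agea.job", "apjlpjz.job", "btvjk.job", "ckjieg.job", "cnt.job", "xonc.job"}


def suspicious_jobs(names):
    """Return the names (any iterable of filenames) that match the random-name heuristic."""
    return {n for n in names if RANDOM_JOB.match(n)}


def respawn_report(deleted, current):
    """Compare a current Tasks listing against the set that was deleted.

    respawned: deleted jobs that exist again; new_random: random-looking jobs not seen before.
    Either being non-empty means a dropper is still active and the cleanup is not finished.
    """
    current = set(current)
    respawned = deleted & current
    new_random = suspicious_jobs(current) - deleted
    return {"respawned": sorted(respawned), "new_random": sorted(new_random),
            "clean": not respawned and not new_random}


def snapshot(tasks_dir):
    r"""List the .job files actually present in a folder, e.g. Path(r'C:\Windows\Tasks')."""
    return {p.name for p in Path(tasks_dir).glob("*.job")}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the Tasks folder after cleanup, with one job back (relapse).
        for name in ("GoogleUpdateTaskMachine.job", "SA.DAT", "cnt.job"):
            Path(tmp, name).touch()
        print(respawn_report(DELETED_JOBS, snapshot(tmp)))
```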
 
LVL 7

Author Comment

by:keneso
ID: 19584101
Thank you.

I deleted Norton's quarantine, and ran Kaspersky again, and 0 viruses.
I have a question about the index.dat files here, if you'd like to check http:Q_22726104.html

Upped the points (250 > 400) to show my appreciation.

Thank you all for the time and effort.

Author Comment by keneso (LVL 7), ID: 19584105
>>Can I please ask you to check the C:\Windows\tasks folder? see if any jobs has respawn.

Forgot to answer: no, they're gone.

Expert Comment by rpggamergirl (LVL 47), ID: 19584500
They didn't respawn, that's great!

And thank you for the points, very kind of you, I very much appreciate it.

Thanks!