Results 1 to 4 of 4
  1. #1
    Member
    Join Date
    Nov 2007
    Posts
    2
    Points
    0

    Default MM_TMP~1 (Hijackthis log included)

    HEEEEELLLLPPP!!!

    Now that that is outta the way, I'm not really sure how to start this, so here's the rundown of everything so far.

    Problem:

    Upon normal startup, I get 6 command prompt windows. 2 with variants with names like the topic title. (MM_TMP~1 and MM_TMP~2) I also get 4+ windows with variants like mmgr.exe, mmhr.exe. (Oddly no MMMR.exe which I found numerous topics for.) Safe mode operation appears normal. The windows themselves are empty, save a lone cursor bouncing around inside them.

    I am unable to reach the internet with this machine in normal mode. Opening IE causes the window to simply close after ~5 seconds. During Safe mode boot, I get none of this.

    What I have tried:

    Spybot S&D (fully updated & running in safe mode)

    Ad Aware SE personal (fully updated)

    AVG Antivirus (Finds some viruses, removes them, but they appear immediately upon boot up.)

    Turned off system restore to remove viruses from there.

    Combofix.exe (Found numerous entries and removed them, to no avail.)

    CCCleaner (Again, found numerous entries, but nothing has solved this problem.)

    HijackThis! log posted to 2 seperate online analyzers and have removed everything labeled (nasty).

    Manually went through the HijackThis log and removed everything I was comfortable doing.
    --------------------------------------------

    I'm not quite sure where to proceed from here. Attached is my HijackThis! log file. Hopefully someone much smarter than I am can see the issue.

    Thank everyone in advance for your time. Even if you don't reply, I appreciate the time it takes to read this.

    ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 18:23, on 2007-11-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\mmall.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\James Curcuru\Desktop\HijackThis\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    F3 - REG:win.ini: run=C:\WINDOWS\mmall.exe
    O2 - BHO: (no name) - {3ADB9AC0-2222-4A2C-8D9E-03D9867492DD} - C:\Program Files\Microsoft Works\horevoja83122.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
    O4 - HKCU\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - Winlogon Notify: arm32reg - C:\Documents and Settings\All Users\Documents\Settings\arm32.dll (file missing)
    O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
    O20 - Winlogon Notify: winbjv32 - winbjv32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6357 bytes

  2. #2
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    Turned off system restore to remove viruses from there.
    Not a good idea.... If you crashed the PC, may not be able to do anything

    HijackThis! log posted to 2 seperate online analyzers and have removed everything labeled (nasty).

    Manually went through the HijackThis log and removed everything I was comfortable doing.
    This verges on a really bad idea. I am sure that one the of analyzers you used in a German site, hence it only knows bad things from that area of the world. You are in the USA, not Europe.

    Please post the C:\ComboFix.txt. log.

    BG

  3. #3
    Member
    Join Date
    Nov 2007
    Posts
    2
    Points
    0

    Default

    Update.

    I was able to close down that last virus. Put the drive in another machine so that there weren't any protected files and SAV corp cleaned em out.

    Upon putting them back in the original machine, everything seems A-OK save IE crashing. That should be easy enough to fix.

    Thank you very much for your reply BMG, I apologize for not getting here sooner.

  4. #4
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    HI

    Are you saying you are no longer seeking help ?

    The filename MMGR.EXE was first seen on Nov 13 2007 in SPAIN.

    It has also been seen in the following geographical regions :-

    BRAZIL on Nov 13 2007
    The EUROPEAN UNION on Nov 27 2007
    The UNITED STATES on Nov 27 2007

    The filename MMGR.EXE refers to many versions of an executable program.


    The most common file size is 36,352 bytes. But the following file size has also been seen:
    33,792 bytes

    The unsafe files using this name are associated with the malware group VB.FL.

    If you still want advice then we need to see the original C:\ComboFix.txt which will now be C:\ComboFix1.txt & a new C:\ComboFix.txt

    steam

    Since there has been no response for a few days, from the poster, this topic is now closed. BG

    (Please contact a Moderator if you need it reopened. Please be advised that the spyware forum will closing down for the Holidays on or about the December 20.)
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -