
UseNext Account Generator v1.2 msmgsd.exe HELP!

Status
Not open for further replies.

RazRazRaz (Technical User), Jan 15, 2010
Hi, this process (UseNext Account Generator v1.2) starts on boot.

I don't know what it is and can't get rid of it.

The executable (msmgsd.exe) is in c:\windows. If I delete it, it is recreated within a couple of minutes.

I'm not sure this is doing any damage, but cannot find any information anywhere as to how to remove it.

AdAware and Avast do not pick it up as malware or a virus.

Please help
 
msmgsd.exe is the Microsoft Messenger... so it is no wonder that neither AdAware nor Avast picks it up...

I suggest two things:

1. Download HiJackThis from the TrendMicro website, run a scan with LOG and paste this log here for our perusal...

TrendMicro's HiJackThis

2. Download MBAM and SuperAntiSpyware, run a scan with both...

MBAM

SuperAntiSpyware

NOTE: if the apps will not install, try renaming them to TEST1.EXE, then try to install again... or just go on the safe side and when you DL them rename them at that time...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Thanks - I'll try these and post the log file back.

btw - I thought msmsgs.exe was the messenger process, not msmgsd.exe?

Kind Regards

Raz
 
You are correct, Windows Messenger is msmsgs.exe. This is something else and sounds like spyware. As BadBigBen mentioned, Malwarebytes Antimalware & SuperAntispyware would be the place to start.
 
That's right - if the OP didn't make a mistake (msmgsd.exe) then it's something to worry about, but I'd think that MBAM or SAS will take care of it as mentioned above. Run them and let them clean what they find.
 
My mistake, I was in a rush this morning, and I mistook the said file for the Messenger Service...

IT is obviously NOT the case, and that file is 99.9% malware, or should be taken for malware...

Another tip, before cleaning out malware, make sure that SYSTEM RESTORE is turned OFF, a lot of malware hide in there and can respawn from that location...

Still do post a HiJackThis LOG, and DO scan with MBAM and SAS (both as the one finds stuff the other does not)...


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
I would like to add that system restore can be turned off after the malware has been removed and the PC is rebooted once to make sure that the PC is still bootable. Then you can turn the Sys Rest OFF and do another quick scan if you're paranoid.

I'm wary about turning system restore off unless the system is very stable because once you turn it off, there's no easy way to restore the registry, etc.

It IS a good idea though with nasty malware. Most "normal" malware it's not required - Personal Antivirus, XP Antivirus 2009 - those sort of mild infections.

Rootkits and Trojans (TDSS) that keep trying to come back are the ones to be concerned with.
 
You guys are brilliant. Really helpful.

I do apologise for not doing all the stuff you have recommended yet. I have an interview next week for a new job and preparing for this is taking up all my time. I have to do a presentation!!!

I'm using a different PC at the moment and will try all your suggestions just as soon as I can.

Once again, thanks for your help and positive reaction to a relative newbie.

Raz
 
Hi helpful people,

Here is the log file from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40:24, on 24/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\program files\mozilla firefox\firefox.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Andrew\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [VitaKeyPdtWzd] C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [12113466] C:\Windows\msmgsd.exe
O4 - HKLM\..\RunOnce: [*12113466] C:\Windows\msmgsd.exe
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [12113466] C:\Windows\msmgsd.exe
O4 - HKCU\..\RunOnce: [*12113466] C:\Windows\msmgsd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra 'Tools' menuitem: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: spba - C:\Program Files\Common Files\SPBA\homefus2.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iGroupTec Service (IGBASVC) - Unknown owner - C:\Program Files\Acer\Acer Bio Protection\BASVC.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10937 bytes


What do I do now?

Many Thanks
 
The following need to be removed, using HJT:

O4 - HKLM\..\Run: [12113466] C:\Windows\msmgsd.exe
O4 - HKCU\..\Run: [12113466] C:\Windows\msmgsd.exe
O4 - HKCU\..\RunOnce: [*12113466] C:\Windows\msmgsd.exe

Other than that the LOG is clean...

Keep us posted!!!

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
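The four O4 entries singled out for removal share traits that can be checked mechanically rather than by eye. The following Python is an added example, not code from the thread or from HijackThis: it parses O4 lines in the log's format and flags run-key entries on three heuristics (binary directly in the Windows folder, a purely numeric key name, and the same binary registered under several Run/RunOnce keys). The log excerpt is constructed from lines in the shape of the posted log; the heuristics yield candidates for review, not verdicts.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis O4 format (not the full posted log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [12113466] C:\Windows\msmgsd.exe
O4 - HKLM\..\RunOnce: [*12113466] C:\Windows\msmgsd.exe
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [12113466] C:\Windows\msmgsd.exe
O4 - HKCU\..\RunOnce: [*12113466] C:\Windows\msmgsd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# O4 - <hive>[\SID]\..\<Run|RunOnce>: [<name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?:\\S-[\d-]+)?\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First .exe in the command, quoted or not; paths may contain spaces.
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.I)
# Executable placed directly in the Windows folder, not a subfolder.
WINDIR_ROOT_RE = re.compile(
    r"^(?:%windir%|%systemroot%|[a-z]:\\windows)\\[^\\]+\.exe$", re.I)

def parse_o4(log):
    """Return one dict (hive, key, name, cmd) per O4 line."""
    entries = []
    for line in log.strip().splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def executable_path(cmd):
    """Strip quotes and arguments, leaving the executable path."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().split(" ")[0]

def suspicious(entries):
    """Map 'hive\\key\\name' to the list of heuristics it triggers."""
    seen_under = defaultdict(set)  # executable -> {(hive, key), ...}
    for e in entries:
        seen_under[executable_path(e["cmd"]).lower()].add((e["hive"], e["key"]))
    findings = {}
    for e in entries:
        path = executable_path(e["cmd"])
        reasons = []
        if WINDIR_ROOT_RE.match(path):
            reasons.append("binary sits directly in the Windows folder")
        if e["name"].lstrip("*").isdigit():
            reasons.append("run-key name is a bare number")
        if len(seen_under[path.lower()]) >= 3:
            reasons.append("same binary registered under several Run/RunOnce keys")
        if reasons:
            findings[f"{e['hive']}\\{e['key']}\\{e['name']}"] = reasons
    return findings

if __name__ == "__main__":
    for entry, reasons in suspicious(parse_o4(SAMPLE_LOG)).items():
        print(entry, "->", "; ".join(reasons))
```

Legitimate software does sometimes live in the Windows folder (the posted log's RtHDVCpl.exe is one case), so a single hit is a prompt to check the publisher, not grounds for deletion.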
 
Once you've followed Ben's suggestions, just to be sure, it wouldn't hurt doing this:

1. Reboot
2. Scan with the 2 programs he mentioned earlier - Malwarebytes and SuperAntispyware.
3. Reboot
4. Turn off System Restore
5. Reboot
6. Turn back on System Restore
7. Download, install, and run Advanced System Care.
- The nifty little app will check practically everything.
- Here's how I suggest running it: After you install it, it'll open itself for the first time, allowing you to customize a thing or two, then it'll start its first scan. I would suggest stopping the scan, then hit the big button to the left on the application screen. That way, it'll run through the entire process, including a good defrag.
8. After you finish all of that, reboot again.
9. If no issues, you're all done for now..

Of course, you could do other things as well, but should be all set.

Also, make sure you've got good active protection, and basically this setup as a minimum:
1. Hardware firewall (a router between you and your internet connection (modem))
2. Software Firewall - Comodo Internet Security or Online Armor (Online Armor currently does not run on 64-bit, I hope it will soon)
3. Good Active Antivirus - Avira Antivir my current #1 choice, and I believe at least Ben agrees there.

Well, that should cover it, I believe.

--

"If to err is human, then I must be some kind of human!" -Me
 
Hi,

Tried deleting the entries as suggested. They just come back after a reboot.

SuperAntiSpyware identifies 2 Trojan.Agant/Gen entries in the registry. I deal with these, and they come back again after a reboot.

Will try Advanced System Care, but seriously considering a rebuild.

Thanks Guys
 
Okay, here's another method that's often forgotten about, that I've used very successfully (assuming it finds the same or related entries):

1. Download and run Mwav Antivirus.
2. Manually delete anything it finds - or if you want, you can pay to have it delete anything it finds, but I found I was able to look up the entries manually, delete them, and that took care of some issues.
3. Reboot.
4. Run SuperAntispyware again to see if it is still finding the same entries, or if they are gone - if it finds them again, let it try to remove them... this time, hopefully it won't have its support group there, so it'll die easier.
5. And reboot again.
6. If you want to do some more checking/scanning, it might not hurt to also try the DrWeb LiveCD for scanning your machine outside of Windows. Just be forewarned, that thing can be slow as Christmas.

Of course, after all is said and done, disable the System Restore functions, reboot, and re-enable.

Also, as you said, this is why oftentimes I find it's less time consuming, and frankly a much easier task, to just wipe everything clean and reinstall Windows.


--

"If to err is human, then I must be some kind of human!" -Me
 
Here's a guess. Use Autoruns from the Sysinternals suite. Look at what's running. In particular (and my guess) look at userinit - does Autoruns tell you that the publisher is Microsoft? Most antimalware tools won't examine this file because simply removing it or cleaning it can render your system unbootable. If my guess is correct, you can COPY userinit.exe to some other name and scan it with MBAM or SAS to find out what you have. Then, (if my guess is proven correct), you can expand a fresh copy of userinit.exe from your installation media.
 
Hi guys,

Tried all of these solutions and still couldn't get rid of the blasted thing.

Half the products didn't even recognise it as malware/spyware.

Bit the bullet last night and rebuilt the system after doing a low level format on the disk.

Many thanks to all you guys for your help. You all rock!

Raz
 