imgole.exe process
pokesquid808
SO CAL
Has anyone ever heard of this process? It's running on my friend's computer and seems to be slowing everything down (using 100% usage). I've tried to walk her through as much as I know but don't know what else to do. She previously had a virus but I was able to clean that off for her. I had to do it over the phone as we are currently in different areas. I've searched a multitude of search engines but nothing comes up at all! Could someone help me out?
So far this is a list of what we have tried:
1. Searched for imgole on her entire computer including hidden files and registry. Went into safe mode and did the same.
2. imgole was linked to a lot of Google type of files, I'm guessing in her temp folder. We cleared all that and ended the process. Restarted, it was still there.
3. Went to msconfig and turned everything off. Did not work.
4. Ran Ad-Aware, virus scan, Search & Destroy; nothing came up that resembled imgole.
5. Disconnected from the internet as I was thinking maybe she was helping in some kind of DoS attack, as the virus was a backdoor trojan so someone had access to her files.
6. In her other accounts the process is not running, which leads me to assume that it has something to do with her profile. She is in the process of trying to save her docs and pics and then she will delete the account and see what happens.
That's about it. Sorry about it being so long. Let me know if you know anything about this. Thanks all.
Comments
Logfile of HijackThis v1.98.2
Scan saved at 8:28:09 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\Web\imgole.exe
C:\hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.yahoo.com/homestarrunner/dvddvddvd.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\jtpruzml.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\jtpruzml.slt\prefs.js)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - (no file)
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\CHARIT~1\LOCALS~1\Temp\elogmi.dat
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [*infodos] C:\WINDOWS\Config\infodos.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [*imgole] C:\WINDOWS\Web\imgole.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.8.4.24/gin/gin-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.4.24/flinger/flinger-ob-assets.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.clarkcolor.com/ClarkUpload.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096188487255
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
I think I might do a WindowsUpdate from that box, as one of the things that has been fixed-- which affects image handling-- has been patched fairly recently. For starters. Second, I would kill all the entries for http://www.websearch.com/. THEN I would restart XP and rescan with HJT. IF it is still there, then it exists or is an alias for something else. To see it, you need to be able to view and run things as admin and have a search with results from hidden and system folders included to see it, probably. Once you find it, click the right mouse button on it, and look at the Properties choice; tell me what that dialog says as far as version and publisher, and as far as date info, all three lines' worth with labels. I can check it out from there with that info. RIGHT-CLICK does not run the thing, it lets you see what Windows knows about it without running it.
My guess is this: Something is using many copies of it at once, and the imgole.exe is not the thing using it. BUT, I need version and date info to tell for sure before I say it's bad or good-- the only thread or page a Google search yields is THIS one (!!). Which means it is not documented yet. To take it to MS's Security Team as a validation query or look it up in a crawl through MS's KB and a few AV publishers' KBs and viral info encyclopedias and to query a couple of AV publishers myself, I need THAT info about it at minimum, and might need a copy to send them or one of the AV publishers. I'd handle that as a client need thing, without any ID of client given. The only other thing I can say is this: See if Symantec has a Zafi.D killer available yet; that might not happen for a few days yet. ZAFI.D uses semirandom names and attachments that are supposedly graphics. It was discovered here in the US yesterday evening by MessageLabs in volume, LOTS of volume in a short time. SO, it could be an undocumented new thing, or the result of a semirandom-name viral that is the real culprit, and imgole.exe is legit but needs a fix that is part of a security patch and folks have not written about it yet.
FROM the version and date and name, I can at least find out in about 24 hours to 36 hours max if the thing is a known legit process as far as MS knows. To know if it is infected I'd almost have to submit the thing. One place I'd send it is to Kaspersky Labs, another would be Symantec, a possible third would be Authentium or F-Prot, OR I could scan it for viral knowns that F-Prot knows here. If you want it analyzed, let me know here in this thread with a reply; if not, and if doing what I said above does not kill it, then the right-click and info from it would be very much appreciated.
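The reply above boils down to reading the HijackThis log for two things: which autostart (O4) entries launch the unknown file, and which browser settings (R0/R1) point at websearch.com. As an added example, not code from this thread, from HijackThis or from either poster, here is a small Python parser for that log format that does exactly that triage offline. The log excerpt is constructed from the posted log, the 8.3 short-name expansions (PROGRA~1, COMMON~1) and the list of "expected" executable directories are assumptions of the example, and flagging a Run value whose name starts with "*" is the example's own heuristic, not something the reply states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Web\imgole.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [*infodos] C:\WINDOWS\Config\infodos.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [*imgole] C:\WINDOWS\Web\imgole.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
"""

@dataclass
class Autostart:
    hive: str                 # HKLM or HKCU
    key: str                  # Run, RunOnce, ...
    name: str                 # value name shown in [brackets]
    command: str              # full command line from the log
    reasons: List[str] = field(default_factory=list)
    running: bool = False     # True if the exe also appears under "Running processes"

    @property
    def exe(self) -> str:
        # First token ending in .exe; arguments such as "/boot" are dropped.
        m = re.match(r'\s*"?(.*?\.exe)', self.command, re.IGNORECASE)
        return m.group(1) if m else self.command

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^R[0-3] - (?P<key>[^=]+?) =\s*(?P<value>.*)$')
ENTRY_RE = re.compile(r'^[A-Z][0-9]+ - ')   # any "Xn - " HijackThis entry line

# Assumption: directories where an autostart executable is unremarkable on this box.
BASELINE_DIRS = ("C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM32")

def normalize(path: str) -> str:
    # Assumption: the usual 8.3 aliases of an English XP install; adjust if they differ.
    p = path.upper().strip()
    for short, long in (("PROGRA~1", "PROGRAM FILES"), ("COMMON~1", "COMMON FILES")):
        p = p.replace(short, long)
    return p

def parse_hjt(text: str) -> Dict[str, list]:
    processes, autostarts, browser = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False          # first "Xn - " line ends the process list
        if in_procs:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            autostarts.append(Autostart(m["hive"], m["key"], m["name"], m["cmd"]))
            continue
        m = R_RE.match(line)
        if m:
            browser.append((m["key"], m["value"]))
    return {"processes": processes, "autostarts": autostarts, "browser": browser}

def flag_autostarts(parsed: Dict[str, list]) -> List[Autostart]:
    running = {normalize(p) for p in parsed["processes"]}
    flagged = []
    for a in parsed["autostarts"]:
        a.reasons = []
        exe = normalize(a.exe)
        directory = exe.rsplit("\\", 1)[0]
        a.running = exe in running
        if a.name.startswith("*"):
            a.reasons.append("value name starts with '*' (unusual for installed software)")
        if directory not in BASELINE_DIRS and not directory.startswith("C:\\PROGRAM FILES"):
            a.reasons.append(f"executable lives in {directory}, not a standard install location")
        if a.reasons:
            flagged.append(a)
    return flagged

def entries_for_host(parsed: Dict[str, list], host: str) -> List[Tuple[str, str]]:
    # Browser settings (R0/R1) whose value mentions the given host, e.g. websearch.com.
    host = host.lower()
    return [(k, v) for k, v in parsed["browser"] if host in v.lower()]

def report(parsed: Dict[str, list], hijack_host: str) -> List[str]:
    lines = []
    for a in flag_autostarts(parsed):
        state = "running" if a.running else "not running"
        lines.append(f"{a.hive}\\{a.key} [{a.name}] -> {a.exe} ({state}): " + "; ".join(a.reasons))
    for key, value in entries_for_host(parsed, hijack_host):
        lines.append(f"browser setting pointing at {hijack_host}: {key} = {value}")
    return lines

if __name__ == "__main__":
    for line in report(parse_hjt(SAMPLE_LOG), "websearch.com"):
        print(line)
```

Run against the excerpt, the report names the two Run values that launch executables out of C:\WINDOWS\Config and C:\WINDOWS\Web (with imgole.exe also shown as running) and the one Search Bar setting pointing at websearch.com, which is the short list the reply asks to be dealt with before the version and publisher details are collected from the file's Properties dialog.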