no taskbar-hijackthis log included
Xplorer4
Senior Member
13. May 2007 @ 02:02
When Windows starts, the taskbar never shows up. So I try running explorer.exe through Task Manager. Sometimes when I actually get explorer (aka Windows) to run, I get a buffer overrun error. Also I have problems booting in safe mode. The taskbar does not load, and when I hit CTRL+ALT+DEL to run Task Manager, my system freezes. Any help is much appreciated.

From the look of it my problem lies in:
O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:49:23 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
O4 - HKLM\..\Run: [COMODO firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O20 - Winlogon Notify: pmnmmjg - C:\WINDOWS\SYSTEM32\pmnmmjg.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3933 bytes
Member
13. May 2007 @ 07:38
My God! That's a Vundo infection if I've ever seen one!

Download this older version of HijackThis to your Desktop. Extract it from its archive (it is either a .zip or .rar, can't remember which). Now, right-click on the file and select "Rename". Rename it to asdf.exe. Do not use it just yet.

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.



Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

VundoFix should have also generated a log that sits either on your Desktop or in the C: drive (more likely). Copy and paste the contents of that logfile in your reply.

Also, open HijackThis and do a scan. Save a log and post that in your reply as well.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
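
The pattern the original poster singled out in the first log, as an added example that is not part of any post in this thread: a DLL in system32 registered both as an unnamed Internet Explorer BHO (O2) and as a Winlogon Notify package (O20). The function names are hypothetical and the sample is a subset of lines copied from that log; the check is a triage heuristic for reading such logs, not a signature for any particular malware family.

```python
import re
from collections import defaultdict

# Subset of lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O20 - Winlogon Notify: pmnmmjg - C:\WINDOWS\SYSTEM32\pmnmmjg.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")
MISSING_RE = re.compile(r"\s*\(file missing\)$")  # suffix seen on the O23 rpcapd line


def norm(path):
    # The log mixes "system32" and "SYSTEM32" for the same directory, so compare
    # case-insensitively. 8.3 short names (PROGRA~1) cannot be expanded offline.
    return MISSING_RE.sub("", path.strip()).lower()


def parse_entries(log_text):
    """Map each normalised DLL path to its O2 and O20 registrations."""
    entries = defaultdict(lambda: {"bho": [], "notify": []})
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            entries[norm(m["path"])]["bho"].append((m["name"], m["clsid"]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries[norm(m["path"])]["notify"].append(m["name"])
    return entries


def dual_registered(log_text):
    """Return DLLs that are loaded by both IE (O2) and winlogon.exe (O20)."""
    findings = []
    for path, reg in sorted(parse_entries(log_text).items()):
        if reg["bho"] and reg["notify"]:
            findings.append({
                "path": path,
                "clsids": [clsid for _, clsid in reg["bho"]],
                "notify_keys": reg["notify"],
                "unnamed_bho": all(n == "(no name)" for n, _ in reg["bho"]),
            })
    return findings
```

On the sample this returns pmnmmjg.dll and vtstt.dll and leaves out ssv.dll, monln.dll and browseui.dll, each of which appears in only one of the two sections.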
Xplorer4
Senior Member
13. May 2007 @ 19:00
Here is the HijackThis log (note that I already ran it once and removed O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll )

As for O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
as you see it remains, but Windows did boot up 100% proper this time.

EDIT: HijackThis requested internet access and Comodo firewall prompted me about 2 ports, 20 and something like 1080; after allowing these connections my taskbar went away again!


Quote:
Logfile of HijackThis v1.99.1
Scan saved at 9:55:15 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Crimson Editor\cedt.exe
C:\Program Files\Gran Paradiso\firefox.exe
C:\Documents and Settings\David\Desktop\asdf.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
O4 - HKLM\..\Run: [COMODO firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O20 - Winlogon Notify: pmnmmjg - C:\WINDOWS\SYSTEM32\pmnmmjg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Quote:

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:26:30 PM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\vtstt.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.dll Has been deleted!

Performing Repairs to the registry.
Done!

This message has been edited since posting. Last time this message was edited on 13. May 2007 @ 19:04

Member
14. May 2007 @ 10:45
Please don't quote logfiles, it makes things harder to read :)

HijackThis shouldn't ask for Internet access; that could be a problem.

For now, if you don't know what is being blocked by Comodo, deny it.

Let's see... possibly... probably not, but just to be safe, we should rule out rootkit-Vundo.

Please download and run F-Secure BlackLight. Do a scan and save a log. Post that log back here.

Next, download and install Unlocker. If it doesn't automatically start, then start it from the Start Menu.

Disable System Restore on all your local drives. You will get one or two warnings, this is normal. Now, go to My Computer > C > WINDOWS > System32 (or system32). Press the letter "p" on your keyboard; it should automatically scroll you to the first thing that starts with a "p". Keep doing it until you arrive at pmnmmjg.dll. Now, right-click on pmnmmjg.dll and select "Unlocker". It shows a list of things; click on "Unlock All". Now, right-click again on pmnmmjg.dll and select "Delete". It should delete without resistance. If it doesn't, Unlocker will pop up again. Just select everything that points you in the general direction of deleting the file. If Unlocker cannot delete it, it will prompt you to delete it on reboot. Accept that.

Empty your Recycle Bin, reboot your computer, and post me another HijackThis log.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Xplorer4
Senior Member
14. May 2007 @ 13:34
Ok well here is what I have come up with...

Blacklight found nothing.
System Restore was already off (but will make sure it did not get switched back on, maybe by the virus).
pmnmmjg.dll does not exist in the system32 dir, BUT I did a registry search for "pmnmmjg.dll" and came up with this:
HKEY_CLASSES_ROOT->CLSID->{E8A71124-FC63-436D-80D5-9E10282195F1}->InprocServer32->
Here there is a key named "Default" which has the type set to REG_SZ and the data field is listed as "C:\WINDOWS\system32\pmnmmjg.dll"

Also after my edit yesterday I ran VundoFix again, and it came up with files that appeared to be related to pmnmmjg.dll, so I rebooted, but it is still coming back, as my taskbar continues to disappear from time to time.

Member
14. May 2007 @ 15:38
Try these steps, directly taken from BleepingComputer.com:

Quote:
1. Download VirtumundoBegone and save it to your desktop.

2. Now reboot into Safe Mode.

   1. This can be done by tapping the F8 key as soon as you start your computer.

   2. You will be brought to a menu where you can choose to boot into safe mode.

   3. Select safe mode with networking using your arrow keys on the keyboard and then press enter.

   4. When your computer reaches the desktop, make sure you log in as the same user with which you had performed the previous steps.

3. Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.

4. Exit when it has finished, and reboot back to normal mode.



Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Member
14. May 2007 @ 21:41
Never disable your System Restore if your computer still has ugly stuff inside!

A nasty backup-restore is still better than being without any restore point!
Now if something goes wrong, you don't have any ace in the hole with your computer.

Virustorjunta.net: expert service without fooling around.
HJT logs here