1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

no taskbar-hijackthis log included

Discussion in 'Windows - Virus and spyware problems' started by Xplorer4, May 13, 2007.

  1. Xplorer4

    Xplorer4 Active member

    Joined:
    Apr 13, 2006
    Messages:
    1,080
    Likes Received:
    0
    Trophy Points:
    66
    When windows starts, the taskbar never shows up. So i try running explorer.exe through task manager. Sometimes when I actually get explorer(aka windows) to run, i get a buffer over run error. Also I have problems booting in safe mode. The taskbar does not load, and when i hit CTRL+ALT+DEL to run task manager, my system freezes. Any help is much appreciated.

    From the look of it my problem lies in:
    O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
    O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll



    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 4:49:23 AM, on 5/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O20 - Winlogon Notify: pmnmmjg - C:\WINDOWS\SYSTEM32\pmnmmjg.dll
    O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 3933 bytes
     
  2. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    My God! That's a Vundo infection if I've ever seen one!

    Download this older version of HijackThis to your Desktop. Extract it from its archive (it is either a .zip or .rar, can't remember which). Now, right-click on the file and select "Rename". Rename it to asdf.exe. Do not use it just yet.

    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.



    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
    Scan for Vundo button." when VundoFix appears at reboot.

    VundoFix should have also generated a log that sits either on your Desktop or in the C: drive (more likely). Copy and paste the contents of that logfile in your reply.

    Also, open HijackThis and do a scan. Save a log and post that in your reply as well.
     
  3. Xplorer4

    Xplorer4 Active member

    Joined:
    Apr 13, 2006
    Messages:
    1,080
    Likes Received:
    0
    Trophy Points:
    66
    Here is the hijack this log(not that i already ran it once and removed O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll )

    As for O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
    as you see it remains, but windows did boot up 100% proper this time.

    EDIT: hijack this requested internet access and comodo firewal prompted me about 2 ports, 20 and something like 1080, after allowing these connections my task bar went away again!


     
    Last edited: May 13, 2007
  4. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Please don't quote logfiles, it makes things harder to read :)

    HijackThis shouldn't ask for Internet access; that could be a problem.

    For now, if you don't know what is being blocked by Comodo, deny it.

    Let's see... possibly... probably not, but just to be safe, we should rule out rootkit-Vundo.

    Please download and run F-Secure BlackLight. Do a scan and save a log. Post that log back here.

    Next, download and install Unlocker. If it doesn't automatically start, then start it from the Start Menu.

    Disable System Restore on all your local drives. You will get one or two warnings, this is normal. Now, go to My Computer > C > WINDOWS > System32 (or system32). Press the letter "p" on your keyboard; it should automatically scroll you to the first thing that starts with a "p". Keep doing it until you arrive at pmnmmjg.dll. Now, right-click on pmnmmjg.dll and select "Unlocker". It shows a list of things; click on "Unlock All". Now, right-click again on pmnmmjg.dll and select "Delete". It should delete without resistance. If it doesn't, Unlocker will pop up again. Just select everything that points you in the general direction of deleting the file. If Unlocker cannot delete it, it will prompt you to delete it on reboot. Accept that.

    Empty your Recycle Bin, reboot your computer, and post me another HijackThis log.
     
  5. Xplorer4

    Xplorer4 Active member

    Joined:
    Apr 13, 2006
    Messages:
    1,080
    Likes Received:
    0
    Trophy Points:
    66
    Ok well here is what I have come up with...

    Blacklight found nothing.
    System Restore was already off(but will make sure it did not get switched back on maybe by the virus).
    pmnmmjg.dll does not exist in the system32 dir, BUT i did a registry search for "pmnmmjg.dll" and came up with this:
    HKEY_CLASSES_ROOT->CLSID->{E8A71124-FC63-436D-80D5-9E10282195F1}->InprocServer32->
    Here there is a key named "Default" which has the type set to REG_SZ and the data field is listed as "C:\WINDOWS\system32\pmnmmjg.dll"

    Also after my edit yesterday i ran vundo fix again, and it came up with files that appeared to be related to pmnmmjg.dll, so i rebooted but yet it still coming back as my taskbar continues to disappear from time to time.
     
  6. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Try these steps, directly taken from BleepingComputer.com:

     
  7. Etzo

    Etzo Regular member

    Joined:
    Feb 8, 2007
    Messages:
    489
    Likes Received:
    0
    Trophy Points:
    26
    Never disable your system restore if your computer has still ugly stuff inside!

    Nasty backup-restore is still better than without any restore-point!
    Now if something goes wrong, you don't have any ace-in-the-hole with your computer.
     

Share This Page