When Windows starts, the taskbar never shows up. So I try running explorer.exe through Task Manager. Sometimes when I actually get explorer (aka Windows) to run, I get a buffer overrun error. Also I have problems booting in safe mode. The taskbar does not load, and when I hit CTRL+ALT+DEL to run Task Manager, my system freezes. Any help is much appreciated. From the look of it my problem lies in:

O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:49:23 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O20 - Winlogon Notify: pmnmmjg - C:\WINDOWS\SYSTEM32\pmnmmjg.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3933 bytes
My God! That's a Vundo infection if I've ever seen one!

Download this older version of HijackThis to your Desktop. Extract it from its archive (it is either a .zip or .rar, can't remember which). Now, right-click on the file and select "Rename". Rename it to asdf.exe. Do not use it just yet.

Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

VundoFix should have also generated a log that sits either on your Desktop or in the C: drive (more likely). Copy and paste the contents of that logfile in your reply. Also, open HijackThis and do a scan. Save a log and post that in your reply as well.
Here is the HijackThis log (note that I already ran it once and removed O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll). As for O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll, as you see it remains, but Windows did boot up 100% properly this time.

EDIT: HijackThis requested internet access and Comodo Firewall prompted me about 2 ports, 20 and something like 1080; after allowing these connections my taskbar went away again!
Please don't quote logfiles, it makes things harder to read.

HijackThis shouldn't ask for Internet access; that could be a problem. For now, if you don't know what is being blocked by Comodo, deny it.

Let's see... possibly... probably not, but just to be safe, we should rule out rootkit-Vundo. Please download and run F-Secure BlackLight. Do a scan and save a log. Post that log back here.

Next, download and install Unlocker. If it doesn't automatically start, then start it from the Start Menu. Disable System Restore on all your local drives. You will get one or two warnings, this is normal.

Now, go to My Computer > C > WINDOWS > System32 (or system32). Press the letter "p" on your keyboard; it should automatically scroll you to the first thing that starts with a "p". Keep doing it until you arrive at pmnmmjg.dll. Now, right-click on pmnmmjg.dll and select "Unlocker". It shows a list of things; click on "Unlock All". Now, right-click again on pmnmmjg.dll and select "Delete". It should delete without resistance. If it doesn't, Unlocker will pop up again. Just select everything that points you in the general direction of deleting the file. If Unlocker cannot delete it, it will prompt you to delete it on reboot. Accept that.

Empty your Recycle Bin, reboot your computer, and post me another HijackThis log.
OK, well here is what I have come up with... BlackLight found nothing. System Restore was already off (but I will make sure it did not get switched back on, maybe by the virus). pmnmmjg.dll does not exist in the system32 dir, BUT I did a registry search for "pmnmmjg.dll" and came up with this:

HKEY_CLASSES_ROOT->CLSID->{E8A71124-FC63-436D-80D5-9E10282195F1}->InprocServer32->

Here there is a key named "Default" which has the type set to REG_SZ and the data field is listed as "C:\WINDOWS\system32\pmnmmjg.dll".

Also, after my edit yesterday I ran VundoFix again, and it came up with files that appeared to be related to pmnmmjg.dll, so I rebooted, but it is still coming back, as my taskbar continues to disappear from time to time.
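The diagnosis earlier in the thread rests on a pattern visible in the posted log (unnamed BHOs in system32 whose DLLs are also hooked as Winlogon Notify handlers), and the post above shows the second half of the picture: a CLSID registration that outlives the DLL it points to. As an added example, not code from this thread or from HijackThis, here is a small Python parser that flags the first pattern over the O2/O20 lines from the log and lists registrations whose DLL is no longer on disk; the existing_files set is a constructed stand-in for checking the real filesystem.

```python
import re

# Constructed sample: the O2 (BHO) and O20 (Winlogon Notify) lines from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A90D44E-CDE8-4607-A2A7-D5A940164467} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {E8A71124-FC63-436D-80D5-9E10282195F1} - C:\WINDOWS\system32\pmnmmjg.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O20 - Winlogon Notify: pmnmmjg - C:\WINDOWS\SYSTEM32\pmnmmjg.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

def parse_log(text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for line in text.splitlines():
        if (m := BHO_RE.match(line.strip())):
            bhos.append(m.groupdict())
        elif (m := NOTIFY_RE.match(line.strip())):
            notifies.append(m.groupdict())
    return bhos, notifies

def dll_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_vundo_suspects(text):
    """Vundo pattern from the log above: a BHO with no name, living in system32,
    whose DLL is also registered as a Winlogon Notify handler. Sorted file names."""
    bhos, notifies = parse_log(text)
    notify_dlls = {dll_name(n["path"]) for n in notifies}
    suspects = set()
    for b in bhos:
        unnamed = b["name"].strip().lower() == "(no name)"
        in_system32 = "\\system32\\" in b["path"].lower()
        if unnamed and in_system32 and dll_name(b["path"]) in notify_dlls:
            suspects.add(dll_name(b["path"]))
    return sorted(suspects)

def orphaned_registrations(text, existing_files):
    """Registered DLLs no longer on disk. existing_files is a constructed stand-in for
    os.path.exists(); a stale CLSID/Notify entry is why HijackThis keeps listing a deleted DLL."""
    bhos, notifies = parse_log(text)
    present = {p.lower() for p in existing_files}
    return sorted({dll_name(e["path"]) for e in bhos + notifies
                   if e["path"].lower() not in present})
```

On the real machine the same orphan check would be run with os.path.exists() against each registered path, and the stale InprocServer32 value is what a cleanup tool has to remove alongside the file.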
Never disable your System Restore if your computer still has ugly stuff inside! A nasty backup restore point is still better than no restore point at all! Now, if something goes wrong, you don't have any ace in the hole with your computer.