
No Bhos Detected By Hijackthis


4 replies to this topic

#1 matt h

matt h

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 08 December 2007 - 04:01 AM

I've already posted to this forum to ask help with deleting a leftover of Virtumonde (system32\pmnlk.dll), but I have a more specific related problem: HijackThis will not detect any of my BHOs (one of which is infected with pmnlk.dll), even though I know it's in there from my registry scan with Autoruns. What gives? Anyone ever have this problem? I ran the scan both with IE running and without, no difference.

A big reason I'm asking is that there's a good-looking fix for my problem, but one of the last steps is using HijackThis to fix the BHO and other specific infections--which would require HijackThis to find them!!! (it also can't detect that pmnlk.dll has infiltrated my system32\lsass.exe process as a module--again, I know it has, thanks to Autoruns and Spybot-S&D, which can't kill it without crashing the system).

Thanks in advance,
MH


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:58 PM

Posted 08 December 2007 - 10:10 PM

Hi Matt,

If you ran ComboFix, then you should be able to see the BHOs now. Please post a new HijackThis log and the ComboFix report and I'll help you finish up if you don't have another thread going elsewhere. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 matt h

matt h
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 11 December 2007 - 10:13 AM

Hi Tea,

Thanks for your quick reply. I'd initially tried to use Combofix, but couldn't get it to install ("corrupted file" error). Not sure if this was really bad form (I'm new to these forums), but I'd posted my problem to another forum (MajorGeeks), and they helped me get started (tho I've been waiting a few days for a reply to my logs). They had me fix some items using HJT immediately, deactivate Spybot's Tea Timer, and run CCleaner, then install Combofix. (After running CCleaner on my Administrator profile and rebooting into my User profile in Normal mode, my on-board AV scanner [AVAST] intercepted two new adware infections in the TEMP folders of IE and Local Setting\Temp\ynltyogv.dll. I deleted 'em.) Combofix installed OK then, and you're right, it found a bunch of crud. A Spybot scan then found another new instance of Virtumonde in C:\WINDOWS\system32\jtgnlkxg.exe, which I deleted and purged. An AVG scan came up clean. They had me use their MGTools, which included a HJT scan--it now shows the BHOs, and the ones I know contained pmnlk.dll (from Spybot's BHO scan) are now empty. So, at this point I'm just waiting for someone to tell me what to do next. I know I'll need to fix some entries using HJT, but I don't know what else. If you're curious, I've posted the Combofix and HJT logs (the latter is in MGlogs.zip--I didn't want to replace my original HJT scan log yet by saving a new one).

Thanks again,
Matt H


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:58 PM

Posted 11 December 2007 - 11:23 AM

Hello,

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {19E92E80-CBBE-48D1-B61F-18B5BC399FB8} - (no file)
O2 - BHO: (no name) - {99B0848C-6BC4-4198-A4C4-0A855ACADC60} - (no file)
O2 - BHO: (no name) - {C3D151E3-CD2D-4CDA-923A-582E78208048} - (no file)
O2 - BHO: (no name) - {F5B0656A-EE0D-479F-8EA0-5440F87ADFDB} - (no file)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".


Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

I need for you to please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. ComboFix has been updated, so we need a fresh one:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Before you run it, go offline and disable all your protection programs so they don't hinder ComboFix when it runs. After it's done, please be sure to re-enable everything before you come back online. :thumbsup:

How is it running now please?

Thanks,
tea
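An added example, not from this thread and not part of HijackThis: a small Python checker that parses the R3/O2 lines quoted in the reply above, flags entries whose DLL is gone ("(no file)") or whose identifier is not a CLSID, and prints the registry location each entry was read from. The "Example Helper" entry, its CLSID and its path are made up so the checker has a healthy entry to leave alone; the registry key paths are the standard Internet Explorer locations for BHOs and URLSearchHooks, and the note about the "AutorunsDisabled" subkey reflects how Autoruns parks items you disable in it (which is why HijackThis lists one as a nameless BHO).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log: the six lines quoted in the reply above, plus one
# hypothetical healthy BHO (made-up name, CLSID and path) so the checker has
# an entry it should leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {19E92E80-CBBE-48D1-B61F-18B5BC399FB8} - (no file)
O2 - BHO: (no name) - {99B0848C-6BC4-4198-A4C4-0A855ACADC60} - (no file)
O2 - BHO: (no name) - {C3D151E3-CD2D-4CDA-923A-582E78208048} - (no file)
O2 - BHO: (no name) - {F5B0656A-EE0D-479F-8EA0-5440F87ADFDB} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
SECTION_RE = re.compile(r"^[RFO]\d+$")

# Where Internet Explorer reads each kind of entry from. HijackThis reports
# them; the registry is where "Fix checked" actually removes them.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
URLSEARCHHOOK_KEY = r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks"


@dataclass(frozen=True)
class HjtEntry:
    section: str   # "R3", "O2", ...
    kind: str      # "URLSearchHook", "BHO", ...
    name: str      # display name, or "(no name)"
    ident: str     # usually a CLSID in braces; Autoruns leaves "AutorunsDisabled"
    path: str      # backing DLL, or "(no file)"

    @property
    def clsid(self) -> Optional[str]:
        """The identifier if it is a well-formed CLSID, else None."""
        return self.ident.upper() if CLSID_RE.match(self.ident) else None

    @property
    def has_file(self) -> bool:
        return self.path != "(no file)"


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one 'Rn/On - Kind: Name - Ident - Path' line; None if it is not one."""
    line = line.strip()
    # Split from the right so a display name containing " - " stays intact.
    parts = line.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, ident, path = parts
    section, sep, rest = head.partition(" - ")
    if not sep or not SECTION_RE.match(section):
        return None
    kind, sep, name = rest.partition(": ")
    if not sep:
        return None
    return HjtEntry(section, kind, name, ident, path)


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse every recognisable entry line in a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def registry_location(entry: HjtEntry) -> Optional[str]:
    """Registry key or value an entry was read from, for the sections handled here."""
    if entry.section == "O2":
        return BHO_KEY + "\\" + entry.ident
    if entry.section == "R3":
        return URLSEARCHHOOK_KEY + " (value " + entry.ident + ")"
    return None


def flag_entries(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, List[str]]]:
    """Return entries that look like leftovers, each with the reasons it was flagged."""
    flagged = []
    for e in entries:
        reasons = []
        if not e.has_file:
            reasons.append("registered but the DLL is missing: orphaned registration")
        if e.clsid is None:
            reasons.append("identifier is not a CLSID (Autoruns parks disabled items under an 'AutorunsDisabled' subkey)")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_hjt_log(SAMPLE_LOG)):
        print(entry.section, entry.ident, "->", registry_location(entry))
        for r in reasons:
            print("   ", r)
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; everything with a reason listed is a candidate for the "Fix checked" step, and the printed key is where to confirm the entry is gone afterwards.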

#5 matt h

matt h
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 13 December 2007 - 08:11 AM

Hi Tea,

When it rains it pours! The same time I received your response, the folks at Major Geeks got back to me. They had pretty much the same instructions, as well as some edits to the registry using Avenger. Things are all good now, and I've just installed Spyware Blaster, and am about to load up some resident real-time anti-spyware protection (I've left Spybot's Tea Timer disabled, but kept Spybot as an after-the-fact scanner and for the Immunization feature).

Thanks so much for your help!

Matt



