Smitfraud and HJT help needed

I got infected with all that fake security/anti-virus junk and SmitfraudFix was able to remove 99.9% of it all but I still get the IE popups...

This is my HJT log (I've highlighted an entry that I'm suspicious about):



The "M-Audio" entry is safe - that is a driver for some hardware that I have here.


Your assistance will be greatly appreciated.


Thank you.
 
Hello and welcome to Techspot.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of 686 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Thanks for the welcome.

Here is my HJT log. I did an in-depth scan with my existing NOD32 instead of AVG and it didn't find any viruses.

I noticed that whenever I'm plugged into the network with internet access - I start getting popups in IE again. Whenever I disconnect my network cable after doing all the cleaning - it seems to be fine. There seems to be something still left over that connects to the internet and downloads the whole malware package again.


Thanks for your help.
 
In your next post I want to see an AVG antispyware log.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how HERE.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if present).

O2 - BHO: (no name) - {A0AFDCB3-77F6-46D3-8386-49AFC1BDD841} - C:\WINDOWS\system32\pmnnl.dll

O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\nnnlkig.dll

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - Winlogon Notify: nnnlkig - C:\WINDOWS\SYSTEM32\nnnlkig.dll

O20 - Winlogon Notify: pmnnl - C:\WINDOWS\system32\pmnnl.dll

O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" option. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished entering the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

C:\WINDOWS\SYSTEM32\wineil32.dll
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\SYSTEM32\nnnlkig.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log as well as an AVG Antispyware log.

Let me know how your system is running.

Regards Howard :)

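The three HJT entry types Howard asks to fix above (O2 BHOs with no name, an O7 policy that locks regedit, and O20 Winlogon Notify DLLs in system32) are the classic Vundo/Virtumonde footprint: the same DLL is registered both as a Browser Helper Object (so it runs inside Internet Explorer and can spawn the popups) and as a Winlogon Notify package (so winlogon.exe loads it at logon, which is why ordinary deletion fails and a delete-on-reboot tool is needed). The following script is an added example, not from this thread, HJT or any of the tools mentioned. It parses O2/O7/O20 lines from an HJT log, flags those patterns, cross-references DLLs that appear in both an O2 and an O20 entry, and produces the file list you would hand to Killbox or VundoFix. The sample log is constructed from the entries quoted in the thread plus one benign Adobe BHO line added for contrast; the regexes assume the HJT 1.99/2.0 line layout.

```python
"""Triage a HijackThis (HJT) log for the Vundo-style BHO + Winlogon Notify pairing.

Added example, not code from the thread or from HJT/Killbox/VundoFix.
Assumes the "O2 - BHO: name - {CLSID} - path", "O7 - key, value=data" and
"O20 - Winlogon Notify: subkey - path" layouts used by HJT 1.99/2.0.
"""
import re
from collections import defaultdict

# Constructed sample: the entries quoted in the thread plus one benign BHO for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A0AFDCB3-77F6-46D3-8386-49AFC1BDD841} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\nnnlkig.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: nnnlkig - C:\WINDOWS\SYSTEM32\nnnlkig.dll
O20 - Winlogon Notify: pmnnl - C:\WINDOWS\system32\pmnnl.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")

# Policies malware sets to keep the user away from its own removal (O7 entries).
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr", "NoFolderOptions"}


def basename(path):
    """Lower-cased file name, so system32 and SYSTEM32 spellings dedupe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Return the O2/O7/O20 entries of an HJT log as dicts; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O7", O7_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "line": line, **m.groupdict()})
                break
    return entries


def triage(text):
    """Flag suspicious entries and build the list of DLLs to delete on reboot."""
    findings = []                 # (log line or path, reason)
    seen_in = defaultdict(set)    # dll basename -> {"O2", "O20"}
    paths = {}                    # dll basename -> path as first logged
    remove = set()                # basenames whose files should be deleted
    for e in parse_hjt(text):
        if e["kind"] == "O7":
            if e["value"] in LOCKOUT_POLICIES and e["data"].strip() == "1":
                findings.append((e["line"], f"policy {e['value']}=1 blocks an admin tool"))
            continue
        b = basename(e["path"])
        seen_in[b].add(e["kind"])
        paths.setdefault(b, e["path"])
        if e["kind"] == "O2" and e["name"].strip().lower() == "(no name)":
            findings.append((e["line"], "BHO registered with no name"))
            remove.add(b)
        elif e["kind"] == "O20" and "\\system32\\" in e["path"].lower():
            findings.append((e["line"], "Winlogon Notify DLL in system32: loaded by winlogon.exe at logon"))
            remove.add(b)
    paired = sorted(b for b, kinds in seen_in.items() if kinds >= {"O2", "O20"})
    for b in paired:
        findings.append((paths[b], "same DLL is both a BHO and a Winlogon Notify package (Vundo-style pairing)"))
    files = sorted(paths[b] for b in remove)
    return {"findings": findings, "files": files, "paired": paired}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for item, why in result["findings"]:
        print(f"[!] {why}\n    {item}")
    print("\nFiles to delete on reboot (Killbox / VundoFix input):")
    for path in result["files"]:
        print("   ", path)
```

Run it with a saved hijackthis.log as the first argument, or with no argument to see it work on the constructed sample. On that sample it yields exactly the three DLL paths Howard lists for Killbox; the Adobe BHO is left alone because it has a name and is not paired with a Winlogon Notify entry. The pairing check is the useful part: a named BHO can still be malicious, but an unnamed system32 DLL that is also a Winlogon Notify package almost never has a legitimate reason to exist.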
 
EDIT:

Sorry, you posted before this - I will do everything you said now and will report back. :)
 
Hi howard - I'm having some difficulties with KillBox. I attached the error message I keep on getting each time I click to delete those files on reboot.

And the HJT step where I had to remove those entries - they don't go away after the removal.
 
That's nothing to worry about, it's just saying it can't find the files because they've already been deleted.

Post the logs I asked for after you've completed the instructions.

Regards Howard :)

 
I'm going to run HJT for the next log for you and an AVG scan and will post my results!

Killbox wasn't able to remove these two files though:
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\SYSTEM32\nnnlkig.dll

The registry items for them are gone but the files are still there - so is it OK to proceed with the new HJT log and AVG scan while those two files are still there?
 
Yes, post the log files and if those files still show up, I`ll find another way of deleting them.

Regards Howard :)

 
Here are my AVG and HJT logs.

In AVG, there wasn't a direct Save Report button because it didn't find anything - so I just exported the results into notepad if that's OK.
 
Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path(s) to the files you want Vundofix to delete into the spaces provided and click the Add Files button, followed by the Close Window button. Click the Remove Vundo button and let Vundofix do its stuff.

These are the filepaths you need to enter into Vundofix.

C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\SYSTEM32\nnnlkig.dll

Post a fresh HJT log, only after doing the above.

Regards Howard :)

 
By eck you were quick lol.

That's got 'em, your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thank you VERY MUCH Howard! You have no idea how frustrated I was last night and only went to bed at 5:30am...

I just want to say for you to keep up the job you're doing - this is what I personally consider to be one of the hardest jobs to do because it can get boring and sometimes even difficult, but nevertheless you're doing it and that is just respect.


Cheers!
 