TechSpot

Smitfraud and HJT help needed

By 686
Dec 5, 2006
  1. I got infected with all that fake security/anti-virus junk and SmitfraudFix was able to remove 99.9% of it all but I still get the IE popups...

    This is my HJT log (I've highlighted an entry that I'm suspicious about):



    The "M-Audio" entry is safe - that is a driver for some hardware that I have here.


    Your assistance will be greatly appreciated.


    Thank you.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of 686 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. 686

    686 TS Rookie Topic Starter

    Thanks for the welcome.

    Here is my HJT log. I did an in-depth scan with my existing NOD32 instead of AVG and it didn't find any viruses.

    I noticed that whenever I'm plugged into the network with internet access - I start getting popups in IE again. Whenever I disconnect my network cable after doing all the cleaning - it seems to be fine. There seems to be something still left over that connects to the internet and downloads the whole malware package again.


    Thanks for your help.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In your next post I want to see an AVG antispyware log.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how HERE.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {A0AFDCB3-77F6-46D3-8386-49AFC1BDD841} - C:\WINDOWS\system32\pmnnl.dll

    O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\nnnlkig.dll

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O20 - Winlogon Notify: nnnlkig - C:\WINDOWS\SYSTEM32\nnnlkig.dll

    O20 - Winlogon Notify: pmnnl - C:\WINDOWS\system32\pmnnl.dll

    O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    C:\WINDOWS\SYSTEM32\wineil32.dll
    C:\WINDOWS\system32\pmnnl.dll
    C:\WINDOWS\SYSTEM32\nnnlkig.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Let me know how your system is running.

    Regards Howard :)

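A triage sketch for the O2/O20 entries listed in the post above, added here as an example (not part of the original thread, and not HijackThis's own logic): it parses HJT log lines and flags system32 DLLs registered as both a BHO and a Winlogon Notify entry, comparing paths case-insensitively. The sample log is constructed from the quoted entries plus one hypothetical benign BHO line; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the entries quoted in the post above, plus one
# hypothetical benign BHO line so the filter has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A0AFDCB3-77F6-46D3-8386-49AFC1BDD841} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\nnnlkig.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: nnnlkig - C:\WINDOWS\SYSTEM32\nnnlkig.dll
O20 - Winlogon Notify: pmnnl - C:\WINDOWS\system32\pmnnl.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
"""

BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

def norm(path):
    # Windows paths are case-insensitive: SYSTEM32 and system32 are one folder.
    return path.strip().lower()

def parse(log):
    """Map normalised DLL path -> set of HJT sections ("O2", "O20") loading it."""
    loaders = defaultdict(set)
    for line in log.splitlines():
        line = line.strip()
        for section, rx in (("O2", BHO), ("O20", NOTIFY)):
            m = rx.match(line)
            if m:
                loaders[norm(m.group("path"))].add(section)
    return loaders

def review(log):
    """Return {path: reason} for system32 DLLs that deserve a closer look."""
    findings = {}
    for path, sections in parse(log).items():
        if not path.startswith(r"c:\windows\system32" + "\\"):
            continue
        if sections == {"O2", "O20"}:
            findings[path] = "loaded as both BHO and Winlogon Notify"
        elif "O20" in sections:
            findings[path] = "Winlogon Notify entry; verify vendor"
    return findings

if __name__ == "__main__":
    for path, reason in sorted(review(SAMPLE_LOG).items()):
        print(f"{path}: {reason}")
```

The output is a review list, not a verdict: a flagged path still needs its file checked before anything is fixed or deleted.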
     
  5. 686

    686 TS Rookie Topic Starter

    EDIT:

    Sorry, you posted before this - I will do everything you said now and will report back. :)
     
  6. 686

    686 TS Rookie Topic Starter

    Hi howard - I'm having some difficulties with KillBox. I attached the error message I keep on getting each time I click to delete those files on reboot.

    And the HJT step where I had to remove those entries - they don't go away after the removal.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's nothing to worry about, it's just saying it can't find the files cause they've already been deleted.

    Post the logs I asked for after you've completed the instructions.

    Regards Howard :)

     
  8. 686

    686 TS Rookie Topic Starter

    I'm going to run HJT for the next log for you and an AVG scan and will post my results!

    Killbox wasn't able to remove these two files though:
    C:\WINDOWS\system32\pmnnl.dll
    C:\WINDOWS\SYSTEM32\nnnlkig.dll

    The registry items for them are gone but the files are still there - so is it OK to proceed with the new HJT log and AVG scan while those two files are still there?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, post the log files and if those files still show up, I'll find another way of deleting them.

    Regards Howard :)

     
  10. 686

    686 TS Rookie Topic Starter

    Here are my AVG and HJT logs.

    In AVG, there wasn't a direct Save Report button because it didn't find anything - so I just exported the results into notepad if that's OK.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete into the spaces provided and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    These are the filepaths you need to enter into Vundofix.

    C:\WINDOWS\system32\pmnnl.dll
    C:\WINDOWS\SYSTEM32\nnnlkig.dll

    Post a fresh HJT log, only after doing the above.

    Regards Howard :)

     
  12. 686

    686 TS Rookie Topic Starter

    Here is the requested log.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    By eck you were quick lol.

    That's got 'em, your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  14. 686

    686 TS Rookie Topic Starter

    Thank you VERY MUCH Howard! You have no idea how frustrated I was last night and only went to bed at 5:30am...

    I just want to say for you to keep up the job you're doing - this is what I personally consider to be one of the hardest jobs to do cause it can get boring and sometimes even difficult but nevertheless you're doing it and that is just respect.


    Cheers!
     
Topic Status:
Not open for further replies.
