
HijackThis Sabotaged


3 replies to this topic

#1 Reed_Richards (Full Member, 4 posts)

Posted 20 April 2007 - 06:52 AM

I have the same problem, namely that Internet Explorer has a rogue Browser Helper Object that reloads as Enabled each time Windows starts after I set it to Disabled

BUT

The HijackThis log shows no Browser Helper Objects AT ALL, not even the good ones that are loaded and that I want to be there. The malware creator seems to have found a way of concealing the means by which the BHOs are loaded. Can anyone tell me how this is done and how to undo it?

(Forgive me if I offended protocol by posting on somebody else's topic, but I thought the key feature of the HijackThis log was that it DOES NOT show any BHOs.)

I moved the post you made in someone else's topic and merged it into the topic you already started.
Please do not post in someone else's topic, to avoid confusion.
Also read the Forum FAQ in order to find out what info we need so we can help you. In your case, you may want to rename HijackThis.exe and post the log. This will show all the info we need.

Edited by miekiemoes, 20 April 2007 - 03:39 PM.


#2 Reed_Richards (Full Member, 4 posts)

Posted 20 April 2007 - 10:04 AM

I have a computer infected with an IE Browser Helper Object that I cannot get rid of. When I run HijackThis:

1) The program fails to list ANY BHOs
2) The program terminates if I select the delete file on reboot option.

It seems the malware has managed to defeat HijackThis. The same copy of HijackThis runs perfectly on an uninfected computer.

#3 Reed_Richards (Full Member, 4 posts)

Posted 21 April 2007 - 05:16 AM

My problem was identified as VirtuMonde by Active Virus Shield (a free version of Kaspersky Antivirus).

There were two dlls in the Windows/System32 folder. One was called tuvtuvs.dll and the other was a randomly named file. Both installed themselves as both Browser Helper Objects and under Winlogon Notify.

The malware prevented HijackThis v 1.99 from displaying any entries in either category and terminated the program when you tried to delete a file on Windows startup. HijackThis v 2.0 beta was able to display the startup entries but could not remove them or delete them on startup.

I tried VundoFix.exe and this found and removed the randomly named dll but not tuvtuvs.dll. A new randomly named dll was created after the first one was removed. Active Virus Shield identified tuvtuvs.dll but missed the randomly named dll.

To fix the problem I removed the hard drive and installed it as a second hard drive on another computer in order to delete both dlls.

If you have a similar problem:

Download and run HijackThis version 2 (beta) from Trend Micro.
Look for any files that install as both BHOs and under Winlogon
Find a way of deleting these without starting Windows
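The check described in the steps above (look for files registered as both BHOs and under Winlogon Notify), as an added PowerShell example that is not from the original thread or from HijackThis: it reads the Browser Helper Object and Winlogon Notify registrations directly from the registry, resolves each BHO CLSID to its DLL, and reports any DLL that appears under both. It is read-only. It assumes PowerShell 3 or later, the standard registry key paths for these mechanisms (the Wow6432Node and HKCU variants are checked only if present), and that the live registry is not being tampered with by the malware; see the note after the block for the offline case.

```powershell
# Added example, not from the original thread. Read-only: lists BHO and Winlogon Notify
# DLLs from the registry and flags DLLs registered under both, the pattern post #3 describes.
# Assumes PowerShell 3+ and standard key locations.

function Get-BhoDlls {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # The DLL path is not stored under the BHO key itself; only the CLSID is. It lives at
    # CLSID\{guid}\InprocServer32 in one of these class hives.
    $classHives = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node', 'HKCU:\SOFTWARE\Classes')

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem $key -ErrorAction SilentlyContinue) {
            $clsid = $clsidKey.PSChildName
            foreach ($hive in $classHives) {
                $inproc = Join-Path $hive "CLSID\$clsid\InprocServer32"
                if (-not (Test-Path $inproc)) { continue }
                $dll = (Get-ItemProperty $inproc).'(default)'
                if ($dll) {
                    [pscustomobject]@{
                        Source = 'BHO'
                        Key    = $clsidKey.Name
                        Dll    = [Environment]::ExpandEnvironmentVariables($dll)
                    }
                }
            }
        }
    }
}

function Get-WinlogonNotifyDlls {
    # Winlogon Notify packages (Windows 2000/XP) are subkeys here, each with a DLLName value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem $key -ErrorAction SilentlyContinue) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        if (-not $dll) { continue }
        # Notify DLLs are usually given as a bare file name and load from System32.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        [pscustomobject]@{
            Source = 'WinlogonNotify'
            Key    = $sub.Name
            Dll    = [Environment]::ExpandEnvironmentVariables($dll)
        }
    }
}

function Find-SharedDlls {
    # Group every registration by DLL file name; a name that shows up under more than
    # one Source (BHO and WinlogonNotify) is the combination worth inspecting.
    $all = @(Get-BhoDlls) + @(Get-WinlogonNotifyDlls)
    $all | Group-Object { [IO.Path]::GetFileName($_.Dll).ToLowerInvariant() } |
        Where-Object { @($_.Group.Source | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                DllName = $_.Name
                Paths   = (@($_.Group.Dll | Sort-Object -Unique) -join '; ')
                Keys    = (@($_.Group.Key | Sort-Object -Unique) -join '; ')
            }
        }
}

Write-Host 'Browser Helper Objects:'
Get-BhoDlls | Format-Table -AutoSize
Write-Host 'Winlogon Notify DLLs:'
Get-WinlogonNotifyDlls | Format-Table -AutoSize
Write-Host 'DLLs registered as both BHO and Winlogon Notify (inspect these):'
$shared = @(Find-SharedDlls)
if ($shared.Count -eq 0) { Write-Host '  none' } else { $shared | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt. Because the thread's point is that the malware interfered with HijackThis on the running system, a listing taken on the live machine may be subject to the same interference; the more reliable reading is the one post #3 ends up doing, from a drive that is not booted. On a second machine you can load the offline SOFTWARE hive (for example `reg load HKLM\Offline D:\Windows\System32\config\SOFTWARE`) and point the `HKLM:\SOFTWARE\...` paths in the two functions at `HKLM:\Offline\...` instead; remember to `reg unload` it afterwards.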


#4 SWI Support Robot (Helper robot, SWI Bot, 23,521 posts)

Posted 23 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.
