|
| ||
| spyware problem, popups Hi I am new to this site. I have been having problems with popups on my computer. When I click on a link to view a page another window pops open with some kind of advertisement. I have tried to fix this problem by reading the posts on this site. I have hjt and vundofix, it seemed to work for a day but I am not an expert on which files to delete on hjt. Here is a copy of the log below. Any ideas on how to fix this would be greatly appreciated. Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 10:26:11 AM, on 7/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe C:\WINDOWS\System32\dmadmin.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\My Documents\colin\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkklmnm.dll O2 - BHO: (no name) - {2BE1AD57-F3EB-46C6-8477-E06A4362D20D} - C:\WINDOWS\system32\jkhfc.dll (file missing) O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll O2 - BHO: (no name) - {32CA693A-64F2-42BA-AE65-F8EBB199E39B} - C:\WINDOWS\system32\ddayy.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {9904FA2D-1DFA-4D6E-9BB9-AA17A8EC0B66} - C:\WINDOWS\system32\pmnlj.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ivgdpnon.dll",forkonce O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll O20 - Winlogon Notify: jkklmnm - C:\WINDOWS\SYSTEM32\jkklmnm.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe -- End of file - 6466 bytes |
| ||
| Re: spyware problem, popups My personal recommendation for cleanup softwares are : Adware SE and spyware be-gone. With regards to pop-ups, have you tried simply using a pop-up blocker? |
| ||
| Re: spyware problem, popups These popups are not the same as the ones you get while browsing, they are doing it on all the sites no matter where I visit. I have a popup blocker that doesnt block these ones. I was just browsing this site and found other poeple to have similar problems thought maybe someone here would be able to help. I downloaded CCleaner and found a bunch of programs on the add remove tool that I had no idea were there. I think it had to do with a message that I got on MSN. trymedia popped up on a window it seemed to message everyone that was online, they thought I was saying something to them. That seemed to be the turning point that started all of this. Spybot seemingly got rid of it but the problems persist. |
| ||
| Re: spyware problem, popups Pop up blockers whilst good, leave you with an infected pc. Can you please do the following. =============== Download the newest version of HiJackThis; version 2.0.2. Place it in a permanent folder before scanning. Repost your log after following the steps below. This version has features that might be more helpful in 'cleaning' up your system. Also, rename hijackthis.exe to analysethis before scanning please and posting back the log. =============== Scan with HijackThis and then place a check next to all the following, if present: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkklmnm.dll O2 - BHO: (no name) - {2BE1AD57-F3EB-46C6-8477-E06A4362D20D} - C:\WINDOWS\system32\jkhfc.dll (file missing) O2 - BHO: (no name) - {32CA693A-64F2-42BA-AE65-F8EBB199E39B} - C:\WINDOWS\system32\ddayy.dll O2 - BHO: (no name) - {9904FA2D-1DFA-4D6E-9BB9-AA17A8EC0B66} - C:\WINDOWS\system32\pmnlj.dll (file missing) O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ivgdpnon.dll",forkonce O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll O20 - Winlogon Notify: jkklmnm - C:\WINDOWS\SYSTEM32\jkklmnm.dll Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked". =============== 1. Please download The Avenger by Swandog46 to your Desktop.
2. Copy all the text (including the 'Files to delete') contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C: Quote:
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. 3. Now, start The Avenger program by clicking on its icon on your desktop.
|
| ||
| Re: spyware problem, popups Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:18:06 AM, on 7/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\cisvc.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe C:\WINDOWS\System32\dmadmin.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for avenger.zip\avenger.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe -- End of file - 4604 bytes I did download The Avenger and did what you asked me to do with copying the files. It came up with a message saying it couldnt do it because they didnt exist. I have posted the hjt log. I also noticed that when I reinstalled Windows Live it makes the computer very slow. So far I am not getting the popups now I am just experiencing a slow computer. |
| ||
| Re: spyware problem, popups ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Error: selected file does not appear to be a valid script. Error code: 0 This is the saved text message I got on the Avenger |
| ||
| Re: spyware problem, popups It may be that because you are running The Avenger from a temporary folder and not the desktop as requested, that the error occurred. It may not be either :). Can you confirm for me that you entered everything here into the Avenger window; Files to delete: C:\WINDOWS\system32\jkklmnm.dll C:\WINDOWS\system32\ddayy.dll C:\WINDOWS\system32\ivgdpnon.dll including the Files to delete: line. =============== Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread. If you have a script blocking program, please allow the file to run. It is not malicious. |
| ||
| Re: spyware problem, popups "Silent Runners.vbs", revision R51, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."] "DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."] "IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"] "DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"] "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"] "Vrmon" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main" ["HAURI"] "VrSchedule" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe" ["(C)HAURI"] "dwStart" = "C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe" ["NextAisle"] "HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."] HKLM\Software\Microsoft\Active Setup\Installed Components\ <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub" \StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {183192EB-6382-4915-95B3-6B6BCC31F258}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\vturr.dll" [null data] {1FB63E52-4D6E-48C1-A08F-F630FE50F337}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Notifier BHO" \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."] {E7A403E1-47F8-4316-8C1B-9FA283FBA31E}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\mllmj.dll" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices" -> {HKLM...CLSID} = "Universal Plug and Play Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt" -> {HKLM...CLSID} = "RecordNow! SendToExt" \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{1FB63E52-4D6E-48C1-A08F-F630FE50F337}" = "*b" (unwritable string) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [null data] HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ "load" = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ "AppInit_DLLs" = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] <<!>> jkklmnm\DLLName = "jkklmnm.dll" [null data] <<!>> vturr\DLLName = "C:\WINDOWS\system32\vturr.dll" [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}" -> {HKLM...CLSID} = "WipeShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}" -> {HKLM...CLSID} = "WipeShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}" -> {HKLM...CLSID} = "WipeShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssbezier.scr" [MS] Startup items in "Owner" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 09 %SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"] Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"] ViRobot Expert Monitoring, vrmonsvc, "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe" ["HAURI"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"] LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"] ---------- (launch time: 2007-07-26 09:18:16) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 70 seconds, including 26 seconds for message boxes) I did exactly as you asked with The Avenger, I have no idea why it didnt work |
| ||
| Re: spyware problem, popups Quote:
|
| ||
| Re: spyware problem, popups I had to download Firefox to get back on here, everytime I kept starting IE it was telling me about a dll file that was causing it to shutdown. ihvmrslw.dll Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\noetavbx ******************* Script file located at: \??\C:\WINDOWS\yvlmxeub.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\jkklmnm.dll deleted successfully. File C:\WINDOWS\system32\ddayy.dll not found! Deletion of file C:\WINDOWS\system32\ddayy.dll failed! Could not process line: C:\WINDOWS\system32\ddayy.dll Status: 0xc0000034 File C:\WINDOWS\system32\ivgdpnon.dll not found! Deletion of file C:\WINDOWS\system32\ivgdpnon.dll failed! Could not process line: C:\WINDOWS\system32\ivgdpnon.dll Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate. "Silent Runners.vbs", revision R51, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."] "DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."] "IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"] "DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"] "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"] "Vrmon" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main" ["HAURI"] "VrSchedule" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe" ["(C)HAURI"] "dwStart" = "C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe" ["NextAisle"] "HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."] "VrBootScan" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe" [empty string] HKLM\Software\Microsoft\Active Setup\Installed Components\ <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub" \StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {05D18DB3-CF90-4C48-AB69-E95B60C4FB5C}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\pmnnk.dll" [null data] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {1FB63E52-4D6E-48C1-A08F-F630FE50F337}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [file not found] {316AEF8D-3C37-423E-9E6E-13820A9DC37A}\(Default) = "Farstone Url Blocker" -> {HKLM...CLSID} = "EyeOnIE Class" \InProcServer32\(Default) = "C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll" [empty string] {4E24CA9C-F841-4CF9-BAA4-CD2C01E9119B}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\vturr.dll" [file not found] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Notifier BHO" \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."] {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\ihvmrslw.dll" [null data] {E22F9B9D-1A1F-473E-BED6-D8BC152441F4}\(Default) = "Farstone Popup Blocker" -> {HKLM...CLSID} = "PopupBlocker Class" \InProcServer32\(Default) = "C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL" [null data] {E7A403E1-47F8-4316-8C1B-9FA283FBA31E}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\mllmj.dll" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices" -> {HKLM...CLSID} = "Universal Plug and Play Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt" -> {HKLM...CLSID} = "RecordNow! SendToExt" \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{1FB63E52-4D6E-48C1-A08F-F630FE50F337}" = "*Z" (unwritable string) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [file not found] HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ "load" = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ "AppInit_DLLs" = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] <<!>> jkklmnm\DLLName = "jkklmnm.dll" [file not found] <<!>> pmnnk\DLLName = "C:\WINDOWS\system32\pmnnk.dll" [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ ViRobot Expert\(Default) = "{734028e4-d909-4130-92ed-74f1d8e0b9dc}" -> {HKLM...CLSID} = "Copyright (c) 1998 - 2001 HAURI All Rights Reserved" \InProcServer32\(Default) = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrshex.dll" ["(C) HAURI"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}" -> {HKLM...CLSID} = "WipeShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ViRobot Expert\(Default) = "{734028e4-d909-4130-92ed-74f1d8e0b9dc}" -> {HKLM...CLSID} = "Copyright (c) 1998 - 2001 HAURI All Rights Reserved" \InProcServer32\(Default) = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrshex.dll" ["(C) HAURI"] WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}" -> {HKLM...CLSID} = "WipeShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}" -> {HKLM...CLSID} = "WipeShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssbezier.scr" [MS] Startup items in "Owner" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 09 %SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"] Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"] ViRobot Expert Monitoring, vrmonsvc, "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe" ["HAURI"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"] LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"] ---------- (launch time: 2007-07-27 01:20:33) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 64 seconds, including 19 seconds for message boxes) |
| All times are GMT -4. The time now is 3:08 am. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC