0

Hi I am new to this site. I have been having problems with popups on my computer. When I click on a link to view a page another window pops open with some kind of advertisement. I have tried to fix this problem by reading the posts on this site. I have hjt and vundofix, it seemed to work for a day but I am not an expert on which files to delete on hjt. Here is a copy of the log below. Any ideas on how to fix this would be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:26:11 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\colin\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkklmnm.dll
O2 - BHO: (no name) - {2BE1AD57-F3EB-46C6-8477-E06A4362D20D} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: (no name) - {32CA693A-64F2-42BA-AE65-F8EBB199E39B} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9904FA2D-1DFA-4D6E-9BB9-AA17A8EC0B66} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ivgdpnon.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: jkklmnm - C:\WINDOWS\SYSTEM32\jkklmnm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

--
End of file - 6466 bytes

3
Contributors
19
Replies
20
Views
10 Years
Discussion Span
Last Post by crunchie
0

My personal recommendation for cleanup softwares are : Adware SE and spyware be-gone. With regards to pop-ups, have you tried simply using a pop-up blocker?

0

These popups are not the same as the ones you get while browsing, they are doing it on all the sites no matter where I visit. I have a popup blocker that doesnt block these ones. I was just browsing this site and found other poeple to have similar problems thought maybe someone here would be able to help. I downloaded CCleaner and found a bunch of programs on the add remove tool that I had no idea were there. I think it had to do with a message that I got on MSN. trymedia popped up on a window it seemed to message everyone that was online, they thought I was saying something to them. That seemed to be the turning point that started all of this. Spybot seemingly got rid of it but the problems persist.

0

Pop up blockers whilst good, leave you with an infected pc.

Can you please do the following.

===============

Download the newest version of HiJackThis; version 2.0.2. Place it in a permanent folder before scanning. Repost your log after following the steps below. This version has features that might be more helpful in 'cleaning' up your system.
Also, rename hijackthis.exe to analysethis before scanning please and posting back the log.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkklmnm.dll
O2 - BHO: (no name) - {2BE1AD57-F3EB-46C6-8477-E06A4362D20D} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: (no name) - {32CA693A-64F2-42BA-AE65-F8EBB199E39B} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: (no name) - {9904FA2D-1DFA-4D6E-9BB9-AA17A8EC0B66} - C:\WINDOWS\system32\pmnlj.dll (file missing)

O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ivgdpnon.dll",forkonce

O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: jkklmnm - C:\WINDOWS\SYSTEM32\jkklmnm.dll


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the 'Files to delete') contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\system32\jkklmnm.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\ivgdpnon.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:06 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for avenger.zip\avenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

--
End of file - 4604 bytes

I did download The Avenger and did what you asked me to do with copying the files. It came up with a message saying it couldnt do it because they didnt exist. I have posted the hjt log. I also noticed that when I reinstalled Windows Live it makes the computer very slow. So far I am not getting the popups now I am just experiencing a slow computer.

0

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: selected file does not appear to be a valid script.
Error code: 0

This is the saved text message I got on the Avenger

0

It may be that because you are running The Avenger from a temporary folder and not the desktop as requested, that the error occurred. It may not be either :).
Can you confirm for me that you entered everything here into the Avenger window;

Files to delete:
C:\WINDOWS\system32\jkklmnm.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\ivgdpnon.dll

including the Files to delete: line.

===============

Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

0
"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:
---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"Vrmon" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main" ["HAURI"]
"VrSchedule" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe" ["(C)HAURI"]
"dwStart" = "C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe" ["NextAisle"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]


HKLM\Software\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath   = "C:\WINDOWS\system32\ieudinit.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{183192EB-6382-4915-95B3-6B6BCC31F258}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\vturr.dll" [null data]
{1FB63E52-4D6E-48C1-A08F-F630FE50F337}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]
{E7A403E1-47F8-4316-8C1B-9FA283FBA31E}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\mllmj.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{1FB63E52-4D6E-48C1-A08F-F630FE50F337}" = "*b" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [null data]


HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> jkklmnm\DLLName = "jkklmnm.dll" [null data]
<<!>> vturr\DLLName = "C:\WINDOWS\system32\vturr.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}"
-> {HKLM...CLSID} = "WipeShlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}"
-> {HKLM...CLSID} = "WipeShlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}"
-> {HKLM...CLSID} = "WipeShlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string]



Group Policies {policy setting}:
--------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:
-----------------------------


Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:
---------------------


HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssbezier.scr" [MS]



Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]



Winsock2 Service Provider DLLs:
-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 09
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11



Toolbars, Explorer Bars, Extensions:
------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]



Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------


Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
ViRobot Expert Monitoring, vrmonsvc, "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe" ["HAURI"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:
---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"]



---------- (launch time: 2007-07-26 09:18:16)
<<!>>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 70 seconds, including 26 seconds for message boxes)

I did exactly as you asked with The Avenger, I have no idea why it didnt work

Edited by happygeek: fixed formatting

0

I did exactly as you asked with The Avenger, I have no idea why it didnt work

Apart from running it from the zip folder :). Try running it from the desktop and it might work correctly.

0

I had to download Firefox to get back on here, everytime I kept starting IE it was telling me about a dll file that was causing it to shutdown. ihvmrslw.dll

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\noetavbx


*******************


Script file located at: \??\C:\WINDOWS\yvlmxeub.txt
Script file opened successfully.


Script file read successfully


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


File C:\WINDOWS\system32\jkklmnm.dll deleted successfully.



File C:\WINDOWS\system32\ddayy.dll not found!
Deletion of file C:\WINDOWS\system32\ddayy.dll failed!


Could not process line:
C:\WINDOWS\system32\ddayy.dll
Status: 0xc0000034


File C:\WINDOWS\system32\ivgdpnon.dll not found!
Deletion of file C:\WINDOWS\system32\ivgdpnon.dll failed!


Could not process line:
C:\WINDOWS\system32\ivgdpnon.dll
Status: 0xc0000034



Completed script processing.


*******************


Finished!  Terminate.


"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:
---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"Vrmon" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main" ["HAURI"]
"VrSchedule" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe" ["(C)HAURI"]
"dwStart" = "C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe" ["NextAisle"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"VrBootScan" = "C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe" [empty string]


HKLM\Software\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath   = "C:\WINDOWS\system32\ieudinit.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{05D18DB3-CF90-4C48-AB69-E95B60C4FB5C}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\pmnnk.dll" [null data]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1FB63E52-4D6E-48C1-A08F-F630FE50F337}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [file not found]
{316AEF8D-3C37-423E-9E6E-13820A9DC37A}\(Default) = "Farstone Url Blocker"
-> {HKLM...CLSID} = "EyeOnIE Class"
\InProcServer32\(Default) = "C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll" [empty string]
{4E24CA9C-F841-4CF9-BAA4-CD2C01E9119B}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\vturr.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]
{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ihvmrslw.dll" [null data]
{E22F9B9D-1A1F-473E-BED6-D8BC152441F4}\(Default) = "Farstone Popup Blocker"
-> {HKLM...CLSID} = "PopupBlocker Class"
\InProcServer32\(Default) = "C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL" [null data]
{E7A403E1-47F8-4316-8C1B-9FA283FBA31E}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\mllmj.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{1FB63E52-4D6E-48C1-A08F-F630FE50F337}" = "*Z" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jkklmnm.dll" [file not found]


HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> jkklmnm\DLLName = "jkklmnm.dll" [file not found]
<<!>> pmnnk\DLLName = "C:\WINDOWS\system32\pmnnk.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ViRobot Expert\(Default) = "{734028e4-d909-4130-92ed-74f1d8e0b9dc}"
-> {HKLM...CLSID} = "Copyright (c) 1998 - 2001  HAURI All Rights Reserved"
\InProcServer32\(Default) = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrshex.dll" ["(C) HAURI"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}"
-> {HKLM...CLSID} = "WipeShlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ViRobot Expert\(Default) = "{734028e4-d909-4130-92ed-74f1d8e0b9dc}"
-> {HKLM...CLSID} = "Copyright (c) 1998 - 2001  HAURI All Rights Reserved"
\InProcServer32\(Default) = "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrshex.dll" ["(C) HAURI"]
WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}"
-> {HKLM...CLSID} = "WipeShlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
WipeAllCom\(Default) = "{2D7D2770-1C6E-442C-857F-9F285495863F}"
-> {HKLM...CLSID} = "WipeShlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WIPEAL~1.DLL" [empty string]



Group Policies {policy setting}:
--------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:
-----------------------------


Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:
---------------------


HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssbezier.scr" [MS]



Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]



Winsock2 Service Provider DLLs:
-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 09
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11



Toolbars, Explorer Bars, Extensions:
------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]



Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------


Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
ViRobot Expert Monitoring, vrmonsvc, "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe" ["HAURI"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:
---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"]



---------- (launch time: 2007-07-27 01:20:33)
<<!>>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 64 seconds, including 19 seconds for message boxes)

Edited by happygeek: fixed formatting

0

Run The Avenger again and enter the following;

Files to delete:
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\ihvmrslw.dll

Follow previous instructions for running Avenger.

==================

Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

0

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 12:00:52 AM 7/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini
C:\windows\system32\lrvfrprp.exe
C:\WINDOWS\system32\pmnnk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\lrvfrprp.exe
C:\windows\system32\lrvfrprp.exe Has been deleted!

Performing Repairs to the registry.
Done!


O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\mhbuefmo.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: jkklmnm - jkklmnm.dll (file missing)
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

--
End of file - 5770 bytes


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wrofoqia

*******************

Script file located at: \??\C:\Documents and Settings\gndmjfsa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\pmnnk.dll deleted successfully.
File C:\WINDOWS\system32\ihvmrslw.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

0

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

I just read up about Java, I didnt know that having older versions installed could bear an effect on the security. I uninstalled one of the versions but the add remove couldnt remove the other one.

0

I need to see the entire hijackthis log please.
You need to download the latest version of Java too.
How is the PC going?

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:32 AM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkklmnm.dll (file missing)
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: (no name) - {3D3AEBF3-E68A-4B8B-8E78-D82EC298F6DC} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {4E24CA9C-F841-4CF9-BAA4-CD2C01E9119B} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\ubygtmws.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O2 - BHO: (no name) - {E7A403E1-47F8-4316-8C1B-9FA283FBA31E} - C:\WINDOWS\system32\mllmj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\mhbuefmo.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: jkklmnm - jkklmnm.dll (file missing)
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

--
End of file - 5770 bytes

oops sorry about that. I have Java version 6 update 1. Is there a newer one?

0

I have Java version 6 update 1. Is there a newer one?

It is Version 6 Update 2 now.

====

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkklmnm.dll (file missing)
O2 - BHO: (no name) - {3D3AEBF3-E68A-4B8B-8E78-D82EC298F6DC} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {4E24CA9C-F841-4CF9-BAA4-CD2C01E9119B} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\ubygtmws.dll
O2 - BHO: (no name) - {E7A403E1-47F8-4316-8C1B-9FA283FBA31E} - C:\WINDOWS\system32\mllmj.dll (file missing)

O20 - Winlogon Notify: jkklmnm - jkklmnm.dll (file missing)
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

==

Use the Avenger to delete the following;

Files to delete:
C:\WINDOWS\system32\ubygtmws.dll

Follow previous instructions. Run VundoFix once more then post the logs please.

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:59 PM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\mhbuefmo.dll",sitypnow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

--
End of file - 5295 bytes


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ermqslag

*******************

Script file located at: tfixalyg

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:02:57 PM 7/28/2007

Listing files found while scanning....

No infected files were found.

0

So far so good. :) I dont seem to be experiencing any slowdowns or popups so far. I have been using Firefox more but while using IE I have not had any problems. Apart from the Java issue, I think it had to do with the fact that this computer is running IE 6 and not IE 7. This is my mums computer and she is not the easiest to convince to upgrade to IE 7.

I really appreciate your help through this :) you have been a great help! Thank you

0

You are welcome :).

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.

  1. Uncheck "Cookies" under "Internet Explorer".
  2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
  3. Close when finished.

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.