Awol antivirus popups ad popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by Founce, Dec 28, 2007.

  1. Founce

    Founce Private E-2

    Hi, this Awol Antivirus automatically installs and pops up all the time. Plus a Windows-like warning in the tray says your computer is infected and Windows has downloaded this program.

    Plus ads pop up all the time, and sex ads, and my kids use this computer.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Founce

    Founce Private E-2

    Hi
    Thank You for Helping
    Here's my SmitFraudFix scan log
     


  4. Founce

    Founce Private E-2

    Here's my SmitFraudFix clean log
     


  5. Founce

    Founce Private E-2

    Still getting Awol popup with fake warning sign in system tray.
    Also getting AVG windows with the following:
    C:\program\windows nt\Hoxpug7798.exe
    C:\documents and setings\owner\application data\Ubktdhsfdjq.exe
    C:\docume~\owner\locals~1\temp\Update.exe

    I'm using Netscape, and Windows IE pops up trying to load something; it just says connecting in the tab.

    Thank You
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat part of my previous instructions
     
  7. Founce

    Founce Private E-2

    Hi, here are my logs
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need the log from ComboFix!

    Also your infection may have caused some problems with getting a proper log from MGtools. Please do the below where I will ask for another tool to be run which is necessary due to your infection.


    • Download RenV.exe from the following link and save it to the Desktop (it must be on the Desktop)
    • Doubleclick RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
     
  9. Founce

    Founce Private E-2

    Here's the ComboFix log
    RenV log
    MGTools log
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    RenV.exe and MGtools.exe did not run properly. It could be due to your infection or it could be due to not following instructions or watching for error messages mentioned on the Using MGtools download page. Do not rerun anything yet. Just follow the below steps and complete them in the order given. Also please answer all questions.
    1. Is RenV.exe on your Desktop as specified?
      • Did you wait for it to finish running?
    2. Is MGtools.exe in your C:\ folder?
      • Do you have a c:\MGtools folder now?
      • Did you see any error messages when trying to run this?
    3. Is your Symantec Antivirus software still installed and has it been working? It looks like it is broken.
    You must disable Spybot's Teatimer as we requested in the READ ME.
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Uninstall the below old versions of software:
    Java 2 Runtime Environment Standard Edition v1.3.1_04
    Java 2 Runtime Environment, SE v1.4.1_02
    Spybot - Search & Destroy 1.3
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Also uninstall AVG Antispyware now. It became infected during the installation due to the malware already on your PC.

    Your AIM instant messenger is infected too! Do not use it until we fix all your malware.


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    IMPORTANT: Make sure you tell me whether you receive a success message (or not) about adding the above to the registry.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    F3 - REG:win.ini: load=C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.exe
    O2 - BHO: (no name) - {348C27A2-07A0-4063-939F-CFFAE822766A} - (no file)
    O2 - BHO: (no name) - {C592B446-E976-4C43-A0C2-CA70176C8E5E} - C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.dll
    O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [hoxypug] C:\Program Files\Windows NT\hoxypug77798.exe
    O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service .exe
    O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
    O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
    O4 - HKCU\..\Run: [Iov] C:\WINDOWS\?dobe\w?nlogon.exe
    O4 - HKCU\..\Run: [Slrs] "C:\DOCUME~1\Owner\MYDOCU~1\PPPATC~1\tracert.exe" -vt ndrv
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - Winlogon Notify: ljjhgee - ljjhgee.dll (file missing)

    After clicking Fix, exit HJT.


    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it:
    Code:
    File::
    C:\Program Files\QuickTime\qttask                                        .exe
    C:\Documents and Settings\Owner\MYDOCU~1\PPPATC~1\tracert.exe
    C:\Documents and Settings\Shane\Local Settings\Temp\pmkji.exe
    C:\Program Files\Windows NT\hoxypug77798.exe
    C:\WINDOWS\?dobe\w?nlogon.exe
    C:\WINDOWS\system32\service  .exe
    C:\WINDOWS\system32\ljjhgee.dll
     
    Folder:
    C:\Program Files\QdrPack
     
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "TkBellExe"=-
    "QuickTime Task"=-
    "hoxypug"=-
    "MDNS"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjhgee]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE]
      
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (double click the thumbnail to expand it)
    (image: CFScript.jpg)
    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!
    • Now run RenV.exe again and make sure you wait for it to complete.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    • Now run the C:\MGtools\VunFind.bat file by double clicking on it and be patient while it scans your whole hard disk.
    • Then attach the below new logs:
      • C:\ComboFix.txt
      • RenV log.txt file
      • C:\MGlogs.zip
     
    Last edited: Jan 3, 2008
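The HijackThis lines chaslang selects in the post above share a few tells that a reviewer can check mechanically: entries whose target file no longer exists ("(no file)", "(file missing)"), executable names padded with whitespace before the extension ("qttask .exe", "service .exe") so they sit beside the legitimate file, placeholder characters in a path ("?dobe\w?nlogon.exe"), executables launched from Temp or Application Data, and rundll32 calling an export of an oddly named system32 DLL at logon. The following Python script is an added example, not a MajorGeeks or HijackThis tool and not code from this thread; it reads lines in the format HijackThis prints and reports which of those tells each line shows. The sample log is constructed from lines posted above, and the script is read-only: it never removes or "fixes" anything.

```python
"""Triage helper for HijackThis-style scan lines.

Added example, not a MajorGeeks or HijackThis tool. It reads lines in the
format HijackThis prints and reports which ones show the tells seen in this
thread. It is read-only: it never removes or "fixes" anything.
"""
import re

# Either a double-quoted Windows path, or an unquoted one that may carry the
# "name .exe" whitespace-padding trick before its extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"|([A-Za-z]:\\\S*(?:\s+\.\w{2,4})?)')
# rundll32.exe "C:\WINDOWS\system32\<name>.dll",<export> launched at logon
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?[^"]*system32\\\w+\.dll"?,\w+', re.I)

ORPHAN = "orphan entry: target file is missing"
PADDED = "whitespace padded before the extension"
ODDCHAR = "placeholder or non-ASCII character in path"
USERDIR = "executable in user-writable temp/profile folder"
RUNDLL = "rundll32 calling an export of a system32 DLL at startup"

# Constructed sample modelled on lines posted in this thread (not a live log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {348C27A2-07A0-4063-939F-CFFAE822766A} - (no file)
O2 - BHO: (no name) - {C592B446-E976-4C43-A0C2-CA70176C8E5E} - C:\\DOCUME~1\\Shane\\LOCALS~1\\Temp\\pmkji.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask .exe" -atboottime
O4 - HKLM\\..\\Run: [MDNS] C:\\WINDOWS\\system32\\service .exe
O4 - HKCU\\..\\Run: [Iov] C:\\WINDOWS\\?dobe\\w?nlogon.exe
O4 - HKLM\\..\\Run: [d83edaa9] rundll32.exe "C:\\WINDOWS\\system32\\pjfhuxfl.dll",b
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O20 - Winlogon Notify: ljjhgee - ljjhgee.dll (file missing)
"""


def triage_line(line):
    """Return (entry_type, path_or_None, [reasons]) for one HijackThis line."""
    reasons = []
    entry_type = line.split(" - ", 1)[0].strip()
    if "(no file)" in line or "(file missing)" in line:
        reasons.append(ORPHAN)
    m = PATH_RE.search(line)
    path = (m.group(1) or m.group(2)) if m else None
    if path:
        name = path.rsplit("\\", 1)[-1]
        if re.search(r"\s+\.\w+$", name):
            reasons.append(PADDED)
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append(ODDCHAR)
        low = path.lower()
        if "\\temp\\" in low or "\\application data\\" in low:
            reasons.append(USERDIR)
    if entry_type.startswith("O4") and RUNDLL_RE.search(line):
        reasons.append(RUNDLL)
    return entry_type, path, reasons


def triage_log(text):
    """Return only the lines that raised at least one reason, in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            entry_type, path, reasons = triage_line(line)
            if reasons:
                findings.append((entry_type, path, reasons))
    return findings


if __name__ == "__main__":
    for entry_type, path, reasons in triage_log(SAMPLE_LOG):
        print(entry_type, path or "(none)", "->", "; ".join(reasons))
```

Run as-is it lists seven of the eight sample lines; the one it leaves alone is the RealPlayer scheduler entry, which has a real path in Program Files and none of the tells. The heuristics are deliberately narrow so that a hit means "look at this", not "delete this"; the decision still belongs to whoever reads the full log.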
  11. Founce

    Founce Private E-2

    1. Yes and it finished
    2. Yes and didn't notice
    3. Norton was disabled by something; can't get it to work. Tried uninstalling - disaster!
    Teatimer taken care of
    all programs requested uninstalled
    Fixme.reg applied and completed
    Analyse fixed all but 4 that weren't on the list
    F3 Shane\pmkji.exe
    04 qdrpack10.exe
    04 qdrpack11.exe
    04 tracert.exe
    CFscript.txt and Combofix went well!
    Renv had error of C:\windows\system32\cmd.exe
    C:\progra~1\\symantec\s32evnt1.dll

    C:\windows\system32\autoexec.nt.

    Kids say Yahoo Messenger won't load anymore?

    Here are my logs
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See the fixes given for Error Message Types 1 & 2 in the below link and apply them. Using MGtools

    Yes that's because it has been infected along with many of your other applications (including your antivirus program). DO NOT TRY to fix this right now. In fact make sure that you do not try to install or download anything unless we ask you to do so. Anything that you download and/or install may get infected.

    I need to work through your logs and create a fix, but I wanted to give you the above information right away.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks like many of the fixes did not work from the last fix. Even Spybot's Teatimer still shows as running in the logs. Please uninstall Spybot now.

    Now make sure you have applied those two fixes from the Using MGtools link for the Error Message Types. This is critical to enable GetRunKey, ShowNew and RunV to work properly. They currently are not. DO NOT go any further unless you have done this.


    This last time RunV.exe did produce a Log.txt file which we are going to use now. The Log.txt file should be on your Desktop. Drag the Log.txt file on top of the RenV.exe file which is also on your Desktop. When it finishes, it will produce a new Log.txt file that I will ask for at the end of the below procedure.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe


    After killing all the above processes, click Back. Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.exe
    O2 - BHO: (no name) - {57F23DDA-FB46-4A2A-B9FF-AFACEDEEBC9B} - C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

    After clicking Fix, exit HJT.

    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it:
    Code:
    File::
    C:\Documents and Settings\Owner\Application Data\uraza.exe
    C:\Documents and Settings\Owner\Application Data\gyks.exe
    C:\Documents and Settings\Owner\Application Data\esjz.exe
    C:\Documents and Settings\Owner\Application Data\ubktdhsfdjq.exe
    C:\Documents and Settings\Owner\Application Data\dnhmgurt.exe
    C:\Documents and Settings\Owner\Application Data\bunc.exe
    C:\Documents and Settings\Owner\Application Data\tivycz.exe
    C:\Documents and Settings\Owner\Application Data\duulkw.exe
    C:\Documents and Settings\Owner\Application Data\lhbrfojsog.exe
    C:\Documents and Settings\Owner\Application Data\huzvrq.exe
    C:\Documents and Settings\Owner\Application Data\iclulkz.exe
    C:\Documents and Settings\Owner\Application Data\ywapzevltg.exe
    C:\Documents and Settings\Owner\Application Data\cux.exe
    C:\Documents and Settings\Owner\Application Data\spljb.exe
    C:\Documents and Settings\Owner\Application Data\ecmmtn.exe
    C:\Documents and Settings\Owner\Application Data\fdoj.exe
    C:\Documents and Settings\Owner\Application Data\jssxoxppxk.exe
    C:\Documents and Settings\Owner\Application Data\ifxeftdrcr.exe
    C:\Documents and Settings\Owner\Application Data\jbxwg.exe
    C:\Documents and Settings\Owner\Application Data\e6414b143e76a5f4372cafa028232d000ba1e2bc.dat
    C:\Program Files\Common Files\remove_tools.html
    C:\Documents and Settings\Shane\Local Settings\Temp\pmkji.exe
    C:\Documents and Settings\Shane\Local Settings\Temp\pmkji.dll
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\WinNB57.dll
    C:\WINDOWS\mrofinu1000106.exe.tmp
     
    Folder::
    C:\Program Files\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint
     
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe (just like last time).
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    • Now run the C:\MGtools\VunFind.bat file by double clicking on it and be patient while it scans your whole hard disk.
    Then attach the below new logs:
    • C:\ComboFix.txt
    • Log.txt file from RunV
    • C:\MGlogs.zip
    IMPORTANT: DO NOT REBOOT or power down your PC after attaching these logs, as the malware could spread and change names, thus making my next steps incorrect.
     
    Last edited: Jan 5, 2008
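The CFScripts in posts 10 and 13 above are terse, and a reader who has never seen the format cannot easily tell what "hoxypug"=- or [-HKEY_LOCAL_MACHINE\...\LEGACY_DOMAINSERVICE] asks ComboFix to do. The Python below is an added example, not part of ComboFix and not code from this thread: a dry-run reader that turns each line of a CFScript into the action it requests (delete file, delete folder, select key, delete key, delete value, set value) without touching the file system or registry, so a script can be reviewed before it is dragged onto ComboFix.exe. The sample script is a shortened copy of the one in post 10; the directive meanings are taken from how the scripts above are written, and accepting "Folder:" with a single colon is this reader's own tolerance, not a documented ComboFix behaviour.

```python
"""Dry-run reader for a ComboFix CFScript.

Added example, not part of ComboFix or of this thread's tooling. It never
touches the file system or registry: it only lists the actions the script
asks for, so a CFScript can be reviewed line by line before it is dragged
onto ComboFix.exe. Directive meanings follow the scripts posted above:
  File::      each following path is a file to delete
  Folder::    each following path is a folder to delete (post 10 wrote
              "Folder:" with one colon; both spellings are accepted here)
  Registry::  .reg syntax: [KEY] selects a key, [-KEY] deletes a key,
              "name"=- deletes a value, "name"="data" sets a string value
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^(\w+)::?$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample, a shortened copy of the CFScript in post 10 above.
SAMPLE_SCRIPT = r"""
File::
C:\Program Files\Windows NT\hoxypug77798.exe
C:\WINDOWS\system32\service  .exe
C:\WINDOWS\system32\ljjhgee.dll

Folder:
C:\Program Files\QdrPack

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"hoxypug"=-
"MDNS"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjhgee]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE]
"""


def plan_cfscript(script):
    """Translate a CFScript into a list of (action, target[, data]) tuples."""
    actions = []
    section = None      # "file", "folder" or "registry"
    current_key = None  # key selected by the last [KEY] line
    for raw in script.splitlines():
        line = raw.strip()  # internal spaces such as "service  .exe" are kept
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions.append(("delete_file", line))
        elif section == "folder":
            actions.append(("delete_folder", line))
        elif section == "registry":
            key = KEY_RE.match(line)
            if key:
                minus, name = key.groups()
                if minus:
                    actions.append(("delete_key", name))
                    current_key = None
                else:
                    current_key = name
                continue
            val = VALUE_RE.match(line)
            if val and current_key:
                name, data = val.groups()
                target = current_key + "\\" + name
                if data == "-":
                    actions.append(("delete_value", target))
                else:
                    actions.append(("set_value", target, data))
            else:
                actions.append(("unrecognised", line))
        else:
            actions.append(("unrecognised", line))
    return actions


def summarize(actions):
    """Count actions by kind, e.g. {'delete_file': 3, 'delete_key': 3, ...}."""
    return dict(Counter(a[0] for a in actions))


if __name__ == "__main__":
    for action in plan_cfscript(SAMPLE_SCRIPT):
        print(*action)
    print(summarize(plan_cfscript(SAMPLE_SCRIPT)))
```

Anything the reader cannot classify is reported as "unrecognised" rather than silently dropped, which is the property you want from a pre-flight check: a typo in a section header would otherwise turn a whole block of paths into lines ComboFix might ignore or misread.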
  14. Founce

    Founce Private E-2

    Did the 2 Error fixes
    RENV got "Could not find" a lot of programs
    Fixme.reg Complete
    Analyse got "Could not Kill" "Maybe protected by Windows"
    I used Ctrl-Alt-Del and ended the process
    did scan and applied fix for the ones you gave me
    Combofix and CFscript went fine
     


  15. Founce

    Founce Private E-2

    When I try to upload log.txt, it gives an error that I've already uploaded it to the thread.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because it is the same log since I forgot to give you a piece of the fix that I wanted to run. Sorry about that. I will create that part and post it as soon as I'm done.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Open Notepad and copy/paste the text in the below quote box into it. Save it as Log.txt to your desktop
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a log named Log.txt on your Desktop which will overwrite the one you just made. Attach the new Log.txt to your next reply.
    Now Uninstall the below software:
    Ad-aware 6 Personal <-- Very outdated and not supported anymore
    Kazaa Media Desktop 2.0.2 <-- should have been uninstalled in step 0 of the READ ME


    Now click Start, Run and enter sfc /scannow and click OK. This may ask you for your Windows XP CD so have it ready.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {C96E1C69-E6C6-467B-A113-5D1C7177D228} - C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.dll (file missing)

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    Now run the C:\MGtools\VunFind.bat file by double clicking on it.
    Then attach the below new logs:
    • C:\MGlogs.zip
    • C:\avenger.txt
    • Log.txt from RenV (on your Desktop).
    Make sure you tell me how things are working now!
     
  18. Founce

    Founce Private E-2

    did log.txt and RenV - completed
    uninstalled Ad-aware 6
    when I tried to uninstall Kazaa got an error - Error loading C:\windows \system32\cd_clint.dll

    got error message for doing run sfc\scannow - windows cannot find sfc\scannow

    analyse went fine
    avenger went fine
    ccleaner went fine

    no errors running Bats
     
  19. Founce

    Founce Private E-2

    There's no Manage Attachments when I do my reply?

    Just a description of what extensions are valid,
    no button for uploading

    So I can't upload attachments
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Clear your browser cache and click refresh a couple of times. If that does not help, try another browser if you have another installed (like FireFox).
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say sfc\scannow
    I said sfc /scannow

    Note the direction of the slash. Also note the space between sfc and the /
     
  22. Founce

    Founce Private E-2

    Here are my logs

    Do you still want me to do sfc /scannow?
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I needed it to be run before you did the other steps. Thus you will have to get a new MGlogs.zip file after running sfc.
     
  24. Founce

    Founce Private E-2

    I ran sfc /scannow
    Didn't ask for Windows CD

    I reran getlogs.bat and vunfind.bat

    Here's my MGlogs.zip

    I hope I did what you needed?
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please look in the below folder:

    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}

    Tell me if you see more than one file that has the name PIFSvc in it. For example there is at least this one: PIFSvc .exe note the single space between the c and the .exe.

    If you see more files with PIFSvc in the name, tell me the exact file names, file date and the exact file size in bytes. You can get the file size in bytes by right clicking on the file and selecting Properties. Give me both the Size: and the Size on disk.


    Now let's continue on with your malware removal. There is still a lot to do.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to DomainService
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.exe
    O2 - BHO: (no name) - {6DE31E34-73F0-4E47-A7D6-DFBFF7E16DA9} - C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.dll
    O2 - BHO: {c21ddeae-c64e-127a-d774-424bd5b7191d} - {d1917b5d-b424-477d-a721-e46ceaedd12c} - C:\WINDOWS\system32\yxyejrch.dll
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [d83edaa9] rundll32.exe "C:\WINDOWS\system32\pjfhuxfl.dll",b
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    After clicking Fix, exit HJT.

    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe (just like last time).
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    • Now run the C:\MGtools\VunFind.bat file by double clicking on it and be patient while it scans your whole hard disk.
    Then attach the below new logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    IMPORTANT: DO NOT REBOOT or power down your PC after attaching these logs, as the malware could spread and change names, thus making my next steps incorrect.
     
    Last edited: Jan 8, 2008
  26. Founce

    Founce Private E-2

    There are two files with that name
    PIFSvc.exe size:1.21mb 1,275,904 bytes created: Wed Nov 28,2007
    disk size :1.21mb 1,277,952bytes

    PIFSvc .exe size:569kb 583,048bytes created: Thurs Dec 20,2007
    Disk size: 572kb 585,728bytes

    Couldn't find this one on the list when I ran analyse
    O2 - BHO: {c21ddeae-c64e-127a-d774-424bd5b7191d} - {d1917b5d-b424-477d-a721-e46ceaedd12c} - C:\WINDOWS\system32\yxyejrch.dll

    combofix and CFscript went fine
    Getlogs.bat and vunfind had no errors.

    Here are the logs
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it appears that your Symantec Antivirus program has become totally corrupted by this infection. Please uninstall anything you see in Add/Remove Programs related to Symantec or Norton. Then run the below application:

    Norton Removal Tool (SymNRT)


    Then reboot your PC. DO NOT attempt to reinstall Symantec right now. We must get all malware removed first.

    Now delete any of the below folders if they remain:
    C:\Program Files\Common Files\Symantec Shared
    C:\Program Files\Norton AntiVirus

    • Now download MGtools.exe to your C:\ folder. This is a newer version of MGtools.
    • Now run MGtools.exe by double clicking on it.
    • Now attach the new C:\MGlogs.zip file
    At this point you must not shutdown, reboot, .....etc your PC. You must keep it running to make sure conditions do not change before I post another fix. Just wait for my next fix.
     
  28. Founce

    Founce Private E-2

    did add/remove norton
    did norton removal
    deleted norton folders

    ran MGtools

    here's the log
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get another new MGlogs.zip file but this time do not stop it before it finishes running. You stopped it last time and as a result some of your logs are not up to date. In fact, before running C:\MGtools\GetLogs.bat again, first delete the current copy of C:\MGlogs.zip.

    It does look like we got your problem fixed, but I need all new logs to be sure.
     
  30. Founce

    Founce Private E-2

    I deleted mglogs.zip
    ran getlogs.bat
     


  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it appears that you are still infected and we have more to do. ComboFix was not able to remove some of the registry keys for a few of your infections. We will use Avenger this time.


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to DomainService
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below Service (if you do not find them or get any errors, just continue):
      • Symantec Core LC
    • Click OK until you get back to Windows.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: {828a8065-94dd-6709-7ba4-0c78731de623} - {326ed137-87c0-4ab7-9076-dd495608a828} - C:\WINDOWS\system32\emvtatqe.dll
    O2 - BHO: (no name) - {E9ADAD17-7057-4B67-9D8C-0046BD96BC33} - C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.dll
    O4 - HKLM\..\Run: [d83edaa9] rundll32.exe "C:\WINDOWS\system32\askndfgn.dll",b

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Owner\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  32. Founce

    Founce Private E-2

    after doing what you said I get a lot of system errors

    During scan of files at system startup, potential errors in the system registry were found
    p-07-0100irql: 1f sysver 0xff00024
    nt_kernel error 1256
    kmode_exception_not_handled

    my computer - c:\ drive icon has a big red X by it.

    next error is:
    Your system could become unstable
    a potential problem has been detected and windows has been shutdown buggy application to prevent damagfe to your computer
    wxyz.sys address f73120ae base at c00000, datestamp 36b072a3

    Computer was running pretty good I thought till these last things we did
     


  33. Founce

    Founce Private E-2

    get error message already posted Logs.txt to thread

    computer running bad lots of system errors
    almost couldn't get on Netscape, had a hard time finding internet connection
    some kind of handler error
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must attach the log from ComboFix so I can see what it did.

    I don't know why you are referring to Logs.txt
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still very badly infected. I think your malware is changing names on each reboot. From now on, you must make sure that you DO NOT REBOOT OR POWER DOWN after attaching your logs. Otherwise my fixes will not be correct.

    Was this what it really said? Did it say wxyz.sys?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry..... I meant to say the log from Avenger.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you apparently logged off before reading all of this we will have to start over again.

    Attach the previous log from Avenger!
    Then attach a NEW MGLogs.zip file.

    Then DO NOT REBOOT OR POWER DOWN. Wait for the next fix to be posted.

    I'm noticing hundreds of files with names like below:
    Code:
    pos1fe.tmp    Jan 12 2008        8033  "pos1FE.tmp"
    pos1ff.tmp    Jan 12 2008       10033  "pos1FF.tmp"
    pos200.tmp    Jan 12 2008        6033  "pos200.tmp"
    pos201.tmp    Jan 12 2008       12033  "pos201.tmp"
    pos202.tmp    Jan 12 2008        7033  "pos202.tmp"
    being created in multiple folders. They are appearing in these folders:
    C:\
    C:\Documents and Settings\Owner\My Documents\

    These are probably being created by your infection which is a form of Vundo. Delete all of these files.
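Two of the tells in this thread are visible from a plain directory listing rather than from HijackThis: post 26 finds a second "PIFSvc .exe" (note the space) beside the real PIFSvc.exe in Symantec's folder, and post 37 finds hundreds of pos1FE.tmp, pos1FF.tmp, pos200.tmp ... files with consecutive hex numbers. The Python below is an added example, not a MajorGeeks tool and not code from this thread; it runs both checks over a listing given as {folder: [(name, size_in_bytes), ...]}. The sample listing is constructed: the PIFSvc names and sizes are the ones Founce reports in post 26, the pos*.tmp names come from post 37, and the other entries (readme.txt, letter.doc, the CleanApp folder) are invented as negative cases.

```python
"""Directory-listing anomaly checks from posts 26 and 37.

Added example, not a MajorGeeks tool. Two read-only checks over a folder
listing: (1) lookalike file names that differ from a legitimate name only by
inserted whitespace ("PIFSvc .exe" beside "PIFSvc.exe"), and (2) bursts of
sequentially numbered .tmp files ("pos1FE.tmp", "pos1FF.tmp", ...).
"""
import re
from collections import defaultdict

# Constructed listing: PIFSvc sizes and pos*.tmp names are from the thread;
# readme.txt, letter.doc and the CleanApp folder are invented bystanders.
SAMPLE_LISTING = {
    r"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}": [
        ("PIFSvc.exe", 1275904),
        ("PIFSvc .exe", 583048),
        ("readme.txt", 1024),
    ],
    r"C:\Documents and Settings\Owner\My Documents": [
        ("pos1FE.tmp", 8033), ("pos1FF.tmp", 10033), ("pos200.tmp", 6033),
        ("pos201.tmp", 12033), ("pos202.tmp", 7033), ("letter.doc", 30720),
    ],
    r"C:\Program Files\CleanApp": [("cleanapp.exe", 65536)],
}

# <letters><hex digits>.tmp; the lazy prefix keeps hex-looking letters such
# as "e" or "f" at the end of the prefix from being swallowed into the number
TMP_RE = re.compile(r"^([A-Za-z]+?)([0-9A-Fa-f]+)\.tmp$")


def canonical(name):
    """Drop all whitespace and case so padded lookalikes collapse onto one key."""
    return re.sub(r"\s+", "", name).lower()


def find_lookalikes(listing):
    """Return [(folder, [names...])] for every group of names sharing a canonical form."""
    hits = []
    for folder, entries in listing.items():
        groups = defaultdict(list)
        for name, _size in entries:
            groups[canonical(name)].append(name)
        for names in groups.values():
            if len(names) > 1:
                hits.append((folder, names))
    return hits


def find_tmp_bursts(listing, min_run=3):
    """Return [(folder, prefix, count, longest_contiguous_run)] for .tmp name sequences.

    A folder is reported when at least min_run .tmp files share a letter prefix
    and their hex numbers form a contiguous run, the pattern seen in post 37.
    """
    bursts = []
    for folder, entries in listing.items():
        by_prefix = defaultdict(list)
        for name, _size in entries:
            m = TMP_RE.match(name)
            if m:
                by_prefix[m.group(1).lower()].append(int(m.group(2), 16))
        for prefix, nums in by_prefix.items():
            nums.sort()
            run = best = 1
            for prev, cur in zip(nums, nums[1:]):
                run = run + 1 if cur == prev + 1 else 1
                best = max(best, run)
            if best >= min_run:
                bursts.append((folder, prefix, len(nums), best))
    return bursts


if __name__ == "__main__":
    for folder, names in find_lookalikes(SAMPLE_LISTING):
        print("lookalike names in", folder, "->", names)
    for folder, prefix, count, best in find_tmp_bursts(SAMPLE_LISTING):
        print("tmp burst in", folder, "->", count, prefix + "*.tmp, longest run", best)
```

The lookalike check deliberately reports the whole group rather than guessing which member is genuine; in post 26 the size difference (1,275,904 bytes versus 583,048) and the creation dates are what chaslang uses to tell them apart, and that judgement is left to the reader.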
     
  38. Founce

    Founce Private E-2

    When I got rid of the temp files as you asked, all those weird files popped up.

    I keep getting this pc storager popup all the time in a little box.

    the one file was named wxyz.sys
    I wrote it down when it popped up

    won't let me delete those pos1fe.temp

    get Error Message

    Error Deleteing File
    the instruction at 0x01d62739 refernced at 0x02354e50
    the file could not be found
     


  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You missed a very important part of message # 37! You need to attach a new MGlogs.zip file that is current. And you must not reboot or power down your PC after getting the log and attaching it. If you already reboot your PC after obtaining a log you are about to post, then don't attach the log until you get a new one.


    Then what I want you to immediately do is to install the below programs NOW!!

    AVG Free Edition

    Comodo Personal Firewall


    If they tell you that you need to reboot, don't do the reboot. We will do it during my next fix, which I will post after getting a current log.
     
  40. Founce

    Founce Private E-2

    I ran getlogs.bat.
    I hope that's what you wanted.

    And I installed the two programs.
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dvruvcbz.dll
    O2 - BHO: (no name) - {E9ADAD17-7057-4B67-9D8C-0046BD96BC33} - C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.dll (file missing)
    O2 - BHO: {19f0b8a9-cf71-d78a-fd84-4c7dd4cc4e9f} - {f9e4cc4d-d7c4-48df-a87d-17fc9a8b0f91} - C:\WINDOWS\system32\fglutyto.dll
    O20 - Winlogon Notify: dvruvcbz - C:\WINDOWS\SYSTEM32\dvruvcbz.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!

    REMEMBER - DO NOT REBOOT OR POWER DOWN NOW.
     
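As an added triage aid that is not part of the original thread or of HijackThis itself, the following script parses HijackThis O2 (BHO) and O20 (Winlogon Notify) lines like the ones quoted above, pulls out the CLSID, DLL path and "(file missing)" state, and flags any DLL that is registered under more than one persistence mechanism (here dvruvcbz.dll, loaded both as a BHO and as a Winlogon Notify handler, which is the pattern Vundo-family infections leave). The sample lines are copied from the post above; the function names are my own.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: the four HijackThis lines quoted in the post above.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dvruvcbz.dll",
    r"O2 - BHO: (no name) - {E9ADAD17-7057-4B67-9D8C-0046BD96BC33} - C:\DOCUME~1\Shane\LOCALS~1\Temp\pmkji.dll (file missing)",
    r"O2 - BHO: {19f0b8a9-cf71-d78a-fd84-4c7dd4cc4e9f} - {f9e4cc4d-d7c4-48df-a87d-17fc9a8b0f91} - C:\WINDOWS\system32\fglutyto.dll",
    r"O20 - Winlogon Notify: dvruvcbz - C:\WINDOWS\SYSTEM32\dvruvcbz.dll",
]

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# O20 lines: "O20 - Winlogon Notify: <key> - <path>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


def parse_line(line):
    """Return a dict for an O2 or O20 entry, or None for any other line."""
    m = O2_RE.match(line)
    if m:
        return {"kind": "BHO", "clsid": m["clsid"], "path": m["path"],
                "dll": ntpath.basename(m["path"]).lower(),
                "missing": m["missing"] is not None}
    m = O20_RE.match(line)
    if m:
        return {"kind": "WinlogonNotify", "key": m["key"], "path": m["path"],
                "dll": ntpath.basename(m["path"]).lower(),
                "missing": m["missing"] is not None}
    return None


def parse_log(lines):
    """Parse every O2/O20 line of a HijackThis log, skipping everything else."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def correlate(entries):
    """Map DLL file name -> sorted list of persistence kinds, keeping only DLLs
    that appear under more than one mechanism (BHO plus Winlogon Notify)."""
    by_dll = defaultdict(set)
    for e in entries:
        by_dll[e["dll"]].add(e["kind"])
    return {dll: sorted(kinds) for dll, kinds in by_dll.items() if len(kinds) > 1}


if __name__ == "__main__":
    for dll, kinds in correlate(parse_log(SAMPLE_LINES)).items():
        print(f"{dll}: registered as {' + '.join(kinds)}")
```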
  42. Founce

    Founce Private E-2

    Comodo firewall has a red X for system status; ran diagnostics, still red.
    AVG trial is expired, no resident protection.

    Computer wouldn't boot up on normal startup, tried 4 times, then chose last known good startup.

    Was still getting system errors, critical errors.

    Haven't seen any since rebooted.
     
  43. Founce

    Founce Private E-2

    Heres MGlogs.zip
    Avenger.txt
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like AVG Antivirus and Comodo are not installed properly based on your logs. We will have to fix this later.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dvruvcbz.dll (file missing)
    O20 - Winlogon Notify: dvruvcbz - dvruvcbz.dll (file missing)

    After clicking Fix, exit HJT.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Download the attached CFScript.txt file and Save it to your Desktop (it must be on your Desktop). Yes overwrite the previous file you saved there.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe (just like last time).
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    Then attach the below new logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    How are things working?
     

    Attached Files:

  45. Founce

    Founce Private E-2

    Haven't rebooted so I don't know what isn't running right.

    This is the kids' computer for IM, MySpace etc...

    I haven't had any popups yet, but all I'm doing is your test and logs.
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are no longer having any malware problems, I suggest that you uninstall AVG Free Edition and Comodo Personal Firewall now and then reboot. Then reinstall them, get all updates, allow them to reboot as necessary during installation ....etc. Then move on to the below.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: the space between the X and the U must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:
     
  47. Founce

    Founce Private E-2

    Will Norton install OK or is there something else I should use?
    Only have 30 days left on Norton subscription.

    Is Yahoo Messenger alright to use also?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would not recommend it. Use what is in the link I gave you: How to Protect yourself from malware!

    If you feel you need it, it is not malware, but don't let it load at startup unless you are always going to be using it.
     
