Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can Not Remove Camocxq.dll


  • This topic is locked This topic is locked
2 replies to this topic

#1 VvvJRvvV

VvvJRvvV

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 08 May 2008 - 01:46 PM

A friend brought his computer to me and it was in pretty nasty shape. I removed adware 2007. I have AVG installed and updated. It found 10 different trojans. It removed all of them, however, everytime I try to open Windows Explorer or Internet Explorer, AVG pops up with a Threat Detected notification. The two files it is finding is camocxq.dll and dswaveh.dll. The camocxq.dll threat occurs every time you open any program or Windows Explorer. The dswaveh.dll and the camocxq.dll both occur when you open Internet Explorer. That is the only time the dswaveh.dll occurs.

Below is the hijackthis.log from that computer.

Thank you for any help you can provide,
JR

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:39 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {84031396-CFFB-4E58-95C4-AF00AB77094D} - C:\WINDOWS\system32\camocxq.dll
O2 - BHO: (no name) - {9A0B6E54-B589-4750-83D4-AD06E7032F86} - c:\windows\system32\dswaveh.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [tosqa3] C:\WINDOWS\system32\tosqa3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [tosqa3] C:\WINDOWS\system32\tosqa3.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: Monitor.lnk = C:\Program Files\Onssi\NetDVMS\Monitor.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} (S7w]c" sZˎ`4[o<Íy]g$8af5G.\HZ]=dW;XS5~=M]:֙{aFu/
FPRhL/ф&T@f9J!CʽGzgmj=ztl+fA5(J?RzuǘGrVOrM_Vj
Te# Ma,M@?NؓPǣ[݀ixIjGfpd	+|Q(L_G),;	FK8[=j4LpPa4D	=OOL97Gt6ڻt;*kߦjWIId$Гln	o>Z톑ZvEME^]MÛiRhk^ގ%F> t,!޻Fw#t/rKӡVa]>ϟkO/K
PZG0|>mp!Ѓ`h3~={.wOn87~b;4 |섏m`
CxDbj
ioq!,yx4L[/7^!/1s9`KA+[p>A$3DߥCU{҉
!bX<#x{n*x
[7G$-ij%Un4Vʵ|96$xk_۞gtVmN])	-vY:H6FZ{v,ac?v`M:Cw($׎C,/7ya{iI8;9džD؇a^T^@q~VFԠJj#.;~i*2jHa
V
?"9s-h0j>m?m lI2t

endstream
endobj
411 0 obj<</Font<</F12 774 0 R/F18 268 0 R/F5 269 0 R/F6 272 0 R/F8 267 0 R/F9 271 0 R>>/ProcSet[/PDF/Text]/ExtGState<</GS2 265 0 R>>>>
endobj
412 0 obj<</Length 1516/

Thanks,
JR

BC AdBot (Login to Remove)

 


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:03:08 AM

Posted 30 May 2008 - 10:48 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.

Welcome to the Bleeping Computer Malware Removal Forum, sorry for the delay in responding, but the amount of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to.

If you have not resolved this issue and still need assistance, post a HJT log as your system may have changed since your original post.

Thanks for your patience. :thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:03:08 AM

Posted 04 June 2008 - 04:44 AM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Thanks
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users