Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Ie Has Been Hijacked


  • This topic is locked This topic is locked
32 replies to this topic

#16 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 20 June 2006 - 03:55 PM

will do, thanks for the help

BC AdBot (Login to Remove)

 


#17 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:03 AM

Posted 20 June 2006 - 03:57 PM

No Problem. :thumbsup:

#18 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 21 June 2006 - 01:24 PM

Before I do the final scans the system won't let me delete:


C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\winwil32.dll

in safe mode or normal boot up

Edited by peterm41, 21 June 2006 - 01:24 PM.


#19 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:03 AM

Posted 21 June 2006 - 02:01 PM

I assume you were able to delete the others.

Go to HijackThis folder. Locate HijackThis.exe and right click on it. From the menu that appears, click on Rename. Change the name to "HJT.exe". I don't know if a reboot will be needed. Probably not, but If it prompts you to reboot, please do so.

Run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\system32\winwil32.dll

Exit HijackThis.

===================================

Download combofix by sUBs

Please re-start your computer in safe mode - You may want to print the rest of these instructions from here onwards

Then go to Start > Run and copy/paste the following line, exactly as it is, including the quotation marks:

"%userprofile%\desktop\combofix.exe" /v awvts

Press enter to run the tool. Please save the log to post later.

Reboot in Normal Mode.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

====================================

Carry on with the scans.

====================================

Please post back Combofix report, Kaspersky report and a fresh HijackThis log please.

Edited by amateur, 21 June 2006 - 08:47 PM.


#20 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 22 June 2006 - 04:09 AM

I assume you were able to delete the others.

Go to HijackThis folder. Locate HijackThis.exe and right click on it. From the menu that appears, click on Rename. Change the name to "HJT.exe". I don't know if a reboot will be needed. Probably not, but If it prompts you to reboot, please do so.

Run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\system32\winwil32.dll

Exit HijackThis.

===================================

Download combofix by sUBs

Please re-start your computer in safe mode - You may want to print the rest of these instructions from here onwards

Then go to Start > Run and copy/paste the following line, exactly as it is, including the quotation marks:

"%userprofile%\desktop\combofix.exe" /v awvts

Press enter to run the tool. Please save the log to post later.

Reboot in Normal Mode.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

====================================

Carry on with the scans.

====================================

Please post back Combofix report, Kaspersky report and a fresh HijackThis log please.



Hi Amateur,

I am carrying out the scans at the moment so will post them when they are finished, however, I am still unable to delete awvts.dll.

When I run the above fix it tells me it can't run in safe mode and the same happens if I try and run it in normal bootup??? Strange.

Regards

Peter

#21 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:03 AM

Posted 22 June 2006 - 05:45 AM

Hi,

Just do this then:

Go to HijackThis folder. Locate HijackThis.exe and right click on it. From the menu that appears, click on Rename. Change the name to "HJT.exe". I don't know if a reboot will be needed. Probably not, but If it prompts you to reboot, please do so.

Scan with the newly named HijackThis and post the log please.

#22 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 22 June 2006 - 06:35 AM

Hi,

Just do this then:

Go to HijackThis folder. Locate HijackThis.exe and right click on it. From the menu that appears, click on Rename. Change the name to "HJT.exe". I don't know if a reboot will be needed. Probably not, but If it prompts you to reboot, please do so.

Scan with the newly named HijackThis and post the log please.


renamed Hijackthis.exe to HJE.exe

Logfile of HijackThis v1.99.1
Scan saved at 12:33:27, on 22/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Peter\My Documents\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9B9F7E-E009-4510-9985-DEB4DD2647DD} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] J:\My old Disk Structure -- 06-03-19 1000PM\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BPS Spyware Remover] C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe /STARTUP
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweakSE2\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweakSE2\PopUp Blocker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)

Again, thanks for your time and help

#23 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:03 AM

Posted 22 June 2006 - 07:10 AM

Hi PeterM,

Thanks. This looks like a new variant of Vundo. Now, they are visible in the HijackThis log. I'll workout a fix and be back soon. :thumbsup:

#24 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:03 AM

Posted 22 June 2006 - 07:49 AM

Please print these instructions so that you'll have access to them while you are in safe mode. Read them first carefully to make sure that you understand each step, then follow them in the same order they are presented without missing any of the steps.

Please disable Windows Defender Real Time Protection as it may interfere with the fix.

To disable Windows Defender:
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
Once your log is clean you can re-enable Windows Defender Real Time Protection.

=======================================================

If it's difficult to see the desktop when in Safe Mode, you use the Windows Explorer (right click on Start>click on Explore) to navigate to the Desktop. When you click on Desktop, it will give you a list of all the icons on your desktop.

=======================================================

Make sure that you can see hidden files
" Click Start
" Open My Computer
" Select the Tools menu and click Folder Options
" Select the View Tab
" Under the Hidden files and folders heading select Show hidden files and folders
" Uncheck the Hide protected operating system files (recommended) option
" Click Yes to confirm
" Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

=======================================================

Please download Dr.Web CureIt to the desktop.

=====================================================

Please download Process Explorer by Systernals.

=======================================================

Also download the Killbox by Option^Explicit to your Desktop.

=======================================================

Then boot into SAFE MODE, following my earlier instructions.

=======================================================

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen, click on each instance of awvts.dll once, and then click the kill button.
Also look for any other dll's with the name in reverse & kill them all as well the same way.

Example: stvwa

After you have killed all of the awvts.dlls and reverse named files under winlogon, click OK.

=====================================

Next run HijackThis (click on HJT.exe), and place a check beside each of the following:

O2 - BHO: (no name) - {0F9B9F7E-E009-4510-9985-DEB4DD2647DD} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)


Now click fix checked and close HijackThis.

=====================================

Now go back to Process Explorer, and and double click on procexp.exe In the top section of the Process Explorer screen. Double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen, right click on each instance of awvts.dll and rename it as awvts.old
Do the same for stvwa.dll , if exists. If a reboot is required, please do so. If not, continue in Safe Mode.

======================================
Now run Killbox.

Copy and paste the following file paths one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No and repeat the process for the next file to delete, at which time you click yes to allow the reboot .

C:\WINDOWS\system32\awvts.old
C:\WINDOWS\system32\stvwa.old


======================================

Run Dr.WebCurit.
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Post the DrWeb-log and a new HijackThis-log in this topic. Let me know if how things are now.

#25 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 22 June 2006 - 09:07 AM

Please print these instructions so that you'll have access to them while you are in safe mode. Read them first carefully to make sure that you understand each step, then follow them in the same order they are presented without missing any of the steps.

Please disable Windows Defender Real Time Protection as it may interfere with the fix.

To disable Windows Defender:

  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
Once your log is clean you can re-enable Windows Defender Real Time Protection.

=======================================================

If it's difficult to see the desktop when in Safe Mode, you use the Windows Explorer (right click on Start>click on Explore) to navigate to the Desktop. When you click on Desktop, it will give you a list of all the icons on your desktop.

=======================================================

Make sure that you can see hidden files
" Click Start
" Open My Computer
" Select the Tools menu and click Folder Options
" Select the View Tab
" Under the Hidden files and folders heading select Show hidden files and folders
" Uncheck the Hide protected operating system files (recommended) option
" Click Yes to confirm
" Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

=======================================================

Please download Dr.Web CureIt to the desktop.

=====================================================

Please download Process Explorer by Systernals.

=======================================================

Also download the Killbox by Option^Explicit to your Desktop.

=======================================================

Then boot into SAFE MODE, following my earlier instructions.

=======================================================

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen, click on each instance of awvts.dll once, and then click the kill button.
Also look for any other dll's with the name in reverse & kill them all as well the same way.

Example: stvwa

After you have killed all of the awvts.dlls and reverse named files under winlogon, click OK.

=====================================

Next run HijackThis (click on HJT.exe), and place a check beside each of the following:

O2 - BHO: (no name) - {0F9B9F7E-E009-4510-9985-DEB4DD2647DD} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)


Now click fix checked and close HijackThis.

=====================================

Now go back to Process Explorer, and and double click on procexp.exe In the top section of the Process Explorer screen. Double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen, right click on each instance of awvts.dll and rename it as awvts.old
Do the same for stvwa.dll , if exists. If a reboot is required, please do so. If not, continue in Safe Mode.

======================================
Now run Killbox.

Copy and paste the following file paths one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No and repeat the process for the next file to delete, at which time you click yes to allow the reboot .

C:\WINDOWS\system32\awvts.old
C:\WINDOWS\system32\stvwa.old


======================================

Run Dr.WebCurit.
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Post the DrWeb-log and a new HijackThis-log in this topic. Let me know if how things are now.


Hi,

Did the above, however couldn't do this:

Now go back to Process Explorer, and and double click on procexp.exe In the top section of the Process Explorer screen. Double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen, right click on each instance of awvts.dll and rename it as awvts.old
Do the same for stvwa.dll , if exists. If a reboot is required, please do so. If not, continue in Safe Mode.

Because awvts or its variants were not shown in the thread as they were the first time and killed as per your instructions.

I am running the DrWeb scan at the moment and writing this on another computer I will post the logs.

Peter

#26 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:03 AM

Posted 22 June 2006 - 09:31 AM

Because awvts or its variants were not shown in the thread as they were the first time and killed as per your instructions.

That only stops the process, it doesn't kill the file. You should be able to see them.

#27 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 22 June 2006 - 09:43 AM

Because awvts or its variants were not shown in the thread as they were the first time and killed as per your instructions.

That only stops the process, it doesn't kill the file. You should be able to see them.


I couldnt see them, as if they werent there.

Anyway I ran the Dr Web scan and it found awvts.dll in Killbox and deleted it then it stopped scanning, so I restarted the computer in normal bootup and checked the system32 folder and there was my friend, awvts.dll :thumbsup: so I thought Id try and right click delete and it worked!!!!! It wouldnt let me do this previously :flowers: emptied my recycle bin and restarted the computer in normal bootup checked system32 and its not there. There has been no more redirect attempts on my IE browser (yet) normally had 1 or 2 by the time it has taken to write this so, so far so good.

Here is the latest Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 15:34:26, on 22/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Peter\My Documents\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] J:\My old Disk Structure -- 06-03-19 1000PM\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BPS Spyware Remover] C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe /STARTUP
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweakSE2\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweakSE2\PopUp Blocker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)

Edited by peterm41, 22 June 2006 - 09:45 AM.


#28 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 22 June 2006 - 09:56 AM


Looks clean. Still have problems?


Seems OK, however, I am using IE7 beta and since the above problem started I can not use the tab browsing, when I click to open a new tab the IE just closes and goes back to desktop. Ive tried reinstalling IE7.



And the tab browsing works again :thumbsup:

Thanks again for your help, if there is any further scans etc you need please let me know.

Regards


Peter

#29 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:03 AM

Posted 22 June 2006 - 10:08 AM

Well done. :thumbsup: Good job and good riddance :flowers: Just stopping the process did the trick I guess. The log is clean. You can go ahead and uninstall/delete everything I asked you to download to clean your computer, except Ccleaner and Ewido, which are good tools to keep and use on a regular basis.

Since Ewido is a trial version, you may have to manually update the definition file each time you scan when the trial period is over. This is a new version and I am not sure that they will allow manual updates after the trial, but you can try.

Scan with Ewido again. You can do it in Normal Mode this time. Remember to check for updates before you scan.

Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware SE is 1.06 and Spybot 1.4. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

Post back a fresh HijackThis log and the Ewido log please. If all is well, we can go ahead and secure your system in the next post.

#30 peterm41

peterm41
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 22 June 2006 - 12:40 PM

Well done. :thumbsup: Good job and good riddance :flowers: Just stopping the process did the trick I guess. The log is clean. You can go ahead and uninstall/delete everything I asked you to download to clean your computer, except Ccleaner and Ewido, which are good tools to keep and use on a regular basis.

Since Ewido is a trial version, you may have to manually update the definition file each time you scan when the trial period is over. This is a new version and I am not sure that they will allow manual updates after the trial, but you can try.

Scan with Ewido again. You can do it in Normal Mode this time. Remember to check for updates before you scan.

Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware SE is 1.06 and Spybot 1.4. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

Post back a fresh HijackThis log and the Ewido log please. If all is well, we can go ahead and secure your system in the next post.


Running the scans now




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users