Thread: awvvt.dll infected --- unable to remove

  1. #1
    Junior Member
    Join Date
    May 2007
    Posts
    13

    Hi,

    awvvt.dll got infected with Trojan Horse virus. I have attempted to remove the DLL with VundoFix but removal failed. Here is the VundoFix log:



    VundoFix V6.3.21

    Checking Java version...

    Scan started at 11:29:26 PM 5/4/2007

    Listing files found while scanning....

    C:\WINNT\system32\awturrp.dll
    C:\WINNT\system32\awvvt.dll
    C:\WINNT\system32\qlvnxaym.dll
    C:\WINNT\system32\rqrollk.dll
    C:\WINNT\system32\tvvwa.bak1
    C:\WINNT\system32\tvvwa.bak2
    C:\WINNT\system32\tvvwa.ini

    Beginning removal...

    Attempting to delete C:\WINNT\system32\awvvt.dll
    C:\WINNT\system32\awvvt.dll Could not be deleted.

    Attempting to delete C:\WINNT\system32\rqrollk.dll
    C:\WINNT\system32\rqrollk.dll Has been deleted!

    Attempting to delete C:\WINNT\system32\tvvwa.bak1
    C:\WINNT\system32\tvvwa.bak1 Has been deleted!

    Attempting to delete C:\WINNT\system32\tvvwa.bak2
    C:\WINNT\system32\tvvwa.bak2 Has been deleted!

    Attempting to delete C:\WINNT\system32\tvvwa.ini
    C:\WINNT\system32\tvvwa.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINNT\system32\awvvt.dll
    C:\WINNT\system32\awvvt.dll Could not be deleted.

    Attempting to delete C:\WINNT\system32\tvvwa.ini
    C:\WINNT\system32\tvvwa.ini Has been deleted!

    Performing Repairs to the registry.
    Done!


    Another attempt at removal failed after reboot.


    Please help!!!

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Hello.

    Please see the procedure for this forum: "BEFORE you POST" Mandatory Steps Before Requesting Assistance

    Copy the information requested into this topic, and a helper will advise you when available.

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    May 2007
    Posts
    13

    Hi,

    Here is what I have done:

    1. Results of eTrust Antivirus Web Scanner:


    Scan Results: 118303 files scanned. 10 viruses were detected.

    File Infection Status Path

    wr-1-2000219.exe Win32/Matcash.W
    deleted C:\Documents and Settings\Eric\Local Settings\Temp\

    netmon.exe Win32/NetMon.A
    cannot delete C:\Program Files\Network Monitor\

    Click Here.exe Win32/Luder.AG
    deleted C:\Program Files\Qualcomm\Eudora\Embedded\

    Read More.exe Win32/Luder.AG
    deleted C:\Program Files\Qualcomm\Eudora\Embedded\

    Read More1.exe Win32/Luder.AG
    deleted C:\Program Files\Qualcomm\Eudora\Embedded\

    With Love.exe Win32/Luder.AF
    deleted C:\Program Files\Qualcomm\Eudora\Embedded\

    awvvt.dll.bad Win32/Vundo!generic
    infected C:\VundoFix Backups\

    rqrollk.dll.bad Win32/Chisyne!generic
    infected C:\VundoFix Backups\

    retadpu2000219.exe.tmp Win32/Matcash.U
    deleted C:\WINNT\

    awvvt.dll Win32/Vundo!generic
    cannot delete C:\WINNT\system32\


    2. Results of running Spybot-S&D:


    I rebooted and re-ran Spybot-S&D several times but it was not able to remove Smitfraud-C.Toolbar888 in C:\WINNT\system32\awvvt.dll

    3. HiJackThis log

    I tried several times running HiJackThis. Scan would complete, but every time I would press "Save Log", HiJackThis just terminates without generating a log.

    Thank you for your help.

  4. #4
    Junior Member
    Join Date
    May 2007
    Posts
    13

    I have rerun HijackThis and instead of selecting "None of the above...", selected "Do a system scan and save a logfile". The program crashed with an error log.

    Here is the error log generated:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:06:23 AM, on 5/9/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
    C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
    C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
    C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
    C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\nutsrv4.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\QuickTime\qttask.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe
    C:\Program Files\Ipwindows\ipwins.exe
    C:\WINNT\system32\?racle\?ti2evxx.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Symantec\ACT\ACTLDR.EXE
    C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
    E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\TEXTPA~1\TextPad.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    M:\Downloads\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINNT\system32\oobadhjs.dll",realset
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
    O4 - HKCU\..\Run: [Hela] "C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [Sgjec] "C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe"
    O4 - HKCU\..\Run: [Ctrzan] C:\WINNT\system32\?racle\?ti2evxx.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
    O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
    O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
    O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
    O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
    O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
    O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
    O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
    O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
    O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
    O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
    O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe

  5. #5
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi erice

    Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #6
    Junior Member
    Join Date
    May 2007
    Posts
    13

    Hi Shaba,

    Here is the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:58:54 PM, on 5/14/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
    C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe
    C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
    C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
    C:\Dev\Tools\IBM\SQLLIB\bin\db2dasstm.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\nutsrv4.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\PROGRA~1\OSITIS~1\WINPRO~1\WinProxy.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Dev\Tools\IBM\SQLLIB\bin\db2fmp.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\QuickTime\qttask.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe
    C:\Program Files\Ipwindows\ipwins.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Symantec\ACT\ACTLDR.EXE
    C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
    E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\?racle\?ti2evxx.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    M:\Downloads\HijackThis\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43EBA266-14F6-3C76-F24F-6CE33BE3F9BB} - C:\WINNT\system32\zqkv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {62234B8E-E8AA-4472-8EBD-87507BEC052D} - C:\WINNT\system32\awvvt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINNT\system32\wmjdfhsb.dll
    O2 - BHO: (no name) - {FDE2C2F4-1C2A-4379-9CFA-22AD886539A0} - C:\WINNT\system32\xwswmhos.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\DEV\TOOLS\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [QBCD Autorun] F:\autorun.exe restart 5 1
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\mqwopmyr.dll",realset
    O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RogersAgent] c:\program files\Rogers\SelfHealing\RogersAgent.exe
    O4 - HKCU\..\Run: [Hela] "C:\DOCUME~1\Eric\APPLIC~1\DOBE~1\wuauclt.exe" -vt yazb
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [Sgjec] "C:\Documents and Settings\Eric\My Documents\?icrosoft\d?dplay.exe"
    O4 - HKCU\..\Run: [Ctrzan] C:\WINNT\system32\?racle\?ti2evxx.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = E:\Program Files\Intuit\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Dev\Tools\Apache Group\Apache2\bin\ApacheMonitor.exe
    O4 - Global Startup: Quicken Startup.lnk = E:\Program Files\Intuit\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: startupb.lnk = C:\Bin\startupb.bat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://pix.futureshop.ca/en/ImageUploader4.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futureshop.ca/en/ulcontrol.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7610B4-D8BE-4BF4-A1F0-DFBF8350A6ED}: NameServer = 24.153.22.195,24.153.22.67
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winamerica.worldinsure.com
    O20 - Winlogon Notify: awturrp - awturrp.dll (file missing)
    O20 - Winlogon Notify: awvvt - C:\WINNT\system32\awvvt.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\Dev\Tools\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\bin\db2syscs.exe
    O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\\bin\db2dasrrm.exe
    O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2govds.exe
    O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2jds.exe
    O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2sec.exe
    O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Dev\Tools\IBM\SQLLIB\BIN\db2rcmd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM HTTP Administration 1.3.26 (IBMHTTPAdministration1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
    O23 - Service: IBM HTTP Server 1.3.26 (IBMHTTPServer1.3.26) - Unknown owner - C:\Dev\Tools\IBM\IBMHttpServer\apache.exe" --ntservice (file missing)
    O23 - Service: IBM WebSphere Application Server V5 - server1 (IBMWAS5Service - server1) - Unknown owner - C:\Dev\Tools\IBM\WebSphere\AppServer\bin\wasservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\System32\nutsrv4.exe
    O23 - Service: OracleOraHome081ClientCache - Unknown owner - C:\Dev\Tools\Oracle\Ora81\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Dev\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
    O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_CompaqWI_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_CompaqWI_server1) - Unknown owner - C:/Dev/Tools/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
    O23 - Service: WinProxy - Unknown owner - C:\PROGRA~1\OSITIS~1\WINPRO~1\WPService.exe



    Thank you.
