Configure your machine to view hidden files:
Windows XP
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the "Hidden files and folders" heading select Show hidden files and folders.
- Uncheck the Hide Protected Operating System Files Option.
- Click Yes to confirm.
- Click OK.
I want you to please submit some files HERE for experts to take a look at.
Fill in the information needed in the appropriate boxes.
Under "Topic Where File Was Requested:" copy and paste this: http://forums.spybot.info/showthread...9414#post59414
Under the "files to submit," on the first box, click browse then navigate to this file: C:\WINDOWS\system32\awvst.dll
Hit open.
Finally, click the "Send file" button on the bottom part of the page.
___________________________
*Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.
Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
*Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
- Copy&Paste the 2 entries below into the top 2 boxes.
- C:\WINDOWS\system32\awvst.dll
- C:\WINDOWS\SYSTEM32\tsvwa.*
- Click Add Files and click Close Window.
- Click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
*Run AVG Anti-Spyware
- From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Exit AVG Anti-Spyware. DO NOT scan yet.
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {5B034173-5390-4C1A-811E-531CC979B131} - C:\WINDOWS\system32\awvst.dll
O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
Close your browsers and all open windows except for HijackThis, then click "Fix checked".
*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type delservices.bat in the File name and save it to your desktop.
Code:
@echo off
sc stop "COM+ Messages"
sc delete "COM+ Messages"
Do not use it yet!!
*You may want to print these instructions here or save them in notepad since you'll work offline.
Reboot into Safe Mode.
To enter Safe Mode:
Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load > This will bring up a Menu > Use your keyboard to scroll to Safe Mode > Hit enter.
*Locate delservices.bat on your Desktop and double-click on it.
*Using Windows Explorer, find and delete these files:
C:\WINDOWS\system32\ibgiyhbp.dll
C:\WINDOWS\Downloaded Program Files\fcplugin.dll
C:\WINDOWS\system32\win_i.dll
C:\WINDOWS\system32\windmh32.dll
C:\WINDOWS\SYSTEM32\efcdbby.dll
C:\WINDOWS\SYSTEM32\nnlml.dll
C:\WINDOWS\system32\svchosts.exe <<Important!: There is a legit file called svchost.exe present in the same folder as the infected file. The infected file that we want to delete is svchosts.exe, please be careful in deleting the file.
Empty your recycle bin.
*Please run AVG AntiSpyware, and run a full scan as follows:
IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
- Launch AVG AntiSpyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
- AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete, do the following:
- If you have any infections you will be prompted, then select "Apply all actions"
- Next select the "Reports" icon at the top.
- Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
- Close AVG AntiSpyware.
- Reboot to normal mode.
*On your next reply, please post the contents of C:\avenger.txt & C:\rustbfix\pelog.txt, C:\vundofix.txt, AVG Antispyware log, and a fresh HijackThis log.
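
Added example, not part of the original post: a small Python triage helper that parses HijackThis entries like the ones listed above, records which are marked "(file missing)", and flags file names that sit one or two characters away from a genuine Windows process name, which is the svchosts.exe / svchost.exe trap the post warns about. The function names, the short list of genuine process names and the distance threshold of 2 are assumptions made for this illustration; the sample lines are copied from the post.

```python
import re

# Sample input: entries copied from the HijackThis list in the post above.
SAMPLE_LOG = r'''O2 - BHO: (no name) - {5B034173-5390-4C1A-811E-531CC979B131} - C:\WINDOWS\system32\awvst.dll
O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)'''

# Assumption: a short, non-exhaustive list of genuine Windows process names.
KNOWN_SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe",
                      "winlogon.exe", "services.exe", "explorer.exe")

LINE_RE = re.compile(r'^(O\d+) - ([^:]+): (.*)$')       # section, kind, rest
FILE_RE = re.compile(r'[\w.+-]+\.(?:dll|exe)', re.I)    # bare file name

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    """Return the genuine name this file imitates, or None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_NAMES:      # an exact match is the real name
        return None
    for real in KNOWN_SYSTEM_NAMES:
        if edit_distance(name, real) <= 2:
            return real
    return None

def parse_entry(line):
    """Split one HijackThis line into its fields; None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    files = FILE_RE.findall(rest)       # tolerates the stray quote in the O23 line
    name = files[-1].lower() if files else None
    return {"section": section, "kind": kind, "file": name,
            "missing": rest.rstrip().endswith("(file missing)"),
            "lookalike_of": lookalike(name) if name else None}

def review(log_text):
    return [e for e in map(parse_entry, log_text.splitlines()) if e]
```

An entry with a non-empty `lookalike_of` is the one to double-check by full name before deleting anything in that folder.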