My computer has been infected with the AWVVT.DLL file and I've tried removing the bugger using HijackThis, but it keeps coming back. Microsoft Antispyware detects the file and removes it, but it also keeps coming back.
My Hijackthis log file is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 11:51:53 AM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\jetsuite\jsdaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Local Settings\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.exe
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\awvvt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: awvvt - C:\WINDOWS\SYSTEM32\awvvt.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\m2460chsef460.dll
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
When I run VX2 Finder, I get the following log:
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
awvvt
Run
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
{C19F8413-0F5A-2D59-6760-57AA02B52319}
I've tried using VundoFix in safe mode (without internet attached) but I keep getting the message that it can't access the process because it is being used by another process.
My VundoFix log is as follows:
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was c:\WINDOWS\system32\awvvt.dll
The second filepath entered was c:\WINDOWS\system32\tvvwa.dll
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 136 'smss.exe'
Error 0x6 : The handle is invalid.
Killing PID 580 'explorer.exe'
Killing PID 580 'explorer.exe'
Killing PID 504 'rundll32.exe'
Killing PID 212 'winlogon.exe'
Error 0x6 : The handle is invalid.
--------------------------------------------------------------------------------------
Could not delete c:\WINDOWS\system32\awvvt.dll.
c:\WINDOWS\system32\tvvwa.dll Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------
I've tried running KILLBOX and typing in the file manually and selecting delete on reboot and end explorer shell while killing file, but then I get the following message: "PendingFileRenameOperationsRegistryData has been removed by External Processes".
Is there something that I can do to get rid of this? I'm getting pop ups galore (spotresults.com and starware.com and a few others) and also flash ad pop ups which has never happened before.
Can anyone help me PLEASE?
Thanks so much,
Edited by dubzter, 28 November 2005 - 11:36 AM.