-
November 28th, 2005, 12:58 PM
#1
AWVVT.DLL .... please help
Hi Everyone,
my computer has been infected with the AWVVT.DLL file and I've tried removing the bugger using HijackThis but it keeps coming back. Microsoft AntiSpyware detects the file and removes it, but it also keeps coming back.
My Hijackthis log file is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 11:51:53 AM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\jetsuite\jsdaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Local Settings\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.exe
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\awvvt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: awvvt - C:\WINDOWS\SYSTEM32\awvvt.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\m2460chsef460.dll
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
When I run VX2 Finder, I get the following log:
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
awvvt
Run
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
{C19F8413-0F5A-2D59-6760-57AA02B52319}
I've tried using VundoFix in safe mode (without internet attached) but I keep getting the message that it can't access the process because it is being used by another process.
I've tried running KillBox and typing in the file manually and selecting delete on reboot and end explorer shell while killing file, but then I get the following message: "PendingFileRenameOperationsRegistryData has been removed by External Processes".
Is there something that I can do to get rid of this? I'm getting pop-ups galore and also flash ad pop-ups, which have never happened before.
Can Anyone help me PLEASE?
thanks,
-
November 28th, 2005, 02:22 PM
#2
Vundo/Winfixer
Suggest you read this thread and other similar threads in DSL Reports:
http://www.dslreports.com/forum/remark,14673165
You can possibly adapt those instructions to help you; if not you can probably get some of the "gooroos" on Virtual Doctor to help you.
It's tough to get rid of....took me several days with help from knowledgeable folks.
BTW, further research by others indicates the presence of Sun Java file J2SE 1.4.2_03 is a common denominator to infection by Vundo/WinFixer. If it's in your system you need to update to the new version J2SE Runtime Environment and then delete/uninstall the older version; if both are in your system then uninstall the older version (presence of both is another common denominator). The old version seems to have an "exploit" being used to allow VUNDO into the operating systems.
Symantec has also updated their Vundo removal tool; it might work for your version of Vundo:
http://www.symantec.com/avcenter/ven...oval.tool.html
BTW, I was infected first time on October 8th and removed it; infected second time October 27th - still had that Sun Java File J2SE 1.4.2_03 and it got me again. Be sure you run Housecall, Panda Activescan or similar program after removing the bad files and disable system restore and reboot then re-enable system restore. Sys Restore sometimes keeps a copy of the trojan/virus or whatever...
Last edited by Le Boule; November 28th, 2005 at 02:35 PM.
-
November 28th, 2005, 03:10 PM
#3
 Originally Posted by Le Boule
Suggest you read this thread and other similar threads in DSL Reports:
http://www.dslreports.com/forum/remark,14673165
You can possibly adapt those instructions to help you; if not you can probably get some of the "gooroos" on Virtual Doctor to help you.
It's tough to get rid of....took me several days with help from knowledgeable folks.
BTW, further research by others indicates the presence of Sun Java file J2SE 1.4.2_03 is a common denominator to infection by Vundo/WinFixer. If it's in your system you need to update to the new version J2SE Runtime Environment and then delete/uninstall the older version; if both are in your system then uninstall the older version (presence of both is another common denominator). The old version seems to have an "exploit" being used to allow VUNDO into the operating systems.
Symantec has also updated their Vundo removal tool; it might work for your version of Vundo:
http://www.symantec.com/avcenter/ven...oval.tool.html
BTW, I was infected first time on October 8th and removed it; infected second time October 27th - still had that Sun Java File J2SE 1.4.2_03 and it got me again. Be sure you run Housecall, Panda Activescan or similar program after removing the bad files and disable system restore and reboot then re-enable system restore. Sys Restore sometimes keeps a copy of the trojan/virus or whatever...

Hi LeBoule!
Thanks for your reply. I've tried following the other posts you suggested but my problem is that they all seem to require that I use the VundoFix tool, and every time I use it in safe mode, it says that it can't access the process b/c it is being used by another process. If only I could start my computer in DOS, but I was told this is not possible with WIN XP Home.
I'm updating my Java as we speak.
When you were infected, did you also get flash pop ups?
Thanks for your help so far!
-
November 28th, 2005, 04:04 PM
#4
Not sure you have Vundo; it usually shows as an O2 MS Events object.
Your biggest need right now, though, is to download HJT into its own folder, in Program Files for example. Temp file locations are discouraged because they miss some items sometimes; also because if the backup file is ever wiped clean you could be in major unjoy. Once cleaned out, your next biggest need is to install SP2 and patch the holes in your security.
Read this, following all instructions; then post a new HJT log here.
-
November 28th, 2005, 04:08 PM
#5
http://discussions.virtualdr.com/forumdisplay.php?f=71
Read the rules for posting HJT files on VDoc and also see if there are other threads to help you here at Virtual Doctor. Suggest you get current version Hijack This, download and run it and follow the recommended procedure for posting HJT logs and then post ENTIRE log on VDoc HJT Forum along with quick synopsis of what you've done so far. I'm sure someone will help you - might take a little time though so be patient.
I got all sort of pop-ups when I had Winfixer; I couldn't even read DSL Reports, PCQandA or Virtual Doctor for the *&%#* pop-ups! And it happened over and over....was very frustrating.
I don't think I have sufficient expertise to give you more specific guidance.
Good luck!
====================
Suggest you follow guidance of lgbpop. I share the concern that "MS Events" did not show in your HJT log, but that BHO listed under "O2" looks very similar to the file listed under "O20." I recall such similarities in the log files when I had Vundo/Virtumonde/Winfixer.
Last edited by Le Boule; November 28th, 2005 at 04:17 PM.
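The cross-check Le Boule describes above, written out as an added example (this is not code from this thread, from HijackThis or from any tool named here): a small Python script that parses the O2 (BHO) and O20 (Winlogon Notify) lines from the log posted in #1, then flags any Winlogon Notify handler whose subkey is not one of the Notify packages shipped with a stock Windows XP install, or whose DLL is also registered as a browser helper object. The sample log lines are copied from post #1; the baseline list of stock Notify subkeys is an assumption and should be checked against a known-clean machine of the same build.

```python
import re

# Constructed sample: the O2/O4/O20/O23 lines from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\awvvt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: awvvt - C:\WINDOWS\SYSTEM32\awvvt.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\m2460chsef460.dll
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
"""

# Winlogon Notify subkeys present on a stock Windows XP install (assumed baseline;
# verify against a clean machine of the same service-pack level before relying on it).
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HijackThis line formats for the two sections we care about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (bhos, notify_entries) parsed from HijackThis log text."""
    bhos, notify = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def norm_path(path):
    """Normalise a Windows path for comparison: case-insensitive, single separator."""
    return path.strip().lower().replace("/", "\\")


def analyze(text):
    """Flag suspicious Winlogon Notify handlers.

    A handler is reported when its subkey is not in the stock baseline, or when
    the same DLL is also loaded into Internet Explorer as a BHO (the O2/O20
    overlap noted in post #5). Each finding lists every reason that applied.
    """
    bhos, notify = parse_hjt(text)
    bho_paths = {norm_path(b["path"]) for b in bhos}
    findings = []
    for entry in notify:
        reasons = []
        if entry["subkey"].lower() not in BASELINE_NOTIFY:
            reasons.append("Notify subkey not in stock XP baseline")
        if norm_path(entry["path"]) in bho_paths:
            reasons.append("same DLL also registered as a BHO (O2)")
        if reasons:
            findings.append({"subkey": entry["subkey"],
                             "path": entry["path"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["subkey"]:<12} {f["path"]}')
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the posted log this reports both Notify entries: awvvt (unknown subkey and shared with the BHO) and Run (unknown subkey). A Notify handler is loaded by winlogon.exe at logon, before the shell and before most removal tools start, which is why file-deletion tools report the DLL as in use; the script only surfaces the entries, and removal is still the job of a tool that can act before winlogon loads them.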
-
December 2nd, 2005, 05:42 AM
#6
dubzter, I believe your pc is still infected. Could you please post another log in its entirety. If you are receiving help from any other forums, please let me know.