
Solved: awvus.dll that I can't delete! Adware-Virtumondo maybe!?

Discussion in 'Virus & Other Malware Removal' started by jeremyl, Nov 10, 2007.

Thread Status:
Not open for further replies.
jeremyl (Thread Starter) | Joined: Nov 10, 2007 | Messages: 1

    Hi

    I have Trend Micro PC-cillin Internet Security 2007.

    I have a problem that results in it constantly telling me that there are suspicious changes being detected - they are varied, but most of the time they relate to an IE BHO and mention awvus.dll.

    Trend's customer support people have been useless.

    I have run and sent them HijackThis logs, and they've made my PC even worse! (including telling me to delete elements of the Vista OS so I now no longer have a sidebar!)

    I've tried booting in safe mode and deleting awvus.dll, which didn't work - it tells me it's in use by another program. Killbox doesn't get rid of it either.

    I'm stuck! Please help... HijackThis log follows - thanks in anticipation.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:52:21 AM, on 11/11/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16546)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Protector Suite QL\psqltray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Users\JMLM\Desktop\HiJackThis.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: ::1 localhost
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [aeba4df4] rundll32.exe "C:\Windows\system32\lcwswncr.dll",b
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8B84D206-123D-427C-8923-9BD94D311627}: Domain = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{95D15053-4A70-4F2B-8E91-4F73C8FCA215}: Domain = vic.bigpond.net.au
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    I tried running VirtumundoBeGone.exe but without joy. This is the VGB log... it spotted awvus.dll but didn't do anything about deleting it. Didn't rename anything as *.vir either. A further system scan didn't make any difference.


    [11/11/2007, 11:00:54] - VirtumundoBeGone v1.5 ( "C:\Users\JMLM\Desktop\VirtumundoBeGone.exe" )
    [11/11/2007, 11:01:01] - Detected System Information:
    [11/11/2007, 11:01:01] - Windows Version: 6.0.6000,
    [11/11/2007, 11:01:01] - Current Username: JMLM (Admin)
    [11/11/2007, 11:01:01] - Windows is in NORMAL mode.
    [11/11/2007, 11:01:01] - Searching for Browser Helper Objects:
    [11/11/2007, 11:01:01] - BHO 1: {00920859-5496-4A05-991C-E7F3263AABD1} ()
    [11/11/2007, 11:01:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:01] - Checking for HKLM\...\Winlogon\Notify\awvus
    [11/11/2007, 11:01:01] - Key not found: HKLM\...\Winlogon\Notify\awvus, continuing.
    [11/11/2007, 11:01:01] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [11/11/2007, 11:01:01] - BHO 3: {22B59144-6614-4963-A528-7C67C8EF16C3} ()
    [11/11/2007, 11:01:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:01] - Checking for HKLM\...\Winlogon\Notify\awvus
    [11/11/2007, 11:01:01] - Key not found: HKLM\...\Winlogon\Notify\awvus, continuing.
    [11/11/2007, 11:01:01] - BHO 4: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
    [11/11/2007, 11:01:01] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [11/11/2007, 11:01:01] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [11/11/2007, 11:01:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:01] - No filename found. Continuing.
    [11/11/2007, 11:01:01] - BHO 7: {A95B2816-1D7E-4561-A202-68C0DE02353A} ()
    [11/11/2007, 11:01:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:01] - Checking for HKLM\...\Winlogon\Notify\cwhwwlza
    [11/11/2007, 11:01:01] - Found: HKLM\...\Winlogon\Notify\cwhwwlza - This is probably Virtumundo.
    [11/11/2007, 11:01:01] - Assigning {A95B2816-1D7E-4561-A202-68C0DE02353A} MSEvents Object
    [11/11/2007, 11:01:01] - BHO list has been changed! Starting over...
    [11/11/2007, 11:01:01] - BHO 1: {00920859-5496-4A05-991C-E7F3263AABD1} ()
    [11/11/2007, 11:01:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:01] - Checking for HKLM\...\Winlogon\Notify\awvus
    [11/11/2007, 11:01:01] - Key not found: HKLM\...\Winlogon\Notify\awvus, continuing.
    [11/11/2007, 11:01:01] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [11/11/2007, 11:01:01] - BHO 3: {22B59144-6614-4963-A528-7C67C8EF16C3} ()
    [11/11/2007, 11:01:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:01] - Checking for HKLM\...\Winlogon\Notify\awvus
    [11/11/2007, 11:01:01] - Key not found: HKLM\...\Winlogon\Notify\awvus, continuing.
    [11/11/2007, 11:01:01] - BHO 4: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
    [11/11/2007, 11:01:01] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [11/11/2007, 11:01:01] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [11/11/2007, 11:01:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:01] - No filename found. Continuing.
    [11/11/2007, 11:01:01] - BHO 7: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
    [11/11/2007, 11:01:01] - ALERT: Found MSEvents Object!
    [11/11/2007, 11:01:01] - Finished Searching Browser Helper Objects
    [11/11/2007, 11:01:01] - *** Detected MSEvents Object
    [11/11/2007, 11:01:01] - Trying to remove MSEvents Object...
    [11/11/2007, 11:01:02] - Terminating Process: IEXPLORE.EXE
    [11/11/2007, 11:01:02] - Terminating Process: RUNDLL32.EXE
    [11/11/2007, 11:01:03] - Disabling Automatic Shell Restart
    [11/11/2007, 11:01:03] - Terminating Process: EXPLORER.EXE
    [11/11/2007, 11:01:03] - Suspending the NT Session Manager System Service
    [11/11/2007, 11:01:03] - Terminating Windows NT Logon/Logoff Manager
    [11/11/2007, 11:01:03] - Re-enabling Automatic Shell Restart
    [11/11/2007, 11:01:03] - File to disable: C:\Windows\system32\cwhwwlza.dll
    [11/11/2007, 11:01:03] - Renaming C:\Windows\system32\cwhwwlza.dll -> C:\Windows\system32\cwhwwlza.dll.vir
    [11/11/2007, 11:01:03] - File successfully renamed!
    [11/11/2007, 11:01:03] - Removing HKLM\...\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
    [11/11/2007, 11:01:03] - Removing HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
    [11/11/2007, 11:01:03] - Adding Kill Bit for ActiveX for GUID: {A95B2816-1D7E-4561-A202-68C0DE02353A}
    [11/11/2007, 11:01:03] - Deleting ATLEvents/MSEvents Registry entries
    [11/11/2007, 11:01:03] - Removing HKLM\...\Winlogon\Notify\cwhwwlza
    [11/11/2007, 11:01:03] - Searching for Browser Helper Objects:
    [11/11/2007, 11:01:03] - BHO 1: {00920859-5496-4A05-991C-E7F3263AABD1} ()
    [11/11/2007, 11:01:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:03] - Checking for HKLM\...\Winlogon\Notify\awvus
    [11/11/2007, 11:01:03] - Key not found: HKLM\...\Winlogon\Notify\awvus, continuing.
    [11/11/2007, 11:01:03] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [11/11/2007, 11:01:03] - BHO 3: {22B59144-6614-4963-A528-7C67C8EF16C3} ()
    [11/11/2007, 11:01:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:03] - Checking for HKLM\...\Winlogon\Notify\awvus
    [11/11/2007, 11:01:03] - Key not found: HKLM\...\Winlogon\Notify\awvus, continuing.
    [11/11/2007, 11:01:03] - BHO 4: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
    [11/11/2007, 11:01:03] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [11/11/2007, 11:01:03] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [11/11/2007, 11:01:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [11/11/2007, 11:01:03] - No filename found. Continuing.
    [11/11/2007, 11:01:03] - Finished Searching Browser Helper Objects
    [11/11/2007, 11:01:03] - Finishing up...
    [11/11/2007, 11:01:03] - A restart is needed.
    [11/11/2007, 11:01:14] - Attempting to Restart via STOP error (Blue Screen!)


    Any ideas please? Starting to get desperate.
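A small triage helper for the O4 (autorun) lines in a HijackThis log like the one above, added here as an example and not part of this thread or of HijackThis or VirtumundoBeGone. It flags the pattern visible in the log, a rundll32 autorun loading a randomly named DLL from system32 (`[aeba4df4] ... lcwswncr.dll,b`), while letting the vendor rundll32 entries through; the allow-list and the "random-looking name" heuristic are my assumptions, and the sample lines are copied from the log.

```python
"""Flag rundll32-loaded DLL autoruns in HijackThis O4 lines (defender-side triage)."""
import re

# Allow-list (assumption): rundll32 targets in this log that are legitimate Windows/NVIDIA DLLs.
KNOWN_GOOD_DLLS = {"nvsvc.dll", "nvcpl.dll", "nvmctray.dll", "oobefldr.dll"}

# O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32[.exe] "<path>.dll",<export>   (quotes and export are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S*))?', re.I)

def looks_random(token: str) -> bool:
    """Heuristic: 8 hex chars (aeba4df4) or a consonant-heavy letter blob (lcwswncr)."""
    t = token.lower()
    if re.fullmatch(r'[0-9a-f]{8}', t):
        return True
    letters = re.sub(r'[^a-z]', '', t)
    if len(letters) < 6:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    return vowels / len(letters) < 0.2

def triage_o4(log_lines):
    """Return [(value_name, dll_path, reasons)] for O4 entries scoring at least two indicators."""
    hits = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        r = RUNDLL_RE.search(m['cmd']) if m else None
        if not r:
            continue
        dll = r['dll'].strip()
        base = dll.rsplit('\\', 1)[-1].lower()
        if base in KNOWN_GOOD_DLLS:
            continue
        reasons = []
        if 'system32' in dll.lower():
            reasons.append('DLL loaded from system32 via rundll32')
        if looks_random(m['name']):
            reasons.append('random-looking Run value name')
        if looks_random(base[:-4]):
            reasons.append('random-looking DLL file name')
        if r['export'] is not None and len(r['export']) <= 1:
            reasons.append('one-character export name')
        if len(reasons) >= 2:
            hits.append((m['name'], dll, reasons))
    return hits

# Sample input: O4 lines copied from the HijackThis log in this thread.
SAMPLE = [
    r'O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [aeba4df4] rundll32.exe "C:\Windows\system32\lcwswncr.dll",b',
    r"O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')",
]

if __name__ == "__main__":
    for name, dll, reasons in triage_o4(SAMPLE):
        print(f"[{name}] {dll}: " + "; ".join(reasons))
```

Run it against a full HijackThis log by passing the file's lines to `triage_o4`; only entries meeting two or more indicators are reported, so vendor rundll32 entries stay quiet.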
     
Short URL to this thread: https://techguy.org/650362

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice