Go Back   Computer Juice > Computer Software > Virus, Spyware & Security
Reload this Page

trojan horse BHO.CVX has stolen my computer !!!!!

Register Points Site Spy New Posts Donate Unanswered Posts Search Forum Rules


Reply
< 1 2 3 >
 
LinkBack Thread Tools
  #16  
Old 27th Dec 2007, 10:32 AM
slime's Avatar
slime  United Kingdom
Donor Group
 
slime is offline
 
Join Date: 24th Dec 2007
Last Online: Today 11:49 AM
Posts: 69
iTrader: (0)
slime is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
Thanks evilfantasy, I appreciate your efforts.
Re-booted & came up with the following,


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:26:06, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1154716096448
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tmwtpqzo - C:\WINDOWS\SYSTEM32\diskcopyv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6973 bytes

I truly hope this helps,
Slime.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #17  
Old 27th Dec 2007, 10:59 AM
evilfantasy's Avatar
Moderator Group
Intel ATi
evilfantasy is online now
Send a message via Yahoo to evilfantasy
 
Join Date: 15th Jul 2007
Last Online: Today 06:46 PM
Posts: 5,338
iTrader: (0)
evilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond repute
Default trojan horse BHO.CVX has stolen my computer !!!!!
Open HijackThis and select Do a system scan only then place a check mark next to:


O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll
O20 - Winlogon Notify: tmwtpqzo - C:\WINDOWS\SYSTEM32\diskcopyv.dll


Close all windows except for HijackThis and click Fix checked

----------

Now download The Avenger By Swandog46, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the Input script manually box.
* Click on the Magnifying Glass Icon which will open a new window titled View/edit script
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:WINDOWSSYSTEM32diskcopyv.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE~Browser Helper Objects{2DBB276B-036C-4C52-A8E2-31DC7E8C9597}
Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

* Now click the 'Done' button.
* Click on the Green Light and OK the prompt.
* You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

The Avenger will automatically do the following:

* It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
* On reboot, it will briefly open a black command window on your desktop, this is normal.
* After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please add the C:\avenger.txt in your next post along with a new HijackThis log..
__________________
.
.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #18  
Old 27th Dec 2007, 11:09 AM
No Avatar
Member Group
 
howardhopkinson is offline
 
Join Date: 17th Sep 2007
Last Online: 24th Jan 2008 05:43 PM
Age: 54
Posts: 108
iTrader: (0)
howardhopkinson is on a distinguished roadhowardhopkinson is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
If, what Evilfantasy has told you to do doesn`t work, you might want to try the following.

Download the DrwebCurit programme from HERE. Be sure to follow the instructions exactly.

Reboot your computer and post a fresh HJT log once done.

Regards Howard :)
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #19  
Old 27th Dec 2007, 12:08 PM
slime's Avatar
slime  United Kingdom
Donor Group
 
slime is offline
 
Join Date: 24th Dec 2007
Last Online: Today 11:49 AM
Posts: 69
iTrader: (0)
slime is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
Did as requested but had trouble running Avenger.
The error message I got is shown at the beginning of the log.
The two logs are as follows,

Avenger log :
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_LOCAL_MACHINE~Browser Helper Objects{2DBB276B-036C-4C52-A8E2-31DC7E8C9597}

//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\ntykyybl
*******************
Script file located at: \??\C:\Documents and Settings\hhfdfury.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

File C:WINDOWSSYSTEM32diskcopyv.dll not found!
Deletion of file C:WINDOWSSYSTEM32diskcopyv.dll failed!
Could not process line:
C:WINDOWSSYSTEM32diskcopyv.dll
Status: 0xc0000034

Completed script processing.
*******************
Finished! Terminate.


HJT log :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:30:56, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1154716096448
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tmwtpqzo - C:\WINDOWS\SYSTEM32\diskcopyv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7006 bytes

Everything is crossed,
again, many thanks,
Slime.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #20  
Old 27th Dec 2007, 12:24 PM
evilfantasy's Avatar
Moderator Group
Intel ATi
evilfantasy is online now
Send a message via Yahoo to evilfantasy
 
Join Date: 15th Jul 2007
Last Online: Today 06:46 PM
Posts: 5,338
iTrader: (0)
evilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond repute
Default trojan horse BHO.CVX has stolen my computer !!!!!
Try The Avenger once more with the lines below.


Files to delete:
C:\WINDOWS\SYSTEM32\diskcopyv.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DBB276B-036C-4C52-A8E2-31DC7E8C9597}
__________________
.
.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #21  
Old 27th Dec 2007, 12:42 PM
slime's Avatar
slime  United Kingdom
Donor Group
 
slime is offline
 
Join Date: 24th Dec 2007
Last Online: Today 11:49 AM
Posts: 69
iTrader: (0)
slime is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
Hi fella,
it seemed to work straight away this time, woo hoo!!
Did Avenger log & HJT log in case you needed that also.

Avenger log,
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\yawfosjv
*******************
Script file located at: \??\C:\Program Files\suenrktu.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\SYSTEM32\diskcopyv.dll deleted successfully.

Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DBB276B-036C-4C52-A8E2-31DC7E8C9597 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DBB276B-036C-4C52-A8E2-31DC7E8C9597 failed!
Status: 0xc0000034

Completed script processing.
*******************
Finished! Terminate.


HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:34:18, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1154716096448
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tmwtpqzo - diskcopyv.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7016 bytes

Does this look better?
Thanks again,
Slime.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #22  
Old 27th Dec 2007, 12:53 PM
evilfantasy's Avatar
Moderator Group
Intel ATi
evilfantasy is online now
Send a message via Yahoo to evilfantasy
 
Join Date: 15th Jul 2007
Last Online: Today 06:46 PM
Posts: 5,338
iTrader: (0)
evilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond repute
Default trojan horse BHO.CVX has stolen my computer !!!!!
I think that got it. We need to do some clean up now.

Open HijackThis and select Do a system scan only then place a check mark next to:


O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll (file missing)
O20 - Winlogon Notify: tmwtpqzo - diskcopyv.dll (file missing)


Close all windows except for HijackThis and click Fix checked

----------

Go to Start > Run and copy and paste next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again

----------

Please download OTMoveIt by OldTimer OTMoveIt.exe and place it on your desktop.

1. Double click OTMoveIt.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. You will be prompted to allow the clean up procedure, click Yes
5. When finished exit out of OTMoveIt

----------

Please download ATF Cleaner by Atribune. ATF Cleaner.exe

Make sure that all browser windows are closed.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.

If you use Firefox browser
  • Click Firefox at the top and choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

----------

Let us know how the computer is running now.
__________________
.
.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #23  
Old 27th Dec 2007, 12:59 PM
No Avatar
Member Group
 
howardhopkinson is offline
 
Join Date: 17th Sep 2007
Last Online: 24th Jan 2008 05:43 PM
Age: 54
Posts: 108
iTrader: (0)
howardhopkinson is on a distinguished roadhowardhopkinson is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
Well done, you`re HJT log is now clean.

Have HJT fix these inactive entries.

O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll (file missing)

O20 - Winlogon Notify: tmwtpqzo - diskcopyv.dll (file missing)

Click the fix checked button and close HJT.

Reboot your system.

I still recommend you run the DrWebCurit programme, just to be on the safe side and post what should hopfeully be a final HJT log.

Regards Howard.

Edit: Sorry mate, our posts have obviously crossed.
Last edited by howardhopkinson : 27th Dec 2007 at 12:59 PM.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #24  
Old 27th Dec 2007, 01:04 PM
evilfantasy's Avatar
Moderator Group
Intel ATi
evilfantasy is online now
Send a message via Yahoo to evilfantasy
 
Join Date: 15th Jul 2007
Last Online: Today 06:46 PM
Posts: 5,338
iTrader: (0)
evilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond repute
Default trojan horse BHO.CVX has stolen my computer !!!!!
No problem, the DR.Web should be ran.
__________________
.
.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #25  
Old 27th Dec 2007, 03:59 PM
slime's Avatar
slime  United Kingdom
Donor Group
 
slime is offline
 
Join Date: 24th Dec 2007
Last Online: Today 11:49 AM
Posts: 69
iTrader: (0)
slime is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
Slight problem fellas!!!
Can't seem to run OTMovelt.exe..........it says it cannot connect to the Internet.
(No Internet connection is one of my main issues).
Should I run ATF Cleaner anyway??
Should I run DrWebCurit??
Starting to panic now!!!

Slime
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #26  
Old 27th Dec 2007, 04:02 PM
evilfantasy's Avatar
Moderator Group
Intel ATi
evilfantasy is online now
Send a message via Yahoo to evilfantasy
 
Join Date: 15th Jul 2007
Last Online: Today 06:46 PM
Posts: 5,338
iTrader: (0)
evilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond reputeevilfantasy has a reputation beyond repute
Default trojan horse BHO.CVX has stolen my computer !!!!!
No worries, just delete the OTMoveIt icon from the desktop.

Go to C:\SDFix and delete the entire folder.

Run ATF Cleaner then run DR.Web.
__________________
.
.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #27  
Old 27th Dec 2007, 04:03 PM
No Avatar
Member Group
 
howardhopkinson is offline
 
Join Date: 17th Sep 2007
Last Online: 24th Jan 2008 05:43 PM
Age: 54
Posts: 108
iTrader: (0)
howardhopkinson is on a distinguished roadhowardhopkinson is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
Run the DrWebCurit and the ATF cleaner, then post a fresh HJT log.

Regards Howard.

Edit: Lol, out posts have crossed yet again.
Last edited by howardhopkinson : 27th Dec 2007 at 04:03 PM.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #28  
Old 27th Dec 2007, 04:27 PM
slime's Avatar
slime  United Kingdom
Donor Group
 
slime is offline
 
Join Date: 24th Dec 2007
Last Online: Today 11:49 AM
Posts: 69
iTrader: (0)
slime is on a distinguished road
Default trojan horse BHO.CVX has stolen my computer !!!!!
Hi Fellas.
Whilst I am running DWeb, (complete scan), can I ask wether or not you think this will give me back my Internet & e-mail capabilities?
I currently use Mozilla Firefox & Thunderbird and have had no problems until now.
Could I have picked up the Trojans during on-line gaming?
Always in your debt,
Slime.
Digg this postDel.icio.us this postReddit this post Stumble this postFacebook this post
Reply With Quote
  #29  
Old 27th Dec 2007, 04:32 PM
No Avatar