advapi3.dll Trojan

Viruses and worms
1

Hello,

I was infected with a Trojan that left advapi3.dll on my machine. Avast home addition and Disinfectant can’t remove it. I keep getting an access denied error when Avast or I try to delete it. How can I remove this infected file?

Thanks,

Dave D

2

Hi Dave_D,

Go here and take the steps proposed without the aid of a malware fighter:
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
If remnants of this malware (spyware.bzub) remain, post a hijackthis log here,

You can find a combofix log for this kind of malware here:
http://forum.aumha.org/viewtopic.php?p=173234
You will need another for your particular situation, so

  1. Download but do not yet run ComboFix
    Exclamation If you have a previous version of Combofix.exe, delete it and download a fresh copy.
    Download this file – to your Desktop – from either of these two sources:
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
    http://subs.geekstogo.com/Beta/ComboFix.exe

Attach a combofix log here,

polonus

3

Hello polonus,

I have the Win32:BHO-KD [trj] trojan in the advapi3.dll file. I also ran ccleaner on both the file system and the registry. Here is the log from Hijackthis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Money\System\urlmap.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file)
O2 - BHO: (no name) - {47b92419-1066-4ef0-af4c-fc38a061bea4} - C:\WINDOWS\System32\hxtvdnev.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O2 - BHO: (no name) - {68F427E5-9E80-4D09-8637-351757C5231B} - C:\WINDOWS\System32\advapi3.dll
O2 - BHO: (no name) - {786560da-3528-4552-93be-c481b0012245} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\6Yu11oql.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {9C6E4645-889B-45AB-A8BE-7F203AD1FF49} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {ec3acb3a-1dd1-11b2-a6f7-e5b590a869db} - C:\WINDOWS\afixyvgh.dll
O2 - BHO: (no name) - {ED3755D3-F993-4B5B-8441-B3896E48DFB2} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM..\Run: [VerizonServicepoint.exe] “C:\Program Files\Verizon\VSP\VerizonServicepoint.exe” /AUTORUN
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [shcbotgx] regsvr32 /u “C:\Documents and Settings\All Users\Application Data\shcbotgx.dll”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [3ceeeeaa] rundll32.exe “C:\WINDOWS\System32\tyenmqga.dll”,b
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm128YYUS
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rosa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199669006125
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O20 - AppInit_DLLs: c:\windows\system32\awtsqrp.dll
O20 - Winlogon Notify: igfnfg - igfnfg.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe


End of file - 9489 bytes

Thanks again. I’m looking forward to your response.
Dave D

4

Hi Dave_D,

The evaluation of your hijackthis log, the following entries can be fixed:

O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com - Must be fixed!
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com - Must be fixed!
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com - Must be fixed!
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com - Must be fixed!
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com - Must be fixed!
[Y] O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - AcroIEhelper.ocx, AcroIEhelper.dll - Adobe Acrobat reader, http://www.adobe.com/products/acrobat/re adstep2.html
[N] O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file) - Must be fixed!Unnecessary (deactivated) entry that can be fixed. Starware.dll, Starware***.dll (* = random digit) - Starware, http://www.symantec.com/security_respons e/writeup.jsp?docid=2005-050313-4341-99 adware variant - also see here, http://vil.nai.com/vil/content/v_135504. htm and here, http://www.siteadvisor.
[?] O2 - BHO: (no name) - {47b92419-1066-4ef0-af4c-fc38a061bea4} - C:\WINDOWS\System32\hxtvdnev.dll - Unknown application.
[N] O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file) - Must be fixed!Unnecessary (deactivated) entry that can be fixed. AdWare.BHO.MegaSearch.b
[?] O2 - BHO: (no name) - {68F427E5-9E80-4D09-8637-351757C5231B} - C:\WINDOWS\System32\advapi3.dll - Unknown application.
[N] O2 - BHO: (no name) - {786560da-3528-4552-93be-c481b0012245} - (no file) - Unknown application.Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\6Yu11oql.dll - Must be fixed! xmlhelper.dll - Parasite detected by Kaspersky, http://www.kaspersky.com/ antivirus as not-a-virus:AdWare.Win32.Agent.db
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll - Must be fixed! QdrDrive8.dll - “Hyperlinks Rotator” aka ISMonitor adware hailing from zredirector.com - installs a “Internet Speed Monitor” sidebar - file detected by Kaspersky, http://www.kaspersky.com/ antivirus as AdWare.Win32.AdBand.b
[N] O2 - BHO: (no name) - {9C6E4645-889B-45AB-A8BE-7F203AD1FF49} - (no file) - Unknown application.Unnecessary (deactivated) entry that can be fixed.
[[?] O2 - BHO: (no name) - {ec3acb3a-1dd1-11b2-a6f7-e5b590a869db} - C:\WINDOWS\afixyvgh.dll - Unknown application.
[N] O2 - BHO: (no name) - {ED3755D3-F993-4B5B-8441-B3896E48DFB2} - (no file) - Unknown application.Unnecessary (deactivated) entry that can be fixed.
[N] O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file) - Must be fixed!Unnecessary (deactivated) entry that can be fixed. AdWare.BHO.MegaSearch.b
[ O4 - HKLM..\Run: [VerizonServicepoint.exe] “C:\Program Files\Verizon\VSP\VerizonServicepoint.exe” /AUTORUN - It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.
[?] O4 - HKLM..\Run: [shcbotgx] regsvr32 /u “C:\Documents and Settings\All Users\Application Data\shcbotgx.dll” - Fuzzy Algorithmcheck (3.08 / 5.00), Neutral
[Y] O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime - Not dangerous, but unnecessary. QuickTime
[Y] O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” - Not dangerous, but unnecessary.
[?] O4 - HKLM..\Run: [3ceeeeaa] rundll32.exe “C:\WINDOWS\System32\tyenmqga.dll”,b - Unknown application.
[ O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm128YYUS - The entry &Search has been identified as nasty.
[N] O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rosa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) - Unnecessary (deactivated) entry that can be fixed. The entry Run IMVU has been identified as safe.
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab - Should be fixed. This entry is possibly nasty.
[?] O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O20 - AppInit_DLLs: c:\windows\system32\awtsqrp.dll -
[N] O20 - Winlogon Notify: igfnfg - igfnfg.dll (file missing) - Unnecessary (deactivated) entry that can be fixed.

polonus

5

hello polonus,

can u also help me in my virus problem?.. my forum post is http://forum.avast.com/index.php?topic=32589.0

6

Hello,

Comofix.exe fixed my problem. I reran AVAST and found no viruses and also no longer have c:\windows\system32\advapi3.dll.

Thanks!!!

7

So much the better,

Damian