I was infected with a Trojan that left advapi3.dll on my machine. Avast Home Edition and Disinfectant can't remove it. I keep getting an access-denied error when Avast or I try to delete it. How can I remove this infected file?
I have the Win32:BHO-KD [trj] trojan in the advapi3.dll file. I also ran CCleaner on both the file system and the registry. Here is the log from HijackThis:
Evaluation of your HijackThis log: the following entries can be fixed:
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com - Must be fixed!
[Y] O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - AcroIEhelper.ocx, AcroIEhelper.dll - Adobe Acrobat Reader, http://www.adobe.com/products/acrobat/readstep2.html
[N] O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file) - Must be fixed! Unnecessary (deactivated) entry that can be fixed. Starware.dll, Starware***.dll (* = random digit) - Starware, http://www.symantec.com/security_response/writeup.jsp?docid=2005-050313-4341-99 adware variant - also see here, http://vil.nai.com/vil/content/v_135504.htm and here, http://www.siteadvisor.
[?] O2 - BHO: (no name) - {47b92419-1066-4ef0-af4c-fc38a061bea4} - C:\WINDOWS\System32\hxtvdnev.dll - Unknown application.
[N] O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file) - Must be fixed! Unnecessary (deactivated) entry that can be fixed. AdWare.BHO.MegaSearch.b
[?] O2 - BHO: (no name) - {68F427E5-9E80-4D09-8637-351757C5231B} - C:\WINDOWS\System32\advapi3.dll - Unknown application.
[N] O2 - BHO: (no name) - {786560da-3528-4552-93be-c481b0012245} - (no file) - Unknown application. Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\6Yu11oql.dll - Must be fixed! xmlhelper.dll - Parasite detected by Kaspersky, http://www.kaspersky.com/ antivirus as not-a-virus:AdWare.Win32.Agent.db
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll - Must be fixed! QdrDrive8.dll - “Hyperlinks Rotator” aka ISMonitor adware hailing from zredirector.com - installs a “Internet Speed Monitor” sidebar - file detected by Kaspersky, http://www.kaspersky.com/ antivirus as AdWare.Win32.AdBand.b
[N] O2 - BHO: (no name) - {9C6E4645-889B-45AB-A8BE-7F203AD1FF49} - (no file) - Unknown application. Unnecessary (deactivated) entry that can be fixed.
[?] O2 - BHO: (no name) - {ec3acb3a-1dd1-11b2-a6f7-e5b590a869db} - C:\WINDOWS\afixyvgh.dll - Unknown application.
[N] O2 - BHO: (no name) - {ED3755D3-F993-4B5B-8441-B3896E48DFB2} - (no file) - Unknown application. Unnecessary (deactivated) entry that can be fixed.
[N] O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file) - Must be fixed! Unnecessary (deactivated) entry that can be fixed. AdWare.BHO.MegaSearch.b
O4 - HKLM..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN - It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file.
[?] O4 - HKLM..\Run: [shcbotgx] regsvr32 /u “C:\Documents and Settings\All Users\Application Data\shcbotgx.dll” - Fuzzy Algorithmcheck (3.08 / 5.00), Neutral
[Y] O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime - Not dangerous, but unnecessary. QuickTime
[Y] O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” - Not dangerous, but unnecessary.
[?] O4 - HKLM..\Run: [3ceeeeaa] rundll32.exe “C:\WINDOWS\System32\tyenmqga.dll”,b - Unknown application.
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm128YYUS - The entry &Search has been identified as nasty.
[N] O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Rosa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) - Unnecessary (deactivated) entry that can be fixed. The entry Run IMVU has been identified as safe.
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab - Should be fixed. This entry is possibly nasty.
[?] O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
[?] O20 - AppInit_DLLs: c:\windows\system32\awtsqrp.dll
[N] O20 - Winlogon Notify: igfnfg - igfnfg.dll (file missing) - Unnecessary (deactivated) entry that can be fixed.
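As an added example, not part of this thread and not code from HijackThis or the analyzer that produced the evaluation above, the Python script below applies the same triage rules to lines in the HijackThis format: hosts entries pointing a domain at a public IP, registered components with "(no file)", ActiveX (O16) downloads from sites not on an allowlist or matching the keywords the evaluation names, AppInit_DLLs entries, and DLL names within one character of a well-known system DLL (the way advapi3.dll shadows advapi32.dll). The sample log, the allowlists and the system-DLL list are constructed for the example.

```python
import re

# Constructed sample lines in the HijackThis format used in the thread
# (trimmed; paths and CLSIDs follow the posted log, the loopback O1 line is made up).
SAMPLE_LOG = r"""
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - (no file)
O2 - BHO: (no name) - {68F427E5-9E80-4D09-8637-351757C5231B} - C:\WINDOWS\System32\advapi3.dll
O4 - HKLM\..\Run: [3ceeeeaa] rundll32.exe "C:\WINDOWS\System32\tyenmqga.dll",b
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O20 - AppInit_DLLs: c:\windows\system32\awtsqrp.dll
"""

# A hosts entry aimed at loopback is ordinary ad blocking; one aimed at a
# public address silently reroutes the domain's traffic.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Constructed list of well-known system DLL names used for the lookalike check.
KNOWN_SYSTEM_DLLS = {"advapi32.dll", "kernel32.dll", "user32.dll",
                     "ntdll.dll", "shell32.dll", "wininet.dll"}
# Keywords the evaluation tells readers to look for in O16 names and URLs.
SUSPICIOUS_URL_WORDS = ("dialer", "casino", "free plugin")
# Constructed allowlist of download hosts the analyst already recognises.
TRUSTED_CAB_HOSTS = {"lads.myspace.com"}

DLL_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|ocx)', re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)


def within_one_edit(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(filename):
    """Return the system DLL name a file name mimics, or None."""
    name = filename.lower()
    return next((k for k in KNOWN_SYSTEM_DLLS if within_one_edit(name, k)), None)


def triage_line(line):
    """Classify one log line as (section, verdict, reason); None for non-log lines."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O1":
        _, ip, host = rest.split()[:3]          # "Hosts: <ip> <hostname>"
        if ip not in LOOPBACK:
            return (section, "fix", f"hosts file sends {host} to public IP {ip}")
        return (section, "ok", f"hosts entry for {host} points at loopback")
    if "(no file)" in rest or "(file missing)" in rest:
        return (section, "fix", "dead entry: registered component has no file on disk")
    if section == "O16":
        um = URL_HOST.search(rest)
        host = um.group(1).lower() if um else ""
        if any(w in rest.lower() for w in SUSPICIOUS_URL_WORDS):
            return (section, "fix", f"ActiveX download from {host} matches a suspicious keyword")
        if host not in TRUSTED_CAB_HOSTS:
            return (section, "review", f"ActiveX download from unknown site {host}")
        return (section, "ok", f"ActiveX download from known site {host}")
    for path in DLL_PATH.findall(rest):
        fname = path.rsplit("\\", 1)[-1]
        known = lookalike_of(fname)
        if known:
            return (section, "fix", f"{fname} looks like system DLL {known} but is not it")
        if section == "O20":
            return (section, "review", f"AppInit_DLLs loads {fname} into every process that maps user32.dll")
        if section == "O4" and "rundll32" in rest.lower() and re.fullmatch(r"[a-z]{8}\.dll", fname):
            return (section, "review", f"rundll32 autorun of randomly named {fname}")
    return (section, "ok", "no rule matched")


def triage(log_text):
    """Run triage_line over a whole log and keep the classified lines."""
    return [r for r in (triage_line(ln) for ln in log_text.splitlines()) if r]


if __name__ == "__main__":
    for section, verdict, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {verdict:7} {reason}")
```

The lookalike rule is the one most relevant to the question: a component named advapi3.dll in System32 is chosen to be skimmed over as advapi32.dll, and because a BHO is loaded into every Internet Explorer (and Explorer) process, the file stays locked and deletion fails with access denied until those processes are closed or the system is booted into safe mode, which is why the usual advice is to fix the O2 entry first and delete the file afterwards.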