BHO.CVX Trojan / Downloader.Small.33.BS

It is quite possible that your tcpip.sys file has become corrupted. The date I see on it is 12/23/2007 which is probably the date your problems began.

Click Start, Run and enter sfc /scannow and click OK. This will perform a System File Check to look for missing or corrupt Windows files and will attempt to repair them. It may ask for your Windows CD, so be prepared to insert it into your CD drive if requested.

No matter what happens while trying to do the above, continue on with the below anyway.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [v8m3] C:\WINDOWS\system32\v8m3.exe
O4 - HKCU\..\Run: [v8m3] C:\WINDOWS\system32\v8m3.exe

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!


Once you have internet access back, you need to do the below.

Uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2_03

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

 

This is not a problem. It is just something in the Quarantine folder created when ComboFix was run. My final steps below will remove all of this.

Your logs are clean.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

System Idle Process is not a real process. It is a measure of the time your CPU is doing nothing. Thus the larger the number for System Idle Process the better.

However explorer.exe should not normally be using lots of CPU time unless you are actively running things that are accessing the system shell.

Questions:

1. Does it happen if no browsers are open?
2. Does it happen if no browsers are open and you have physically unplugged your cable to the internet?
3. Does it happen if you shut down your AVG Antivirus which could be actively running a scan at various times of the day based on what you scheduled it to do?
4. Does the samething happen in safe mode?
5. Have you uninstalled/deleted the MGtools folder yet? If not, don't. I may be asking you for a new MGlogs.zip file if issues still remain.

 

Yes I would like two copies of MGlogs.zip.

• Please get one after booting in safe mode and attach it first.
• Then reboot into normal mode and run C:\MGtools\GetLogs.bat which will create a new MGlogs.zip file and attach it.

 

It does not appear to be a malware issue. It is more than likely just due to what you are running.

I would begin by uninstalling the below and then tell me how things look. Make sure you have the CD or files required for reinstalling (later) Norton Ghost if you really use that program. Make your you reboot after uninstalling.

AVG Antispyware
LiveReg (Symantec Corporation)
Norton Ghost 10.0
ZoneAlarm Spy Blocker
ZoneAlarm

Then run this to make sure Norton is properly removed because often it is not: Norton Removal Tool (SymNRT)


Now reboot. How are things now? Attach a new MGlogs.zip file now!

 

AVG Antispyware is only a trial program and does not provide any realtime protection after the trial is over. It then becomes an after the fact scanner/removal tool. You can reinstall the ZoneAlarm items now but leave Symantec out for a bit longer. And do the below.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Automatic Updates
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

Any change in the response/CPU useage right now?


Now Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp

After clicking Fix, exit HJT.

Then reboot and after reboot run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

 

We have gone as far as we can go in this forum. You either have hardware or software issues.

Based on the below quote of yours from message # 4, I would expect software issues:

You should post in the Software Forum. Other alternatives are to get a real full copy of Windows XP Media Center since I believe the OEM version is not adequate because it is customized by the manufacturer. You could be looking at a reinstall or maybe a repaid would work but a repair will not work without a proper original copy of Windows Media Center.

Note: You can enable and set to automatic, the Automatic Updates service that I had you stop and disable.

 

Yes!

You also need a realtime antispyware blocking tool per the information in How to Protect yourself from malware!

Yes you should definitely put in a link for this thread because someone is more than likely going to tell you that you have a malware problem.

You're welcome and thanks.

 

Sorry about missing that one! You will need to get Avenger and MGtools.exe again if already deleted.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

This was the wrong answer. Avenger was trying to install a driver inorder to properly get the malware deleted. Your antivirus or antispyware program was warning you about something it did not recognize but this was due to what we were doing. The net result as you noticed was there was no avenger.txt file and the folder was not deleted.

Again some of this could have been caused by existing protection software. Tools like Avenger and ComboFix are kernel level type tools and are going to be viewed by all protection software as potentionally dangerous/malicious.

You can delete tmp.txt and tmp.reg which may be files from Avenger. The other two folders are normal and part of Windows.

As long as things are working better now then all is good. Now your logs should really be clean. Sorry I missed that folder last time. As I stated I had already clean up PCs with this problem folder and files but did not notice the folder in yours since the DLL files had not shown up anywhere in your original logs.

I would need to see a Spybot log to see exactly what it is finding. Often times, things in ZoneMap are things in the Restricted Zone and they are typically added by programs just like Spybot's Immunize to protect you. Zonemap is not a directory/folder. It is part of your registry.

 

You're welcome.

Yes it can be confusing. That is why very often we have to ask people to shutdown and even uninstall other protection software to get things fixed. They get in the way of removing the real malware.

No. That file was created by Avenger and was being loading as a driver to make it possible for Avenger to load very early in your boot process and delete the malware files before they could run.

It's up to you. If you want to be sure, just attach the Spybot log (right click in the scan window to see save options).

You should not do all of what was in my final steps given in message number 6.