Topic: Unknown File Found ( xxywvvwx.dll )

[blodflekk]

I have recently been looking around on my PC because it has been acting a little odd...I have scanned with HiJack This! and it has found an unknown BHO "xxywvvwx.dll" and it wont be removed, I also tried uninstalling it through Spybot S&D but still no luck, Does anyone have any ideas how to remove this nasty pest?

[Samker]

Hi Blodflekk,

I think that best thing is to scan your PC with Kaspersky Online Scan or some other AV: http://scforum.info/index.php/topic,734.0.html

Probably Kaspersky will identificate that malware and after that we will easily find cleaning solution.

Regards,

Samker

P.S.

Don't forget to provide us logs from HJT and Kaspersky. 

[blodflekk]

Its on an older computer used for photo editing and such....It has no Internet connection, The file must have come in through my portable hard drive which I save all my downloaded software onto. I there any other way?

[Samker]

Of course, we will do our best.

Please first provide us HJT log so we can start with analyze. After that provide us information did that PC have installed any AntiVirus, AntiSpyware solution?

[blodflekk]

Here is the HiJack This log file, No Anti-Virus or spyware products are installed, I have a wide range of software I COULD install, But I would have no way of updating the definitions:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:36 p.m., on 20/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Installed\Applications\Windows Media Player\wmplayer.exe
D:\Installed\Applications\Adobe Photoshop\Adobe Photoshop CS3\Photoshop.exe
D:\Installed\Applications\Ulead Systems\Ulead GIF Animator 5\ga_main.exe
D:\Installed\Applications\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {B82F29E4-8368-4B14-9C00-5138C0D94034} - C:\WINDOWS\system32\xxywvvwX.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\INSTAL~1\APPLIC~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "D:\Installed\Applications\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\INSTAL~1\APPLIC~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://D:\Installed\Applications\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\INSTAL~1\APPLIC~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\INSTAL~1\APPLIC~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\INSTAL~1\APPLIC~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\INSTAL~1\APPLIC~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: xxywvvwX - C:\WINDOWS\SYSTEM32\xxywvvwX.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3427 bytes

[Samker]

Here is the HiJack This log file, No Anti-Virus or spyware products are installed, I have a wide range of software I COULD install, But I would have no way of updating the definitions:

Don't worry about update, we have possibility to manually update most of AntiViruses or AntiSpywares.

But I'm concerned with something else... if this PC is infected via Memory stick or something similar probably you use same m. stick for other PC-s in that case all of them are infected with same sheet. Is this possible?

Now I'll take a look at this HJT log and your "job" is to download Kaspersky to your stick and after that install them to your PC without connection. After that notify me so I'll give you instruction for manually update (if we need that). Download link: http://scforum.info/index.php/topic,1709.0.html

That's all for now, I'll wait your reply.

S.

[manual2100]

you have to remove it first from the services and remove its linked files in the hdd with special tools...

[krrjhn]

Hi Blodflekk,

I think that best thing is to scan your PC with Kaspersky Online Scan or some other AV: http://scforum.info/index.php/topic,734.0.html

Probably Kaspersky will identificate that malware and after that we will easily find cleaning solution.

Regards,

Samker

P.S.

Don't forget to provide us logs from HJT and Kaspersky. 

I agree with you kaspersky is the best solution to remove any type of virus from our PC!!