Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

next step to remove Trojan Adware.32.EXPDwnldr [CLOSED] [RESOLVED]


  • This topic is locked This topic is locked

#1
kevin777

kevin777

    Member

  • Member
  • PipPip
  • 31 posts
I have followed the steps to remove the Trojan Adware.32.EXPDldr. The files from PandaScan is attached. What do I do next? thank you.

Attached Files


Edited by greyknight17, 19 May 2008 - 08:09 PM.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

PeoplePC Online
ISP50
MyWay


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\ISP50\
C:\PROGRAM FILES\MYWAYSA\
C:\WINDOWS\SYSTEM32\APPCERT\WNL32.DLL
C:\WINDOWS\SYSTEM32\APPCERT\WSIL32.DLL
C:\WINDOWS\SYSTEM32\DX8VBE.DLL


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Topic re-opened per user's request...
  • 0

#5
kevin777

kevin777

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Thank you for reopening this. The combo fix log is attached. Please advise on the next step. The steps you provided seem to have fixed the problem.

Attached Files


Edited by kevin777, 19 May 2008 - 10:38 PM.

  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

DirLook::
C:\Documents and Settings\Kevin Mayer\Application Data\cgtzjets
Driver::
cgldeduc
File::
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\drivers\qkotrtbz.dat
C:\WINDOWS\system32\DX8VBe.dll
NetSvc::
rbfbchld
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"24dbio6z05lb"=-
"MSI Configuration"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"24dbio6z05lb"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lznytwib]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#7
kevin777

kevin777

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here is the log per the last instructions you provided. please advise as to the next step. I noticed that one of the files listed in your quotebox(avwavp.dll) did not get deleted. thank you

Attached Files

  • Attached File  log.txt   12.88KB   284 downloads

Edited by kevin777, 21 May 2008 - 10:06 PM.

  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
We'll take care of that now...

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

KILLALL::
Driver::
cgldeduc
File::
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lznytwib]
Rootkit::
cgldeduc

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#9
kevin777

kevin777

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I ran your instructions twice as I saw that avwavp.dll does not appear to be deleted. the logs from both runs are attached. "log1" is from the first run. after the first run, I removed the archive attribute from c:\windows\system32\avwavp.dll. Then I ran the steps you provided a second time. The log from the second run is simply called "log". the avwavp.dll file is still there. Please advise as to the next step. thank you. one other question: when I cut and paste from the quote box, do I include the text at the top that says "QUOTE" ?

Attached Files

  • Attached File  log1.txt   10.62KB   230 downloads
  • Attached File  log.txt   10.65KB   377 downloads

Edited by kevin777, 26 May 2008 - 09:36 AM.

  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Don't include the word quote...just everything else below that inside the box :)

Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_CLASSES_ROOT\CLSID\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Run Combofix by double-clicking on it and post the new log here.

How is the computer running so far?

Edited by greyknight17, 26 May 2008 - 06:41 PM.

  • 0

Advertisements


#11
kevin777

kevin777

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I ran the instructions as provided. Attached is the _OTMoveit.log(renamed OTMoveit.txt) and the combofix log. The combo fix log is labeled log.txt. The computer is running well. The adware popup's have stopped which was the most evident problem. I am uncertain withat the avwavp.dll is, but it does remain as the logs will show. Thank you for your persistance in working through this with me.

Attached Files


  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Disconnect from the internet and make sure you turn off all the security programs. Try running the fix I gave you earlier again to see if it helps. Post the new logs here again.
  • 0

#13
kevin777

kevin777

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
avwavp.dll I cannot delete, even from the recovery console and removing the archive attribute. It is being used by another program but I cannot tell which one. I was disconnected from the internet, I am using dial up. McAfee Security Center automatically keeps running even upon reboot, this is inspite of having it disabled and ending the processes from the taskmgr. It is not flexible in that it cannot be turned off. The samething happens with the Windows Security Center..., having tried to disable it using the GUI, it seems to keep running. Particularly upon reboot. The logs from Moveit and Combofix are attached. Thank you for your help.

Attached Files


  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download VundoFix at http://www.atribune..../click.php?id=4 and save it to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files. Click Yes.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer. Click OK.
- Post the contents of C:\vundofix.txt here.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears upon rebooting.


Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • 0

#15
kevin777

kevin777

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I ran vundofix. the log is attached. for vundofix there are only 2 buttons. 'scan for vundo' and 'fix vundo'. there is no 'remove vundo' button. so after is completed scanning I clicked on 'fix vundo' and some text came up that said 'removing.....' But it was like that for 30 minutes and clicking on the taskmgr showed it was doing nothing. so it did not removed itself. how do I remove it properly? I did not run the Malwarebytes steps until I hear back from you concerning the above. thanks.

Attached Files


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP