next step to remove Trojan Adware.32.EXPDwnldr [CLOSED] [RESOLVED]
#16
Posted 06 June 2008 - 10:04 AM
Proceed to Malwarebytes step....
#17
Posted 09 June 2008 - 08:19 AM
VundoFix V7.0.5
Scan started at 8:06:18 PM 6/5/2008
Listing files found while scanning....
No infected files were found.
So it looks like it found nothing. I will proceed to the next steps for Malwarebytes.
#18
Posted 09 June 2008 - 10:16 PM
Malwarebytes' Anti-Malware 1.16
Database version: 845
10:06:31 PM 6/9/2008
mbam-log-6-9-2008 (22-06-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 91299
Time elapsed: 18 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Please advise what the next step is. Thank you for continuing to work with me on this.
#19
Posted 11 June 2008 - 09:53 AM
Go back to the avenger window and click on the third button on top (Paste Script from Clipboard).
Files to delete:
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry keys to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_CLASSES_ROOT\CLSID\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc
- Click the Execute button.
- You will be asked Are you sure you want to execute the current script?
- Click Yes.
- You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
- Click Yes.
- Your PC will now be rebooted.
- Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
- After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
- Post this log, along with a new HijackThis log in your next reply.
Run Combofix again and post the log here.
#20
Posted 16 June 2008 - 10:14 PM
Error:Invalid regsitry syntax in command:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}"
Only registry keys under HKEY_LOCAL_MACHINE hive are accessible to this program
Skilling line. (Registry key deletion mode
Error:Invalid regsitry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}"
Only registry keys under HKEY_LOCAL_MACHINE hive are accessible to this program
Skilling line. (Registry key deletion mode
Is there an alternative method to do this? thank you.
#21
Posted 17 June 2008 - 07:37 PM
Leave the HKEY_LOCAL_ENTRIES intact there and remove the other registry keys to delete. Then try running the avenger tool again.
Also, retry this step for OTMoveIt2.
#22
Posted 18 June 2008 - 08:15 AM
Files to delete:
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc
#23
Posted 20 June 2008 - 07:54 AM
#24
Posted 22 June 2008 - 08:31 PM
2. Ran otmoveit using same cfscript. Displayed error message: DLL: C:\windows\system32\avwavp.dll is not a valid windows image.
3. removed the part of the script that said delete avwavp.dll and reran. see attached log file 062208.txt.
4. ran combofix again. see attached file labeled log.txt
Please advise as to next step.
thank you
Edited by kevin777, 23 June 2008 - 08:07 AM.
#25
Posted 24 June 2008 - 09:32 PM
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
Are you able to delete them manually via Safe Mode?
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects
Delete the following two keys:
{256A9C1F-F38D-4E22-BA27-D943236786EC}
{96147EDE-CE4F-4172-A719-80F811DF98CB}
Next go to:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
and delete the following:
lznytwib
If any of it gives you problems removing them, right click on the folder above it and choose Permissions. Make sure Administrator has full rights (all boxes checked on first column).
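A read-only PowerShell inventory of the two registry locations the reply above walks through (the Browser Helper Objects key and the Winlogon\Notify key), added here as an example and not part of this thread or of any tool it mentions. It assumes an elevated prompt on an XP-era system where both keys exist; the flagged CLSIDs and the notify name are the ones quoted in the posts above, so a before/after run shows whether the manual cleanup actually took.

```powershell
# Added example: list BHO and Winlogon Notify entries with their backing DLLs.
# Read-only; nothing is deleted. Run elevated.

$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Watchlist taken from this thread (constructed for the example, not a general IoC list)
$watchClsids = @('{256A9C1F-F38D-4E22-BA27-D943236786EC}',
                 '{96147EDE-CE4F-4172-A719-80F811DF98CB}')
$watchNotify = @('lznytwib')

function Resolve-DllPath([string]$dll) {
    # Notify DLLName values are often bare file names resolved from System32
    if (-not $dll) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return Join-Path $env:SystemRoot "System32\$expanded"
}

function Get-BhoInventory {
    if (-not (Test-Path $bhoKey)) { return @() }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        # HKCR\CLSID is a merged view of HKLM\SOFTWARE\Classes\CLSID (plus HKCU), so the
        # server DLL can be resolved through HKLM alone, which is the hive Avenger accepts.
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        $path = Resolve-DllPath $dll
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $path
            DllExists = if ($path) { Test-Path $path } else { $false }
            Flagged   = $watchClsids -contains $clsid
        }
    }
}

function Get-NotifyInventory {
    if (-not (Test-Path $notifyKey)) { return @() }
    Get-ChildItem $notifyKey | ForEach-Object {
        $name = $_.PSChildName
        $path = Resolve-DllPath ((Get-ItemProperty $_.PSPath).DLLName)
        [pscustomobject]@{
            Name      = $name
            Dll       = $path
            DllExists = if ($path) { Test-Path $path } else { $false }
            Flagged   = $watchNotify -contains $name
        }
    }
}

'Browser Helper Objects:';  Get-BhoInventory    | Format-Table -AutoSize
'Winlogon Notify packages:'; Get-NotifyInventory | Format-Table -AutoSize
```

A Flagged entry whose DLL no longer exists on disk is the usual sign of a half-finished cleanup (file removed, registration left behind), which is the state the thread ends in.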
#26
Posted 30 June 2008 - 04:51 PM
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
#27
Posted 04 July 2008 - 01:32 PM
#28
Posted 05 July 2008 - 10:03 AM
1. Was able to finally delete c:\windows\system32\avwavp.dll in safe mode. c:\windows\system32\DX8VBe.dll is not there anymore.
2. I cannot delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects
Delete the following two keys:
{256A9C1F-F38D-4E22-BA27-D943236786EC}
{96147EDE-CE4F-4172-A719-80F811DF98CB}
I checked the permissions as you described and have full rights
3. Did not try to delete lznytwib depending on what your instructions are concerning step 2.
thank you again.
#29
Posted 05 July 2008 - 05:18 PM
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.
Run combofix again and post the new log here.
#30
Posted 07 July 2008 - 10:53 PM
lznytwib
2. Turned off system restore. Then turned it back on per your instructions.
3. Ran combofix again. The log is attached.
thank you.