[greyknight17]

When you ran the scan, did it find any vundo infected files?

Proceed to Malwarebytes step....

[Advertisements]

I attached the log in my last reply. Here is what is says:
VundoFix V7.0.5



Scan started at 8:06:18 PM 6/5/2008



Listing files found while scanning....



No infected files were found.


So it looks like it found nothing. I will process to the next steps for the MalwareBytes.

[kevin777]

I attached the log in my last reply. Here is what is says:
VundoFix V7.0.5



Scan started at 8:06:18 PM 6/5/2008



Listing files found while scanning....



No infected files were found.


So it looks like it found nothing. I will process to the next steps for the MalwareBytes.

[kevin777]

Here are the results of the MalwareBytes scan:

Malwarebytes' Anti-Malware 1.16
Database version: 845

10:06:31 PM 6/9/2008
mbam-log-6-9-2008 (22-06-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91299
Time elapsed: 18 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Please advise what the next step is. Thank you for continuing to work with me on this.

[greyknight17]

Download The Avenger at http://swandog46.gee...r2/download.php and save it to your Desktop. Unzip/extract the file contents. Double click on avenger.exe to run it. Click OK to agree. Copy all of the text in the below textbox by highlighting it and then pressing Ctrl + C.

Files to delete:
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry keys to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_CLASSES_ROOT\CLSID\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc

Go back to the avenger window and click on the third button on top (Paste Script from Clipboard).

- Click the Execute button.
- You will be asked Are you sure you want to execute the current script?
- Click Yes.
- You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
- Click Yes.
- Your PC will now be rebooted.
- Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
- After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
- Post this log, along with a new HijackThis log in your next reply.

Run Combofix again and post the log here.

[kevin777]

After cutting and pasting the text in avenger, then exceuting, the following errors are displayed:

Error:Invalid regsitry syntax in command:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}"
Only registry keys under HKEY_LOCAL_MACHINE hive are accessible to this program
Skilling line. (Registry key deletion mode

Error:Invalid regsitry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}"
Only registry keys under HKEY_LOCAL_MACHINE hive are accessible to this program
Skilling line. (Registry key deletion mode


Is there an alternative method to do this? thank you.

[greyknight17]

Disconnect from the internet and disable ALL your security programs now. I want to be sure they are not somehow interfering with the fixes here.

Leave the HKEY_LOCAL_ENTRIES intact there and remove the other registry keys to delete. Then try running the avenger tool again.

Also, retry this step for OTMoveIt2.

[kevin777]

Please confirm the following is correct before I run this again. thanks!

Files to delete:
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc

[greyknight17]

Those are fine...run them in the CFScript file...then proceed with the OTMoveIt2 step again from my previous reply.

[kevin777]

1. Ran avenger using cfscript above. RUN Successful. No logs were provided

2. Ran otmoveit using same cfscript. Displayed error message: DLL: C:\windows\system32\avwavp.dll is not a valid windows image.

3. removed the part of the script that said delete avwavp.dll and reran. see attached log file 062208.txt.

4. ran combofix again. see attached file labeled log.txt

Please advise as to next step.
thank you

Attached Files

•  062208.txt   1.02KB   128 downloads
•  log.txt   10.56KB   165 downloads

Edited by kevin777, 23 June 2008 - 08:07 AM.

[greyknight17]

OK, this one is a pesky little fellow. Can you confirm if the following file exists:

C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll

Are you able to delete them manually via Safe Mode?

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects

Delete the following two keys:

{256A9C1F-F38D-4E22-BA27-D943236786EC}
{96147EDE-CE4F-4172-A719-80F811DF98CB}

Next go to:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

and delete the following:

lznytwib

If any of it gives you problems removing them, right click on the folder above it and choose Permissions. Make sure Administrator has full rights (all boxes checked on first column).

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[greyknight17]

Topic re-opened per user's request...

[kevin777]

Thank you for reopening this!

1. Was able to finally delete c:\windows\system32\avwavp.dll in safe mode. c:\windows\system32\DX8VBe.dll is not there anymore.

2. I cannot delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects

Delete the following two keys:

{256A9C1F-F38D-4E22-BA27-D943236786EC}
{96147EDE-CE4F-4172-A719-80F811DF98CB}

I checked the permissions as you described and have full rights

3. Did not try to delete lznytwib depending on what your instructions are concerning step 2.

thank you again.

[greyknight17]

Delete that entry in step 3 that you posted....

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.

Run combofix again and post the new log here.

[kevin777]

1. Could not delete HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

lznytwib

2. Turned off system restore. Then turned it back on per your instructions.

3. Ran combofix again. The log is attached.

thank you.

Attached Files

•  log.txt   9.35KB   171 downloads