Welcome to Geeks to Go - Register now for FREE
next step to remove Trojan Adware.32.EXPDwnldr [CLOSED] [RESOLVED]


This topic is locked

#16 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
When you ran the scan, did it find any vundo infected files?

Proceed to Malwarebytes step....

#17 kevin777 (Member, Topic Starter, 31 posts)
I attached the log in my last reply. Here is what it says:

VundoFix V7.0.5

Scan started at 8:06:18 PM 6/5/2008

Listing files found while scanning....

No infected files were found.

So it looks like it found nothing. I will proceed to the next steps for MalwareBytes.

#18 kevin777 (Member, Topic Starter, 31 posts)
Here are the results of the MalwareBytes scan:

Malwarebytes' Anti-Malware 1.16
Database version: 845

10:06:31 PM 6/9/2008
mbam-log-6-9-2008 (22-06-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91299
Time elapsed: 18 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Please advise what the next step is. Thank you for continuing to work with me on this.

#19 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download The Avenger at http://swandog46.gee...r2/download.php and save it to your Desktop. Unzip/extract the file contents. Double click on avenger.exe to run it. Click OK to agree. Copy all of the text in the below textbox by highlighting it and then pressing Ctrl + C.

Files to delete:
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry keys to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_CLASSES_ROOT\CLSID\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc

Go back to the avenger window and click on the third button on top (Paste Script from Clipboard).

- Click the Execute button.
- You will be asked Are you sure you want to execute the current script?
- Click Yes.
- You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
- Click Yes.
- Your PC will now be rebooted.
- Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
- After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
- Post this log, along with a new HijackThis log in your next reply.

Run Combofix again and post the log here.

#20 kevin777 (Member, Topic Starter, 31 posts)
After cutting and pasting the text in Avenger, then executing, the following errors are displayed:

Error:Invalid regsitry syntax in command:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}"
Only registry keys under HKEY_LOCAL_MACHINE hive are accessible to this program
Skilling line. (Registry key deletion mode

Error:Invalid regsitry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}"
Only registry keys under HKEY_LOCAL_MACHINE hive are accessible to this program
Skilling line. (Registry key deletion mode


Is there an alternative method to do this? thank you.

#21 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Disconnect from the internet and disable ALL your security programs now. I want to be sure they are not somehow interfering with the fixes here.

Leave the HKEY_LOCAL_ENTRIES intact there and remove the other registry keys to delete. Then try running the avenger tool again.

Also, retry this step for OTMoveIt2.
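The error in the previous replies comes from Avenger accepting only registry keys under HKEY_LOCAL_MACHINE and silently skipping the rest, which is easy to miss in a long script. The following PowerShell function is an added example written for this thread (it is not part of the thread and not Avenger's own code); it checks an Avenger-style script before it is pasted, reporting keys outside HKLM, HKLM keys that are already absent, files that no longer exist on disk, and whether a "Drivers to delete:/disable:" section is present (which, as the instructions above note, means two reboots). The script text embedded below is the one posted in this thread, used as sample input; the function name and output shape are this example's own choices.

```powershell
# Added example, not from the thread or from Avenger: pre-flight check of an
# Avenger-style script. Run in Windows PowerShell as Administrator on the
# affected machine so that Test-Path can see HKLM keys and system32 files.

# Sample input: the script posted earlier in this thread (constructed input for this example).
$SampleScript = @'
Files to delete:
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry keys to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_CLASSES_ROOT\CLSID\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc
'@

function Test-AvengerScript {
    param([Parameter(Mandatory)][string]$Script)

    $section  = $null
    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($raw in ($Script -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }

        # Section headers as they appear in Avenger scripts (the thread shows the first two;
        # the "Drivers" forms are named in the instructions about the double reboot).
        if ($line -match '^(Files|Folders|Registry keys|Registry values|Drivers) to (delete|disable):$') {
            $section = $Matches[0]
            continue
        }
        if (-not $section) {
            $problems.Add("Line before any section header, Avenger will not know what to do with it: $line")
            continue
        }

        if ($section -like 'Registry keys*') {
            if ($line -notmatch '^HKEY_LOCAL_MACHINE\\') {
                # This is exactly the "Only registry keys under HKEY_LOCAL_MACHINE hive" error above.
                $problems.Add("Not under HKLM, Avenger will skip it (delete it by hand or via regedit): $line")
            }
            elseif (-not (Test-Path -LiteralPath "Registry::$line")) {
                $problems.Add("HKLM key already absent, nothing to delete: $line")
            }
        }
        elseif ($section -like 'Files*' -or $section -like 'Folders*') {
            if (-not (Test-Path -LiteralPath $line)) {
                $problems.Add("Path not present on this machine: $line")
            }
        }
    }

    [pscustomobject]@{
        Problems         = $problems.ToArray()
        HasDriverSection = [bool]($Script -match 'Drivers to (delete|disable):')
    }
}

# Usage: review the report before pasting anything into Avenger.
$report = Test-AvengerScript -Script $SampleScript
$report.Problems
if ($report.HasDriverSection) { 'Script touches drivers: expect two reboots and a BSOD on the first.' }
```

On the sample above the report lists the two non-HKLM lines regardless of machine state; the "already absent" and "path not present" findings depend on what is actually on the box, which is the point of running it there first.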

#22 kevin777 (Member, Topic Starter, 31 posts)
Please confirm the following is correct before I run this again. thanks!

Files to delete:
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc

#23 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Those are fine...run them in the CFScript file...then proceed with the OTMoveIt2 step again from my previous reply.

#24 kevin777 (Member, Topic Starter, 31 posts)
1. Ran Avenger using the cfscript above. Run successful. No logs were provided.

2. Ran OTMoveIt using the same cfscript. Displayed error message: DLL: C:\windows\system32\avwavp.dll is not a valid windows image.

3. Removed the part of the script that said delete avwavp.dll and reran. See attached log file 062208.txt.

4. Ran ComboFix again. See attached file labeled log.txt.

Please advise as to next step.
Thank you.

Attached Files


Edited by kevin777, 23 June 2008 - 08:07 AM.


#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, this one is a pesky little fellow. Can you confirm if the following files exist:

C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll


Are you able to delete them manually via Safe Mode?

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects

Delete the following two keys:

{256A9C1F-F38D-4E22-BA27-D943236786EC}
{96147EDE-CE4F-4172-A719-80F811DF98CB}


Next go to:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

and delete the following:

lznytwib

If any of it gives you problems removing them, right click on the folder above it and choose Permissions. Make sure Administrator has full rights (all boxes checked on first column).
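The manual procedure in the reply above (export the registry first, then look at Browser Helper Objects and the Winlogon Notify key) is the kind of thing worth scripting so that nothing is deleted before it has been inventoried and backed up. The PowerShell below is an added example for this thread, not the thread's own instructions and not code from any of the tools mentioned in it. It lists every registered BHO with the DLL its CLSID points to, and every Winlogon Notify subkey with its DLLName, flags entries whose DLL is missing from disk or not validly signed, and provides a backup-then-remove helper that refuses to delete a key unless reg.exe export succeeded. It assumes Windows PowerShell run as Administrator, uses only the standard registry locations shown in the thread, and the function names, the Suspicious heuristic and the backup file naming are this example's own choices.

```powershell
# Added example, not from the thread: inventory BHOs and Winlogon Notify entries,
# flag the ones that look wrong, and back a key up before removing it.
# Assumes Windows PowerShell running elevated. Registry paths are the standard
# locations referenced in the thread, not values from any particular machine.

$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-DllPath {
    # Winlogon Notify DLLName values are often bare file names loaded from system32;
    # expand environment variables and fall back to that directory (example's own rule).
    param([string]$Dll)
    if (-not $Dll) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Dll.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path "$env:SystemRoot\System32" $p }
    return $p
}

function New-Finding {
    # Common row shape for both inventories; "Suspicious" = DLL missing or not validly signed.
    param([string]$Kind, [string]$Key, [string]$Dll)
    $path   = Resolve-DllPath $Dll
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'NoFile' }
    [pscustomobject]@{
        Kind       = $Kind
        Key        = $Key
        Dll        = $path
        Exists     = $exists
        Signature  = $sig
        Suspicious = (-not $exists) -or ($sig -ne 'Valid')
    }
}

function Get-BhoInventory {
    # Each BHO subkey is a CLSID; the DLL lives under HKCR\CLSID\{clsid}\InprocServer32 (default value).
    if (-not (Test-Path $BhoKey)) { return }
    Get-ChildItem $BhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
        New-Finding -Kind 'BHO' -Key $clsid -Dll $dll
    }
}

function Get-WinlogonNotifyInventory {
    # Subkeys here name a DLL that winlogon loads at logon; a random-looking subkey
    # with an unsigned or missing DLL is the pattern the thread is chasing.
    if (-not (Test-Path $NotifyKey)) { return }
    Get-ChildItem $NotifyKey | ForEach-Object {
        $dll = (Get-ItemProperty -LiteralPath $_.PSPath).DLLName
        New-Finding -Kind 'WinlogonNotify' -Key $_.PSChildName -Dll $dll
    }
}

function Backup-AndRemoveKey {
    # Mirrors the thread's "File->Export as a backup" step, then deletes the key.
    param(
        [Parameter(Mandatory)][string]$KeyPath,            # e.g. "$BhoKey\{CLSID}"
        [string]$BackupDir = "$env:USERPROFILE\Desktop"
    )
    $regPath = ($KeyPath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE') -replace '^Registry::', ''
    $file    = Join-Path $BackupDir ('regbackup-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regPath; key NOT removed." }
    Remove-Item -LiteralPath $KeyPath -Recurse -Force
    "Exported to $file and removed $KeyPath"
}

# Usage: review the suspicious rows first, then remove a specific key by hand.
@(Get-BhoInventory) + @(Get-WinlogonNotifyInventory) |
    Where-Object Suspicious | Format-Table -AutoSize
# Backup-AndRemoveKey -KeyPath "$BhoKey\{CLSID-FROM-THE-INVENTORY-ABOVE}"
```

A missing or unsigned DLL is a triage signal, not proof of infection (legitimate but unsigned add-ons exist), so the removal step is deliberately separate from the inventory; and if a key cannot be deleted because of permissions, the thread's advice about taking ownership and granting Administrators full control still applies before Backup-AndRemoveKey will succeed.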

#26 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#27 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Topic re-opened per user's request...

#28 kevin777 (Member, Topic Starter, 31 posts)
Thank you for reopening this!

1. Was able to finally delete c:\windows\system32\avwavp.dll in safe mode. c:\windows\system32\DX8VBe.dll is not there anymore.

2. I cannot delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects

Delete the following two keys:

{256A9C1F-F38D-4E22-BA27-D943236786EC}
{96147EDE-CE4F-4172-A719-80F811DF98CB}

I checked the permissions as you described and have full rights.

3. Did not try to delete lznytwib depending on what your instructions are concerning step 2.

thank you again.

#29 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Delete that entry in step 3 that you posted....

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.

Run combofix again and post the new log here.

#30 kevin777 (Member, Topic Starter, 31 posts)
1. Could not delete HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

lznytwib

2. Turned off system restore. Then turned it back on per your instructions.

3. Ran combofix again. The log is attached.

thank you.

Attached Files

  • Attached File  log.txt   9.35KB   128 downloads
