next step to remove Trojan Adware.32.EXPDwnldr [CLOSED] [RESOLVED]



#31 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Did you create these files:

C:\registry070508.reg
C:\OK.doc

Let's try CFScript again...

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

KILLALL::
Rootkit::
cgldeduc
Driver::
cgldeduc
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cgldeduc]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
#32 kevin777 (Member, Topic Starter, 31 posts)

1. Yes, I created both these files.
C:\registry070508.reg <---- this is the registry backup from one of the instructions you provided
C:\OK.doc <---- This is a Word doc of a set of your instructions.

2. The log is attached from the CFScript being dropped onto Combofix.

thank you.

Attached Files

  • log.txt (10.68 KB, 124 downloads)


#33 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Whoa...what happened there? They came back again...

Did any of your security programs have problems? Try disabling all of them and removing those entries you did manually before.

#34 kevin777 (Member, Topic Starter, 31 posts)

Hi,

1.
I assume you are referring to the two entries in the registry?
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}]
c:\windows\system32\avwavp.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}]
C:\WINDOWS\system32\DX8VBe.dll [BU]

2. If so, they did not come back again. The files are gone. These registry entries were the ones I was unable to delete (you asked me to do this on June 24).

3. I presume I should try to delete these same registry entries again? Would you confirm? thank you.

4. I do not think my security programs are having trouble.

#35 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Just wanted to confirm if any of the security programs are putting it back.

Yes, please remove those same registry entries again (backup first :)). Then I want you to disable system restore as you did earlier and then enable it back again. Restart the computer and run Combofix again. Post the log here.

#36 kevin777 (Member, Topic Starter, 31 posts)

I am unable to delete these entries. I get a message that says 'Error while deleting'. I checked the permissions on the folders all the way up the directory tree and I have full control. I tried it on:

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}]
c:\windows\system32\avwavp.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}]
C:\WINDOWS\system32\DX8VBe.dll [BU]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
lznytwib

I made certain McAfee virus scan was not running and no online programs were running. I had no other visible applications running. Do you have other ideas on how to override this? Can I do regedit in safe mode?

#37 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Sorry for the delay in reply....

Try using regedt32 instead of regedit to see if that will allow you to delete those entries.

#38 kevin777 (Member, Topic Starter, 31 posts)

Thanks for getting back to me. I was going to follow up with you Friday anyway.

I tried regedt32 and had the same result. I cannot delete it. Here are more details. I am the computer administrator, Kevin Mayer [DDR93871\Kevin Mayer]. When I click on the permissions for these entries, I have to add full control, but I get an error telling me I don't have access. There is a group shown in the registry editor called Administrators[DDR83971\Administrators] that has full control. I am the only one with access to this computer. Since Windows XP shows me as the computer administrator, do I need somehow to get added to this Administrators group? I thought I was, and don't show any groups. Should I try to create an Administrators group? Any other ideas/workarounds?

#39 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Let's confirm this. Right click on My Computer and go to Manage. Then go to Local Users and Groups and expand it. Click on Users and then double click on your name and go to the Members Of tab. Make sure Administrators is listed there. If not, add yourself now.

If that looks ok, give this a try:

Download Registrar Lite at http://www.resplende...oad/reglite.exe and install it.

Copy and paste the following text into the address bar and hit Go:

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\

and delete:

{256A9C1F-F38D-4E22-BA27-D943236786EC}
{96147EDE-CE4F-4172-A719-80F811DF98CB}


Right click on the above key(s) and select delete. If you get a confirmation question, respond OK then close out the program.

#40 kevin777 (Member, Topic Starter, 31 posts)

I went to My Computer, right clicked on it, selected manage. There is no option to go to Local Users and Groups. Probably because this is a personal computer used by only one person. All that exists is System Tools, Storage and Services and Applications.

I entered a typographical error last time when I was explaining the permissions for the folders in the registry editor.

This is the following label for the administrator:
Administrators[DDR93871\Administrators]


Should I simply proceed to Download Registrar Lite ?

thank you

Edited by kevin777, 24 July 2008 - 10:05 PM.

#41 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Should have double checked your log...you have XP Home Edition. The Local Users and Groups is not available in the Home version.

Yes, proceed with Registrar Lite.

#42 kevin777 (Member, Topic Starter, 31 posts)

Same results with Registrar Lite. ACCESS DENIED on all 3 entries:
256A9C1F-F38D-4E22-BA27-D943236786EC
96147EDE-CE4F-4172-A719-80F811DF98CB
lzyntwib


The owner is DDR93871\Kevin Mayer. The category is <CLSID>

Please advise on next step. I am perplexed as to these permissions preventing me from deleting the entries. thank you for your help.

Edited by kevin777, 27 July 2008 - 08:29 PM.


#43 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. Then download a fresh copy again but before you save it, rename it to CFkevin777.exe instead and then save it to your desktop. Double click on it and run the scan. Post the log here. Then do the below again and post that log here:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

KILLALL::
File::
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
Registry::
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
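The CFScript blocks greyknight17 posts in #31 and #43 are plain text that ComboFix reads one `Name::` section at a time. The script below is an added example, not code from this thread or from ComboFix: it parses that layout and flags the slip that is easy to make when copying entries out of a ComboFix log, where the Browser Helper Objects key is abbreviated as `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` while the CFScript in #43 spells the path out in full. The directive names, the sample scripts and the `~` expansion are taken from the posts above; treating those five directives as the only ones, and the hive and drive-path checks, are this example's own assumptions about the format.

```python
"""Parse and sanity-check a ComboFix CFScript before dropping it onto ComboFix.

Added example for the thread above; not code from Geeks to Go or from ComboFix.
Assumptions not taken from the page: the five directive names below are the
only ones accepted, and '~' is expanded only for the Browser Helper Objects
key, which the thread shows both abbreviated (log) and in full (CFScript #43).
"""
import re
from collections import OrderedDict

# Directive names exactly as they appear in the scripts posted in the thread.
DIRECTIVES = {"KILLALL", "Rootkit", "Driver", "File", "Registry"}

# ComboFix log shorthand for the BHO key and its full path, both from the thread.
BHO_SHORT = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
BHO_FULL = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample scripts, copied from posts #31 and #43 above.
SCRIPT_31 = r"""
KILLALL::
Rootkit::
cgldeduc
Driver::
cgldeduc
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cgldeduc]
"""

SCRIPT_43 = r"""
KILLALL::
File::
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
Registry::
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}
"""

# Constructed mistake: the log line from post #34 pasted into Registry:: unchanged.
SCRIPT_WITH_SHORTHAND = r"""
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}]
"""


def parse_cfscript(text):
    """Split the script into an ordered mapping directive -> list of entry lines.

    A directive is a line of the form 'Name::'; the lines beneath it belong to
    it until the next directive. A bare directive such as KILLALL:: keeps an
    empty list. Blank lines are ignored.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            if current not in DIRECTIVES:
                raise ValueError(f"unknown directive {line!r}")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def expand_log_shorthand(entry):
    """Rewrite the BHO '~' shorthand copied from a ComboFix log into the full key."""
    return entry.replace(BHO_SHORT, BHO_FULL)


def clsids_in(sections):
    """CLSIDs named under Registry::, handy for cross-checking against the log."""
    return [m.group(0) for entry in sections.get("Registry", [])
            for m in CLSID_RE.finditer(entry)]


def check_script(text):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    sections = parse_cfscript(text)
    for entry in sections.get("Registry", []):
        body = entry.strip("[]").lstrip("-")      # allow .reg-style [-KEY] deletions
        if "\\~\\" in body:
            findings.append(f"log shorthand '~' must be expanded: {entry}")
        if not body.upper().startswith(HIVES):
            findings.append(f"Registry entry does not start with a hive: {entry}")
    for path in sections.get("File", []):
        if not re.match(r"^[A-Za-z]:\\", path):
            findings.append(f"File entry is not an absolute drive path: {path}")
    return findings


if __name__ == "__main__":
    for name, script in (("#31", SCRIPT_31), ("#43", SCRIPT_43),
                         ("shorthand", SCRIPT_WITH_SHORTHAND)):
        print(name, dict(parse_cfscript(script)), check_script(script) or "OK")
```

Running it reports both of the thread's scripts as clean and flags the pasted log line, and `clsids_in` pulls the two BHO CLSIDs out of the #43 script so they can be matched against the entries the log reported.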

#44 kevin777 (Member, Topic Starter, 31 posts)

Hi. I am away from the subject computer for a couple days and will work on this Monday Aug 4. thanks for your help.

#45 kevin777 (Member, Topic Starter, 31 posts)

1. see attached log.txt for step 1.
2. see attached log2 for step 2

thanks for your continued help.

Attached Files

  • log.txt (7.55 KB, 141 downloads)
  • log2.txt (7.9 KB, 120 downloads)

Edited by kevin777, 05 August 2008 - 10:06 PM.
