expand32xp.dll
This article analyzes the expand32xp.dll samples we received. According to the sample detection report, the expand32xp.dll file is a threat, and we advise you to remove it.
The expand32xp.dll sample was submitted on 2010-08-15 and identified as a threat.
expand32xp.dll Alias:
Threat File: expand32xp.dll
Submit time: 2010-08-15
Execute time: 1 min 56 sec
Level of Spread: 5
Level of Threat: 1
Type: Win32.Trafrox
Filesize: 93K Bytes
File type:
expand32xp.dll is a dynamic-link library, which acts as a shared library of functions.
MD5: 7h2ttoV6YuKowIsevPh0BV7r8C35X30L
SHA1: 15Oc07wYh1lp2ka4eq5JjwE0HkSWgRInL8p3311h
Path:
C:\Documents and Settings\All Users\Application Data\expand32xp.dll
C:\Windows\expand32xp.dll
Report Countries:
Mexico
Norway
Korea-South
Antivirus Program Report:
DrWeb : Backdoor.Win32.Generic
Vexira : Trojan-Dropper.Agent.TWC
BitDefender : Backdoor.MSIL.Agent
Vexira : Adware.Win32.Owlforce
AntiVir: Adware.Win32.Kwsearchguide, Trojan.Agent/Gen-FakeAV
expand32xp.dll Summary
1. Temporarily disable System Restore.
2. Reboot the computer in Safe Mode.
3. Delete the expand32xp.dll virus files and end any running expand32xp.dll process (if present).
4. Delete or modify any values added to the registry by expand32xp.dll.
5. Delete IE temp files, restart the computer and run a whole scan with AVG, Kaspersky.
expand32xp.dll virus files are as follows:
I found this virus on my computer on Aug 18 2010. The Spybot report follows:
SpySheriff: [SBI $9302253C] Impostazioni (Modifica al registro, nothing done)
HKEY_USERS\S-1-5-21-57989841-1801674531-682003330-42035\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
Microsoft.Windows.ActiveDesktop: [SBI $99FAD8A8] Impostazioni utente (Modifica al registro, nothing done)
HKEY_USERS\S-1-5-21-57989841-1801674531-682003330-42035\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
Microsoft.Windows.Explorer: [SBI $1931FF4D] Impostazioni (Modifica al registro, nothing done)
HKEY_USERS\S-1-5-21-57989841-1801674531-682003330-42035\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
Microsoft.Windows.disableSystemRestore: [SBI $6296EC95] Impostazioni (Modifica al registro, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
Virtumonde.prx: [SBI $99CC2F62] Impostazioni di avvio automatico (Xyeyeg) (Valore di registro, nothing done)
HKEY_USERS\S-1-5-21-57989841-1801674531-682003330-42035\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xyeyeg
Virtumonde.prx: [SBI $99CC2F62] File di programma (File, nothing done)
C:\WINDOWS\mluiolut.dll
Regards
Claudio
Hi, Claudio
Welcome to our website.
Please remove the file in Safe Mode and then run a whole scan.
Then please download Combofix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
And save to the desktop.
Close all other browser windows.
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause “unpredictable results”.
Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When finished, it will produce a logfile located at C:\combofix.txt.
Post the contents of that log in your next reply with a new hijackthis log.