avwapi32.dll

Psych

Senior member
Feb 3, 2004
I'm not sure how this got onto my computer since I am usually careful, but I noticed a significant slowdown in my computer and numerous security pop-ups from Norton, so I checked it out. Apparently a file named "avwapi32.dll" was copied into my \Windows\system32 folder, edow.exe into \Windows, VBounce into \Program Files, and a startup entry.

Winlogon.exe was constantly trying to contact sites like www.888.com and www.look2me.com, but nothing was done to it. I removed everything except avwapi32.dll because it was being used by a process. I tried in Safe Mode, but the same thing happened.

I think Winlogon is being tricked into using avwapi32.dll as an application extension, and since Winlogon can't be turned off, I can't delete avwapi32.dll! Is there any way to do this?

If your answer is to use a DOS boot disk with an NTFS reader and modifier, could you give some instructions or a link to a good way of doing that?
 

dclive

Elite Member
Oct 23, 2003
Originally posted by: Psych
I'm not sure how this got onto my computer since I am usually careful, but I noticed a significant slowdown in my computer and numerous security pop-ups from Norton, so I checked it out. Apparently a file named "avwapi32.dll" was copied into my \Windows\system32 folder, edow.exe into \Windows, VBounce into \Program Files, and a startup entry.

Winlogon.exe was constantly trying to contact sites like www.888.com and www.look2me.com, but nothing was done to it. I removed everything except avwapi32.dll because it was being used by a process. I tried in Safe Mode, but the same thing happened.

I think Winlogon is being tricked into using avwapi32.dll as an application extension, and since Winlogon can't be turned off, I can't delete avwapi32.dll! Is there any way to do this?

If your answer is to use a DOS boot disk with an NTFS reader and modifier, could you give some instructions or a link to a good way of doing that?

Boot to Recovery Console from your XP CD.
Log in, and copy userinit.exe to avwapi32.dll (both are in c:\windows\system32)

Or you could simply go into regedit, search for that data in winlogon, and modify the winlogon key so it only points to userinit.exe and not avwapi32.dll, then reboot.
 

Psych

Senior member
Feb 3, 2004
Thanks. Just curious, what tells Winlogon to load other DLLs and use them?
 

Psych

Senior member
Feb 3, 2004
Which one, in specific? Is there some interface to enable and disable extensions for these processes?
 

dclive

Elite Member
Oct 23, 2003
Originally posted by: Psych
Which one, in specific? Is there some interface to enable and disable extensions for these processes?

Or you could simply go into regedit, search for that data in winlogon, and modify the winlogon key so it only points to userinit.exe and not avwapi32.dll, then reboot.

(in other words, search for avwapi32.dll in RegEdt32, and when you get to the Winlogon key, you'll see something like "c:\windows\system32\userinit.exe, c:\windows\system32\avwapi32.dll," --- everything after that first comma (ie the entire avwapi32.dll part) is bad.)

This is an educated guess based on another post I read on this subject. I suggest opening up regedit and looking for that value in the winlogon key, and seeing if it is present.

...or just go into recovery console, rename avwapi32.dll to avwapi32.old, and see what happens. Worst case you'd just need to go back into RC to rename the file...
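
The registry check described in the reply above, as an added example that is not part of the original thread. It assumes the value in question is `Userinit` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`; the function names and sample strings are constructed for illustration.

```python
import ntpath
import sys

# Assumption: the Winlogon value being inspected is "Userinit" under this key.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def unexpected_userinit_entries(value, system_root=r"C:\Windows"):
    """Return every entry of a Userinit-style value that is not userinit.exe."""
    system32 = ntpath.join(system_root, "system32")
    expected = ntpath.normcase(ntpath.join(system32, "userinit.exe"))
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:  # the stock value ends with a trailing comma
            continue
        # Assumption for this check: a bare file name resolves against system32.
        if not ntpath.isabs(entry):
            entry = ntpath.join(system32, entry)
        # Compare case-insensitively after collapsing ".." and mixed slashes.
        if ntpath.normcase(ntpath.normpath(entry)) != expected:
            extras.append(raw.strip())
    return extras


def read_live_userinit():
    """Read the live Userinit value (Windows only, 64-bit registry view)."""
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values: a stock entry and one shaped like the post's example.
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
TAMPERED = r"c:\windows\system32\userinit.exe, c:\windows\system32\avwapi32.dll,"

if __name__ == "__main__":
    value = read_live_userinit() if sys.platform == "win32" else TAMPERED
    for item in unexpected_userinit_entries(value):
        print("unexpected Userinit entry:", item)
```
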
 