Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

RunDLL loves to quit

Started by Victor Creed , Jan 10 2005 05:07 PM

This topic is locked

#16
coachwife6

Posted 17 January 2005 - 02:11 PM

SuperStar

Retired Staff
11,413 posts

1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\rlsl5371.dll
6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.
9. Repeat steps 4-8 above for these files:

* C:\WINDOWS\System32\h00q0ad5ed0.dll
* C:\WINDOWS\System32\g8lm0i31e8.dll
* C:\WINDOWS\System32\mticda.dll
* C:\WINDOWS\System32\azas0i97e8.dll
* C:\WINDOWS\System32\ if41_qcx.dll
* C:\WINDOWS\System32\dnnm0151e.dll

All of the following DLLs will have have a C:WINDOWS\System32 in front of it. I don't have time to rewrite C:WINDOWS\System32 in front of each DLL. Am I clear on how this is done?
For example:

Erase the date, time and number --see the bold 01/12/2005 11:58 AM 224,357

Put in C:\ WINDOWS/System 32\woags48b.dll
01/12/2005 11:58 AM 225,574 ktj2l71o1.dll
01/12/2005 11:51 AM 224,357 aprsvc.dll
01/12/2005 11:51 AM 225,638 en82l1lo1.dll
01/12/2005 11:48 AM 224,528 dnpm0171e.dll
01/12/2005 11:43 AM 224,357 wopasf.dll
01/11/2005 11:25 PM 224,357 ennml1511.dll
01/11/2005 11:22 PM 224,161 m4lsle371h.dll
01/10/2005 10:06 PM 225,955 s4rsle971h.dll
01/10/2005 09:23 PM 224,161 h40qled51h0.dll
01/10/2005 09:01 PM 224,161 k480lelm1hqa.dll
01/10/2005 08:48 PM 224,161 j26m0cj1efo.dll
01/10/2005 08:38 PM 223,153 d40mled11h0.dll
01/10/2005 12:20 PM 224,803 n0n6la5s1d.dll
01/10/2005 12:14 PM 223,153 iietcomm.dll
01/10/2005 12:14 PM 224,273 f02mlaf11d2.dll
01/10/2005 12:12 PM 223,153 axl.dll
01/10/2005 12:12 PM 224,492 mvlol9331.dll
01/10/2005 12:09 PM 223,153 nxlanui2.dll
01/10/2005 12:09 PM 223,242 lv8009lme.dll
01/10/2005 12:03 PM 223,153 vsdex.dll
01/10/2005 12:03 PM 223,556 fp0403dqe.dll
01/10/2005 11:32 AM 225,042 mv88l9lu1.dll
01/10/2005 11:29 AM 223,153 lciff13n.dll
01/10/2005 11:29 AM 224,828 azaol9531.dll
01/10/2005 11:26 AM 223,153 aistream.dll
01/10/2005 11:26 AM 224,917 p46slej71ho.dll
01/10/2005 11:24 AM 224,323 k0pmla711d.dll
01/10/2005 11:21 AM 223,153 kmdhela3.dll
01/10/2005 11:21 AM 223,601 k8440ihqe84e0.dll
01/10/2005 12:41 AM 223,153 eaent.dll
01/10/2005 12:35 AM 223,647 l4l6le3s1h.dll
01/09/2005 09:53 PM 223,153 hr4805hue.dll
01/09/2005 08:32 AM 224,242 gplml3311.dll
01/07/2005 12:19 PM 223,153 swlgntfy.dll
01/07/2005 12:16 PM 224,807 n4n6le5s1h.dll
01/07/2005 12:12 PM 223,153 vaa.dll
01/07/2005 12:09 PM 223,153 k4620ejoehoc0.dll
01/07/2005 12:07 PM 223,153 flsdrv.dll
01/07/2005 12:05 PM 223,153 mvnol9531.dll
01/07/2005 12:00 PM 223,153 kddbr.dll
01/07/2005 12:00 PM 223,572 lvj4091qe.dll
01/07/2005 11:50 AM 223,153 kmd101.dll
01/07/2005 11:50 AM 223,855 j20s0cd7ef0.dll
01/07/2005 11:46 AM 223,153 lcrhelp.dll
01/07/2005 11:46 AM 223,333 l08m0al1edq.dll
01/07/2005 11:42 AM 223,153 wndmtpdr.dll
01/07/2005 11:42 AM 223,386 fpl2033oe.dll
01/07/2005 11:35 AM 225,181 cQtsrvut.dll
01/07/2005 11:29 AM 223,153 doprpres.dll
01/07/2005 10:11 AM 225,181 csfview.dll
01/06/2005 08:20 PM 223,153 uhrcoina.dll
01/06/2005 07:31 PM 223,153 krdfi.dll
01/06/2005 07:22 PM 223,153 CZ60SUI.DLL
01/06/2005 07:22 PM 225,168 jrj0251mg.dll
01/06/2005 07:09 PM 223,240 jt8007lme.dll
01/06/2005 07:06 PM 223,442 lv8209loe.dll
01/06/2005 12:35 PM 223,153 s8rs0i97e8.dll
01/05/2005 12:08 PM 223,153 lpfil13n.DLL
01/02/2005 12:07 PM 226,077 k8js0i17e8.dll
12/26/2004 09:50 PM 224,700 cZtsrv.dll
12/25/2004 11:04 PM 225,047 icetres.dll
12/25/2004 07:37 PM 222,831 via64k.dll
12/25/2004 09:23 AM 222,968 fusperf.dll
12/24/2004 10:20 PM 222,831 anmparse.dll
12/24/2004 06:38 PM 226,148 nyevtmsg.dll
12/24/2004 12:17 PM 222,501 xwsp1res.dll
12/24/2004 01:14 AM 226,148 szgtab.dll
12/23/2004 06:54 PM 222,501 org.dll
12/23/2004 06:09 PM 226,148 muctfp.dll
12/22/2004 10:50 PM 224,402 emcapi.dll
12/22/2004 10:07 PM 224,745 kudnecAT.dll
12/22/2004 08:50 PM 224,402 nrtevent.dll
12/22/2004 08:07 PM 223,471 rpm.dll
12/20/2004 06:31 PM 223,158 FHStudioDLL.dll
12/20/2004 01:26 PM 223,158 hvetmon.dll
12/20/2004 12:26 PM 223,158 hucoin.dll
12/19/2004 09:11 PM 223,158 mfnsspc.dll
12/19/2004 04:25 PM 223,158 dldskres.dll
12/17/2004 10:58 PM 223,280 mvn4l95q1.dll
12/16/2004 02:15 PM 223,280 closys.dll
12/15/2004 04:20 PM 222,987 mvjul9191.dll
12/13/2004 11:56 PM 224,403 akifile.dll
12/13/2004 11:32 PM 223,122 pgtorsvc.dll
12/13/2004 11:22 PM 223,861 ksdgkl.dll
12/13/2004 04:51 PM 223,122 muisam11.dll
12/13/2004 12:33 PM 223,861 ceyptext.dll
12/13/2004 12:20 PM 223,122 kodusl.dll
12/13/2004 11:54 AM 225,775 srimgvw.dll
12/12/2004 10:37 PM 222,745 dzsec.dll
12/12/2004 10:31 PM 225,775 jLvacypt.dll
12/12/2004 06:22 PM 223,900 drcompos.dll
12/12/2004 04:47 PM 223,232 aylsp.dll
12/12/2004 04:39 PM 223,900 aaupd.dll
12/12/2004 04:24 PM 223,232 ujerenv.dll

10. Click "Replace on Reboot" and check the "Use Dummy" box.
11. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\Guard.tmp
12. Click the "Delete File" button which looks like a stop sign.
13. Click "Yes" at the Replace on Reboot prompt.
14. Click "Yes" at the Pending Operations prompt to restart your computer.
15. Double-click on find.bat and post the new output.txt.

Do not reboot.

#17
Victor Creed

Posted 17 January 2005 - 02:15 PM

Member

Topic Starter
Member
84 posts

so that long list of dates/times that I'm to replace I need to delete all those? Just to clarify.

#18
Victor Creed

Posted 17 January 2005 - 03:41 PM

Member

Topic Starter
Member
84 posts

No reboot everything done to specifications, new log :tazz:

:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/17/2005 01:20 PM 552 TBPS.ini
01/12/2005 04:21 PM 224,357 irlsl5371.dll
01/12/2005 12:25 PM 224,495 g8lm0i31e8.dll
01/12/2005 12:01 PM 224,357 if41_qcx.dll
01/12/2005 11:58 AM 224,357 woags48b.dll
01/12/2005 11:58 AM 225,574 ktj2l71o1.dll
01/12/2005 11:51 AM 224,357 aprsvc.dll
01/12/2005 11:51 AM 225,638 en82l1lo1.dll
01/12/2005 11:48 AM 224,528 dnpm0171e.dll
01/12/2005 11:43 AM 224,357 wopasf.dll
01/11/2005 11:25 PM 224,357 ennml1511.dll
01/11/2005 11:22 PM 224,161 m4lsle371h.dll
01/06/2005 08:20 PM 223,153 uhrcoina.dll
11/26/2004 08:14 PM <DIR> Microsoft
09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
14 File(s) 2,695,091 bytes
2 Dir(s) 1,166,749,696 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
09/30/2001 11:30 PM 488 logonui.exe.manifest
09/30/2001 11:30 PM 488 WindowsLogon.manifest
09/30/2001 11:30 PM 749 wuaucpl.cpl.manifest
09/30/2001 11:30 PM 749 cdplayer.exe.manifest
09/30/2001 11:30 PM 749 nwc.cpl.manifest
09/30/2001 11:30 PM 749 ncpa.cpl.manifest
09/30/2001 11:30 PM 749 sapi.cpl.manifest
8 File(s) 5,569 bytes
1 Dir(s) 1,166,749,696 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=""
"iebar"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
aprsvc.dll Wed Jan 12 2005 11:51:36a ..S.R 224,357 219.10 K
dnpm01~1.dll Wed Jan 12 2005 11:48:02a ..S.R 224,528 219.27 K
en82l1~1.dll Wed Jan 12 2005 11:51:36a ..S.R 225,638 220.35 K
ennml1~1.dll Tue Jan 11 2005 11:25:46p ..S.R 224,357 219.10 K
g8lm0i~1.dll Wed Jan 12 2005 12:25:34p ..S.R 224,495 219.23 K
if41_qcx.dll Wed Jan 12 2005 12:01:50p ..S.R 224,357 219.10 K
irlsl5~1.dll Wed Jan 12 2005 4:21:02p ..S.R 224,357 219.10 K
ktj2l7~1.dll Wed Jan 12 2005 11:58:40a ..S.R 225,574 220.29 K
m4lsle~1.dll Tue Jan 11 2005 11:22:20p ..S.R 224,161 218.91 K
tbps.ini Mon Jan 17 2005 1:20:34p ..S.R 552 0.54 K
uhrcoina.dll Thu Jan 6 2005 8:21:00p ..S.R 223,153 217.92 K
woags48b.dll Wed Jan 12 2005 11:58:40a ..S.R 224,357 219.10 K
wopasf.dll Wed Jan 12 2005 11:43:12a ..S.R 224,357 219.10 K

13 items found: 13 files, 0 directories.
Total of file sizes: 2,694,243 bytes 2.57 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\aqzqmq.exe: updates.qoologic.com
C:\WINDOWS\system32\naoaua.dll: updates.qoologic.com
C:\WINDOWS\system32\qpypzp.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Beauties Of VirtuaGirls.com.SCR: .aspack
C:\WINDOWS\system32\Beauties Of VirtuaGirls.com.SCR: .aspack
C:\WINDOWS\system32\gkikok.exe: .aspack
C:\WINDOWS\system32\IJL15.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\kvavyv.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\inunpn.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"Narrator"="C:\\WINDOWS\\system32\\gkikok.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"

#19
coachwife6

Posted 17 January 2005 - 04:17 PM

SuperStar

Retired Staff
11,413 posts

Good job. Keep it going and don't reboot. :tazz:

Follow the same directions as before. This takes many, many steps.

Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

* C:\WINDOWS\System32\irlsl5371.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:

* C:\WINDOWS\System32\g8lm0i31e8.dll

(do the same as before - put the C:\WINDOWS\System32\ before each of the following)

if41_qcx.dll
woags48b.dll
ktj2l71o1.dll
aprsvc.dll
en82l1lo1.dll
dnpm0171e.dll
wopasf.dll
ennml1511.dll
m4lsle371h.dll
uhrcoina.dll

Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

* C:\WINDOWS\System32\Guard.tmp

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.
Double-click on find.bat and post the new output.txt.

#20
Victor Creed

Posted 17 January 2005 - 05:39 PM

Member

Topic Starter
Member
84 posts

Here's the new one btw I'm sitting around on my laptop so as soon as you send me an email I'm on it. So feel free to check back sooner :tazz:

:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/17/2005 03:05 PM 553 TBPS.ini
11/26/2004 08:14 PM <DIR> Microsoft
09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
2 File(s) 1,401 bytes
2 Dir(s) 1,135,345,664 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
09/30/2001 11:30 PM 488 logonui.exe.manifest
09/30/2001 11:30 PM 488 WindowsLogon.manifest
09/30/2001 11:30 PM 749 wuaucpl.cpl.manifest
09/30/2001 11:30 PM 749 cdplayer.exe.manifest
09/30/2001 11:30 PM 749 nwc.cpl.manifest
09/30/2001 11:30 PM 749 ncpa.cpl.manifest
09/30/2001 11:30 PM 749 sapi.cpl.manifest
8 File(s) 5,569 bytes
1 Dir(s) 1,135,345,664 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=""
"iebar"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
tbps.ini Mon Jan 17 2005 3:09:40p ..S.R 554 0.54 K

1 item found: 1 file, 0 directories.
Total of file sizes: 554 bytes 0.54 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\aqzqmq.exe: updates.qoologic.com
C:\WINDOWS\system32\naoaua.dll: updates.qoologic.com
C:\WINDOWS\system32\qpypzp.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Beauties Of VirtuaGirls.com.SCR: .aspack
C:\WINDOWS\system32\Beauties Of VirtuaGirls.com.SCR: .aspack
C:\WINDOWS\system32\gkikok.exe: .aspack
C:\WINDOWS\system32\IJL15.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\kvavyv.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\inunpn.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"Narrator"="C:\\WINDOWS\\system32\\gkikok.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"

#21
Victor Creed

Posted 18 January 2005 - 03:53 AM

Member

Topic Starter
Member
84 posts

upsey daisy since I'm almost done.

#22
coachwife6

Posted 18 January 2005 - 04:00 AM

SuperStar

Retired Staff
11,413 posts

Hey Victor:

I got in at midnight last night and I am working right now. I will try to get to it in about five hours or maybe one of the other staff members will get to it before then. You did great. We are almost there. :tazz:

#23
Victor Creed

Posted 18 January 2005 - 04:02 AM

Member

Topic Starter
Member
84 posts

No problem just let me know unfortunately I rebooted my system shut down. So I'll put up a new log later.

#24
coachwife6

Posted 18 January 2005 - 04:14 AM

SuperStar

Retired Staff
11,413 posts

Go ahead and post it now.

#25
Victor Creed

Posted 18 January 2005 - 04:33 AM

Member

Topic Starter
Member
84 posts

Ok generating it as we speak. Thanks one again.

#26
Victor Creed

Posted 18 January 2005 - 04:53 AM

Member

Topic Starter
Member
84 posts

Here is my new log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/18/2005 02:30 AM 553 TBPS.ini
11/26/2004 08:14 PM <DIR> Microsoft
09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
2 File(s) 1,401 bytes
2 Dir(s) 1,199,525,888 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
09/30/2001 11:30 PM 488 logonui.exe.manifest
09/30/2001 11:30 PM 488 WindowsLogon.manifest
09/30/2001 11:30 PM 749 wuaucpl.cpl.manifest
09/30/2001 11:30 PM 749 cdplayer.exe.manifest
09/30/2001 11:30 PM 749 nwc.cpl.manifest
09/30/2001 11:30 PM 749 ncpa.cpl.manifest
09/30/2001 11:30 PM 749 sapi.cpl.manifest
8 File(s) 5,569 bytes
1 Dir(s) 1,199,525,888 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=""
"iebar"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
tbps.ini Tue Jan 18 2005 2:34:32a ..S.R 554 0.54 K

1 item found: 1 file, 0 directories.
Total of file sizes: 554 bytes 0.54 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\aqzqmq.exe: updates.qoologic.com
C:\WINDOWS\system32\naoaua.dll: updates.qoologic.com
C:\WINDOWS\system32\qpypzp.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Beauties Of VirtuaGirls.com.SCR: .aspack
C:\WINDOWS\system32\Beauties Of VirtuaGirls.com.SCR: .aspack
C:\WINDOWS\system32\gkikok.exe: .aspack
C:\WINDOWS\system32\IJL15.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\kvavyv.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\inunpn.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"Narrator"="C:\\WINDOWS\\system32\\gkikok.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"

:tazz:

#27
coachwife6

Posted 18 January 2005 - 11:45 AM

SuperStar

Retired Staff
11,413 posts

Victor:

I want someone to check this out first, so hold off until you hear back from me.

Double-click on KillBox.exe.
1. Click "Replace on Reboot" and check the "Use Dummy" box.
2. Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\Beauties Of VirtuaGirls.com.SCR

3. Click the "Delete File" button which looks like a stop sign.
4. Click "Yes" at the Replace on Reboot prompt.
5. Click "No" at the Pending Operations prompt.
6. Repeat steps 1-5 above for these files:

C:\WINDOWS\system32\aqzqmq.exe
C:\WINDOWS\system32\naoaua.dll
C:\WINDOWS\system32\qpypzp.dll
C:\WINDOWS\system32\gkikok.exe
C:\WINDOWS\system32\IJL15.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\Incinerator.dll
C:\WINDOWS\system32\kvavyv.dat
C:\windows\\system32\kalvmhg32.exe
C:\PROGRA~1\COMMON~1\WinTools
C:\PROGRA~1\\Toolbar\TBPS.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\inunpn.exe

7.Click "Replace on Reboot" and check the "Use Dummy" box.
8. Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

9. Click the "Delete File" button which looks like a stop sign.
10. Click "Yes" at the Replace on Reboot prompt.
11. Click "Yes" at the Pending Operations prompt to restart your computer.
12. Double-click on find.bat and post the new output.txt.

#28
Victor Creed

Posted 18 January 2005 - 02:47 PM

Member

Topic Starter
Member
84 posts

New Log, all seems to be running fine. Also I don't know does this address the Dr.Postmortem problems also? Another thing I had a question about (I'm trying to limit all these to one thread) is I have some files/folders I'd like to delete but it won't let me. Anyways can get to that after this is sorted out. Here's the log(thank you so far):

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/18/2005 12:27 PM 553 TBPS.ini
11/26/2004 08:14 PM <DIR> Microsoft
09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
2 File(s) 1,401 bytes
2 Dir(s) 1,280,720,896 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

09/21/2004 10:15 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
09/30/2001 11:30 PM 488 logonui.exe.manifest
09/30/2001 11:30 PM 488 WindowsLogon.manifest
09/30/2001 11:30 PM 749 wuaucpl.cpl.manifest
09/30/2001 11:30 PM 749 cdplayer.exe.manifest
09/30/2001 11:30 PM 749 nwc.cpl.manifest
09/30/2001 11:30 PM 749 ncpa.cpl.manifest
09/30/2001 11:30 PM 749 sapi.cpl.manifest
8 File(s) 5,569 bytes
1 Dir(s) 1,280,458,752 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=""
"iebar"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
tbps.ini Tue Jan 18 2005 12:27:12p ..S.R 553 0.54 K

1 item found: 1 file, 0 directories.
Total of file sizes: 553 bytes 0.54 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"Narrator"="C:\\WINDOWS\\system32\\gkikok.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"

:tazz:

#29
Victor Creed

Posted 18 January 2005 - 06:42 PM

Member

Topic Starter
Member
84 posts

uppity

#30
coachwife6

Posted 18 January 2005 - 09:05 PM

SuperStar

Retired Staff
11,413 posts

Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\\system32\guard.tmp

Copy the part in bold below into notepad and save it as webcheck.reg
(Set filetype to "All files")

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"="
"iebar"= -

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-

Reboot into safe mode and get rid of:

C:\WINDOWS\SYSTEM32\tbps.ini
C:\\windows\\system32\\kalvmhg32.exe
C:\\WINDOWS\\system32\\gkikok.exe
C:\\PROGRA~1\\COMMON~1\\WinTools
C:\\PROGRA~1\\Toolbar\\

Post a new HijackThis log when you are done.