RunDLL loves to quit
Started by Victor Creed, Jan 10 2005 05:07 PM
#31
Posted 18 January 2005 - 11:05 PM
#32
Posted 18 January 2005 - 11:17 PM
Post a Hijack This log and I'll look at it in the morning. Make sure all files are showing when you look for them.
We're getting closer.
#33
Posted 18 January 2005 - 11:21 PM
Uh oh, for some reason my HJT won't complete a scan and give me a log.
#34
Posted 19 January 2005 - 01:12 PM
In Task Manager, double-click just inside the left or right outer border of the window to get the tabs back.
Post a new Findit log.
Regards,
Pieter
#35
Posted 19 January 2005 - 03:17 PM
I'm doing the log right now, but also my SpySubtract keeps picking up this IBIS, LLC in the Venus Spy Trap and I can't delete it with Venus Spy Trap. Any way to rid myself of it?
#36
Posted 19 January 2005 - 03:57 PM
New log, and don't forget to check what I said above this log. Thanks:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is MI6
Volume Serial Number is 2C7E-7243
Directory of C:\WINDOWS\System32
01/19/2005 01:11 PM 553 TBPS.ini
01/18/2005 08:45 PM <DIR> dllcache
11/26/2004 08:14 PM <DIR> Microsoft
07/24/2004 09:35 PM 848 KGyGaAvL.sys
2 File(s) 1,401 bytes
2 Dir(s) 1,118,126,080 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is MI6
Volume Serial Number is 2C7E-7243
Directory of C:\WINDOWS\System32
01/18/2005 08:45 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
09/30/2001 11:30 PM 488 logonui.exe.manifest
09/30/2001 11:30 PM 488 WindowsLogon.manifest
09/30/2001 11:30 PM 749 wuaucpl.cpl.manifest
09/30/2001 11:30 PM 749 cdplayer.exe.manifest
09/30/2001 11:30 PM 749 nwc.cpl.manifest
09/30/2001 11:30 PM 749 ncpa.cpl.manifest
09/30/2001 11:30 PM 749 sapi.cpl.manifest
8 File(s) 5,569 bytes
1 Dir(s) 1,118,121,984 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is MI6
Volume Serial Number is 2C7E-7243
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C is MI6
Volume Serial Number is 2C7E-7243
Directory of C:\WINDOWS\System32
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=""
"iebar"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
tbps.ini Wed Jan 19 2005 1:11:12p ..S.R 553 0.54 K
1 item found: 1 file, 0 directories.
Total of file sizes: 553 bytes 0.54 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\ntdll.dll: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"Narrator"="C:\\WINDOWS\\system32\\gkikok.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"
#37
Posted 20 January 2005 - 01:11 PM
Download and unzip:
http://www.downloads...org/KillBox.zip
Run KillBox and paste each of these lines into the box, select "Delete on reboot", then press the red X button. When it says "reboot now", say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.
TBPS.ini
C:\WINDOWS\system32\guard.tmp <= save till last
After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=-
"iebar"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"=-
"Narrator"=-
"WinTools"=-
"TBPS"=-
Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button
Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")
attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f
Close all programs and double-click recyclerem.bat.
Post back with a HijackThis log.
Regards,
Pieter
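Before merging a fix like FixVX2.reg, it helps to see exactly which of the keys and values in the Find-It log it would remove. The following is an added example, not code from the thread or from any of the tools named in it: it parses the REGEDIT4 text of an export (the log's "Keys Under Notify" and "HKLM Run Key" sections) and of a fix, applies the fix's `[-key]` and `"name"=-` deletions to the parsed snapshot, and returns a change log. The sample export and fix below are constructed from the values posted above and shortened; only the REGEDIT4 syntax seen in this thread is handled.

```python
import re

def parse_reg(text):
    """Yield (key, name, data). '[-key]' -> (key, None, '-'); '"n"=-' -> (key, n, None)."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield (key[1:], None, "-") if key.startswith("-") else (key, None, None)
        elif key is not None and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            name, data = m.groups()
            if data == "-":
                yield key, name, None
            elif data.startswith('"'):             # REG_SZ: unescape \\ and \"
                yield key, name, re.sub(r'\\(.)', r'\1', data[1:-1])
            else:
                yield key, name, data              # dword:/hex: kept as written

def dry_run_fix(export_text, fix_text):
    """Apply fix_text to a snapshot built from export_text; return (snapshot, log)."""
    snap, log = {}, []                             # key paths lower-cased: the registry is case-insensitive
    for key, name, data in parse_reg(export_text):
        vals = snap.setdefault(key.lower(), {})
        if name is not None:
            vals[name] = data
    for key, name, data in parse_reg(fix_text):
        k = key.lower()
        if name is None and data == "-":           # [-key]: delete the key and all its subkeys
            for victim in [x for x in snap if x == k or x.startswith(k + "\\")]:
                log.append(f"delete key {victim}")
                del snap[victim]
        elif name is not None and data is None:    # "name"=-: delete one value
            old = snap.get(k, {}).pop(name, None)
            log.append(f"delete value {key}\\{name}" + (" (absent)" if old is None else f" (was {old!r})"))
        elif name is not None:                     # "name"=data: set or overwrite a value
            log.append(f"set {key}\\{name} = {data!r}")
            snap.setdefault(k, {})[name] = data
    return snap, log
# Constructed sample: Notify and Run sections of the Find-It log, and the matching lines of FixVX2.reg.
EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""'''
FIX = r'''REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"=-'''
```

Calling `dry_run_fix(EXPORT, FIX)` returns the surviving snapshot (the Run key with only WinampAgent left) and a two-line log naming the deleted Shell Extensions key and the deleted kalvsys value; a `"name"=-` for a value the export does not contain is reported as absent rather than silently ignored.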
#38
Posted 20 January 2005 - 01:12 PM
Metallica got it.
#39
Posted 20 January 2005 - 06:11 PM
For some reason, whenever I run HJT for a log it scans completely, then freezes...
#40
Posted 20 January 2005 - 09:03 PM
Were you able to follow Metallica's instructions?
#41
Posted 20 January 2005 - 09:04 PM
All except the HJT log; my HJT freezes even after I reinstalled it.
#42
Posted 20 January 2005 - 09:10 PM
Perhaps your version of HijackThis is corrupt. Try downloading it again over the old version.
#43
Posted 20 January 2005 - 09:15 PM
This version I got was from the first time I started here in this forum... about a week ago. I did download it again and ran that; it still froze.
#44
Posted 20 January 2005 - 09:45 PM
Try going to www.merijn.org and downloading it from his site. Then I want you to name it something else and not use the word hijack.
I remember reading about this, but I can't remember what the fix is.
Either the one you downloaded first is corrupt or something is preventing it from running.
#45
Posted 28 January 2005 - 09:51 PM
Sorry it's been a while. I renamed it and it's STILL not working. I renamed it HJT... so I don't know what's up.