RunDLL loves to quit


  • This topic is locked

#31
Victor Creed

    Member

  • Topic Starter
  • 84 posts
None of those last files existed. Also when I bring up task manager... the top part of the window is gone. It's just all the gray part. :tazz: ... Next?
  • 0



#32
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Post a Hijack This log and I'll look at it in the morning. Make sure all files are showing when you look for them.

We're getting closer. :tazz:
  • 0

#33
Victor Creed

    Member

  • Topic Starter
  • 84 posts
Uh oh, for some reason my HJT won't complete a scan and give me a log.
  • 0

#34
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
In Task Manager, double-click just inside the left or right outer border of the window to get the tabs back.

Post a new Findit log.

Regards,

Pieter
  • 0

#35
Victor Creed

    Member

  • Topic Starter
  • 84 posts
I'm doing the log right now, but also my SpySubtract keeps picking up this IBIS, LLC in the Venus Spy Trap and I can't delete it with Venus Spy Trap. Any way to rid myself of it? :tazz:
  • 0

#36
Victor Creed

    Member

  • Topic Starter
  • 84 posts
New log and don't forget to check what I said above this log :tazz: merci:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/19/2005 01:11 PM 553 TBPS.ini
01/18/2005 08:45 PM <DIR> dllcache
11/26/2004 08:14 PM <DIR> Microsoft
07/24/2004 09:35 PM 848 KGyGaAvL.sys
2 File(s) 1,401 bytes
2 Dir(s) 1,118,126,080 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/18/2005 08:45 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
09/30/2001 11:30 PM 488 logonui.exe.manifest
09/30/2001 11:30 PM 488 WindowsLogon.manifest
09/30/2001 11:30 PM 749 wuaucpl.cpl.manifest
09/30/2001 11:30 PM 749 cdplayer.exe.manifest
09/30/2001 11:30 PM 749 nwc.cpl.manifest
09/30/2001 11:30 PM 749 ncpa.cpl.manifest
09/30/2001 11:30 PM 749 sapi.cpl.manifest
8 File(s) 5,569 bytes
1 Dir(s) 1,118,121,984 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=""
"iebar"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
tbps.ini Wed Jan 19 2005 1:11:12p ..S.R 553 0.54 K

1 item found: 1 file, 0 directories.
Total of file sizes: 553 bytes 0.54 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"Narrator"="C:\\WINDOWS\\system32\\gkikok.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"



  • 0

#37
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run Killbox and paste each of these lines into the box, select delete on reboot, then press the red X button. When it says reboot now, say no, continue to paste the lines into the box in turn, and follow the above procedure every time. After the last line has been pasted, let it reboot.

TBPS.ini
C:\WINDOWS\system32\guard.tmp <= save till last

After the reboot, copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=-
"iebar"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"=-
"Narrator"=-
"WinTools"=-
"TBPS"=-


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into Notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and double-click recyclerem.bat

Post back with a HijackThis log.

Regards,

Pieter
  • 0
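
A way to check a follow-up registry export against the deletions in the FixVX2.reg above (added example, not part of the original posts). `parse_reg` and `pending` are hypothetical helper names, and both sample texts are abridged from the thread:

```python
import re

def parse_reg(text):
    """REGEDIT4 text -> ({key: {value name: raw data}}, set of [-KEY] paths)."""
    keys, deleted, current = {}, set(), None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:
            path = m.group(2).lower()      # registry paths are case-insensitive
            current = None if m.group(1) else keys.setdefault(path, {})
            if m.group(1):
                deleted.add(path)          # [-KEY] deletes the key and its subkeys
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)   # raw data "-" = delete value
    return keys, deleted

def pending(fix_text, export_text):
    """Deletions requested by fix_text that export_text still shows as present."""
    fix_keys, fix_deleted = parse_reg(fix_text)
    exported, _ = parse_reg(export_text)
    left = [(p, None) for p in sorted(fix_deleted)
            if any(k == p or k.startswith(p + "\\") for k in exported)]
    for path, values in fix_keys.items():
        left += [(path, n) for n, d in values.items()
                 if d == "-" and n in exported.get(path, {})]
    return left

# FixVX2.reg as posted above, minus its Post Platform section (abridged here).
FIX = r'''REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"=-
"Narrator"=-
"WinTools"=-
"TBPS"=-
'''
# Abridged from the Find It log in post #36 (state before the fix).
BEFORE = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"
'''
print(pending(FIX, BEFORE))
```

Entries still listed when this is run on an export taken after the merge and reboot were either not deleted or have been written back.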

#38
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Metallica got it. :tazz:
  • 0

#39
Victor Creed

    Member

  • Topic Starter
  • 84 posts
For some reason, whenever I run HJT for a log it scans completely then freezes... :tazz:
  • 0

#40
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Were you able to follow Metallica's instructions?
  • 0



#41
Victor Creed

    Member

  • Topic Starter
  • 84 posts
All except the HJT log. My HJT freezes even after I re-installed. :tazz:
  • 0

#42
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Perhaps your version of HijackThis is corrupt. Try downloading it again over the old version.
  • 0

#43
Victor Creed

    Member

  • Topic Starter
  • 84 posts
This version I got was from the first time I started here in this forum... about a week ago. I did d/l again and ran that; it still froze. :tazz:
  • 0

#44
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Try going to www.merijn.org and downloading it from his site. Then I want you to name it something else and not use the word hijack.

I remember reading about this, but I can't remember what the fix is.

Either the one you downloaded first is corrupt or something is preventing it from running. :tazz:
  • 0

#45
Victor Creed

    Member

  • Topic Starter
  • 84 posts
Sorry it's been a while. I renamed it and it's STILL not working. I renamed it HJT... so I don't know what's up.
  • 0





