[Victor Creed]

None of those last files existed. Also when I bring up task manager... the top part of the window is gone. It's just all the gray part. ... Next?

[Advertisements]

Post a Hijack This log and I'll look at it in the morning. Make sure all files are showing when you look for them.

We're getting closer.

[coachwife6]

Post a Hijack This log and I'll look at it in the morning. Make sure all files are showing when you look for them.

We're getting closer.

[Victor Creed]

uh oh some reason my HJT won't complete a scan and give me a log

[Metallica]

In Taskmanager doubleclick just inside the left or right outer border of the window to get the tabs back.

Post a new Findit log.

Regards,

Pieter

[Victor Creed]

I'm doin the log right now but also my SpySubtract keeps picking up this IBIS,LLC inthe Venus Spy Trap and I can't delete it with Venus Spy Trap any way to rid myself of it?

[Victor Creed]

New log and don't forget to check what I said above this log merci:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/19/2005 01:11 PM 553 TBPS.ini
01/18/2005 08:45 PM <DIR> dllcache
11/26/2004 08:14 PM <DIR> Microsoft
07/24/2004 09:35 PM 848 KGyGaAvL.sys
2 File(s) 1,401 bytes
2 Dir(s) 1,118,126,080 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

01/18/2005 08:45 PM <DIR> dllcache
07/24/2004 09:35 PM 848 KGyGaAvL.sys
09/30/2001 11:30 PM 488 logonui.exe.manifest
09/30/2001 11:30 PM 488 WindowsLogon.manifest
09/30/2001 11:30 PM 749 wuaucpl.cpl.manifest
09/30/2001 11:30 PM 749 cdplayer.exe.manifest
09/30/2001 11:30 PM 749 nwc.cpl.manifest
09/30/2001 11:30 PM 749 ncpa.cpl.manifest
09/30/2001 11:30 PM 749 sapi.cpl.manifest
8 File(s) 5,569 bytes
1 Dir(s) 1,118,121,984 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is MI6
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=""
"iebar"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
tbps.ini Wed Jan 19 2005 1:11:12p ..S.R 553 0.54 K

1 item found: 1 file, 0 directories.
Total of file sizes: 553 bytes 0.54 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"="C:\\windows\\system32\\kalvmhg32.exe"
"Narrator"="C:\\WINDOWS\\system32\\gkikok.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"




[Metallica]

Download and unzip:
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

TBPS.ini
C:\WINDOWS\system32\guard.tmp <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF9803A1-F905-43E6-BC06-98BEEE3FDE38}"=-
"iebar"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"=-
"Narrator"=-
"WinTools"=-
"TBPS"=-


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Post back with a HijackThis log.

Regards,

Pieter

[coachwife6]

Metallica got it.

[Victor Creed]

for some reason whenever I run HJT for a log it scans completely then freezes...

[coachwife6]

Were you able to follow Metallica's instructions?

[Victor Creed]

all except the HJT log my HJT freezes even after I re-installed.

[coachwife6]

Perhaps your version of HijackThis is corrupt. Try downloading it again over the old version.

[Victor Creed]

This version I got was from the first time I started here in this forum... about a week ago. I did d/l again and ran that still froze.

[coachwife6]

Try going to www.merijn.org and downloading it from his site. Then I want you to name it something else and not use the word hijack.

I remember reading about this, but I can't remember what the fix is.

Either the one you downloaded first is corrupt or something is preventing it to run.

[Victor Creed]

Sorry it's been a while I renamed it and it's STILL not working. I renamed it HJT... so I don't know what's up.