Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help med Rundll.

Started by Poseidon , Jan 13 2005 08:54 AM

  • This topic is locked This topic is locked

#1
Poseidon
Posted 13 January 2005 - 08:54 AM

Poseidon

    Member

  • Member
  • PipPip
  • 26 posts
I don´t know how to do with rundll,UMONITOR.every time i close my PC or run my pc, it popsup an error message.
Please help me.
Thanks.
  • 0

Advertisements

#2
Metallica
Posted 13 January 2005 - 08:56 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Please do NOT reboot your computer after you have posted the log until you get a response. If you have to reboot, post a new log when you get back.

Regards,

Pieter
  • 0

#3
Poseidon
Posted 13 January 2005 - 10:17 AM

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-13 09:59 222˙880 h0l2la3o1d.dll
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
8 fil(er) 1˙120˙883 byte
2 katalog(er) 11˙256˙844˙288 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙256˙840˙192 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 15:08 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙256˙840˙192 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 15:08 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙256˙840˙192 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h0l2la3o1d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
h0l2la~1.dll Thu 2005-01-13 9.59.52 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

16 items found: 16 files, 0 directories.
Total of file sizes: 1 129 816 bytes 1,07 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#4
Poseidon
Posted 14 January 2005 - 02:37 PM

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Pleaaaaaaaaaaase.
I need help.Every time a start my pc,appears a UMONITOR error message.I don´t know what to do.I have sent logfile.
Problem still appearing and change name everytime.
C:\windows\system32\alferror.dll"UMONITOR
C:\windows\system32\ijdkcs32.dll"UMONITOR
C:\windows\system32\gji32.dll"UMONITOR
C:\windows\system32\dwviext.dll"UMONITOR
and so on

Thanks a lot.
  • 0

#5
Hemal
Posted 14 January 2005 - 02:43 PM

Hemal

    Founding Fart

  • Technician
  • 1,470 posts
can we see another log please?
  • 0

#6
coachwife6
Posted 14 January 2005 - 04:19 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Poseidon: Please don't start new threads. Keep all your responses in one thread. Thanks. :tazz:

Topics merged.
  • 0

#7
coachwife6
Posted 14 January 2005 - 04:32 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I got halfway through fixint this when I went back and realized you may have restarted your computer.

This is what Metallica wrote early on.

Please do NOT reboot your computer after you have posted the log until you get a response. If you have to reboot, post a new log when you get back


Please post a new log if you have restarted it. Thanks. :tazz:
  • 0

#8
Poseidon
Posted 15 January 2005 - 04:33 AM

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I have understand now.
Here is the new LOG and i will wait for responds.Thanks a lot.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-14 23:56 222˙880 irjol5131.dll
2005-01-14 13:54 222˙880 en2ql1f51.dll
2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
9 fil(er) 1˙343˙763 byte
2 katalog(er) 11˙247˙271˙936 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙247˙267˙840 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 10:06 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙247˙267˙840 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 10:06 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙247˙267˙840 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en2ql1f51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
en2ql1~1.dll Fri 2005-01-14 13.54.28 ..S.R 222 880 217,66 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
irjol5~1.dll Fri 2005-01-14 23.56.16 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

17 items found: 17 files, 0 directories.
Total of file sizes: 1 352 696 bytes 1,29 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#9
Metallica
Posted 15 January 2005 - 05:24 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\irjol5131.dll
C:\WINDOWS\System32\en2ql1f51.dll
C:\WINDOWS\System32\g4040edqeh0e0.dll
C:\WINDOWS\System32\ltj0271mg.dll
C:\WINDOWS\System32\enr8l19u1.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\p0n80a5ued.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Post back with a HijackThis log.

Regards,

Pieter
  • 0

#10
Poseidon
Posted 15 January 2005 - 07:24 AM

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Still have the same problem.
Here is the NEW AND LAST LOG.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 13:25 222˙880 o4840elqehqe0.dll
2005-01-15 13:22 222˙880 en06l1ds1.dll
2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
9 fil(er) 1˙343˙763 byte
2 katalog(er) 11˙242˙631˙168 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙242˙627˙072 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 13:33 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙242˙627˙072 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 13:33 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙242˙627˙072 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en06l1ds1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
en06l1~1.dll Sat 2005-01-15 13.22.04 ..S.R 222 880 217,66 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
o4840e~1.dll Sat 2005-01-15 13.25.26 ..S.R 222 880 217,66 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

17 items found: 17 files, 0 directories.
Total of file sizes: 1 352 696 bytes 1,29 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

Advertisements

#11
Metallica
Posted 15 January 2005 - 07:55 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\o4840elqehqe0.dll
C:\WINDOWS\System32\g4040edqeh0e0.dll
C:\WINDOWS\System32\ltj0271mg.dll
C:\WINDOWS\System32\enr8l19u1.dll
C:\WINDOWS\System32\p0n80a5ued.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\25FCC6DEDD.sys
C:\WINDOWS\System32\en06l1ds1.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX3.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX3.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]


Run VX2Finder and use the Restore Policy button

Doubleclick recyclerem.bat

Post back with a HijackThis log.

Regards,

Pieter
  • 0

#12
Poseidon
Posted 15 January 2005 - 08:58 AM

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hej!
Thanks a lot for all help.
I am analfabet in computers.
Now i have Reboot my PC and the problem still the same.
Here is the new fresh log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 15:10 222˙880 lv4o09h3e.dll
2005-01-15 13:25 222˙880 o4840elqehqe0.dll
2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
9 fil(er) 1˙343˙763 byte
2 katalog(er) 11˙241˙574˙400 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙241˙570˙304 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 15:35 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙241˙570˙304 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 15:35 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙241˙570˙304 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o4840elqehqe0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
lv4o09~1.dll Sat 2005-01-15 15.10.04 ..S.R 222 880 217,66 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
o4840e~1.dll Sat 2005-01-15 13.25.26 ..S.R 222 880 217,66 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

17 items found: 17 files, 0 directories.
Total of file sizes: 1 352 696 bytes 1,29 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#13
Metallica
Posted 15 January 2005 - 09:46 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Are you rebooting your computer between posting the log and applying the answer?

If so, you are wasting our time (yours and mine).

Regards,

Pieter
  • 0

#14
Poseidon
Posted 15 January 2005 - 09:59 AM

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I apologize.I didn´t understand it but now i will not do it.I appreciate our patience and it is not my intention do waste your time.
Pardon
  • 0

#15
Metallica
Posted 15 January 2005 - 10:33 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\lv4o09h3e.dll
C:\WINDOWS\System32\g4040edqeh0e0.dll
C:\WINDOWS\System32\ltj0271mg.dll
C:\WINDOWS\System32\enr8l19u1.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\p0n80a5ued.dll
C:\WINDOWS\System32\o4840elqehqe0.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]


Run VX2Finder and use the Restore Policy button

Close all programs and doubleclick recyclerem.bat

Post back with a HijackThis log.

Regards,

Pieter
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP