Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help med Rundll.


  • This topic is locked This topic is locked

#1
Poseidon

Poseidon

    Member

  • Member
  • PipPip
  • 26 posts
I don´t know how to do with rundll,UMONITOR.every time i close my PC or run my pc, it popsup an error message.
Please help me.
Thanks.
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Please do NOT reboot your computer after you have posted the log until you get a response. If you have to reboot, post a new log when you get back.

Regards,

Pieter
  • 0

#3
Poseidon

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-13 09:59 222˙880 h0l2la3o1d.dll
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
8 fil(er) 1˙120˙883 byte
2 katalog(er) 11˙256˙844˙288 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙256˙840˙192 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 15:08 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙256˙840˙192 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 15:08 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙256˙840˙192 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h0l2la3o1d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
h0l2la~1.dll Thu 2005-01-13 9.59.52 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

16 items found: 16 files, 0 directories.
Total of file sizes: 1 129 816 bytes 1,07 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#4
Poseidon

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Pleaaaaaaaaaaase.
I need help.Every time a start my pc,appears a UMONITOR error message.I don´t know what to do.I have sent logfile.
Problem still appearing and change name everytime.
C:\windows\system32\alferror.dll"UMONITOR
C:\windows\system32\ijdkcs32.dll"UMONITOR
C:\windows\system32\gji32.dll"UMONITOR
C:\windows\system32\dwviext.dll"UMONITOR
and so on

Thanks a lot.
  • 0

#5
Hemal

Hemal

    Founding Fart

  • Technician
  • 1,470 posts
can we see another log please?
  • 0

#6
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Poseidon: Please don't start new threads. Keep all your responses in one thread. Thanks. :tazz:

Topics merged.
  • 0

#7
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I got halfway through fixint this when I went back and realized you may have restarted your computer.

This is what Metallica wrote early on.

Please do NOT reboot your computer after you have posted the log until you get a response. If you have to reboot, post a new log when you get back


Please post a new log if you have restarted it. Thanks. :tazz:
  • 0

#8
Poseidon

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I have understand now.
Here is the new LOG and i will wait for responds.Thanks a lot.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-14 23:56 222˙880 irjol5131.dll
2005-01-14 13:54 222˙880 en2ql1f51.dll
2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
9 fil(er) 1˙343˙763 byte
2 katalog(er) 11˙247˙271˙936 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙247˙267˙840 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 10:06 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙247˙267˙840 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 10:06 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙247˙267˙840 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en2ql1f51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
en2ql1~1.dll Fri 2005-01-14 13.54.28 ..S.R 222 880 217,66 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
irjol5~1.dll Fri 2005-01-14 23.56.16 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

17 items found: 17 files, 0 directories.
Total of file sizes: 1 352 696 bytes 1,29 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\irjol5131.dll
C:\WINDOWS\System32\en2ql1f51.dll
C:\WINDOWS\System32\g4040edqeh0e0.dll
C:\WINDOWS\System32\ltj0271mg.dll
C:\WINDOWS\System32\enr8l19u1.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\p0n80a5ued.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Post back with a HijackThis log.

Regards,

Pieter
  • 0

#10
Poseidon

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Still have the same problem.
Here is the NEW AND LAST LOG.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 13:25 222˙880 o4840elqehqe0.dll
2005-01-15 13:22 222˙880 en06l1ds1.dll
2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
9 fil(er) 1˙343˙763 byte
2 katalog(er) 11˙242˙631˙168 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙242˙627˙072 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 13:33 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙242˙627˙072 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 13:33 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙242˙627˙072 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en06l1ds1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
en06l1~1.dll Sat 2005-01-15 13.22.04 ..S.R 222 880 217,66 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
o4840e~1.dll Sat 2005-01-15 13.25.26 ..S.R 222 880 217,66 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

17 items found: 17 files, 0 directories.
Total of file sizes: 1 352 696 bytes 1,29 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

Advertisements


#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\o4840elqehqe0.dll
C:\WINDOWS\System32\g4040edqeh0e0.dll
C:\WINDOWS\System32\ltj0271mg.dll
C:\WINDOWS\System32\enr8l19u1.dll
C:\WINDOWS\System32\p0n80a5ued.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\25FCC6DEDD.sys
C:\WINDOWS\System32\en06l1ds1.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX3.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX3.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]


Run VX2Finder and use the Restore Policy button

Doubleclick recyclerem.bat

Post back with a HijackThis log.

Regards,

Pieter
  • 0

#12
Poseidon

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hej!
Thanks a lot for all help.
I am analfabet in computers.
Now i have Reboot my PC and the problem still the same.
Here is the new fresh log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 15:10 222˙880 lv4o09h3e.dll
2005-01-15 13:25 222˙880 o4840elqehqe0.dll
2005-01-13 15:05 222˙880 g4040edqeh0e0.dll
2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-10 16:05 225˙138 ltj0271mg.dll
2005-01-07 00:03 225˙138 enr8l19u1.dll
2005-01-04 00:15 223˙927 p0n80a5ued.dll
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
9 fil(er) 1˙343˙763 byte
2 katalog(er) 11˙241˙574˙400 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙241˙570˙304 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 15:35 222˙880 guard.tmp
1 fil(er) 222˙880 byte
0 katalog(er) 11˙241˙570˙304 byte ledigt

------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-15 15:35 222˙880 guard.tmp
2001-08-23 14:00 147˙483 scrrun.dll.tmp
2 fil(er) 370˙363 byte
0 katalog(er) 11˙241˙570˙304 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o4840elqehqe0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
enr8l1~1.dll Fri 2005-01-07 0.03.44 ..S.R 225 138 219,86 K
g4040e~1.dll Thu 2005-01-13 15.05.36 ..S.R 222 880 217,66 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ltj027~1.dll Mon 2005-01-10 16.05.28 ..S.R 225 138 219,86 K
lv4o09~1.dll Sat 2005-01-15 15.10.04 ..S.R 222 880 217,66 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
o4840e~1.dll Sat 2005-01-15 13.25.26 ..S.R 222 880 217,66 K
p0n80a~1.dll Tue 2005-01-04 0.15.02 ..S.R 223 927 218,68 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

17 items found: 17 files, 0 directories.
Total of file sizes: 1 352 696 bytes 1,29 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#13
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Are you rebooting your computer between posting the log and applying the answer?

If so, you are wasting our time (yours and mine).

Regards,

Pieter
  • 0

#14
Poseidon

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I apologize.I didn´t understand it but now i will not do it.I appreciate our patience and it is not my intention do waste your time.
Pardon
  • 0

#15
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\lv4o09h3e.dll
C:\WINDOWS\System32\g4040edqeh0e0.dll
C:\WINDOWS\System32\ltj0271mg.dll
C:\WINDOWS\System32\enr8l19u1.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\p0n80a5ued.dll
C:\WINDOWS\System32\o4840elqehqe0.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]


Run VX2Finder and use the Restore Policy button

Close all programs and doubleclick recyclerem.bat

Post back with a HijackThis log.

Regards,

Pieter
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP