Help with Rundll.


  • This topic is locked

#16
Poseidon

    Member

  • Topic Starter
  • 26 posts
THANKS A LOT FOR HELPING ME.
It works now. I have no ERRORS.

HERE IS THE NEW, ERROR-FREE AND CLEAN LOG.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer är A87B-532E

Innehåll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
3 fil(er) 920 byte
2 katalog(er) 11 240 837 120 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer är A87B-532E

Innehåll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4 212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9 837 byte
2 katalog(er) 11 240 833 024 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer är A87B-532E

Innehåll i katalogen C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer är A87B-532E

Innehåll i katalogen C:\WINDOWS\System32

2001-08-23 14:00 147 483 scrrun.dll.tmp
1 fil(er) 147 483 byte
0 katalog(er) 11 240 833 024 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv4o09h3e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

11 items found: 11 files, 0 directories.
Total of file sizes: 9 853 bytes 9,62 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



#17
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
It looks like the files are gone, but we need to do something about the registry.

Save this text as FixVX3.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX3.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]


Regards,

Pieter

[edit] As there has been no response from the original poster, this topic is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 15 April 2005 - 11:50 AM.
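The fix above removes a Winlogon notification package ("Notify\App Management") whose DllName points at a randomly named DLL in system32. As an added example that is not part of the thread, the Find It utility, or the fix posted by the moderator, the script below parses the "Keys Under Notify" REGEDIT4 section from the log earlier in this thread, decodes both plain and hex(2) DllName values, flags any package whose DLL is not one of the stock Windows XP notification DLLs, and builds the same `[-key]` deletion form the moderator's FixVX3.reg uses. The allowlist is an assumption built from the benign entries visible in the log (not an authoritative Microsoft list), the sample input is a trimmed copy of that log section, and all function names are my own.

```python
import re

# Assumption: allowlist of stock Windows XP Winlogon notification DLLs, taken
# from the benign entries visible in the thread's log, not an authoritative list.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Trimmed copy of the "Keys Under Notify" section of the log posted above.
SAMPLE_NOTIFY_DUMP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv4o09h3e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''


def decode_reg_value(raw):
    """Decode a REGEDIT4 value: a quoted string or a hex(2) (REG_EXPAND_SZ) byte list."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")  # stop at NUL terminator
    return raw  # dword:..., left as-is


def parse_notify_dump(text):
    """Return {subkey: {value_name_lowercased: decoded_value}} for keys under Winlogon\\Notify."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex(2) continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path, prefix = line[1:-1], NOTIFY_ROOT + "\\"
            if path.lower().startswith(prefix.lower()) and len(path) > len(prefix):
                current = path[len(prefix):]
                keys[current] = {}
            else:
                current = None  # the Notify root itself or an unrelated key
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = decode_reg_value(value)
    return keys


def find_suspicious(keys):
    """Flag notification packages whose DLL basename is not a stock package."""
    findings = []
    for subkey, values in keys.items():
        dll = values.get("dllname")
        if dll is None:
            continue
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            findings.append((subkey, dll))
    return findings


def removal_reg(findings):
    """Build REGEDIT4 text deleting the flagged subkeys, in the [-key] form used by FixVX3.reg."""
    lines = ["REGEDIT4", ""]
    for subkey, _ in findings:
        lines += [f"[-{NOTIFY_ROOT}\\{subkey}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_suspicious(parse_notify_dump(SAMPLE_NOTIFY_DUMP))
    for subkey, dll in hits:
        print(f"suspicious Notify package {subkey!r} -> {dll}")
    print(removal_reg(hits))
```

Run against the sample, only "App Management" is reported, because every other package resolves to a DLL on the allowlist; a DllName that uses a full path into system32 rather than a bare filename is itself a hint worth a second look, as the legitimate entries in the log all use bare names.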
