Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help med Rundll.

Started by Poseidon , Jan 13 2005 08:54 AM

  • This topic is locked This topic is locked

#16
Poseidon
Posted 15 January 2005 - 11:55 AM

Poseidon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
THANKS A LOT FOR HELPING ME.
It works now.I have no ERRORS.

HERE IS THE NEW WITHOUT ERROR AND CLEAN LOG.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\TEMP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2005-01-01 20:05 16 AdCache
2004-11-06 13:18 <KAT> Microsoft
3 fil(er) 920 byte
2 katalog(er) 11˙240˙837˙120 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2005-01-13 14:55 <KAT> dllcache
2005-01-10 19:56 848 KGyGaAvL.sys
2005-01-02 23:11 56 25FCC6DEDD.sys
2004-10-27 11:50 <KAT> GroupPolicy
2004-10-25 18:21 4˙212 zllictbl.dat
2004-10-19 08:02 488 WindowsLogon.manifest
2004-10-19 08:02 488 logonui.exe.manifest
2004-10-19 08:02 749 sapi.cpl.manifest
2004-10-19 08:02 749 nwc.cpl.manifest
2004-10-19 08:02 749 wuaucpl.cpl.manifest
2004-10-19 08:02 749 cdplayer.exe.manifest
2004-10-19 08:02 749 ncpa.cpl.manifest
10 fil(er) 9˙837 byte
2 katalog(er) 11˙240˙833˙024 byte ledigt

------------ Files Named "Guard" ---------------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volymen i enhet C har ingen etikett.
Volymens serienummer „r A87B-532E

Inneh†ll i katalogen C:\WINDOWS\System32

2001-08-23 14:00 147˙483 scrrun.dll.tmp
1 fil(er) 147˙483 byte
0 katalog(er) 11˙240˙833˙024 byte ledigt

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv4o09h3e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
25fcc6~1.sys Sun 2005-01-02 23.11.06 ..SHR 56 0,05 K
adcache Sat 2005-01-01 20.05.52 ..S.R 16 0,02 K
cdplay~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
kgygaavl.sys Mon 2005-01-10 19.57.00 A.SH. 848 0,83 K
logonu~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
ncpacp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
nwccpl~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
sapicp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
window~1.man Tue 2004-10-19 8.02.10 A..HR 488 0,48 K
wuaucp~1.man Tue 2004-10-19 8.02.04 A..HR 749 0,73 K
zllictbl.dat Mon 2004-10-25 18.21.04 ...H. 4 212 4,11 K

11 items found: 11 files, 0 directories.
Total of file sizes: 9 853 bytes 9,62 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\Incinerator.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Armor2net"="C:\\Program\\Armor2net\\Armor2net Personal Firewall\\Armor2net.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

Advertisements

#17
Metallica
Posted 15 January 2005 - 12:23 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
It looks like the files are gone, but we need to do soemthing about the registry.

Save this text as FixVX3.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX3.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8ADBD08F-E58E-4378-AA53-2F3FDA85A775}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]


Regards,

Pieter

[edit] As there has been no response from the original poster, this topic is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 15 April 2005 - 11:50 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP