wo653 0 Posted April 20, 2005 Greetings. I'm in urgent need of help with spyware attacks I have ad-aware 6 spybot s and d hijack this Thats it Well i get a pop up every minute or so... just 1 every minute for some random thing ... i know i dont have the big stuff like 180searchware or coolwwwsearch Its not big thats why its wierd but ok i scan on all 3 and get rid of all 3 i think its called elitejky32.exe and vimml.exe or something and i get rid of them... but they come back... Spyware gets rid of it then it just comes back. What do i do, I really cant just reformat. EDIT : Ok I figured out some things Its called Ebates Moneymaker , i got rid of the registry thing so ebates is gone my new one is in the processes its called Vimmll.exe I cant find it in spybot or ad-aware and it only shows up on hijack but it comes back too... is there somthing i do for that? Share this post Link to post
theefool 0 Posted April 20, 2005 If you have the elite toolbar download the elite toolbar remover: http://www.majorgeeks.com/download.php?det=4465 If you are getting popups every minute or so, this may (or may not) be qoologic. If so, what is your OS? Share this post Link to post
Wilhelmus 1 Posted April 20, 2005 Can we see your hijack this log? What OS you got? XP? If you got XP then: Disable Simple File Sharing 1. Open My Computer from the Start Menu or Windows XP Desktop. A new My Computer window will appear. 2. Open the Tools menu and choose the "Folder Options..." option from this menu. A new Folder Options window will appear. 3. Click on the View tab and locate the "Use Simple File Sharing (Recommended)" checkbox in the list of Advanced Settings. 4. To enable Simple File Sharing, ensure this checkbox is checked. To disable Simple File Sharing, ensure this checkbox is not checked. Click inside the checkbox to alternately enable and disable the option. 5. Click OK to close the Folder Options window. The settings for Simple File Sharing are now updated; no computer reboot is required. jerry atrik's tip Quote: right click the nasty file (In your case: "vimmll.exe") properties/security tab/advanced uncheck the "inherit from parent permissions" box yes to the annoyance popup apply remove all users (including system) from the groups/users box yes to the annoyance popup reboot the file is now unable to do anything u can either leave it or re-take ownership and delete it (because the system didnt have permission to load it it wont load at boot) Share this post Link to post
wo653 0 Posted April 20, 2005 Logfile of HijackThis v1.99.1 Scan saved at 11:36:52 AM, on 4/20/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\vimmll.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\System32\msiexec.exe C:\Program Files\Ventrilo\Ventrilo.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jordan\Desktop\Krap\HijackThis.exe O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitejky32.exe O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vimmll.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe I've known how to keep a clean fast computer until this everything feels slow i just cant stand it... Any other info Win xp pro Share this post Link to post
wo653 0 Posted April 20, 2005 See, That's the hard thing I could have done that "What Jarry Ark" said but the thing is i cant find the file and if i delete it it will come back so i have to use that tip but i cant find the file it says its in the sys32 folder, Apparnetly not after my searching Share this post Link to post
theefool 0 Posted April 20, 2005 It is probably a hidden file. Bring up my computer, select Tools, Folder options, view tab, click the radial button on "Show hidden files and folders". Also, uncheck "Hide protected operating system files". Select yes, on the warning, hit okay. Search for that file again. Share this post Link to post
Jerry Atrik 0 Posted April 21, 2005 when i cant find the offending file i scan with adaware and look at the files it "can't" delete Share this post Link to post
wo653 0 Posted April 21, 2005 Alright, All good tips guys. Thanks a bunch, I'm still finding it because Theefools tip helped and jarry your help worked but im still findint out some stuff but thanks so much already Share this post Link to post
wo653 0 Posted April 21, 2005 Ahhhh, It wont stop... I use all the spyware i can use to get rid o f it... It wont go away... i look for it , its not there i used all your tips... it just keeps coming with the popups... NOOOOO evil popups what do i do... nothings working Share this post Link to post
theefool 0 Posted April 21, 2005 http://www.majorgeeks.com/download.php?det=4465 download this and run in safe mode Also, download the following: http://lineofire.geekstogo.com/FindIt%20NT-2K-XP.zip # Unzip the contents of FindIt NT-2K-XP.zip to a convenient location. # Navigate to the FindIt NT-2K-XP directory. # Double-click on FindVX2.bat and wait for it to run. # It should open a Notepad window with the FindVX2 log. # Post the contents of FindVX2.txt into your next post. This is a nice batch file. I've used it a couple times. In fact I already have an improved version of this, that I did on my own. Share this post Link to post
theefool 0 Posted April 21, 2005 Also, download and post the log of this program too. http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981 Share this post Link to post
wo653 0 Posted April 21, 2005 Ok this is kind of big but ---------------- FindVX2 NT-2K-XP ---------------- Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing. ***** Operating System ***** Microsoft Windows XP Professional 5.1 (Build 2600) ********* Date/Time ******** Thursday, April 21, 2005 (4/21/2005) 1:44 PM, Pacific Daylight Time *********** Path *********** FindVX2.bat is running from: C:\Documents and Settings\Jordan\Desktop\FindIt NT-2K-XP ------- System Files in System32 Directory ------- Volume in drive C has no label. Volume Serial Number is 50D1-34D6 Directory of C:\WINDOWS\System32 04/21/2005 12:14 PM <DIR> dllcache 0 File(s) 0 bytes 1 Dir(s) 62,642,429,952 bytes free ------- Hidden Files in System32 Directory ------- Volume in drive C has no label. Volume Serial Number is 50D1-34D6 Directory of C:\WINDOWS\System32 04/21/2005 12:14 PM <DIR> dllcache 04/14/2005 01:06 PM 488 WindowsLogon.manifest 04/14/2005 01:06 PM 488 logonui.exe.manifest 04/14/2005 01:06 PM 749 nwc.cpl.manifest 04/14/2005 01:06 PM 749 sapi.cpl.manifest 04/14/2005 01:06 PM 749 wuaucpl.cpl.manifest 04/14/2005 01:06 PM 749 cdplayer.exe.manifest 04/14/2005 01:06 PM 749 ncpa.cpl.manifest 7 File(s) 4,721 bytes 1 Dir(s) 62,642,429,952 bytes free --------------- Files Named "Guard" -------------- Volume in drive C has no label. Volume Serial Number is 50D1-34D6 Directory of C:\WINDOWS\System32 -------- Temp Files in System32 Directory -------- Volume in drive C has no label. Volume Serial Number is 50D1-34D6 Directory of C:\WINDOWS\System32 08/23/2001 05:00 AM 2,577 CONFIG.TMP 1 File(s) 2,577 bytes 0 Dir(s) 62,642,425,856 bytes free ------------------- User Agent ------------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "iebar"="" --------------- Keys Under Notify ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ------------ Shell Extensions Approved ----------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] --------------- Locate.com Results --------------- C:\WINDOWS\SYSTEM32\ cdplay~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K logonu~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K ncpacp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K nwccpl~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K sapicp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K window~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K wuaucp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K 7 items found: 7 files, 0 directories. Total of file sizes: 4,721 bytes 4.61 K ---------------- FindVX2 NT-2K-XP ---------------- Share this post Link to post
wo653 0 Posted April 21, 2005 PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» * urllogic C:\WINDOWS\JMHHV.DLL * qoologic C:\WINDOWS\JMHHV.DLL * qoologic C:\WINDOWS\UNADBEH.EXE * ad-beh C:\WINDOWS\System32\ADPPQ.DLL * ad-beh C:\WINDOWS\System32\TSHHBBR.DLL * ad-beh C:\WINDOWS\System32\WINUP2~1.DLL * ad-beh C:\WINDOWS\System32\BDRRQQM.EXE * ad-beh C:\WINDOWS\System32\VIMMLL.EXE * ad-beh C:\WINDOWS\System32\WMCONFIG.CPL * ad-beh C:\WINDOWS\UNADBEH.EXE »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» * exe C:\docume~1\alluse~1\startm~1\programs\startup\NRPP.EXE »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»» (fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3 Global Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup . .. desktop.ini nrpp.exe User Startup: C:\Documents and Settings\Jordan\Start Menu\Programs\Startup . .. desktop.ini »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»» ! REG.EXE VERSION 3.0 HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk <NO NAME> REG_SZ {ff549842-977e-454e-a730-3e4f5f3d81e3} HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03} HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936} HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46} HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR <NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA} HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} <NO NAME> REG_SZ Start Menu Pin »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» "Find activesetup", version1, launched at: 14:54 Operating System: Windows XP HKLM\Software\Microsoft\Active Setup\Installed Components\ "6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)" = "" \StubPath = "C:\WINDOWS\System32\bdrrqqm.exe" [null data] Share this post Link to post
theefool 0 Posted April 21, 2005 Okay. This might be a pain, but go into safe mode. bring up a command prompt. Also, I prefer going into the Recovery Console. go to the c:\windows directory by typing in: cd\windows then type in attrib -r -h -s -a jmhhv.dll attrib -r -h -s -a unadbeh.exe erase jmhhv.dll erase unadbeh.exe cd system32 attrib -r -h -s -a adppq.dll attrib -r -h -s -a tshhbbr.dll attrib -r -h -s -a winup2~1.dll attrib -r -h -s -a bdrrqqm.exe attrib -r -h -s -a vimmll.exe attrib -r -h -s -a wmconfig.cpl erase adppq.dll erase tshhbbr.dll erase winup2~1.dll erase bdrrqqm.exe erase vimmll.exe erase wmconfig.cpl cd\docume~1\alluse~1\starm~1\programs\startup attrib -r -h -s -a nrpp.exe erase nrpp.exe exit then click start, run, regedit now migrate to HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk delete the key fmttkkxx now migrate to HKLM\Software\Microsoft\Active Setup\Installed Components\ delete the key "6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default) reboot back into normal mode, and give me your logs again. If you have any questions before doing any of this, feel free to ask them. Your problem is from the qoologic trojan downloader. Avast can find it, but not get rid of it. Norton can't find it, mcafee can't find it, adaware doesn't do anything, spybot nothing, MS antispyware doesn't fix it. This roundabout way is the only way I know how to fix this. Though, I'm presently (unless someone beats me to it) making a program that is a bit more optimized. Share this post Link to post
Wilhelmus 1 Posted April 22, 2005 Originally posted by theefool: Quote: Though, I'm presently (unless someone beats me to it) making a program that is a bit more optimized. Good luck in your project. Share this post Link to post
theefool 0 Posted April 22, 2005 The hard part is that not everything in those logs are considered bad. I already have at home a batch file that does exactly the same as findit, except it is a bit more friendly. Also, it autocreates a batch file that needs to be run to fix these issues. But, it still needs some work. Like some error level checks. I've been writing batch files for about 10 years. My favourite ones were when ansi.sys was popular...... Share this post Link to post
