Jump to content
Compatible Support Forums
Sign in to follow this  
wo653

I need help, Quick!

Recommended Posts

Greetings. I'm in urgent need of help with spyware attacks

 

I have ad-aware 6 spybot s and d

hijack this

Thats it

 

Well i get a pop up every minute or so... just 1 every minute for some random thing ... i know i dont have the big stuff like 180searchware or coolwwwsearch

 

Its not big thats why its wierd

but ok i scan on all 3 and get rid of all 3

 

i think its called elitejky32.exe and vimml.exe or something

and i get rid of them... but they come back...

Spyware gets rid of it then it just comes back.

 

What do i do, I really cant just reformat.

 

 

EDIT : Ok I figured out some things

 

Its called Ebates Moneymaker , i got rid of the registry thing

so ebates is gone

 

my new one is in the processes its called

 

Vimmll.exe

I cant find it in spybot or ad-aware and it only shows up on hijack but it comes back too... is there somthing i do for that?

Share this post


Link to post

Can we see your hijack this log?

 

What OS you got? XP?

 

If you got XP then:

Disable Simple File Sharing

1. Open My Computer from the Start Menu or Windows XP Desktop. A new My Computer window will appear.

2. Open the Tools menu and choose the "Folder Options..." option from this menu. A new Folder Options window will appear.

3. Click on the View tab and locate the "Use Simple File Sharing (Recommended)" checkbox in the list of Advanced Settings.

4. To enable Simple File Sharing, ensure this checkbox is checked. To disable Simple File Sharing, ensure this checkbox is not checked. Click inside the checkbox to alternately enable and disable the option.

5. Click OK to close the Folder Options window. The settings for Simple File Sharing are now updated; no computer reboot is required.

 

jerry atrik's tip

Quote:

right click the nasty file (In your case: "vimmll.exe") properties/security tab/advanced

uncheck the "inherit from parent permissions" box

yes to the annoyance popup

apply

remove all users (including system) from the groups/users box

yes to the annoyance popup

reboot

the file is now unable to do anything

u can either leave it or re-take ownership and delete it

(because the system didnt have permission to load it it wont load at boot)

Share this post


Link to post

Logfile of HijackThis v1.99.1

Scan saved at 11:36:52 AM, on 4/20/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\vimmll.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jordan\Desktop\Krap\HijackThis.exe

 

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitejky32.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vimmll.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min

O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

 

 

I've known how to keep a clean fast computer until this everything feels slow i just cant stand it...

Any other info

Win xp pro

 

Share this post


Link to post

See, That's the hard thing

I could have done that

 

"What Jarry Ark" said

 

but the thing is i cant find the file and if i delete it it will come back so i have to use that tip but i cant find the file it says its in the sys32 folder, Apparnetly not after my searching

Share this post


Link to post

It is probably a hidden file. Bring up my computer, select Tools, Folder options, view tab, click the radial button on "Show hidden files and folders". Also, uncheck "Hide protected operating system files". Select yes, on the warning, hit okay. Search for that file again.

Share this post


Link to post

Alright, All good tips guys. Thanks a bunch, I'm still finding it because Theefools tip helped and jarry your help worked but im still findint out some stuff but thanks so much already

Share this post


Link to post

Ahhhh, It wont stop... I use all the spyware i can use to get rid o f it... It wont go away... i look for it , its not there i used all your tips... it just keeps coming with the popups... NOOOOO evil popups what do i do... nothings working

Share this post


Link to post

http://www.majorgeeks.com/download.php?det=4465

download this and run in safe mode

 

Also, download the following:

http://lineofire.geekstogo.com/FindIt%20NT-2K-XP.zip

 

# Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.

# Navigate to the FindIt NT-2K-XP directory.

# Double-click on FindVX2.bat and wait for it to run.

# It should open a Notepad window with the FindVX2 log.

# Post the contents of FindVX2.txt into your next post.

 

This is a nice batch file. I've used it a couple times. In fact I already have an improved version of this, that I did on my own.

Share this post


Link to post

Ok this is kind of big but

 

---------------- FindVX2 NT-2K-XP ----------------

 

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

***** Operating System *****

 

Microsoft Windows XP Professional 5.1 (Build 2600)

 

********* Date/Time ********

 

Thursday, April 21, 2005 (4/21/2005)

1:44 PM, Pacific Daylight Time

 

*********** Path ***********

 

FindVX2.bat is running from: C:\Documents and Settings\Jordan\Desktop\FindIt NT-2K-XP

 

------- System Files in System32 Directory -------

 

Volume in drive C has no label.

Volume Serial Number is 50D1-34D6

 

Directory of C:\WINDOWS\System32

 

04/21/2005 12:14 PM <DIR> dllcache

0 File(s) 0 bytes

1 Dir(s) 62,642,429,952 bytes free

 

------- Hidden Files in System32 Directory -------

 

Volume in drive C has no label.

Volume Serial Number is 50D1-34D6

 

Directory of C:\WINDOWS\System32

 

04/21/2005 12:14 PM <DIR> dllcache

04/14/2005 01:06 PM 488 WindowsLogon.manifest

04/14/2005 01:06 PM 488 logonui.exe.manifest

04/14/2005 01:06 PM 749 nwc.cpl.manifest

04/14/2005 01:06 PM 749 sapi.cpl.manifest

04/14/2005 01:06 PM 749 wuaucpl.cpl.manifest

04/14/2005 01:06 PM 749 cdplayer.exe.manifest

04/14/2005 01:06 PM 749 ncpa.cpl.manifest

7 File(s) 4,721 bytes

1 Dir(s) 62,642,429,952 bytes free

 

--------------- Files Named "Guard" --------------

 

Volume in drive C has no label.

Volume Serial Number is 50D1-34D6

 

Directory of C:\WINDOWS\System32

 

 

-------- Temp Files in System32 Directory --------

 

Volume in drive C has no label.

Volume Serial Number is 50D1-34D6

 

Directory of C:\WINDOWS\System32

 

08/23/2001 05:00 AM 2,577 CONFIG.TMP

1 File(s) 2,577 bytes

0 Dir(s) 62,642,425,856 bytes free

 

------------------- User Agent -------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"iebar"=""

 

--------------- Keys Under Notify ----------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

------------ Shell Extensions Approved -----------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

 

--------------- Locate.com Results ---------------

 

C:\WINDOWS\SYSTEM32\

cdplay~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K

logonu~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K

ncpacp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K

nwccpl~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K

sapicp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K

window~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K

wuaucp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K

 

7 items found: 7 files, 0 directories.

Total of file sizes: 4,721 bytes 4.61 K

 

---------------- FindVX2 NT-2K-XP ----------------

Share this post


Link to post

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

* urllogic C:\WINDOWS\JMHHV.DLL

* qoologic C:\WINDOWS\JMHHV.DLL

* qoologic C:\WINDOWS\UNADBEH.EXE

 

* ad-beh C:\WINDOWS\System32\ADPPQ.DLL

* ad-beh C:\WINDOWS\System32\TSHHBBR.DLL

* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL

* ad-beh C:\WINDOWS\System32\BDRRQQM.EXE

* ad-beh C:\WINDOWS\System32\VIMMLL.EXE

* ad-beh C:\WINDOWS\System32\WMCONFIG.CPL

* ad-beh C:\WINDOWS\UNADBEH.EXE

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

* exe C:\docume~1\alluse~1\startm~1\programs\startup\NRPP.EXE

 

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

 

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3

 

Global Startup:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

.

..

desktop.ini

nrpp.exe

 

User Startup:

C:\Documents and Settings\Jordan\Start Menu\Programs\Startup

.

..

desktop.ini

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

 

! REG.EXE VERSION 3.0

 

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

 

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk

<NO NAME> REG_SZ {ff549842-977e-454e-a730-3e4f5f3d81e3}

 

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

 

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

 

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

 

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR

<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

 

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

<NO NAME> REG_SZ Start Menu Pin

 

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

"Find activesetup", version1, launched at: 14:54

Operating System: Windows XP

 

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

"6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)" = ""

\StubPath = "C:\WINDOWS\System32\bdrrqqm.exe" [null data]

 

 

Share this post


Link to post

Okay.

 

This might be a pain, but go into safe mode.

bring up a command prompt.

Also, I prefer going into the Recovery Console.

 

go to the c:\windows directory by typing in:

cd\windows

then type in

attrib -r -h -s -a jmhhv.dll

attrib -r -h -s -a unadbeh.exe

erase jmhhv.dll

erase unadbeh.exe

cd system32

attrib -r -h -s -a adppq.dll

attrib -r -h -s -a tshhbbr.dll

attrib -r -h -s -a winup2~1.dll

attrib -r -h -s -a bdrrqqm.exe

attrib -r -h -s -a vimmll.exe

attrib -r -h -s -a wmconfig.cpl

erase adppq.dll

erase tshhbbr.dll

erase winup2~1.dll

erase bdrrqqm.exe

erase vimmll.exe

erase wmconfig.cpl

cd\docume~1\alluse~1\starm~1\programs\startup

attrib -r -h -s -a nrpp.exe

erase nrpp.exe

exit

then click start, run, regedit

now migrate to HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk

 

delete the key fmttkkxx

 

now migrate to

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

 

delete the key "6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)

 

reboot back into normal mode, and give me your logs again.

 

If you have any questions before doing any of this, feel free to ask them.

 

Your problem is from the qoologic trojan downloader. Avast can find it, but not get rid of it. Norton can't find it, mcafee can't find it, adaware doesn't do anything, spybot nothing, MS antispyware doesn't fix it.

 

This roundabout way is the only way I know how to fix this. Though, I'm presently (unless someone beats me to it) making a program that is a bit more optimized.

Share this post


Link to post

Originally posted by theefool:

Quote:
Though, I'm presently (unless someone beats me to it) making a program that is a bit more optimized.

Good luck in your project. smile

Share this post


Link to post

The hard part is that not everything in those logs are considered bad.

 

I already have at home a batch file that does exactly the same as findit, except it is a bit more friendly. Also, it autocreates a batch file that needs to be run to fix these issues. But, it still needs some work. Like some error level checks.

 

I've been writing batch files for about 10 years. My favourite ones were when ansi.sys was popular......

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×