Hello again.
You have several different nasty infections there. It may take a few passes to get all of this cleaned up, and I again ask for your patience as we tackle it. Let's get started.
Before proceeding, please print this page or copy it to Notepad to help you carry out the instructions. If you have questions about any instruction, please ask before performing it.
Download and install CleanUp.
Download KillBox.
Download Rkfiles.zip and UNZIP the contents to a permanent folder on your desktop.
Download the attachment remv3.zip from this page. Make a folder on the root drive C:\ and unzip the files into it.
Download ewido security suite.
It looks like you have been infected with at least one virus. If you have a fast internet connection (broadband), run an online scan at Trend Micro or RAV Antivirus. Please select the "autoclean" option when using Trend Micro.
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Update ewido's database. Run a scan and let it clean the PC.
Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.
Reboot your system into Safe Mode: restart it and then repeatedly tap the F8 key until the menu appears, then select Safe Mode.
Open HijackThis. Click Config > Misc. Tools > Open process manager. If they still exist -- and they might not -- select the following items one at a time and click Kill process for each:
c:\windows\system32\mcrnng.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\mmvpvm.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\mriim700.exe
C:\WINDOWS\System32\abasa5jrp.exe
Click Start > (Settings >) Control Panel > Add/Remove Programs. If the following programs exist -- and they might not -- uninstall them:
kxakzuqs
Open HijackThis and click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsmD9.dll
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mmvpvm.exe
O4 - HKLM\..\Run: [vwmgzo] c:\windows\system32\vwmgzo.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\Owner\LOCALS~1\Temp\180SACIDInstaller.exe /did=5592
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [kxakzuqs] C:\Program Files\kxakzuqs\kxakzuqs.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [mhxokc] c:\windows\system32\mcrnng.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [krwk] C:\PROGRA~1\COMMON~1\krwk\krwkm.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [aw47RfJme] mriim700.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Please close all other windows, including browsers, then click Fix checked.
If they still exist, delete the following files indicated in RED and folders indicated in BLUE.
Files:
C:\WINDOWS\System32\abasa5jrp.exe
C:\WINDOWS\System32\ap9h4qmo.exe
c:\windows\system32\mcrnng.exe
C:\WINDOWS\System32\mmvpvm.exe
C:\WINDOWS\System32\mriim700.exe
C:\WINDOWS\System32\nsmD9.dll
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\winupdt.exe
c:\windows\system32\vwmgzo.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\Nail.exe
You'll need to search for these files:
AUNPS2.DLL
mriim700.exe (we've already deleted one by this name, but let's make sure there's not another)
Folders:
C:\PROGRAM FILES\COMMON FILES\krwk
C:\Program Files\kxakzuqs
Reboot your system into Safe Mode once more (again, this means repeatedly tapping F8 until the menu appears, then selecting Safe Mode).
This is very important, as the following must be done in Safe Mode!
Double-click rkfiles.bat. It will scan for a while, so please be patient. Wait until the DOS window closes, then open the C:\log.txt it created and rename it log1.txt.
This is important: both this tool and the next one use log.txt as the logfile name, so if you don't rename this one, it'll be overwritten when you run the next tool, and you don't want that!
Next, open the folder where you unzipped the remv3.zip files, and double-click the rem.bat file. Let it run. It will delete the files and remove the infection, and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.
Reboot back to normal mode.
In your next post, please include a fresh HijackThis log and the contents of both the log.txt and log1.txt (from the rkfiles and rem.bat scans), and let's see how much progress we've made.
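As an added example (not part of the original post or of any tool it names), the following Python script parses the HijackThis entry types quoted above (O2, O4, O23, F2) and splits the files they reference into full paths and bare names that carry no directory, which is why the post asks you to search for AUNPS2.DLL and mriim700.exe rather than delete them at a fixed location. The sample log is constructed from entries of the same shape as those in the post.

```python
import re

# Constructed sample, modelled on the entry types quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKCU\..\Run: [aw47RfJme] mriim700.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=Explorer\.exe (.+)$")

def image_of(command):
    """Reduce an autostart command to the file it actually loads: RUNDLL32
    entries load the DLL named before the comma, otherwise the first token."""
    tokens = command.strip().split()
    if tokens[0].lower().startswith("rundll32") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]

def parse_hjt(text):
    """Return (section, label, image) for each entry type the post deals with."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append(("O4", f"{m[1]}\\{m[2]}:{m[3]}", image_of(m[4])))
        elif m := O2_RE.match(line):
            entries.append(("O2", m[2], m[3].strip()))
        elif m := O23_RE.match(line):
            entries.append(("O23", m[1], image_of(m[3])))
        elif m := F2_RE.match(line):
            entries.append(("F2", "Shell", m[1].strip()))
    return entries

def file_checklist(text):
    """Full paths can be deleted directly; bare names carry no directory
    (Windows resolves them via the search path), so they must be searched for."""
    full, bare = [], []
    for _, _, image in parse_hjt(text):
        (full if "\\" in image else bare).append(image)
    return sorted(set(full)), sorted(set(bare))
```

Running `file_checklist(SAMPLE_LOG)` on the sample returns five full paths and the two bare names `AUNPS2.DLL` and `mriim700.exe`, matching the post's "search for these files" list.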