Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 347
  • Last Modified:

vimzkl.exe Removal

I need help removing this program.  No matter what I do, it is always back when i restart the computer.  I've tried Adaware, Spybot, Counter Spy, Hijack This, Tend Micro Online virus scan, Kill Box, DLL Compare, and Adaware Away - and I've run them all in safe mode and regular mode.  I've done all the usual other spyware removal techniques, but can't get rid of it.  My Hijack This log is posted below.  Any advice to get rid of this will be appreciated.  Recommending a format and reinstall is not necessary because I already know that will fix just about anything - I'd just rather avoid that scenario.

<<  Hijack This log removed by humeniuk, Page Editor  >>
<<  log file available at www.hijackthis.de/logfiles/beee8c753a8283f57ce344aebf8040f9.html >>
0
CTSLA
Asked:
CTSLA
  • 3
  • 2
  • 2
  • +2
2 Solutions
 
dis1931Commented:
Have you tried simply starting in safe mode and deleting the file from the windows\system32 folder as well as deleting the registry key that is attempting to start it up on login.

Dis
0
 
CTSLAAuthor Commented:
Yes, several times.  I've even used Kill Box to delete on restart, but it always comes back.
0
 
dis1931Commented:
I haven't an idea....i've never heard of that particular process and i can't find any info on it????

Doesn't appear you really have anything bad running in that hijack this log...at least none that should cause problems...

The only other thing I can think of is using your firewall to block this executable from starting up but then you still have the issue that someone/something is trying to start it up and is obviously replacing it in the same folder when you delete it so you do have some other spyware/adware/virus on your PC that should be taken care of.  It looks like you have done most things that you would normally do...Did you check for any weird services starting up....these are usually the culprit of applications repopulating themselves?  Other than that I would say have fun re-formating....it is sometimes the best way to make sure your system is clean...
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
rossfingalCommented:
Hi!

Make sure "Show all Files and Folders", including hidden and system is enabled.
Turn off "System Restore".

You should copy and paste these instructions into Notepad -
you're going to have to go into "Safe" mode - no Internet connection.

In Add/Remove Programs in Control Panel -
uninstall "Weather Bug".

Right-click on the taskbar and choose Task Manager.
In the list of running processes look for:
vimzkl.exe
weather.exe
Kill them, if they're present.

With all browser windows closed and no connection to the Internet:
Run HijackThis again and have it fix the following:
C:\WINDOWS\system32\vimzkl.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vimzkl.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

Click on "Start" - click on "Run" - in the run box type "services.msc" (without quotes)
In the list of running Services look for any that relate to the 2 processes listed above.
If they're present "Stop" and "Disable" them.

Clean out all your "temp" files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

Restart your computer into "Safe" mode.
Go through the same steps with Task Manager and services.msc as above.

Using Windows Explorer (Not "Search") check your computer for any instance of:
vimzkl.exe
weather.exe
Delete any that you find -
Make sure you check the dllcache, Prefetch, and all "temp" folders.
Delete the folder "AWS" located at:
C:\Program Files\AWS <-<- this folder

Clean out all your "temp" files.
Empty the Recycle Bin.

Run Killbox and copy and paste the full path into it:
C:\WINDOWS\system32\vimzkl.exe
Put a check-mark on "End Explorer Shell While Killing File"
Make sure "Delete on Reboot" is checked.
Click on the red "X"

Allow the computer to restart into "Normal" mode (or, restart it yourself if you have to).

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

We'll take a look at it!  :)

Please, in the future, do not post your HijackThis log file here!

Here's the Experts-Exchange guidelines on posting HijackThis logs:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

Good luck!
RF
0
 
greyknight17Commented:
You have a bad infection there.  You will NOT be able to fix these just by your normal deletions (or with KillBox) because there are other files associated with this infection that are hidden.

I will need these logs from you (do not delete anything since some may be good files):

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune.org/downloads/KillBox.exe
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Download the remv3.zip at http://forums.skads.org/index.php?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Run CleanUp program now and logoff.

REBOOT TO SAFE MODE. These tools MUST be run in safe mode!
Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.
0
 
CTSLAAuthor Commented:
The scan for REMV3 caused my computer to shut down about ten minutes into it.  I tried it twice.  When I first started working on this laptop, it would shut down when I tried to run a scan of any type - spyware scan or virus scan.

The log for rkfiles is:
Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
 Volume in drive C has no label.
 Volume Serial Number is 5083-5EBA

 Directory of C:\WINDOWS\system32

msi.dll
Finished




Here is the link for my current Hijack This log:
http://www.hijackthis.de/logfiles/beee8c753a8283f57ce344aebf8040f9.html


Thanks for this and any future advice.
0
 
greyknight17Commented:
Did you run these two in Safe Mode?  Did you wait until the DOS window closed before opening up those two log files?

If you did, nothing is showing up here which is weird.  There usually are a couple of files here.  So make sure you are doing this in safe mode and wait until the dos window closes.

If that's what you did already, then try these logs to see if they will show any files:

Download FindQoologic-Narrator.zip at http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981 and save it to your Desktop.  Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic.  Now unzip the file contents of that zip file into that folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply.

Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it.  Click on the 'Locate.com' button.  Wait a few seconds and then click on the 'Compare' button.  Let it run, then click on 'Make a log of what was found'.  Post that log here.  Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
0
 
SlymCommented:
Just for grins, in safe mode, look in:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

I had a similar situation last week on a workstation where the bad file could not be deleted, even in safe mode and with Killbox.  There was a hidden file in the startup folder called nkur.exe.  I suppose it could be a random file name, so it could be anything.  Post back if you see anything odd there.  One caveat - after I found it, I navigated away to open a snoop program.  When I returned it was not visible anymore.  Rebooted to safe mode and there it was again.

Maybe yours is similar to this.
0
 
CTSLAAuthor Commented:
I appreciate everyone's help with this.  I already had a lot of time into this, and the customer said she was not having a problem with the computer shutting down.  Since the problem only occurs when scanning for viruses or spyware, she elected to take the computer as-is.  I did a follow-up with her and all is good.  Something obviously is causing the problem, but I guess it will have to remain a mystery for right now.  Thank for your help.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now