vimzkl.exe Removal

Posted on 2005-05-02
Last Modified: 2013-12-04
I need help removing this program.  No matter what I do, it is always back when I restart the computer.  I've tried Adaware, Spybot, Counter Spy, Hijack This, Trend Micro Online virus scan, Kill Box, DLL Compare, and Adaware Away - and I've run them all in safe mode and regular mode.  I've done all the usual other spyware removal techniques, but can't get rid of it.  My Hijack This log is posted below.  Any advice to get rid of this will be appreciated.  Recommending a format and reinstall is not necessary because I already know that will fix just about anything - I'd just rather avoid that scenario.

<<  Hijack This log removed by humeniuk, Page Editor  >>
<<  log file available at >>
Question by: CTSLA
    LVL 10

    Expert Comment

    Have you tried simply starting in safe mode and deleting the file from the windows\system32 folder, as well as deleting the registry key that is attempting to start it up on login?


    Author Comment

    Yes, several times.  I've even used Kill Box to delete on restart, but it always comes back.
    LVL 10

    Expert Comment

    I haven't an idea....I've never heard of that particular process and I can't find any info on it.

    Doesn't appear you really have anything bad running in that hijack this least none that should cause problems...

    The only other thing I can think of is using your firewall to block this executable from starting up but then you still have the issue that someone/something is trying to start it up and is obviously replacing it in the same folder when you delete it so you do have some other spyware/adware/virus on your PC that should be taken care of.  It looks like you have done most things that you would normally do...Did you check for any weird services starting up....these are usually the culprit of applications repopulating themselves?  Other than that I would say have fun is sometimes the best way to make sure your system is clean...
    LVL 12

    Accepted Solution


    Make sure "Show all Files and Folders", including hidden and system is enabled.
    Turn off "System Restore".

    You should copy and paste these instructions into Notepad -
    you're going to have to go into "Safe" mode - no Internet connection.

    In Add/Remove Programs in Control Panel -
    uninstall "Weather Bug".

    Right-click on the taskbar and choose Task Manager.
    In the list of running processes look for:
    Kill them, if they're present.

    With all browser windows closed and no connection to the Internet:
    Run HijackThis again and have it fix the following:
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vimzkl.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -

    Click on "Start" - click on "Run" - in the run box type "services.msc" (without quotes)
    In the list of running Services look for any that relate to the 2 processes listed above.
    If they're present "Stop" and "Disable" them.

    Clean out all your "temp" files:
    # C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
    # C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
      <=This will delete all your cached internet content including cookies.
      This is recommended and strongly suggested!
        However, if you delete all your cookies - this can affect your stored Internet passwords
        and your ability to logon automatically to various sites.
        So, consider deleting all your cookies - optional
    # C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
    # C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
    # C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

    Empty your "Recycle Bin".

    Restart your computer into "Safe" mode.
    Go through the same steps with Task Manager and services.msc as above.

    Using Windows Explorer (Not "Search") check your computer for any instance of:
    Delete any that you find -
    Make sure you check the dllcache, Prefetch, and all "temp" folders.
    Delete the folder "AWS" located at:
    C:\Program Files\AWS <-<- this folder

    Clean out all your "temp" files.
    Empty the Recycle Bin.

    Run Killbox and copy and paste the full path into it:
    Put a check-mark on "End Explorer Shell While Killing File"
    Make sure "Delete on Reboot" is checked.
    Click on the red "X"

    Allow the computer to restart into "Normal" mode (or, restart it yourself if you have to).

    With all browser windows closed - run HijackThis and
    copy and paste the log file into the Analysis site here:

    Click on the "Analyze" button; and when the analysis is done -
    Click on the "Save Analysis" button -
    A page will be generated with your saved analysis -
    Post a LINK to that page back here.

    We'll take a look at it!  :)

    Please, in the future, do not post your HijackThis log file here!

    Here are the Experts-Exchange guidelines on posting HijackThis logs:

    Good luck!
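    An added example, not from this thread and not part of HijackThis, Killbox or any other tool named above: a read-only PowerShell audit that walks the locations the accepted solution tells you to check by hand (the Run keys behind the O4 line, services, running processes, system32, dllcache, Prefetch, the temp folders and the Startup folders) and lists every reference to a given file name with its attributes, last-write time and SHA-256. Nothing is deleted; running it before and after a reboot shows which location the file reappears in and whether the returning copy is byte-identical. It goes a little beyond the answer: it also covers the HKCU Run keys and the Vista-and-later profile layout. It assumes a current Windows host with PowerShell 4 or later (Get-CimInstance, Get-FileHash), which the 2005-era machine in the question would not have had, and an elevated prompt so HKLM and other users' profiles are readable; the file name parameter defaults to the one in the question.

```powershell
<#
  Added example (not from the thread): read-only audit of the autostart and
  drop locations the accepted solution checks by hand. Nothing is deleted.
  Assumes PowerShell 4+ (Get-CimInstance, Get-FileHash); run elevated.
#>
param(
    [string]$FileName = 'vimzkl.exe'   # the file named in the question
)

$pattern = [regex]::Escape($FileName)
$hits    = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Where, [string]$Item, [string]$Detail) {
    # .Add mutates the parent-scope list; += would create a local copy
    $hits.Add([pscustomobject]@{ Where = $Where; Item = $Item; Detail = $Detail })
}

# 1. Run / RunOnce keys (the O4 line in the HijackThis log is HKLM\..\Run)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # PS* are the registry provider's own bookkeeping properties, not values
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $pattern) { Add-Hit "Registry $key" $p.Name "$($p.Value)" }
    }
}

# 2. Services whose image path references the file (the services.msc step)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object { Add-Hit 'Service' $_.Name "$($_.State), start=$($_.StartMode): $($_.PathName)" }

# 3. Running processes (the Task Manager step)
$base = [IO.Path]::GetFileNameWithoutExtension($FileName)
Get-Process -Name $base -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'Process' "PID $($_.Id)" "$($_.Path)" }

# 4. File locations named in the answer, plus the Startup folders
$dirs = @(
    "$env:SystemRoot\system32",
    "$env:SystemRoot\system32\dllcache",
    "$env:SystemRoot\Prefetch",
    "$env:SystemRoot\Temp",
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
# Per-profile temp folders: the XP layout from the answer and the Vista+ layout
foreach ($root in "$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users") {
    foreach ($prof in Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue) {
        $dirs += "$($prof.FullName)\Local Settings\Temp"
        $dirs += "$($prof.FullName)\Local Settings\Temporary Internet Files"
        $dirs += "$($prof.FullName)\AppData\Local\Temp"
    }
}

foreach ($dir in ($dirs | Select-Object -Unique)) {
    # -Force includes hidden and system files (the "show all files" setting the
    # answer insists on). "$FileName*" also matches the Prefetch entry
    # (VIMZKL.EXE-xxxxxxxx.pf), which is evidence the binary has actually run.
    Get-ChildItem -Path $dir -Filter "$FileName*" -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Add-Hit 'File' $_.FullName ('{0} bytes, attrs={1}, written {2:u}, sha256={3}' -f `
                $_.Length, $_.Attributes, $_.LastWriteTime, $hash)
        }
}

if ($hits.Count -eq 0) {
    "No reference to $FileName found in the audited locations."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

    Save it as a .ps1 and run it as `.\Audit-Autostart.ps1 -FileName vimzkl.exe` from an elevated prompt, once in normal mode and once after a reboot. A hit that survives deletion with the same SHA-256 points at a dropper that still has a copy somewhere (a service, a scheduled task, or another hidden file, as the later comments in this thread suspect); a hit that comes back with a different hash points at something being re-downloaded or regenerated.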
    LVL 15

    Assisted Solution

    You have a bad infection there.  You will NOT be able to fix these just by your normal deletions (or with KillBox) because there are other files associated with this infection that are hidden.

    I will need these logs from you (do not delete anything since some may be good files):

    Download and install CleanUp
    Download KillBox
    Download rkfiles and unzip the contents to a new folder on your desktop.

    Download the at (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip files into it.

    Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

    Run CleanUp program now and logoff.

    REBOOT TO SAFE MODE. These tools MUST be run in safe mode!
    Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

    Now open the folder where you saved files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

    **Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.

    Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.

    Author Comment

    The scan for REMV3 caused my computer to shut down about ten minutes into it.  I tried it twice.  When I first started working on this laptop, it would shut down when I tried to run a scan of any type - spyware scan or virus scan.

    The log for rkfiles is:
    Files Found.................

    Files Not deleted.................

    Merging registry entries
    The Registry Entries Found...
    Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
     Volume in drive C has no label.
     Volume Serial Number is 5083-5EBA

     Directory of C:\WINDOWS\system32


    Here is the link for my current Hijack This log:

    Thanks for this and any future advice.
    LVL 15

    Expert Comment

    Did you run these two in Safe Mode?  Did you wait until the DOS window closed before opening up those two log files?

    If you did, nothing is showing up here which is weird.  There usually are a couple of files here.  So make sure you are doing this in safe mode and wait until the dos window closes.

    If that's what you did already, then try these logs to see if they will show any files:

    Download at and save it to your Desktop.  Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic.  Now unzip the file contents of that zip file into that folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply.

    Download DllCompare and run it.  Click on the '' button.  Wait a few seconds and then click on the 'Compare' button.  Let it run, then click on 'Make a log of what was found'.  Post that log here.  Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
    LVL 2

    Expert Comment

    Just for grins, in safe mode, look in:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    I had a similar situation last week on a workstation where the bad file could not be deleted, even in safe mode and with Killbox.  There was a hidden file in the startup folder called nkur.exe.  I suppose it could be a random file name, so it could be anything.  Post back if you see anything odd there.  One caveat - after I found it, I navigated away to open a snoop program.  When I returned it was not visible anymore.  Rebooted to safe mode and there it was again.

    Maybe yours is similar to this.

    Author Comment

    I appreciate everyone's help with this.  I already had a lot of time into this, and the customer said she was not having a problem with the computer shutting down.  Since the problem only occurs when scanning for viruses or spyware, she elected to take the computer as-is.  I did a follow-up with her and all is good.  Something obviously is causing the problem, but I guess it will have to remain a mystery for right now.  Thanks for your help.
