WMIHTKL.EXE Virus

patp22
Greetings:
I have a PC hit with the WMIHTKL.exe virus.

This is what I have done so far - still the WMIHTKL.exe keeps coming back:

(1)
I turned System Restore off and tried to run Malwarebytes - it stops Malwarebytes.  I had to rename mbam.exe and then run it and clean up what it found.

(2)
I took the drive out, put it in as a second hard drive on another machine, and cleaned it up using Avira, which is running on the other machines.

(3)
Reinstalled XP over the existing system.

(4)
Had to run netsh a couple of times to reset the IP stack and Winsock.

I can go online now, but the system is slow, and wmihtkl.exe still comes back and runs in the background.

Any suggestions appreciated.

On a related question - is there a way [if I take this drive and put it in as a secondary drive on another XP machine - same XP release/update level] to overwrite all system files?  If I am able to do it, then I know none of my DLLs or Windows files like svchost, services etc. are compromised.

Secondly, is there a way to edit the registry that will be on this second hard drive?

When I googled wmihtkl.exe I found it at the link below:

http://www.prevx.com/filenames/241924833464495123-X1/WMIHTKL.EXE.html

I downloaded and ran it, and they want money to clean up.  So I am skeptical; I have already paid for my existing antivirus solution.

Is prevx.com a scam?  How come none of the other antivirus vendors found out about this executable?


Thanks!!
Commented:
Have you tried ComboFix?  You can download it here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Just make sure that you rename it when you download it, like you did for Malwarebytes.  This is my go-to virus fix if all else fails, and it has worked every time.

Commented:
In order to truly wipe the drive, you need to format it.  That's if all you want to do is make sure nothing is available from the old incarnation of the drive when you reload Windows.  If you want to wipe it so no one has access to your data prior to getting rid of the drive, there are other methods.

You cannot edit a registry on a non-active drive, at least, I've not found a way to do that.

According to the site you found, the bug has only been out a week, provided we can trust that site.  Since I've never heard of Prevx, I'm not going to buy into what they say just because the site looks good.  However, I did find these reviews from online sources I trust, so maybe they ARE legit:

http://www.pcmag.com/article2/0,2817,2346861,00.asp

http://download.cnet.com/Prevx/3000-2239_4-10914524.html
Prevx.com is a valid company, although I don't use their apps.  According to the link you provided this is acting like a rootkit.  Take a look at the article I wrote on rootkits:

http://www.experts-exchange.com/articles/Virus_and_Spyware/Anti-Virus/Anti-rootkit-software.html

You can run SpyDLLRemover - the only problem is that if the rootkit is tenacious it may delete the offending DLL but when you run it again you will find it will come back.  The good thing is that it will identify the DLL as part of a rootkit.

http://www.pendriveapps.com/spyware-remover-spydllremover/
Mohammed Hamada, Senior IT Consultant
Commented:
Hi patp22,
Copying system files from another machine to yours might cause a BSOD every time Windows boots up.  However, you might replace the bad system files (damaged or infected) by reinstalling the currently installed Service Pack for Windows; it will replace almost all of the system files.  You can also edit the registry using the BartPE Live CD or the Ultimate Boot CD (google that for more info).

For fast and good results, I think you had better download the Kaspersky Rescue Disc.  It's available on the Kaspersky website, and the latest definitions are also available for download online; you just have to burn it to a CD and copy the definitions file to the C:\ drive on the infected system using the Ultimate Boot CD.  Once you boot up from the Kaspersky Rescue CD you can update manually and do a full system scan to remove the infection.

Note:
The file you posted might not be a virus name; it's a file packed with a virus/trojan.  If you have an antivirus installed, it will scan this file, analyse it, and then recognize which virus or crapware it is.

Commented:
If you can see the file "WMIHTKL.EXE.html"

Right click it > Properties > Security, and in the top, remove all users but the logged in user and SYSTEM.  Might need to go to Advanced, uncheck "Inherit permissions", and select COPY in the pop up box.....

For the remaining 2 users, select Deny Full Control for each one, and reboot.......
Commented:
Then see if you can delete it, after following the steps and granting YOUR USER ID Full Control... If, once deleted, it returns again, let's look at an AutoRuns log.......

Autoruns
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

I would say to get an AutoRuns export (save it as a .arn file, not a .log file), and let us see what's loading with the machine..... Post it here please.....
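As an added example (not from this thread, and not part of the Autoruns tool), a short Python script that parses an Autoruns-style CSV export and flags the autostart entries worth a closer look: images whose filename matches the one in the question, or whose signer is not verified. The column names and the three sample rows are constructed for illustration and are an assumption about the export format.

```python
import csv
import io
import ntpath

# Constructed sample in the shape of an Autoruns CSV export (column names are
# an assumption, not taken from the thread); the second row mimics the kind of
# Run-key entry a file such as wmihtkl.exe would leave behind.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Signer,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,enabled,(Verified) Microsoft Windows,c:\\windows\\system32\\ctfmon.exe,C:\\WINDOWS\\system32\\ctfmon.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,wmihtkl,enabled,(Not verified),c:\\windows\\system32\\wmihtkl.exe,C:\\WINDOWS\\system32\\wmihtkl.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,Dhcp,enabled,(Verified) Microsoft Windows,c:\\windows\\system32\\svchost.exe,svchost.exe -k netsvcs
"""

SUSPECT_NAMES = {"wmihtkl.exe"}  # the filename from the question


def parse_autoruns_csv(text):
    """Parse an Autoruns CSV export into a list of dict rows (one per entry)."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_entries(rows, suspect_names=SUSPECT_NAMES):
    """Return (location, entry, image, reasons) for every autostart entry that
    either points at a suspect filename or is not signature-verified."""
    flagged = []
    for row in rows:
        image = row.get("Image Path", "").strip().lower()
        signer = row.get("Signer", "").strip()
        reasons = []
        if ntpath.basename(image) in suspect_names:
            reasons.append("image filename matches suspect name")
        if not signer.startswith("(Verified)"):
            reasons.append("signer not verified: %r" % signer)
        if reasons:
            flagged.append((row["Entry Location"], row["Entry"], image, reasons))
    return flagged


if __name__ == "__main__":
    # Print each flagged entry with the registry location it loads from, so the
    # reader knows exactly which autostart key to inspect on the drive.
    for location, entry, image, reasons in flag_entries(parse_autoruns_csv(SAMPLE_CSV)):
        print("%s\\%s -> %s" % (location, entry, image))
        for reason in reasons:
            print("    " + reason)
```

Run against a real export, the same filter narrows a few hundred Autoruns rows down to the handful that need manual review.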

Author commented:
Gentlemen, thank you for the guidance.
I am going to try it one by one.  Per tzucker, I ran SpyDLLRemover_3.0 - see attached.  Can I go ahead and connect the infected drive as a second drive and delete and replace the DLLs listed with good files?
Or is there some other step that I should follow?

Attachment: ScannedResult.html
Mohammed Hamada, Senior IT Consultant
Commented:
The scan result shows that you only have one file infected, which is highlighted in red... Delete that, and if it is inaccessible then I recommend that you try deleting the file in Safe Mode with Command Prompt.
Once there, use the following DOS command:

Del /f C:\WINDOWS\system32\wmihtkl.exe

If you get access denied again, download HijackFree.  This program runs like Process Explorer; however, it'll show you all the files related to the infected file if it runs in memory, so you can kill and delete it.

http://www.hijackfree.com/en/
Make sure to run SpyDLLRemover again after you delete and reboot.  If it comes back then follow moh10ly's advice.
Commented:
You should try the first suggestion, which is ComboFix... if ComboFix won't remove it on its first run, we can remove it using its script function; the script function deletes any files you input in the script.
It's also a good idea to run GMER and show us the log.
http://www.gmer.net/gmer.zip

Author commented:
Solved,
I ran SpyDLLRemover and then used the Kaspersky Rescue Disk.

Thanks to Everyone
