Stubborn Virus! Please Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by HunterKiller_, Jul 4, 2006.

  1. HunterKiller_

    HunterKiller_ Private E-2

    Hi everyone, first post here. I'll get straight to the point.
    I downloaded crack files that I found on Google, how stupid, I know, and shame on me for downloading cracks. I've learnt my lesson and I will never do it again, and I've certainly earned my punishment. So far I've spent the entire afternoon working to fix this virus infection but have had very little progress.

    I'm a bit of a noobie and I will attempt to state as clearly as I can what I've done so far.
    Some of the symptoms are:
    - Dozens of 'winxxx.tmp.exe' files (e.g. win18.tmp.exe) located in C:\WINDOWS\temp. I've manually deleted all of them in safe mode but they just keep coming back. These files also periodically attempt to connect to the internet, but thankfully Norton stops them.

    - The file 'winwil32.dll' was detected, and I was able to remove it by using 'delete during reboot' with HJT.

    - The file 'nnnkkif.ddl' was detected. I've tried googling, and that comes up with only one result, a site in German. I downloaded the SmitFraudFix from that site and ran it a few times, normal and safe mode; it didn't seem to do anything.
    I'm sure this file is the source of problems and have tried various methods to remove it but to no avail.
    On the HJT scan, it appears under two entries:

    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnkkif.dll
    and
    O20 - Winlogon Notify: nnnkkif - C:\WINDOWS\SYSTEM32\nnnkkif.dll
    It does not show up on any scanner other than HJT, which I have tried to remove it with - nothing. Tried it in safe mode, manually, Killbox, delete during reboot. All failed.
    Please help me!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Normal cleaning procedures require that you run this Sticky thread READ & RUN ME FIRST Before Asking for Support before attaching HijackThis logs. It is the only way to be sure we clean all of your problems. I'll do you a favor and give you a fix for your current problem (this time ;) ) but you should do yourself a favor afterwards and run thru the full procedure to make sure nothing else is hiding. HijackThis does not come close to showing all the possible infections you could have.

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of nnnkkif.dll once and then click the kill button. After you have killed all of the nnnkkif.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of nnnkkif.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnkkif.dll
    O20 - Winlogon Notify: nnnkkif - C:\WINDOWS\SYSTEM32\nnnkkif.dll



    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.

    del %windir%\temp\win*.*
    exit

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\nnnkkif.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
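
Added example, not part of the original posts and not code from HijackThis or MajorGeeks: a small Python check that reads HijackThis log lines and reports any DLL registered both as a Browser Helper Object (O2) and as a Winlogon Notify package (O20), the pairing seen in this thread. The first two sample lines are the ones quoted above; the other three are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-2 are the entries quoted in the thread; lines 3-5 are constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnkkif.dll
O20 - Winlogon Notify: nnnkkif - C:\WINDOWS\SYSTEM32\nnnkkif.dll
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")


def parse_entries(log_text):
    """Return (section, name, path) tuples for every O2 and O20 line."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append((section, m.group("name"), m.group("path").strip()))
    return entries


def dual_registered(entries):
    """Map lower-cased DLL path -> sections, for DLLs listed under both O2 and O20."""
    by_path = defaultdict(set)
    for section, _name, path in entries:
        # Windows paths are case-insensitive: system32 and SYSTEM32 are the same file.
        by_path[path.lower()].add(section)
    return {p: sorted(s) for p, s in by_path.items() if s == {"O2", "O20"}}


if __name__ == "__main__":
    for path, sections in dual_registered(parse_entries(SAMPLE_LOG)).items():
        print(f"{path}: registered under {', '.join(sections)}")
```

A DLL flagged here is loaded by both explorer.exe and winlogon.exe, which matches the procedure above of killing its threads in both processes before selecting the O2 and O20 lines in HijackThis.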
     
  3. HunterKiller_

    HunterKiller_ Private E-2

    Thanks a lot chaslang. I'll print this and do it now.
     
  4. HunterKiller_

    HunterKiller_ Private E-2

    I followed the steps through to scanning with HJT... and found no trace of the virus! There were no signs of it when I looked through Process Explorer and then the two entries of it in HJT have disappeared!
    It's gone... or it could be hiding, but it's not causing any immediate problems, so I'm not going to be wasting any more time on it.

    I have noticed however that there are a few weird things happening. Firstly, the computer now starts up quicker than usual, but small applications are opening slower, such as folders, they take a slight moment longer to show all contents.
    I think I'm going to have to format and reinstall everything anyway, now that there are probably bits and pieces of things everywhere.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  6. HunterKiller_

    HunterKiller_ Private E-2

    Thanks for the help man.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
