Playiis.exe / siiyalp Can't Kill Process

Saw a previous post- no answers Win XP Home , Sp2 recently installed cleaned and updated all . AdAware ,S&D, A squared,Pest patrol RAV Trend Symantec nothing found. Had Previous multiple parasites, removed Virtumonde, CatlEvents adn others. All scans clean at this time, all seems normal AVG Sygate installed only problem at shut down I get "Application could not be started " Playiis.exe. File is located in/as C:\Windows\repair\playiis.exe rerun . Cannot be deleted, all files in that folder are compressed (blue) These are the only entries in black playiis.exe playiis .txt (reveals properties-language unknown)(looks like a huge page of pig latin I might add) playiis .dat and tmp and .dll . No program in add remove cannot kill process cannot delete. It shows up in a HJT scan but will not be deleted Keeps returning, safe mode all cleaned, nothing loaded at start up etc Any ideas how to get rid of it I might mention AVG scan checks it as OK Not a windows process that I can find, no google info, and Playiis spelled backwards is siiyalp and I have siiyalp.dat and temp files I can't get rid of. Thanks much

 

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

I previously removed 3 items BHO CatlEvents/ Tim Local etc siialp
HKLM Run Once playiis and Win Logon Notify all keep returning Thanks HJT attached

 

Sygate was installed yesterday, this program is requesting access, below is Sygate detail
File Version :
File Description : C:\WINDOWS\REPAIR\playiis.exe
File Path : C:\WINDOWS\REPAIR\playiis.exe
Process ID : 0x654 (Heximal) 1620 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 65.199.238.79
Local Port : 1173
Remote Name : svcwin.com
Remote Address : 62.4.84.56
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 92)
Destination: 02-00-20-00-02-00
Source: 00-00-02-00-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xd22e (Correct)
Source: 65.199.238.79
Destination: 62.4.84.56
Transmission Control Protocol (TCP)
Source port: 1173
Destination port: 80
Sequence number: 2495404789
Acknowledgment number: 0
Header length: 44
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xf674 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 02 00 20 00 02 00 00 00 : 02 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 40 09 93 40 00 80 06 : 2E D2 41 C7 EE 4F 3E 04 | .@..@.....A..O>.
0020: 54 38 04 95 00 50 94 BC : DA F5 00 00 00 00 B0 02 | T8...P..........
0030: 8A 20 74 F6 00 00 02 04 : 05 B4 01 03 03 00 01 01 | . t.............
0040: 08 0A 00 00 00 00 00 00 : 00 00 01 01 04 02 65 6E | ..............en
0050: 2E 67 69 66 20 48 54 54 : 50 2F 31 2E | .gif HTTP/1.

 

http://vil.mcafeesecurity.com/vil/content/v_132427.htm still digging up some info, but still need help this is re: Uploader W

 

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


Download the following removal tools:

• Trojan Vundo Removal Tool
• Trojan Vundo B Removal Tool

Now, Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

Run both removal tools! Run each one letting it complete. Afterwards procede with the rest of this fix!


Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

Sysclean Package

Pattern.zip

Once you have these downloaded into the folder you just created, double click the file sysclean.com

When the system cleaner loads, click SCAN to start the scanner. After you complete the above scan reboot and attach a fresh HJT log.

 

Vundo scans both said clean,sysclean deleted Vundo.A, unable to clean remaining-access denied error, switched to another admin acct ran scans same results, Ran Panda online cleaned some more infections ran vclean Grisoft, still bypasses playiiss as OK Ran Dellater no luck attached new HJT and SYS clean logs Finding Agent.CE, cannot find removal tool for that . All done in safe mode with hidden files shown ,AVG and Sygate turned off for all scans Thanks Appreciate all your help.. what do you suggest ? Suse PS Also run CCleaner after each scan

 

Download Pocket KillBox
(Don't run it yet)


Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&mem=marilynmcnichol135&key=69f26789b61cd80908 f8f5019907a642&ts=40f482b4&A=210563050004419&B=1052118000000&C=1050130800000&D=0 &I=6.1.4JU&N=PLOC&O=I

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\siiyalp.dat

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [*playiis] C:\WINDOWS\repair\playiis.exe rerun

O20 - Winlogon Notify: playiis - C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\siiyalp.dat

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Run CCleaner to clean up cookies and temp files.



Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, C:\WINDOWS\repair\playiis.exe BAD FILE HERE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\Documents and Settings\Timothy McNichol\Local Settings\Temp\siiyalp.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above scan with HJT and attach a fresh HJT log.

 

Thank you I believe we got it,one question- One entry in HJT log was not there I believe because I had logged in to the original admin acct to follow your last instructions the 04=HKLM..Run: [UserFaultCheck] %Systemroot% was not in the HJT list to check off and fix. After following your instructions, I logged in to the Admin acct ran HJT, is not there either, my question is is shows up in msconfig start up, would like to remove that entry also.

 

Scan with HijackThis and Check the Boxes for the following:

O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\siiyalp.dat (file missing)

O20 - Winlogon Notify: playiis - C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\siiyalp.dat (file missing)

Make sure All Browser Windows are Closed when you Click FIX.

After you fix the above entries your log will be clean, are you having any further problems?

 

1) I would like to thank you and I think you should change your name to
"BIGARRICK" because you help ina BIG way.
2)Geek Benevolent Fund?? I vote yes! in the meantime I'll get a shirt. PS you stay up too late helping us Thankyou Suse

 

Your Welcome!

To stay clean I recommend your following this article on How to Protect yourself from malware!

 

I clean these PC's up for retired folks, hardware tech, I appreciate your Malware expertise and will return if I get stuck again. I do recommend your staying safe from malware to all my clients. You'd be surprised (maybe not) how many people never install AV or turn on a firewall or even know what it is. So I teach basic instruction also. Thanks

 

Good Luck with your work

Follow out How To Protect article and you will be ok!