Help with Virus and Software Restrictions

Acer Aspire 5670 notebook
September 18, 2009 at 10:06:16
Specs: Windows XP
Hey everyone...

I posted a while back and no one responded with a solution to my recurring virus issue...but I have another question concerning the same virus. I constantly remove it but it comes back...meaning I haven't got the source. My antivirus program constantly finds files similar to this one...

C:\(long file name..ends with)\kbiwkmpyjklnxo.dll(5).lnk

Now...there are about 50 of them like this...all in different locations (such as temp files, recent files, documents and settings, system32, etc etc etc). However they are all hidden objects that I cannot view at all. My antivirus cannot open them or view them or delete them. It just puts copies in quarantine which solves nothing. My question is: how would I go about making a path rule in the group policy editor security restrictions folder to deny access to those files?

They all come from different locations and even the ends of the file names are different and they even have different extensions (.dat, .exe, .sys, .dll, .lnk, etc etc)...however...each and every one of them includes "kbiwkm". Is there a general rule I can use that will block all files or paths containing that particular string of letters?

Thanks in advance,


September 18, 2009 at 10:13:05

This kind of .dll name is typically used by Vundo.
Can you do this?

- Download HijackThis to your Desktop.
- Execute HijackThis and accept the license.
- Create a report:
- Click on Do a system scan & save a logfile
- A report pops up; please paste it in your next reply.

In your next reply, please paste :

- HijackThis.log

Sorry for my future orthographic faults, English is not my mother tongue ;=)


September 18, 2009 at 10:21:43
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:28 PM, on 9/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Malwarebytes\mbam.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Documents and Settings\Work\Application Data\Mozilla\Firefox\Profiles\gghvj8bs.default\extensions\\plugins\LMIGuardian.exe
C:\Documents and Settings\Work\My Documents\HiJackThis.exe

O2 - BHO: (no name) - autorunsdisabled - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service (adobe lm service) - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O24 - Desktop Component 0: (no name) - (no file)

End of file - 4682 bytes


September 18, 2009 at 11:21:09

Not infected, a priori, but HijackThis doesn't give all the information.
Is it a company computer? What are the symptoms?

The PC has many programs that aren't up to date!

Do you have Spybot? If yes, uninstall it; it is obsolete.


Sorry for my future orthographic faults, English is not my mother tongue ;=)


September 18, 2009 at 11:57:26
Seeing that googling kbiwkmpyjklnxo.dll(5).lnk gives no results means it is probably a new infection.

You could try a complete session with unhackme, which is a fully functional trial for 30 days.

Use the beginners guide and follow all the prompts. DON'T delete anything you are not sure of, instead google the results and see if it is safe to delete.
Good luck

PS: I've used it on many PCs and it works great. Once you come out with a clean slate you will be fine.

Some HELP in posting on plus free progs and instructions Cheers


September 18, 2009 at 12:56:04
"seeing that googling kbiwkmpyjklnxo.dll(5).lnk and there are no results means it is probably a new infection."

It's a random name ... It's normal that you can't find it on the internet :)

Sorry for my future orthographic faults, English is not my mother tongue ;=)


September 18, 2009 at 14:26:26
Ok...I have tons of spyware/malware/antivirus software...I don't have to scan it...I just want to know if there is a general path rule I can put into the group policy editor (gpedit.msc) to deny access to any file name containing "kbiwkm".

There are about 50 files of it on my pc with different locations and different extension endings.

I tried disallowing C:\*kbiwkm* but it doesn't deny access to all of them because I don't know how to correctly use the wildcard symbols for the policy editor.


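The path rule the poster is asking about, as an added example that is not part of the thread: it writes the same Software Restriction Policies registry values that gpedit.msc writes for a "Disallowed" path rule using the wildcard pattern `*kbiwkm*`, then lists the rules and the files they would cover. It assumes SRP has already been created once in gpedit (so the Safer\CodeIdentifiers key and its DefaultLevel/TransparentEnabled values exist), an elevated PowerShell session, and the documented Safer registry layout; the function and variable names are mine.

```powershell
# Added example: SRP "Disallowed" path rule for any path containing "kbiwkm".
# Assumption: the standard Safer\CodeIdentifiers layout (level 0 = Disallowed,
# 262144 = Unrestricted; each rule is a GUID subkey under <level>\Paths).
# Caveat: SRP only governs what may EXECUTE (designated types such as .exe, .dll
# when TransparentEnabled=2, .lnk); it does not deny read access to .dat/.sys
# files, so quarantine/removal of those still has to happen separately.
$Base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Pattern = '*kbiwkm*'   # SRP path rules accept * and ? ; * matches any characters

function New-SrpDisallowRule {
    param([string]$Path, [string]$Description)
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = Join-Path (Join-Path $Base '0\Paths') $guid      # level 0 = Disallowed
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $guid
}

# List every path rule with its enforcement level, to verify what is in force.
function Get-SrpPathRules {
    foreach ($level in '0', '262144') {
        $paths = Join-Path $Base "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                Level = if ($level -eq '0') { 'Disallowed' } else { 'Unrestricted' }
                Path  = $p.ItemData
                Note  = $p.Description
            }
        }
    }
}

# Files the rule would cover; -Force includes hidden/system objects, which is
# why the poster's Explorer view showed nothing.
function Get-MatchingFiles {
    Get-ChildItem -Path 'C:\' -Recurse -Force -Filter $Pattern -ErrorAction SilentlyContinue |
        Select-Object FullName, Attributes
}

$ruleId = New-SrpDisallowRule -Path $Pattern -Description 'Block execution of kbiwkm* artifacts (constructed rule)'
"Created rule $ruleId"
Get-SrpPathRules | Format-Table -AutoSize
Get-MatchingFiles | Format-Table -AutoSize
```

New processes are evaluated against the rule at launch; if gpedit still shows the old rule set, log off and on so the policy snap-in rereads the registry.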

September 18, 2009 at 15:44:11
Mister_Mast Thanks for the clarification :0)

Some HELP in posting on plus free progs and instructions Cheers
