Poller.exe & vmnkql.exe Trojan Removal Guide
Posted: Fri Jun 24, 2005 6:39 pm
A Bad Message: Access Denied

I went to a site off Google while looking up some song lyrics and was infected by a couple of trojans last night. I also had many pop-up windows with the name Aurora in the pop-up window. I then ran Norton 2005 with the 6-22-2005 definition file, which was unable to remove the infected files. It basically said "Failed To Repair This File". Next I ran Spybot and Ad-Aware with no such luck. I even rebooted and let it scan the files before Windows loaded... Failure!

I then did the standard removal methods...
Step One: Disabling the System Restore Utility (Windows XP Users)
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.
You must always turn off the system restore feature before removing a variant.
Step Two:
1) Boot into safe mode (hit F8 on reboot)
2) Kill the process (Poller.exe)
3) Manually remove Poller.exe from Windows startup & other parts
Sadly this couldn't be done... Not like the old days eh?
I next downloaded Stinger from McAfee Inc., which is a free software tool that removes 53 specific trojans and other variants. My scan came up clean, meaning that nothing was found wrong. Nothing wrong my ass...

I then downloaded HijackThis and ran a scan. If you think you are infected with Poller.exe or vmnkql.exe you need to look for the following files after you run a system scan:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Once these files are found, go download the 14-day trial version of Ewido Security Suite. Install it and update the definitions to the newest files. Do NOT run a scan yet. When you update it might automatically detect an issue, but just ignore it and move on.

Next you need to open the Windows Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
REM Stop and delete the SvcProc service before deleting its files
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". This will remove the nail.exe file and clean up your system...

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly; this is normal.

Then run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and see if everything has been removed and fixed.
I was determined not to format my system and after several hours of research I found that it could be done. No one on the internet really has a guide on how to fix these problems as they are new, so here is a guide that will help you. It worked for my desktop system with Windows XP SP2, so hopefully it will work for you.
If you found this information to be a help in removal please join the forums and let us know it helped. Feedback is always good!
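The three HijackThis entries the post tells you to look for share a pattern (a second program chained onto the system.ini Shell= line, and a BHO and an ownerless service loading straight out of the Windows root), and that pattern can be checked mechanically. The script below is an added example, not part of the post or of HijackThis; the log lines are constructed from the entries quoted above plus two made-up benign entries, and the "Windows root" heuristic is an assumption of this example, not something the post states.

```python
import re

# Constructed sample HijackThis log: the three entries quoted in the post plus two
# made-up benign entries so the filter has something to leave alone.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\\WINDOWS\\Bolger.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# Assumed heuristic: all three indicators in the post sit directly in the Windows root (no subfolder).
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def assess_entry(line):
    """Return a reason string if the entry matches one of the post's patterns, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body.split("Shell=", 1)[1].strip()
        # The only normal value is Explorer.exe; a second path chains in another loader.
        if shell.lower() != "explorer.exe":
            return "Shell= loads an extra program: " + shell
    elif kind == "O2":
        path = body.rsplit(" - ", 1)[-1].strip()
        if WINROOT_RE.match(path):
            return "BHO loaded from the Windows root: " + path
    elif kind == "O23":
        fields = [f.strip() for f in body.split(" - ")]
        if len(fields) == 3 and fields[1] == "Unknown owner" and WINROOT_RE.match(fields[2]):
            return "ownerless service running from the Windows root: " + fields[2]
    return None


def find_suspicious(log_text):
    """Return [(kind, reason)] for every entry worth reviewing in HijackThis."""
    hits = []
    for line in log_text.splitlines():
        reason = assess_entry(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason))
    return hits


if __name__ == "__main__":
    for kind, reason in find_suspicious(SAMPLE_LOG):
        print(kind, "-", reason)
```

Running it against the sample log flags exactly the F2, O2 and O23 lines from the post and leaves the two benign entries alone.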