Solved! Use KJGJMN.SYS (Virus Sality) Removal Guide


KJGJMN.SYS – Virus Sality removal

File         MD5                               Detection alias
KJGJMN.SYS   bf31a8d79f704f488e3dbcb6eea3b3e3  Virus Sality
KJGJMN.SYS   bf31a8d79f704f488e3dbcb6eea3b3e3  Trojan Lineage
KJGJMN.SYS   bf31a8d79f704f488e3dbcb6eea3b3e3  Trojan Generic
KJGJMN.SYS   bf31a8d79f704f488e3dbcb6eea3b3e3  Trojan Agent

KJGJMN.SYS size: 5157 bytes
KJGJMN.SYS hash: BF31A8D79F704F488E3DBCB6EEA3B3E3

Created files:

C:\504d23
C:\51292e
C:\Documents and Settings\Temp\tuyen_tap_hai_2008.exe
%WinDir%\h2s.exe
%WinDir%\nacl.exe
%WinDir%\system\lsass.exe
%SysDir%\drivers\kjgjmn.sys
%WinDir%\userinit.exe
D:\50512a
D:\512d21
D:\cert\VBoxCertUtil.exe
D:\OS2\VBoxControl.exe
D:\OS2\VBoxReplaceDll.exe
D:\OS2\VBoxService.exe
D:\VBoxWindowsAdditions-amd64.exe
%Temp%\uwddr.exe
%Temp%\ytdqhm.exe

Autostart registry keys:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit: %WinDir%\userinit.exe
HKLM\System\CurrentControlSet\Services\amsint32\Type: 01000000
HKLM\System\CurrentControlSet\Services\amsint32\Start: 03000000
HKLM\System\CurrentControlSet\Services\amsint32\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\amsint32\DisplayName: amsint32
HKLM\System\CurrentControlSet\Services\amsint32\ImagePath: %WinDir%\System32\drivers\kjgjmn.sys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pikachu: %WinDir%\nacl.exe

Detected by UnHackMe:

KJGJMN.SYS
Default location: %SYSDIR%\DRIVERS\KJGJMN.SYS

Dropper information:
MD5: cb5dc84cbab633a0ac36878ff916cabb
File size: 297984 bytes
