gzmrt.dll: remote hacker attack
OK, I've decided to put this all in one place.
First off, I was experiencing slow PC behavior.
I found that when I was in COD2 my ping would jump from 70 to 800+.
Time Warner was at this time working on IP addressing in this area and said
they may have laggy access. (Figured it was them for about a week.) It wasn't.
My computer HD is set up like a Dell with 3 partitions: 1 for DOS, 1 for
Windows and 1 for a recovery image.
Trojan. Unclassified/FukuRuku. Process
CA-Anti-Spy (toolbar) named as AdRotator F (adware)
This is a remote hacker attack:
How I removed it:
Software I used:
SAVEPART.exe (dos): Drive image creator
NTFS4DOS.exe (dos): NTFS access for DOS
DOS 7.1 (someone made a full version)
Windows Defender
CA-Anti-Spy (yahoo toolbar and on)
Boot to DOS, load NTFS4DOS, and at the command prompt find the drive letter
allocated to Windows XP.
In my case it was F:\
From the C:\ command prompt type
C:\ > attrib -A -H -S F:\windows\system32\gzmrt.dll /s
ENTER
-A This clears the archive bit on gzmrt.dll
-H makes sure it's not hidden
-S makes sure it's not a system file
/s includes the subdirectories in the tree
C:\ > DELTREE F:\windows\system32\gzmrt.dll
If you try to use just DEL then DOS cannot find the file, because the file
is a binary directory.
After deleting gzmrt.dll, reboot to Windows XP.
You will get an "error can't find gzmrt.dll" after you log on; read on.
Use Start/Run, regedit, and find and open this folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete this key within the above folder:
postsetupcheck
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" Dll -Start
This stops the error flag.
Not sure what these do, but the first 2 are listed under "publisher not
available" so I disabled them; to date nothing is amiss from it. The last
one, however, is a new entry I found in the startup heading of Windows Defender
and it contains a secondary reference to gzmrt.dll.
So I disabled this too. Note there is a 2nd process running on my PC called
*rundll32 and it is legit; make sure you get the correct files or else you'll find
unexpected mishaps.
File Name: ISUSPM.exe -startup
Startup Value: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
File Path: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Disabled
SpyNet Voting: In Progress
File Name: issch.exe -start
Startup Value: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
File Path: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Disabled
SpyNet Voting: Not Available
*File Name: Rundll32.exe
Display Name: Microsoft Run a DLL as an App
Description: Run a DLL as an App
Publisher: Microsoft Corporation
Digitally Signed By: Microsoft Windows Verification Intermediate PCA
File Type: Application
Startup Value: C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
File Path: C:\WINDOWS\System32\Rundll32.exe
File Size: 33280
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Date Installed: 8/10/2004 6:00:00 AM
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Disabled
Ships with Operating System: Yes
SpyNet Voting: Not applicable
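As an added example (not code from the original post): a small Python script that parses a `reg export` of the Run key named above and reports every entry that starts a DLL through rundll32, which is how gzmrt.dll was being launched at logon. The `postsetupcheck` value name and the gzmrt.dll path are from the post; the .reg text itself and the `UpdateSvc` value name are constructed for the sample.

```python
import re
import sys

# Constructed sample of `reg export "HKLM\...\CurrentVersion\Run" run.reg` output.
# The postsetupcheck entry mirrors the one the post deletes; UpdateSvc is benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"postsetupcheck"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\gzmrt.dll\" DllStart"
"UpdateSvc"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
'''

# One "name"="data" string value per line; .reg escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32[.exe] followed by an optionally quoted path ending in .dll.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s]+\.dll)"?', re.IGNORECASE)


def unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str) -> dict:
    """Return {value_name: command_line} for every string value in the export."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values


def find_rundll32_loaders(reg_text: str) -> list:
    """Return (value_name, dll_path) for Run entries that load a DLL via rundll32.

    rundll32 itself is a signed Windows binary, so the DLL it is told to load is
    what needs checking, not the executable the entry appears to point at.
    """
    hits = []
    for name, cmd in parse_run_values(reg_text).items():
        m = RUNDLL_RE.search(cmd)
        if m:
            hits.append((name, m.group(1)))
    return hits


if __name__ == "__main__":
    # Pass a real export file as argv[1]; otherwise the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for name, dll in find_rundll32_loaders(text):
        print(f"Run value {name!r} loads DLL: {dll}")
```

Real `reg export` files are written as UTF-16, which is why the script opens them that way; the embedded sample is plain text.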