Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

clean up computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby wng_z3r0 » June 22nd, 2005, 1:48 pm

grr!!

OK: are you getting errors when you run find qoologic /narrator?

Here's the full instructions for it:
Download FindQoologic-Narrator. Extract(unzip) the files into their own folder. Browse to where you saved them. Double-click the Find-Qoologic2.bat file to run it. A text file will open. Copy and paste the contents of the file into your reply along with a new HijackThis log please.


Note: If you get an error similar to:
autoexec.nt the system file is not suitable for running ms-dos etc etc , or a 16 bit app error etc etc'
Go here and use the approprient fix for your system then run find qoologic again.
http://www.tech-forums.net/computer/topic/29806.html
More info here: http://support.microsoft.com/default.as ... -us;324767

wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm
Advertisement
Register to Remove

Unread postby timroc9 » June 22nd, 2005, 3:42 pm

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
daik.exe
DESKTOP.INI

User Startup:
C:\Documents and Settings\Joe Maione\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gyxnkyys
<NO NAME> REG_SZ {a0ee0040-9e0c-4ed0-aeee-a87fde797c79}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin




Logfile of HijackThis v1.99.1
Scan saved at 3:43:50 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\kapjua.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\nqjlspm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Joe Maione\Desktop\clean up\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kapjua.exe reg_run
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [edzovgl] c:\windows\system32\nqjlspm.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://gold.domino.cooksonelectronics.com/iNotes.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/Reflex ... Loader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby wng_z3r0 » June 22nd, 2005, 4:34 pm

Well, let's leave Qoologic alone for a sec. NAIL has creeped back into your system. Please follow these steps:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php? ... 5010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode

then:
Download and install Agent Ransack a free search tool.
http://www.mythicsoft.com/agentransack/default.aspx

Install the program.

Start the program. Start > Programs > Agent Ransack > Agent Ransack
Check expert user if it is not already checked.

Copy (Ctrl+c)/paste(ctrl+v) the following
(Qoologic|Aspack|narrator)+
into the "Containing Text" field.

Copy the following:
C:\windows;C:\windows\start menu\programs\Startup
into the "Look in" field.

Uncheck the box "Search subfolders"

Click "Start search"

Once the scan is finished please go to "File" (at the top of the screen) and click it. Select "Save results from the menu.
Clipboard is checked by default. Leave it as it is.
At the bottom of the screen under "Information" uncheck "Contents". Now click "Save". This copies it to your clipboard.
Right-click in the reply area below the last log and paste that information into the post. Again do not assume all thats is being found is bad.


Once you post the logs above, please do not reboot, restart/shutdown the computer. Just leave it on. If you restart, the malware recreates, and any information you provide may change, taking us back to square one.

Give me a Agent Ransack log, an Ewido log, and a HJT log.
wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby timroc9 » June 22nd, 2005, 4:53 pm

problems with ewido continue every time i have used this scan it either didnt open, it said their was an error or couldnt update is there another scan i can run
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby LonnyRJones » June 22nd, 2005, 9:28 pm

Hi

Ewido must be updated , heres how
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), Now close the program.
Do NOT run a scan yet.
Later tell us How that went

Was there any problem getting into safe mode ?

Boot into safe mode.

Run Ewido and let it delete anything found.
while it is working do not open any folders ,especialy the windows control panel

Restart back to normal and post a fresh hijackthis log

When you had ran find qoologic before did you see any errors ?
Do you have any questions ?
LonnyRJones
Regular Member
 
Posts: 51
Joined: February 25th, 2005, 5:29 am

Unread postby timroc9 » June 22nd, 2005, 9:28 pm

ive stopped waht i have been doing i was just wondering if i should give u a new log of hijack this
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby LonnyRJones » June 23rd, 2005, 5:37 am

Hi

Yes another hijackthis log after we get ewido updated and ran again while in safe mode
LonnyRJones
Regular Member
 
Posts: 51
Joined: February 25th, 2005, 5:29 am

Unread postby timroc9 » June 23rd, 2005, 12:25 pm

Logfile of HijackThis v1.99.1
Scan saved at 12:24:45 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\kapjua.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Joe Maione\Desktop\clean up\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kapjua.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://gold.domino.cooksonelectronics.com/iNotes.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/Reflex ... Loader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby LonnyRJones » June 23rd, 2005, 1:07 pm

How did updating and running ewido in safe mode go ?
Details are important

When you ran find qooligic before was there errors ?
LonnyRJones
Regular Member
 
Posts: 51
Joined: February 25th, 2005, 5:29 am

Unread postby timroc9 » June 23rd, 2005, 1:19 pm

ok EVERY TIME I RUN EWIDO it says error right when the scan finishes and i can never save the log
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby timroc9 » June 23rd, 2005, 1:21 pm

the qoologic error says 16 bit ms-dos subsystem
c:\windows\system32\cmd.exe
c:\windows\system32\autoexec.nt The system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby LonnyRJones » June 23rd, 2005, 2:02 pm

"EVERY TIME I RUN EWIDO it says error "

Is there an error number ?

Here is the findqoologic instructions again:
Download FindQoologic-Narrator.zip save it to your Desktop.
http://forums.net-integration.net/index ... &id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder. Preferable to your desktop.
Locate and double-click the Find-Qoologic2.bat file to run it.
wait until a text opens, post it in a reply to your thread.
Note: If you get an error similar to:
autoexec.nt the system file is not suitable for running ms-dos etc etc , or a 16 bit app error etc etc'
Go here and use the approprient fix for your system then run find qoologic again.
http://www.tech-forums.net/computer/topic/29806.html
More info here: http://support.microsoft.com/default.as ... -us;324767


So apply the fix then run it again and post its log please
LonnyRJones
Regular Member
 
Posts: 51
Joined: February 25th, 2005, 5:29 am

Unread postby timroc9 » June 23rd, 2005, 6:26 pm

ok the findqoologic works now i am going to run ewido in safe mode to try and see what the error says



PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\EKIPCKK.DLL
* KavSvc C:\WINDOWS\System32\RKSWV.DLL
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\QUKAY.DAT
* aspack C:\WINDOWS\System32\CAMNQAA.EXE
* aspack C:\WINDOWS\System32\KAPJUA.EXE
* aspack C:\WINDOWS\System32\EKIPCKK.DLL
* aspack C:\WINDOWS\System32\RKSWV.DLL
* aspack C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\AIM.EXE
* UPX! C:\WINDOWS\System32\PSOF1.EXE
* UPX! C:\WINDOWS\System32\R.EXE
* UPX! C:\WINDOWS\System32\UCI.EXE
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ARDJXN~1.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\DAIK.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
daik.exe
DESKTOP.INI

User Startup:
C:\Documents and Settings\Joe Maione\Start Menu\Programs\Startup
.
..
DESKTOP.INI

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gyxnkyys
<NO NAME> REG_SZ {a0ee0040-9e0c-4ed0-aeee-a87fde797c79}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby timroc9 » June 23rd, 2005, 7:38 pm

heres what i belive the error is at leat that what it said for the ewido scan

c:\docume~1\joemai~1\locals~1\temp\wer1.tmp.dir00\appcompat.txt
User avatar
timroc9
Regular Member
 
Posts: 47
Joined: June 19th, 2005, 6:12 pm
Location: nj

Unread postby LonnyRJones » June 23rd, 2005, 11:59 pm

Hi, Thanks

Download Pocket Killbox version 2.0.0.175
From one of these loactions
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe
If you already have Killbox first ensure it is this version !.
Start Killbox place a tick next to [x]delete on reboot.
Copy this whole list into the windows clipboard, all the Bolded below.

C:\WINDOWS\System32\EKIPCKK.DLL
C:\WINDOWS\System32\RKSWV.DLL
C:\WINDOWS\System32\SUPDATE.DLL
C:\WINDOWS\System32\QUKAY.DAT
C:\WINDOWS\System32\CAMNQAA.EXE
C:\WINDOWS\System32\KAPJUA.EXE
C:\WINDOWS\System32\REDIT.CPL
C:\WINDOWS\System32\AIM.EXE
C:\WINDOWS\System32\PSOF1.EXE
C:\docume~1\alluse~1\startm~1\programs\startup\DAIK.EXE


Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the first prompt and no to the second.


Exit Killbox and restart your PC.

Place these files in a zip, Send to filesubmitATnet-integration.net
Replace AT with @ and include a link back to this thread.
if you know how to place a password/encrypt on it do so, use "infected"
More info if needed here http://forums.net-integration.net/index ... =3&t=27243
C:\WINDOWS\System32\R.EXE
C:\WINDOWS\System32\UCI.EXE
C:\WINDOWS\ARDJXN~1.EXE

Download/save then run AIM Fix
http://www.jayloden.com/AIMFix.exe
Restart the PC again, Post back with the aimfix.log and a fresh hijackthis log.
LonnyRJones
Regular Member
 
Posts: 51
Joined: February 25th, 2005, 5:29 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 286 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware