Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

isearch blocks IE, refuses definition updates


  • This topic is locked This topic is locked

#16
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Sorry, there's no text file in the qoologic directory.
  • 0

Advertisements


#17
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Whats in the folder ?
You have it saved in a folder ?
  • 0

#18
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I have it in the qoologic directory right off the root C: directory. It has five files, xfind.com, activesetup.vbs, gstarts.exe, fstarts.exe, and find-qoologic2.bat. I did a search for any file on the C: drive with the file name activesetup*.* and only the vbs file returned.
  • 0

#19
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Open the folder and leave it open double click on the activesetup.vbs,
You should hear it running, give a second after it stops you should see a text file appear in the folder and the a pop up stating its finished
  • 0

#20
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Don, I just double clicked on the vbs file in the qoologic directory and nothing happened. I don't want to keep you up all night on my problem. I really appreciate your help but tomorrow will work too. As it is I don't know what drives you guys to help strangers with weird problems.
  • 0

#21
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi bookie,

I haven't seen this happen, I m checking with others to see if we can get it sorted out for you, I will reply back at some point today,

Don
  • 0

#22
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Bookie,
A couple things we need to try here,



1-
Download the following program, They have a free verison you can download.

Ewido Security Suite
http://www.ewido.net/en/

Be sure to get the updates first before scanning




2-
Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip

Create a new folder called c:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into this new RKFiles folder.

Then,

C. Reboot into Safe Mode

D. Restart and press the F8 key a few times after the BIOS loads -- the first thing you see when the pc "comes alive" and does its "self test" -- before windows loads).

E. Open the C:\Antispyware\RKFiles folder

* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait untill its finished.
* When it is finaly finished a text file will open.
* Save the contents of that text file.

Note: It should save by default to C:\Log.txt
* Find this log, right-click and rename it RKFiles_log.txt so you can post it later.
  • 0

#23
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I'm on it!
  • 0

#24
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
OK, I ran qoologic from safe mode and here's the text of the log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\JMKZK.DLL
* qoologic C:\WINDOWS\JMKZK.DLL
* qoologic C:\WINDOWS\UNADBEH.EXE

* ad-beh C:\WINDOWS\System32\TSGRGEG.DLL
* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL
* ad-beh C:\WINDOWS\System32\BDOMOXO.EXE
* ad-beh C:\WINDOWS\System32\VINKNA.EXE
* ad-beh C:\WINDOWS\System32\PWVKV.DAT
* ad-beh C:\WINDOWS\System32\WMCONFIG.CPL
* ad-beh C:\WINDOWS\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\NRTI.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Acrobat Assistant.lnk
desktop.ini
nrti.exe
SMC2635W 11Mbps WLAN Monitor.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
<NO NAME> REG_SZ {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmqxqsqn

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerDesk Menu
<NO NAME> REG_SZ {26E7F081-EB97-11d3-9239-006008D2D00F}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 14:13
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
"70794ae8-bda2-4e68-ad3d-6208027d7a45\(Default)" = ""
\StubPath = "C:\WINDOWS\system32\bdomoxo.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

THEN I ran ewido and it's the only program for weeks that's been able to update the definitions. It found vinkna and said to clean and reboot but every time I do it finds it again and tells me to reboot.

Finally, here's the text of the rkfile_log.txt file:

C:\antispyware\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ir.exe: UPX!
C:\WINDOWS\system32\pwvkv.dat: UPX!
C:\WINDOWS\system32\telnet.exe.tmp: UPX!
C:\WINDOWS\system32\vinkna.exe: UPX!
C:\WINDOWS\system32\winup2date.dll: UPX!
C:\WINDOWS\system32\wmconfig.cpl: UPX!
C:\WINDOWS\system32\xvclnl.exe: UPX!
C:\WINDOWS\system32\e8020idoe80c0.dll: fsg!M
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\goInstaller.exe: PEC2

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nrti.exe: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\epsuninst.exe: UPX!
C:\WINDOWS\icont.exe: UPX!
Finished
bye

I hope this is helping.
  • 0

#25
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Thats what we needed bookie,

Print out these instrctions or save them to notepad so you have access to them,
  • Please download the Killbox.
  • Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\JMKZK.DLL
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\JMKZK.DLL
    • C:\WINDOWS\System32\UNADBEH.EXE
    • C:\WINDOWS\System32\TSGRGEG.DLL
    • C:\WINDOWS\System32\WINUP2~1.DLL
    • C:\WINDOWS\System32\BDOMOXO.EXE
    • C:\WINDOWS\System32\VINKNA.EXE
    • C:\WINDOWS\System32\PWVKV.DAT
    • C:\WINDOWS\System32\WMCONFIG.CPL
    • C:\WINDOWS\UNADBEH.EXE
    • C:\docume~1\alluse~1\startm~1\programs\startup\NRTI.EXE
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\system32\bdomoxo.exe
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.

  • 0

Advertisements


#26
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Wow. This thing must be a mess. No wonder friends tried to talk me out of trying to clean it myself. I'll post the new log after I've done all this.
  • 0

#27
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Alright, Don, here's the latest qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\JMKZK.DLL
* qoologic C:\WINDOWS\JMKZK.DLL

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Acrobat Assistant.lnk
desktop.ini
SMC2635W 11Mbps WLAN Monitor.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
<NO NAME> REG_SZ {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmqxqsqn

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerDesk Menu
<NO NAME> REG_SZ {26E7F081-EB97-11d3-9239-006008D2D00F}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 16:40
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
  • 0

#28
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Outstanding :tazz:

A couple more to go, But what I want you to do is run through the entire early list I had you do,

And post back after you have done it please, Doulble check as to not miss any, Your doing great
  • 0

#29
bookie

bookie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
OK, it took awhile to do all the scans again but here's what I came up with. Here's the qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\JMKZK.DLL
* qoologic C:\WINDOWS\JMKZK.DLL

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Acrobat Assistant.lnk
desktop.ini
SMC2635W 11Mbps WLAN Monitor.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
<NO NAME> REG_SZ {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmqxqsqn

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerDesk Menu
<NO NAME> REG_SZ {26E7F081-EB97-11d3-9239-006008D2D00F}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 17:47
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

Here's the rkfiles log:

C:\antispyware\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ir.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\goInstaller.exe: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\epsuninst.exe: UPX!
C:\WINDOWS\icont.exe: UPX!
Finished
bye


Here's an updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:46:34 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ontrack\PowerDesk\PDEXPLO.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpyDefender Scanner] C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\SDScanner.exe /scan /remove /minimized /quitwhendone
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...en/IbmEgath.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Finally, I did run ewido (which took most of the time) but when it hit about 80% it stopped to report that it found an archived directory with isearch in it (I still have that as my search engine in Firefox). I told it to remove the directory and that blew out ewido altogether.

This thing just doesn't want to let go.
  • 0

#30
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Ok Bookie,

We need to get the last of these,
Most of these are removed but I want you to check for all again please,
Again might be best to print this out,
  • Please download the Killbox.
  • Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\JMKZK.DLL
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\JMKZK.DLL
    • C:\WINDOWS\System32\UNADBEH.EXE
    • C:\WINDOWS\System32\TSGRGEG.DLL
    • C:\WINDOWS\System32\WINUP2~1.DLL
    • C:\WINDOWS\System32\BDOMOXO.EXE
    • C:\WINDOWS\System32\VINKNA.EXE
    • C:\WINDOWS\System32\PWVKV.DAT
    • C:\WINDOWS\System32\WMCONFIG.CPL
    • C:\WINDOWS\UNADBEH.EXE
    • C:\docume~1\alluse~1\startm~1\programs\startup\NRTI.EXE
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\system32\bdomoxo.exe
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP