[Alienbaby74]

Right after I ran this program you recommended, Norton antivirus popped up and told me to halt the script. I went ahead and let it run?

So far the only thing that the window says is

The First Finished! message is only part of the scan Just wait until a text opens please.

Then this pops up.

Disregard the parameters message.

Thats all??? Not sure what to do now?

[Advertisements]

Oh wait, I see a text file now....but it didn't find anything, just says files found: and then nothing is listed?

Could this be because Ewido guard just cleaned it off this morning?

[Alienbaby74]

Oh wait, I see a text file now....but it didn't find anything, just says files found: and then nothing is listed?

Could this be because Ewido guard just cleaned it off this morning?

[Crustyoldbloke]

Hello again

If we are to try and find this hidden malware and the files it contains, then we must stop any real-time programmes from interfering.

Norton will always show any script as malicious, we knew that, but if Ewido is cleaning every time you boot or on daily cycle, we will never get there.

Let's disable Ewido from real-time protection, then reboot and run QoologicFinder and post the results and then leave the PC on, do not reboot.

Thanks.

[Alienbaby74]

Not to sound retarded but how do I deactivate the real time Ewido and Norton???

Corey

[Crustyoldbloke]

Hello Corey

I don't use either but from memory, both have an icon in the task bar (normally bottom left where the clock is). Double click it to open the programme interface, look for the "real-time" settings and disable.

I've done remote assistance on many PC's in the USA (1 in Texas and another in NJ yesterday alone) to recall the Norton AV settings. The Ewido programme has a huge yellow "e" I think.

This will only be a temporary issue. Once we can establish which files are hiding and being malicious, we can eradicate them and you can revert back.

BTW, the dumbest question is the one you never asked.

[Alienbaby74]

Another "dumb" question...

How long should this Find Qoologic thing take? I get a text file generated within seconds that lists no files? Am I allowing the program long enough to scan? Since there is no progress bar I have no idea if it is scanning or not. The last thing in the text window is "disregard the parameters message"...should I be waiting for something else or should I just exit?

I did notice that uvkkup is back again once I deactivated the live Ewido Guard...

Here is another copy of the text file genereated by Find Qoologic ....



PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

thats all i keep getting???

and here is Hijack

Logfile of HijackThis v1.99.1
Scan saved at 3:53:08 PM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rnkk.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteppo32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvkkup.exe reg_run
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117663274299
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Crustyoldbloke]

Hello again Corey

Normally the scan takes 3-5 mins. I think HJT has provided with the answers, or at least they look like they are.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

rnkk.exe

Exit the Task Manager when finished.

Close all programmes leaving only HijackThis running. Place a checkmark against each of the following:

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteppo32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvkkup.exe reg_run

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rnkk.exe
C:\windows\system32\eliteppo32.exe
C:\WINDOWS\System32\uvkkup.exe reg_run

Exit Explorer, and reboot as normal afterwards.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rnkk.exe
C:\windows\system32\eliteppo32.exe
C:\WINDOWS\System32\uvkkup.exe reg_run

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Please delete your temporary files.

Double Click My Computer (WinXP: Navigate to Start >My Computer)

You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"...click that button.

Make sure the following are checked:Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and we will take another look.

[Alienbaby74]

Aargh!

uvkkup is still there? when I go to the Windows/System 32 folder it isn't there?

the other two appear to be gone for now.

Logfile of HijackThis v1.99.1
Scan saved at 10:08:26 PM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\uvkkup.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvkkup.exe reg_run
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117663274299
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Alienbaby74]

Oh and also here is another Ewido scan...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:48:25 AM, 6/7/2005
+ Report-Checksum: 698A83D0

+ Date of database: 6/5/2005
+ Version of scan engine: v3.0

+ Duration: 126 min
+ Scanned Files: 95110
+ Speed: 12.58 Files/Second
+ Infected files: 12
+ Removed files: 12
+ Files put in quarantine: 12
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Corey\Cookies\corey@41409448[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\wpaaw.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup


::Report End

[Crustyoldbloke]

Hello again Corey

Please try to run Qoologic fix again. Please be patient.

[Alienbaby74]

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Once again that is all that Qoologic Finder found? I am getting little annoying pop ups again. Sigh.

Hijack log still shows uvkkup.exe reg_run. Can't locate this file when using Windows to navigate to the System 32 folder.

Corey

[Crustyoldbloke]

Hello again Corey

Don't worry. let's just try something else first and then I will come up with something to fix it, I just want to be sure first.

Please download Silent Runners

Please save the file to your desktop. Doubleclick on it to run it.

You may get a warning from your anti-virus program. (Many scripts are dangerous. this script is not.) Please allow the script to run.

After a few minutes, you will be notified when it has completed, a new text report will also appear called “Startup Programs” followed by the PC name and date and the *.txt extension.

Please include that report in your reply.

[Alienbaby74]

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KavSvc" = "C:\WINDOWS\System32\uvkkup.exe reg_run" [null data]



Corey

[Crustyoldbloke]

Hello Corey

Ok, it is just the one file that is persistent. Firstly please ensure you have administrators rights on this PC, and that there are no more identites on this PC (family members wih their own settings).

Please set your system to show
all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

uvkkup.exe

Exit the Task Manager when finished.

Close all programmes leaving only HijackThis running. Place a checkmark against the following:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvkkup.exe reg_run

Click on Fix Checked when finished and exit HijackThis.

[*]Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following file, and delete it:

C:\WINDOWS\System32\uvkkup.exe

Exit Explorer, and reboot as normal afterwards.

If it does not delete,

Open Killbox, and click the radio button that says Standard File Kill. For the file you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

That should delete the file, if it is still present, try again and use the other Killbox instruction to "Delete File on Reboot"

The programme will ask you if you want to reboot; say yes

Let the system reboot.

Post a fresh HJT log for appraisal.

[Alienbaby74]

uvkkup.exe is still there, as is rnkk.exe.....

Logfile of HijackThis v1.99.1
Scan saved at 9:54:39 PM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rnkk.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvkkup.exe reg_run
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117663274299
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe