Qoologic/Winsync Help Needed!!!

Please download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

 

After getting the WinPfind log attached, continue to get these logs and attach them.

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

Now come back here and post the logs as attachments

 

Providing exact error messages (word for word) is a lot more useful to us.

But the error message you were getting could be important especially if it is something about autoexec.nt

Please do not reboot or power down you PC unless we request you to do so. Otherwise this infection could keep renaming itself.

 

Okay let's try the below!

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (if you do not see this exact oikocw.exe filename, look for another O4 line with [winsync] on it and fix that line):
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oikocw.exe reg_run

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (Some may not be found. Let me know what you do and don't find.)
C:\WINDOWS\eiunin2.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\vokvz.dll
C:\WINDOWS\system32\kelkw.dll
C:\WINDOWS\system32\oikocw.exe (if you do not see this exact oikocw.exe filename, look for the one in the O4 line with [winsync] on it and delete that file)
C:\WINDOWS\RMAgentOutput.dll
C:\WINDOWS\Temp\start5\install.DAT <---- in fact it would be best if you delete the whole start5 folder.
C:\WINDOWS\Temp\start5\log1.txt
C:\WINDOWS\Temp\start5\msg.exe
C:\WINDOWS\Temp\start5\Start.exe
C:\WINDOWS\Temp\start5\data\img.bmp
C:\WINDOWS\Temp\start5\data\read.txt
C:\Documents and Settings\Mom\Local Settings\Temp\EINSTALL\INSTALL.EXE
C:\Documents and Settings\All Users\Local Settings\Temp\EINSTALL\INSTALL.EXE
C:\Documents and Settings\Mom\Desktop\jump.url
C:\Documents and Settings\All Users\Desktop\jump.url

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is,
uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this
folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Also download and run Download XP Fix

 

Is the below file visible:

C:\WINDOWS\system32\oikocw.exe

 

Okay! Disable ALL of MS Antispyware's Realtime protection.

Then run HJT and fix the O4 line.
Then reboot and see if a new log is clean.

 

No! Unless we tell you otherwise, always assume normal mode. There are times when certain steps may be run in safe mode but you will always be told when. Like in message 9 where said boot in safe mode before deleting the files.

Get me a new Rkfiles and WinPfind log. Either there is something recreating this key or it is not getting properly removed due to something blocking it (like MS Antispyware or another similar program).

 

Click Start, Run and enter regedit and click OK! Navigate to the below registry key and see if you can find WinSync

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Let me know!

 

Are you sure! WinPfind shows:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
winsync C:\WINDOWS\system32\oikocw.exe reg_run

 

Thanks PP! I gotta change my screen resolution! With the wrap around, I did not see it.

Leezza,

Just look for the file and delete it. If you cannot, then boot to safe mode and delete it.

Afterwards check the HJT log again and see if the O4 line is gone. If not, fix it and see if it stays fixed.

 

Do you mean the file is there? Or do you mean the HJT line?
Either way, delete the file or fix the line. Then reboot and get a new HJT log and see if it is gone. If not, we will need a need WinPfind log to go with the HJT log.

 

That's because you did not get the below deleted:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qhiq.exe

Let's use a different approach.

Disable MS Antispyware again!

Please download: Pocket KillBox

Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

Run HJT and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\oikocw.exe reg_run

After clicking Fix, exit HJT.

Now run Pocket Killbox.

Now, Copy and Paste C:\WINDOWS\system32\oikocw.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qhiq.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

- Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
C:\WINDOWS\system32\oikocw.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qhiq.exe


Now reboot (whether you find them or not) into normal mode.

Now get a new HJT log and attach it here. And tell me how these steps went and how things are working.

 

You're welcome! Now to help keep you clean, work thru the below:

How to Protect yourself from malware!

 

Re: Qoologic/Winsync Help Needed -- Still Gone!!!!

You're welcome. Enjoy the holidays malware free!