Anyone heard of TrojanSpy.Win32.Qukart.m?

Discussion in 'Malware Help (A Specialist Will Reply)' started by qhrystyna, Jan 9, 2005.

  1. qhrystyna

    qhrystyna Private E-2

    Hello to Everyone,

    I'm new to this, so please forgive me if I ask stupid questions. I have been unable to get rid of the mysearch toolbar, although I have Spybot, Ad-Aware Personal & Spyblaster installed. Today I downloaded HijackThis in the hope that I could get rid of it.

    I went through your HJT Tutorial & managed to remove all the nasties. Did all my other scans and my PC was clean, or so I thought. I got back on-line and after perhaps 15 mins the damned toolbar appeared, so I decided to run a2 again and then found that I have two TrojanSpy.Win32.Qukart.m, and my a2 is unable to delete them & I can't find any info on it on the web.

    Could you so kindly give me a pointer?

    I appreciate your help,

    Qhrys
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Qhrystyna,

    If you have exhausted the resources in our Cleanup Tutorial, then go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    Best :)
    PP
     
  3. qhrystyna

    qhrystyna Private E-2

    Hello Again!

    Sorry for not replying earlier, I have been away. I would really appreciate it if you could help me out.

    I'm sure the problem/solution is an obvious thing but I just can't see how I can fix this! I have gone through your instructions on the website time & time again, but the damned lop.com keeps cropping up. My Ad-Aware is the only one that spots it but won't get rid of it. In HijackThis, the R1 line (searchbar) keeps coming up after I delete it & re-appears with different random letters!

    I'm going to leave it as it is. Whoever is kind enough to give me instructions, could they state the obvious so that I know what to find where, pretty please?

    Thank you, thank you, thank you, THANK YOU!!

    Qhrys
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Qhrystyna,

    Your HJT Log is not too bad - There are only a few things that we need to fix. However, first I need you to locate HijackThis in its own, safe folder. Here's how to do that:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    Now, extract HJT from the ZIP File to the newly created folder or just move it from the TEMP file where it is now. Then, rescan and attach a fresh log.

    Also, tell me if this is the desired setting for this entry:
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.es

    I'll check back when time permits.

    PP :)
     
  5. qhrystyna

    qhrystyna Private E-2

    Hola PhilliePhan!


    Many thanks for your quick reply, it is always appreciated. I had created a folder for my HijackThis in Program Files, but then moved it to my desktop so that I could have it handy. However, I followed your instructions as below, created a new folder & extracted the zip file, only to find that it created a double folder in my Program Files. Should I delete the zip file then?

    Anyway, I posted a new log for your review. www.wanadoo.es is my service provider (I'm in Spain) but I rarely go to that page, so it's not necessary to have it.

    I'm seriously pulling out my hair over here! Anything you can help me with, again, is greatly appreciated.

    Muchas gracias!

    Qhrys
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Qhrystyna,

    I really do not see much in your HJT Log to be alarmed about. It would seem to me that there should be more baddies showing if that R1 line keeps coming back. Make sure System Restore is OFF when you fix it this time.


    I do not know what this is. Do you? Is it something you need and use?
    O4 - HKCU\..\Run: [Copy1] C:\WINDOWS\APPLIC~1\MEDIAB~1\option road proc.exe
    It looks a bit like a Trojan!


    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.voqatfdenknm.us/bx9z9bKXs5c33Dx2NCZz6Gj2HT/8d8cOxM/QhtzHKbsrHoRpnjNwzxrwpiO3fYez.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKCU\..\Run: [Copy1] C:\WINDOWS\APPLIC~1\MEDIAB~1\option road proc.exe ---> If you don't know what this is, I suggest removing it as well.



    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    c:\Program Files\AutoUpdate ---> The Folder

    C:\WINDOWS\APPLICATION DATA\MEDIAB~1 ---> Check and see what this folder is for and whether or not you need it. There should be additional letters in the name that are not showing here.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
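
The recurring R1 entry and the truncated O4 path discussed in this thread, as an added example that is not part of any poster's message or of MajorGeeks' own tooling: a Python script that compares a HijackThis log saved before a fix with one saved after the reboot, and notes entries that were rewritten in between or that hide their real folder behind an 8.3 short name. The sample logs and their hosts are constructed; `parse`, `review` and `expected_hosts` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# R0/R1 lines: "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
# O4 lines: "O4 - <hive>\..\Run: [<entry name>] <command>"
O4_LINE = re.compile(r"^O4 - (\S+?): \[(.+?)\] (.+)$")
SHORT_NAME = re.compile(r"[^\\]{1,6}~\d")  # 8.3 path component such as MEDIAB~1

def parse(log):
    """Return {identity: data} for the R and O4 entries of one HijackThis log."""
    entries = {}
    for line in log.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            entries[(m[1], m[2], m[3])] = m[4]
        elif m := O4_LINE.match(line):
            entries[("O4", m[1], m[2])] = m[3].strip('"')
    return entries

def review(before, after, expected_hosts=()):
    """Compare the log taken before a fix with the one taken after a reboot."""
    old, new, notes = parse(before), parse(after), []
    for ident, data in new.items():
        host = urlsplit(data).hostname if data.lower().startswith("http") else None
        if ident in old and old[ident] != data:
            notes.append((ident, "rewritten since last scan"))
        elif ident in old and host and host not in expected_hosts:
            notes.append((ident, "unexpected host survived the fix"))
        if ident[0] == "O4" and SHORT_NAME.search(data):
            notes.append((ident, "8.3 short path hides real folder name"))
    return notes

# Constructed sample logs modelled on the R1 and O4 lines in the post above;
# the hosts are placeholders, not values taken from the thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.aaaa.example/x1.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [Copy1] C:\WINDOWS\APPLIC~1\MEDIAB~1\option road proc.exe
"""
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.bbbb.example/y2.asp
O4 - HKCU\..\Run: [Copy1] C:\WINDOWS\APPLIC~1\MEDIAB~1\option road proc.exe
"""
```

An entry reported as rewritten points to a process that is still running and restoring the value, so the Run entries and the folders they load from are the next place to look.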
     
  7. shewolf

    shewolf Specialist

    Do you use the Messenger Plus 3 (its name is something like that and I can't remember the site it gets downloaded from right off hand)?? Anyhow I had that downloaded once and I was getting all kinds of search bars and my home page hijacked and other stuff. Since you mentioned in your post something about a lop.com I thought I would see if you had the Messenger Plus 3 installed.
    Because that Messenger Plus 3 just puts a lot of crap on a computer and infects it big time with all that crap, so if you have it installed you should uninstall it.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shewolf,

    If it were installed it would have shown in the HJT log as Messenger Plus 3
    It is not installed!

    And I know PP would not have missed it. ;)
     
  9. PhilliePhan

    PhilliePhan Guest

    Dr. Evil does not make mistakes!! And, if I did, I'd never hear the end of it from Mr. Smartypants :p
     
  10. shewolf

    shewolf Specialist

    Phillie, I hope I did not offend you when I typed about the Messenger Plus 3. I know that you and Chas are very smart and talented regarding spyware, and with me being a blonde I just saw the mention of the lop.com by qhrystyna and remembered what Chas said about it to me and didn't even think about the fact that it would show up in a HJT log.
    To "MrSmartyPants" & "DrEvil" :p :p I do know first hand that you two are very smart and know what you are talking about regarding spyware and I thank you from the bottom of my heart for all the help and advice you guys have given me over the past few months.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nah! We are just stupid artificial intelligence programs pretending to be smart humans so people will feel comfortable with our instructions. How else do you think we could be here so much? ;)
     
  12. PhilliePhan

    PhilliePhan Guest

    You're going to have to do better than that if you want to offend me!! ;)
    This Dr. Evil does not have an easily bruised ego!

    PP :)
     
  13. bttrflydaisys

    bttrflydaisys Private E-2

    Hi all, and I have a comment about the Messenger Plus 3. My son put it on my comp a while back and I also had major problems with it. I even wrote to msnsupport about it. They replied and said that it was a program that didn't have anything to do with MSN Messenger. Someone had put it out there as an add-on. But... I ran an HJT at the time and nothing showed up on it about the Plus 3. When I called a tech here about it he said it sounded like the program installed under cover. (I think that is the right way to say it?) When I uninstalled it, Webroot Spy Sweeper finally found a trace of it. I hope that all makes sense. If I am wrong, don't feel bad to say so...lol ;) bttrflydaisys
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    There have been several versions of this program. The first was called MSN Messenger Plus.
    The latest has the 3 added. They all have always shown in a HJT log. And they all added other crap including LOP.
     
