Anyone heard of TrojanSpy.Win32.Qukart.m?

Hello to Everyone,

I'm new to this, so please forgive me if i ask stupid questions. I have been unable to get rid of the mysearch toolbar, although i have spybot, Ad-Aware Personal & Spyblaster installed. Today i downloaded HighjackThis in the hope that i could get rid of it.

I went through your HJT Tutorial & managed to remove all the nasties. Did all my other scans and my PC was clean, or so i thought. I got back on-line after perhaps 15mins the damned toolbar appeared, decided to run a2 again and then found that i have two TrojanSpy.Win32.Qukart.m, and my a2 is unable to delete them & i can't find any info on it on the web.

Could you so kindly give me a pointer?

I appreciate your help,

Qhrys

 

Hi Qhrystyna,

If you have exhausted the resources in our Cleanup Tutorial, then go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

Best
PP

 

Hello Again!

Sorry for not replying earlier, i have been away. I would really appreciate it if you could help me out.

I'm sure the problem/solution is obvious thing but i just can't see how I can fix this! I have gone through your instructions on the website time & time again, but the damned lop.com keeps cropping up. My Ad-Aware is the only one that spots but won't get rid of it. In HighjackThis, the R1 line (searchbar) keeps coming up after i delete & re-appears with different random letters!

I'm going to leave it as it is. Whoever is kind enough to give me instructions, could they state the obvios so that i know what to find where, pretty please?

Thank you, thank you, thank you, THANK YOU!!

Qhrys

 

Hi Qhrystyna,

Your HJT Log is not too bad - There are only a few things that we need to fix. However, first I need you to locate HijackThis in its own, safe folder. Here's how to do that:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

Now, extract HJT from the ZIP File to the newly created folder or just move it from the TEMP file where it is now. Then, rescan and attach a fresh log.

Also, tell me if this is the desired setting for this entry:
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.es

I'll check back when time permits.

PP

 

Hola PhilliePhan!


Many thanks for your quick reply, it is always appreciated. I had created a folder for my HighjackThis in Program Files, but then moved it to my desktop so that i could have it handy. However, i followed your instructions as below, created a new folder & extracted the zip file, only to find that it created a double folder in my program files. Should i delete the zip file then?

Anyway, i posted a new log for your review. www.wanadoo.es is my service provider (i'm in Spain) but i rarely go to that page, so it's not necessary to have it.

I'm seriously pulling out my hair over here! Anything you can help me with, again, is greatly appreciated.

Muchas gracias!

Qhrys

 

Hi Qhrystyna,

I really do not see much in your HJT Log to be alarmed about. It would seem to me that there should be more baddies showing if that R1 line keeps coming back. Make sure System Restore is OFF when you fix it this time.


I do not know what this is. Do you? Is it something you need and use?
O4 - HKCU\..\Run: [Copy1] C:\WINDOWS\APPLIC~1\MEDIAB~1\option road proc.exe
It looks a bit like a Trojan!


ANYHOO:
Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now scan with HijackThis and Check the Boxes for the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.voqatfdenknm.us/bx9z9bKXs5c33Dx2NCZz6Gj2HT/8d8cOxM/QhtzHKbsrHoRpnjNwzxrwpiO3fYez.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [Copy1] C:\WINDOWS\APPLIC~1\MEDIAB~1\option road proc.exe ---> If you don't know what this is, I suggest removing it as well.


Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

c:\Program Files\AutoUpdate ---> The Folder

C:\WINDOWS\APPLICATION DATA\MEDIAB~1 ---> Check and see what this folder is for and whether or not you need it. There should be additional letters in the name that are not showing here.

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log.
Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

Best luck
PP

 

Do you use the messenger plus 3 (it's name is something like that and I can't remember the site it gets downloaded from right off hand)?? Anyhow I had that downloaded once and I was getting all kinds of search bars and my home page hijacked and other stuff. Since you mentioned in your post something about a lop.com I thought I would see if you had the Messenger Plus 3 installed.
Because that Messenger Plus 3 just puts alot of crap on a computer and infects it big time with all that crap so if you have it installed you should uninstall it..

 

Dr. Evil does not make mistakes!! And, if I did, I'd never hear the end of it from Mr. Smartypants

 

Phillie I hope I did not offend you when I typed about the Messenger Plus 3 I know that you and Chas are very smart and talented regarding spyware and with me being a blonde I just saw the mention of the lop.com by qhrystyna and remembered what Chas said about it to me and didn't even think about the fact that it would show up in a HJT log.
To "MrSmartyPants" & "DrEvil" I do know first hand that you two are very smart and know what you are talking about regarding spyware and I thank you from the bottom of my heart for all the help and advice you guys have given me over the past few months.. ..

 

You're going to have to do better than that if you want to offend me!!
This Dr. Evil does not have an easily bruised ego!

PP

 

Hi all, and I have a comment about the Messenger Plus 3. My son put it on my comp awhile back and I also had major problems with it. I even wrote to msnsupport about it. They replied and said that it was a program that didn't have anything to do with msn messenger. Someone had put it out there as an add on. But...I ran an HJT at the time and nothing showed up on it about the plus 3. When I called a tech here about it he said it sounded like the program installed under cover.(I think that is the right way to say it?). When I uninstalled it webroot spysweeper finally found trace of it. I hope that all makes sense. If I am wrong, don't feel bad to say so...lol bttrflydaisys