Hijack This logfile question

Greetings,

I executed the spyware tutorial to the letter, and am still getting pop-up ads. After running Hijack This, I noticed some O4 entries with executable files that I'm not familiar with, and I cannot find any information about these files on the web. The executable's are:

rexup.exe
nvkuzn.exe
quacji32.exe

Does anyone know of these particular files?

Thanks!

 

Thanks.........

I removed them and will monitor the system to see if they return.......

 

Looks like the nvkuzn.exe file tried to reload, however Microsoft's new spyware program allowed me to block it....It sure would be nice to know that that particular executable is....

Thanks!

 

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

Attached is the log file......Thanks in advance for any help!!!!!

 

You HJT version is WAY out dated. Please update to Hijack This 1.99.1 and attach a new log using the new version.

 

My apologies........Attached is a log using the updated version.........

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

AutoUpdate

Now procede with the following steps:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


Now come back here and post both logs as attachments.

 

Sorry for the delay......Business travel........

I did not see the "Autoupdate" program in the "Add/Remove" programs section, but there is a folder under "Program Files" called "Autoupdate." I deleted this folder via command prompt in Safe Mode, however when I restarted the system, the folder reappeared. I also noticed that when I ran HijackThis again, several executables that I deleted before have now reappeared as well. Regarding "Autoupdate," there's a .dll file in use so I could not delete the folder in standard mode.

Attached are the log files you requested, based on my running of the programs as instructed below.

Thanks again for the wonderful assistance!

 

Download Pocket KillBox
(Don't run it yet)


Now boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\SYSTEM32\gzioxgh.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\OBNDAOR.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\System32\REDIT.cpl into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\SYSTEM32\nvkuzn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\SYSTEM32\supdate.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\SYSTEM32\vpawu.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\CFindUninst.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\CPBFDLL.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\FRVKENC.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\del.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

Allow Killbox to reboot your system. After you have rebooted and windows has loaded attach 2 new logs from the tools and a fresh HJT log.

 

Greetings,

Actions performed as instructed. I ran the RKFiles tool in Safe Mode as before. Looks like many of the files have reappeared, based on the new logs. The Qoologic and RKFiles log are in the next e-mail..........

 

Additional log files.........

 

First, uninstall Microsoft AntiSpyware so it wont block anything we try to fix.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\System32\obndaor.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\SYSTEM32\gzioxgh.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\SYSTEM32\nvkuzn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\SYSTEM32\vpawu.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\dgrpxspx.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\dcocsp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tnkr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

Allow Killbox to reboot your system. After you have rebooted and windows has loaded procede with the next part of this fix.

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\nvkuzn.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [7F8U37R] dgrpxspx.exe
O4 - HKCU\..\Run: [Mor8RXdEQ] dcocsp.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\Program Files\Aprps ←–– Delete this whole folder if it exist!

C:\Program Files\AutoUpdate ←–– Delete this whole folder if it exist!

NEXT:
Run CCleaner

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


After you complete ALL of the above, reboot and post a fresh HJT log along with 2 new logs from the tools.

 

Actions performed, log files attached.......HijackThis log in next e-mail.......

Thanks!!

 

Attachment

 

Scan with HijackThis and Check the Boxes for the following:

O4 - HKCU\..\Run: [Mor8RXdEQ] ws2msft.exe

Make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following file:

C:\WINDOWS\system32\ws2msft.exe
(If you get an error while deleting, boot into Safe Mode and try again)

NEXT:
Run CCleaner

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot, Scan with HijackThis and attach the new log.

 

Greetings,

I ran HijackThis, and could not find the file/entry in question. The file also doesn't exist in either the registry or the system folder. I ran CCleaner and cleanmgr as directed, and attached is a new log file.

There's something called ApproposMedia (or something to that effect) that keeps trying to install, but it is being intercepted by Microsoft's Spyware program. I found a registry entry that I believe is connected to this, and deleted it, so hopefully this threat has been taken care of.

Thanks again for the wonderful assistance!!

 

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

O4 - HKLM\..\Run: [7F8U37R] lapngine.exe
O4 - HKCU\..\Run: [Mor8RXdEQ] iuetetab.exe

Make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\WINDOWS\system32\iuetetab.exe

C:\WINDOWS\system32\lapngine.exe

NEXT:
Run CCleaner

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Actions performed as requested, logfile attached.........Again, thank you so much for the assistance.......I never realized it would be this involved.......

 

Your HJT log is clean, are you having any further problems?

 

Greetings,

It seems everything is back to normal.......Even the "apropos" warning no longer comes up under Microsoft's Spyware program.........

I can't thank you enough for the help........Seems to me if someone can develop a single program that can perform this function, they'd be looking at early retirement!!!!!

Again, many thanks for all the help!!!!!!!!!!!!!!!!!!!!!!!!!

 

You're Welcome!

I've said the same thing, the punks that create this stuff could have a hell of a career if they only would use it in a positive way.

Anyway, You should see this article on How to Protect yourself from malware!