i cant get rid of this malware!

Discussion in 'Malware Help (A Specialist Will Reply)' started by vampira, Jun 5, 2006.

  1. vampira

    vampira Private E-2

    ok. i tried the method that you described and downloaded all those antivirus programs and ran them like described - and the malware won't go away! it seems i have trojan downloader qoologic and some of the antivirus programs also mentioned PECarlin. when i go to running processes naoyt.exe (listed 3 times) and wfjutb.exe are not supposed to be there, and won't go away. my computer won't let me delete the file because it says it's a running process, but every time i hit end process on them they immediately pop back up. when i restart my computer now my desktop takes forever to load, only my wallpaper loads fast, my icons and start menu take about 5 minutes to come up. mozilla also frequently crashes and my computer overall is running very very slow. please help. i posted whatever logs i had, and I couldn't run bitdefender because it said it couldn't load for some reason, and I was using the correct internet explorer. :eek:

    also, in the counterspy log attached i included 2 scans because i ran it twice and it found different things.

    i hope i did everything right here, and that you can help :rolleyes:
     

    Attached Files:

  2. vampira

    vampira Private E-2

    I also ran the special removal procedures for QOOlogic and these are my log files. if they were supposed to get rid of my problems... they didn't. :confused:
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Why are you running this PC without any of the below tools installed:
    - antivirus
    - antispyware
    - firewall

    Did you install Spybot as requested in the READ & RUN ME?
    Did you try using Windows Defender? What happened?


    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\ofwxeckA.exe
    C:\WINDOWS\srviapohlr.exe
    C:\WINDOWS\system32\VSL03.exe
    C:\WINDOWS\system32\VSL05.exe
    C:\WINDOWS\system32\wfjutb.exe
    C:\WINDOWS\system32\noayt.exe
    C:\WINDOWS\system32\dmjukjl.dll
    c:\windows\system32\dwdsregt.exe
    C:\WINDOWS\system32\yjhdeha.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pmvva.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\noayt.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,yjhdeha.exe
    O4 - HKLM\..\Run: [{4C-C2-27-7E-ZN}] c:\windows\system32\dwdsregt.exe GID003
    O4 - HKLM\..\Run: [ofwxeckA] C:\WINDOWS\ofwxeckA.exe
    O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\nideapi.dll (file missing)

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\WINDOWS\ofwxeckA.exe
    C:\WINDOWS\srviapohlr.exe
    C:\WINDOWS\system32\VSL03.exe
    C:\WINDOWS\system32\VSL05.exe
    C:\WINDOWS\system32\wfjutb.exe
    C:\WINDOWS\system32\noayt.exe
    C:\WINDOWS\system32\dmjukjl.dll
    c:\windows\system32\dwdsregt.exe
    C:\WINDOWS\system32\yjhdeha.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pmvva.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  4. vampira

    vampira Private E-2

    i am running a firewall, zone alarm, i use ad-aware weekly for antispyware, and although i don't have an antivirus program running i frequently run housecall online antivirus scanner.

    i installed spybot the way that was requested, and i couldn't run windows defender because it wouldn't work, but i ran counterspy instead as suggested.

    i think that everything is actually gone now, although there are a few things in my running processes that i don't recognize; however they could be from all the programs i've installed to try and get rid of this virus.

    wscntfy.exe is the name on my running processes that i don't recognize, and it says it is being run by my user name on my computer - is this a normal file?
     

    Attached Files:

  5. vampira

    vampira Private E-2

    also i just ran housecall antivirus again to be SURE everything was gone, and it says i have a whole bunch of vulnerabilities on my computer and it also says that troj_qoologic.al !!! :eek:
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry, I missed ZoneAlarm. Ad-aware provides NO Protection. It is an after the fact scanner. Running an online scanner is also not useful since it provides no active protection. It is again after the fact which is too late. You must get adequate protection installed.

    Yes! See: http://www.liutilities.com/products/wintaskspro/processlibrary/wscntfy/

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [wvnmty] C:\WINDOWS\system32\wfjutb.exe reg_run
    O4 - HKCU\..\Run: [ssunu] C:\WINDOWS\system32\wfjutb.exe reg_run

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    (if found):
    C:\WINDOWS\system32\wfjutb.exe
    C:\WINDOWS\system32\dcxxf.dat

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
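The HijackThis entries fixed in this reply and in the earlier one (the Shell= and UserInit= values in system.ini, the HKLM/HKCU Run values, and the orphaned Winlogon Notify entry) are the same logon persistence points a defender checks on any XP box. As an added example, not part of this thread or of HijackThis itself, here is a Python audit run over a constructed HJT log built from the lines quoted above plus one benign control entry; the KNOWN_GOOD baseline is an assumption of the example, not a vetted list.

```python
import re

# Constructed sample: the HijackThis lines quoted in the two replies above,
# plus one benign control entry (ctfmon.exe) added here for contrast.
SAMPLE_HJT = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\noayt.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,yjhdeha.exe
O4 - HKLM\..\Run: [{4C-C2-27-7E-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [ofwxeckA] C:\WINDOWS\ofwxeckA.exe
O4 - HKLM\..\Run: [wvnmty] C:\WINDOWS\system32\wfjutb.exe reg_run
O4 - HKCU\..\Run: [ssunu] C:\WINDOWS\system32\wfjutb.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\nideapi.dll (file missing)
"""

# Assumed baseline of programs a clean XP box may autostart from its Windows dirs.
KNOWN_GOOD = {"explorer.exe", "userinit.exe", "ctfmon.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*?\.exe)\s*(.*)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*?)( \(file missing\))?$")


def audit_hjt(log_text):
    """Return (line, reason) pairs for entries that merit a HijackThis 'Fix'."""
    findings, run_hives = [], {}
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := F2_RE.match(line):
            key, value = m.groups()
            # Shell= must be exactly Explorer.exe, UserInit= exactly userinit.exe.
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            parts = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in parts if p.rsplit("\\", 1)[-1].lower() != expected]
            if extra or len(parts) != 1:
                findings.append((line, f"{key}= carries extra program(s): {extra}"))
        elif m := O4_RE.match(line):
            hive, _name, exe, _args = m.groups()
            exe_name = exe.rsplit("\\", 1)[-1].lower()
            run_hives.setdefault(exe_name, []).append(hive.upper())
            if "\\windows\\" in exe.lower() and exe_name not in KNOWN_GOOD:
                findings.append((line, f"unknown autostart {exe_name} under {hive} Run"))
            if len(run_hives[exe_name]) > 1:  # same binary in HKLM and HKCU Run
                findings.append((line, f"{exe_name} registered in both HKLM and HKCU Run"))
        elif (m := O20_RE.match(line)) and m.group(3):
            # Winlogon Notify DLL that no longer exists: an orphan left by the infection.
            findings.append((line, f"orphaned Winlogon Notify '{m.group(1)}' points at missing DLL"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_hjt(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
```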
     
