rpka.exe and the unbeatable TrojanDownloader.Qoologic

Discussion in 'Malware Help (A Specialist Will Reply)' started by tovlakas, Jul 9, 2005.

  1. tovlakas

    tovlakas Private E-2

    Hi all,

    I have been using this wonderful site for a while, as it's always the first site to pop up in Yahoo when I am searching for how to fix my computer. Usually I just look at previous posts and do what they say to do, but this problem just doesn't seem to go away!

    I thought I had an impenetrable fortress of a computer, as I have Spyware Blaster and Guard, as well as Spybot and Ad-Aware and Norton, but unfortunately my computer doesn't protect against when I click "install spyware" by accident, which is what happened. Hopefully a genius or "major geek" here can help me out :)

    Ewido Security keeps popping up that I have a TrojanDownloader.Qoologic.[random letter here]. Sometimes it will pop up once or twice and will stop popping up after I select block or block and don't allow access, but other times it will keep popping up indefinitely no matter how many times I click the OK button. I scanned with Norton and it picked up 2 infected files, but that didn't help; upon restarting the computer I was back to square one. So let's take this step by step. I will start off by posting a HJT log:

    Edit by chaslang: Unrequested inline log removed

    I look forward to any help that can be given. Thanks!
     
    Last edited by a moderator: Jul 9, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Please run the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).


    And since it seems you have a Look2Me VX2 infection:

    Please download the following tool and save it where you will be able to find it.

    L2MeFix Tool

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until Notepad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Now reconnect and come back here and post as an attachment the l2mfix log.

    This will not fix the VX2 infection yet. We first need to see what you have then we can proceed with the fix.
     
  3. tovlakas

    tovlakas Private E-2

    My apologies for not following the rules, that won't happen again.

    I followed the linked instructions word for word, and then did a hjt and l2mfix scan. Here are the logs for each.
     

    Attached Files:

  4. tovlakas

    tovlakas Private E-2

    Seems that the popups have come back since doing those steps too... interesting.
     
  5. PhilliePhan

    PhilliePhan Guest

    Those steps were part of the initial analysis . . . . Here is the next step:

    FIRST:
    Please make sure ALL Browser Windows are Closed!

    Go to the L2MFix folder on your Desktop and double-click l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually cough out another log in Notepad.

    Again, don't run any other files in the L2MFix folder.

    Then rescan with HJT and attach a fresh HJT Log and the new L2MeFix log and Chaslang will continue on from there . . . .;)

    PP :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for continuing with the fix, PP.

    Tovlakas,

    After running what PP gave you, please continue with the below. You have a bunch of other problems. The tools below will help us locate some hidden files so we can work up a fix.

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, double-click Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Also download and extract to its own folder Pocket KillBox
    Do not run it yet. We will be using it later to fix some problems.
     
  7. tovlakas

    tovlakas Private E-2

    What I meant to say was I had previously gotten rid of most of the popups through steps from a different website, but while doing the initial steps in that sticky on this site, Virtual Bouncer and Ad Destroyer installed themselves, and the popups all came back. I had gotten rid of Aurora and VBouncer and Ad Destroyer through a Nail fix program, but I guess they were just locked and I managed to unlock them through these steps :S

    Anyway, I did as directed, here are the logs:
     

    Attached Files:

  8. tovlakas

    tovlakas Private E-2

    Clicking the Qoologic Tool link gives a site that says the tool is no longer available :(
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just run RKFiles for now.
     
  10. tovlakas

    tovlakas Private E-2

    Do you want me to reboot the computer into normal mode before posting the log, or should I be in safe mode with networking and stay there?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you had not completely fixed the problems, or someplace you went reinstalled them. You will not get any of these items from MajorGeeks nor from running the processes.

    Note: It is not a good idea to work problems on multiple forums. If you wish to work your problem elsewhere that's fine. But do not work at two places at once.

    Did you look to see if any of the items appear in Add/Remove Programs?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Reboot to normal mode to post the log.

    Do you use a Promise hard disk controller, or do you use RAID? I'm wondering about the below lines that seem fishy:

    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

    Also do you have a Soltek motherboard and is the below for it:
    O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
     
  13. tovlakas

    tovlakas Private E-2

    I use Promise. And yeah, it's a Soltek mobo.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you see the question on your motherboard I just added?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you boot into safe mode to run RKFiles, also do the below (so download the tool now):

    Please follow the steps below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    - Now reboot into safe mode and run abiremover.exe, but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click Install and wait (the Explorer window will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.
     
  16. tovlakas

    tovlakas Private E-2

    OK, I didn't get your last message till I had already done the RK tool, so I will post the RK log and then go back into safe mode and do the steps below. Please post what you want me to do next so when I come back I can do it (i.e. new HJT log or whatever). Hopefully you didn't want me to run this tool BEFORE doing the RK scan...
     

    Attached Files:

  17. tovlakas

    tovlakas Private E-2

    Ok, I ran the ABI Remover, and am ready for the next step.
     
  18. tovlakas

    tovlakas Private E-2

    I assume you want a new hjt log... so I will go ahead and post one.
     

    Attached Files:

  19. tovlakas

    tovlakas Private E-2

    Any news?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hnjahj.exe reg_run
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [bjguvmy] c:\windows\system32\ikmnvf.exe r
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\VBouncer <--- the whole folder
    C:\WINDOWS\cfgmgr52.dll
    C:\WINDOWS\system32\hnjahj.exe
    c:\windows\system32\ikmnvf.exe
    C:\WINDOWS\tegvntnrrq.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to C:\Windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Do not reboot after posting your log. Otherwise any remaining problems could mutate, making the next fix I would post a waste of time.
     
  21. tovlakas

    tovlakas Private E-2

    Check back in 15 minutes; I accidentally posted here. I will edit this post and attach the log.
     
  22. tovlakas

    tovlakas Private E-2

    Alright... I followed the instructions, but I could find no VBouncer or Virtual Bouncer folder, and also could not find hnjahj.exe or ikmnvf.exe. I had all the files checked to be shown, so they must not exist anymore on my computer.

    Here is the log.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. How are things working?
     
  24. tovlakas

    tovlakas Private E-2

    It's working very nicely... the only thing I have noticed since doing these fixes is when I start up Windows now, it takes like 3 minutes for the network connection to show up in my task menu, you know, the little computer icons that show you are online... and it's the actual connection taking a while to load, because I can't access anything online (browser) until those icons pop up. Any ideas what's causing that?

    Other than that... thanks so much for your help, you are a godsend!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No idea. But the more items you load at startup, the longer it takes to start up! Sometimes it is just a price you need to pay for protection. You still are not even using a real firewall, which you must have. See the steps in: How to Protect yourself from malware!

    After installing a real firewall, disable the Win XP SP2 firewall which does not provide sufficient protection.
     