VX2 burning me, need help plz
This VX2, CoolWeb stuff is winning; would appreciate any help. I'm about toast and need to get it back to bro. XP Home.
Logfile of HijackThis v1.99.0
Scan saved at 3:56:53 AM, on 12/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qkwokg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Encarta Dictionary Quickshelf.lnk = C:\Program Files\Microsoft Encarta\Encarta World English Dictionary\Qshlfed.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103830959903
O17 - HKLM\System\CCS\Services\Tcpip\..\{353F53C7-C6B3-4C1A-AAB7-6218F0727122}: NameServer = 151.203.0.85 151.202.0.85
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
"
________________________________________________
2,251 items found: 2,251 files, 0 directories.
Total of file sizes: 397,358,966 bytes 378.95 M
Administrator Account = True
--------------------End log---------------------
Ad-Aware sees it, but my logs don't match up to other posts?!?
I know that qkwokg.exe is bad news, but eyes and head are mushy.
Default settings for DLLCompare OK? win\sys32 inc subdir?
If you still need help, please post another hijackthis log taken after a reboot.
Thx crunchie, I'm stumpified.
Logfile of HijackThis v1.99.0
Scan saved at 1:15:51 PM, on 12/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qkwokg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\hjt\hijackthis\HijackThis.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Encarta Dictionary Quickshelf.lnk = C:\Program Files\Microsoft Encarta\Encarta World English Dictionary\Qshlfed.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103830959903
O17 - HKLM\System\CCS\Services\Tcpip\..\{353F53C7-C6B3-4C1A-AAB7-6218F0727122}: NameServer = 151.203.0.85 151.202.0.85
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Both vx2find and DLLCompare same as above.
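Crunchie asked for a second log taken after a reboot, and the useful thing to do with two scans is to diff them and to check which running executables have no visible launcher at all. The following is an added example (not HijackThis code and not from the thread) that does both; BEFORE and AFTER are trimmed, constructed excerpts of the two scans posted above, and the CORE and INTERACTIVE sets are assumed baselines for this particular XP machine.

```python
"""Triage helper for HijackThis-format logs (added example, not part of
HijackThis): parses the 'Running processes:' list and the R/O entries, diffs
two scans, and flags running executables with no O4 (Run key / Startup) or
O23 (service) line.  BEFORE/AFTER are constructed excerpts of the thread's scans."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")
_ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
_HEADER_KEYS = ("Platform", "MSIE")

# Assumed XP baseline: processes the kernel, winlogon or the service control
# manager start with no Run key and no HijackThis-visible service entry.
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Programs the poster launched by hand for the scan (assumption for this thread).
INTERACTIVE = {"iexplore.exe", "hijackthis.exe"}


def parse_hjt(text):
    """Return (header dict, {lowercased path: path}, set of Entry)."""
    header, procs, entries, in_procs = {}, {}, set(), False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "Running processes:":
            in_procs = True
        elif (m := _ENTRY_RE.match(line)):      # first R/O line ends the list
            in_procs = False
            entries.add(Entry(m.group(1), m.group(2)))
        elif in_procs:
            procs[line.lower()] = line          # Windows paths are case-insensitive
        elif line.partition(":")[0] in _HEADER_KEYS:
            key, _, val = line.partition(":")
            header[key] = val.strip()
    return header, procs, entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def unexplained_processes(text, interactive=INTERACTIVE):
    """Running executables that no O4/O23 line names.  Not proof of malware,
    but the first thing a helper looks at: qkwokg.exe has no visible launcher."""
    _, procs, entries = parse_hjt(text)
    launchers = " ".join(e.body.lower() for e in entries
                         if e.section in ("O4", "O23"))
    return sorted(p for p in procs.values()
                  if basename(p) not in CORE | interactive
                  and basename(p) not in launchers)


def diff_scans(before, after):
    """What changed between two scans (here: the pre- and post-reboot logs)."""
    hb, pb, eb = parse_hjt(before)
    ha, pa, ea = parse_hjt(after)
    return {
        "header_changed": {k: (hb.get(k), ha.get(k)) for k in _HEADER_KEYS
                           if hb.get(k) != ha.get(k)},
        "procs_gone": sorted(v for k, v in pb.items() if k not in pa),
        "procs_new": sorted(v for k, v in pa.items() if k not in pb),
        "entries_gone": sorted(eb - ea),
        "entries_new": sorted(ea - eb),
    }


BEFORE = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qkwokg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qkwokg.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\hjt\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for key, val in diff_scans(BEFORE, AFTER).items():
        print(key, val)
    print("unexplained:", unexplained_processes(AFTER))
```

On the two scans in the thread it reports the SP1 to SP2 platform change, the R3/O2/O3 entries that vanished after the reboot, and qkwokg.exe as the only running executable without an O4 or O23 line, which matches the poster's point that whatever starts it is not where HijackThis looks.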
Open Task Manager & end process on the following:
qkwokg.exe
Go to C:\WINDOWS\system32 and delete the file manually.
Download the VX cleaner plug-in for Ad-Aware. Install it, then open Ad-Aware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Ad-Aware & let it finish the clean-up. Reboot again.
http://www.lavasoftusa.com/software/...2cleaner.shtml
Let me know how you get on.
I have tried that, and I cannot find qkwokg.exe anywhere (all folder view options are set properly). I can usually dig this crap out.... On boot, using Regmon, after about 10 minutes qkwokg.exe:620 starts a QueryValue in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
but it can't be seen as a process. Buuuut using Sysinternals Process Explorer, thar she blows, with a start address of qkwokg.exe+0x13001. I haven't tried killing it with Process Explorer and then running Ad-Aware (do that next), but I have tried other routes with the Ad-Aware VX2 add-on, cleaned out all users' temp files, prefetches, etc. When I do run Ad-Aware VX2 it doesn't see anything to remove; regular Ad-Aware finds CoolWeb and VX2, and Regmon goes nutty with many qkwokg entries. Using Filemon after boot shows qkwokg.exe in C:\Docs and setting\joe\localsettgs\Temp internetfiles\content.IE5\index.dat; I repeatedly deleted those areas in previous attempts. I'll try killing and cleaning... again, but if I can't find qkwokg to delete I know it won't work. Any other ideas greatly appreciated. Thx
OK, this may be new: when I try to kill it and delete index.dat, no go; qkwokg just restarts and index.dat is in use...
This is someone's laptop and I have no network to back up files and reinstall the OS.
It is interesting; I've had the laptop on and offline to download stuff and post logs from.
Recently found a "C:\!Submit" folder that appeared empty but said not empty when I tried to delete it. Did a kill of "qkwokg.exe" with Sysinternals Process Explorer, then
KillBox to it, gone. Same with c:\windows\system32\qkwokg.exe: "PE" then KillBox.
But qkwokg still keeps coming back!?!? Oh, before that I was able to remove index.dat with KillBox on boot.
Process PID CPU Description Company Name
System Idle Process 0 97
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 1
smss.exe 716 Windows NT Session Manager Microsoft Corporation
csrss.exe 788 Client Server Runtime Process Microsoft Corporation
winlogon.exe 812 Windows NT Logon Application Microsoft Corporation
services.exe 856 1 Services and Controller app Microsoft Corporation
svchost.exe 1008 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1096 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1132 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1176 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1312 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1532 Spooler SubSystem App Microsoft Corporation
ati2evxx.exe 1636
ccEvtMgr.exe 1652 Event Manager Service Symantec Corporation
dcfssvc.exe 1696 Kodak DC Ring 3 Conduit (Win32) Eastman Kodak Company
HPConfig.exe 1756 HPConfig Module Hewlett-Packard
HPWirelessMgr.exe 1796 HPWirelessMgr Module Hewlett-Packard Co.
Navapsvc.exe 1952 Norton AntiVirus Auto-Protect Service Symantec Corporation
PTSsvc.exe 1984
locator.exe 2044 Rpc Locator Microsoft Corporation
svchost.exe 184 Generic Host Process for Win32 Services Microsoft Corporation
SymWSC.exe 244 Norton Security Center Service Symantec Corporation
alg.exe 1324 Application Layer Gateway Service Microsoft Corporation
lsass.exe 868 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 680 Windows Explorer Microsoft Corporation
SynTPLpr.exe 1400 TouchPad Driver Helper Application Synaptics, Inc.
SynTPEnh.exe 1408 Synaptics TouchPad Enhancements Synaptics, Inc.
Directcd.exe 1456 DirectCD Application Roxio
procexp.exe 3132 1 Sysinternals Process Explorer Sysinternals
qkwokg.exe 2268
Process: qkwokg.exe Pid: 2268
Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\crypt32LogoffEvent
File \Device\NamedPipe\ROUTER
File \Device\Tcp
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\Ip
File \Device\NamedPipe\ROUTER
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File C:\Documents and Settings\Joe\Cookies\index.dat
File C:\Documents and Settings\Joe\Local Settings\History\History.IE5\index.dat
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File C:\Documents and Settings\Joe
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
Key HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKLM
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key HKCU
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\qoolaid_v2.7.4
Mutant \BaseNamedObjects\SynTPFcsMutex
Mutant \BaseNamedObjects\_!MSFTHISTORY!_
Mutant \BaseNamedObjects\c:!documents and settings!joe!local settings!temporary internet files!content.ie5!
Mutant \BaseNamedObjects\c:!documents and settings!joe!cookies!
Mutant \BaseNamedObjects\c:!documents and settings!joe!local settings!history!history.ie5!
Mutant \BaseNamedObjects\WininetStartupMutex
Mutant \BaseNamedObjects\WininetConnectionMutex
Mutant \BaseNamedObjects\WininetProxyRegistryMutex
Mutant \BaseNamedObjects\RasPbFile
Section \BaseNamedObjects\SENS Information Cache
Section \BaseNamedObjects\_mymeanmap_
Section \BaseNamedObjects\SynTPFcsMemMap
Section \BaseNamedObjects\_dll_mmap_shared_2o2o
Section \BaseNamedObjects\C:_Documents and Settings_Joe_Local Settings_Temporary Internet Files_Content.IE5_index.dat_2654208
Section \BaseNamedObjects\C:_Documents and Settings_Joe_Local Settings_History_History.IE5_index.dat_278528
Section \BaseNamedObjects\C:_Documents and Settings_Joe_Cookies_index.dat_65536
Section \BaseNamedObjects\UrlZonesSM_Joe
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Thread qkwokg.exe(2268): 2296
Thread qkwokg.exe(2268): 2296
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\WinSta0
Just now noticing qoolaid, I'll look into it.
I see, KillBox creates !Submit.
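The handle listing above answers the earlier "index.dat in use" failure: qkwokg.exe holds open File handles on all three index.dat files, so a delete cannot succeed while that process lives, and the named Mutants and Sections it holds are the kind of host markers a responder records once they have been attributed. The following is an added example (not Sysinternals code and not from the thread) that parses a listing in this format and extracts both; DUMP is a trimmed, constructed excerpt of the posted listing, and KNOWN_PREFIXES is an assumed allowlist of named objects that other components on this machine account for.

```python
"""Reads a Process Explorer handle listing of the form pasted in the thread
('Process: <image> Pid: <n>' followed by '<Type> <Name>' lines).  Added
example, not Sysinternals code; DUMP is a constructed excerpt of the posted
listing for qkwokg.exe."""
import re
from collections import defaultdict

_PROC_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)$")
_HANDLE_RE = re.compile(r"^(Desktop|Directory|Event|File|Key|KeyedEvent|Mutant|"
                        r"Section|Semaphore|Thread|WindowStation)\s+(.+)$")
# Named-object prefixes that known components on this machine explain
# (WinInet cache/history locks, the Synaptics driver, the shell, RAS, SENS,
# the URL zone map).  Assumed allowlist for this thread, nothing more.
KNOWN_PREFIXES = ("wininet", "syntp", "shell.", "_!msfthistory!_", "c:!", "c:_",
                  "raspbfile", "sens ", "urlzonessm_")


def parse_handle_dump(text):
    """Return {(image, pid): {handle type: [object names]}}."""
    procs, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := _PROC_RE.match(line)):
            current = (m.group(1), int(m.group(2)))
            procs[current] = defaultdict(list)
        elif current and (m := _HANDLE_RE.match(line)):   # 'Type Name' header is skipped
            procs[current][m.group(1)].append(m.group(2))
    return procs


def who_holds(procs, path):
    """Processes with an open File handle on path.  While any of them lives,
    deleting that file fails with 'in use', which is what the poster saw."""
    target = path.lower()
    return sorted(p for p, h in procs.items()
                  if any(n.lower() == target for n in h.get("File", [])))


def unexplained_named_objects(procs, pid):
    """Mutant/Section/Semaphore names held by one process that no known-component
    prefix accounts for.  Candidate host markers to attribute, not verdicts."""
    found = set()
    for (_image, p), handles in procs.items():
        if p != pid:
            continue
        for kind in ("Mutant", "Section", "Semaphore"):
            for name in handles.get(kind, []):
                short = name.rsplit("\\", 1)[-1]        # drop \BaseNamedObjects\
                if not short.lower().startswith(KNOWN_PREFIXES):
                    found.add(short)
    return sorted(found)


DUMP = r"""Process: qkwokg.exe Pid: 2268
Type Name
Desktop \Default
Event \BaseNamedObjects\crypt32LogoffEvent
File \Device\Tcp
File \Device\Ip
File C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File C:\Documents and Settings\Joe\Cookies\index.dat
File C:\Documents and Settings\Joe\Local Settings\History\History.IE5\index.dat
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Mutant \BaseNamedObjects\qoolaid_v2.7.4
Mutant \BaseNamedObjects\SynTPFcsMutex
Mutant \BaseNamedObjects\_!MSFTHISTORY!_
Mutant \BaseNamedObjects\c:!documents and settings!joe!local settings!temporary internet files!content.ie5!
Mutant \BaseNamedObjects\WininetStartupMutex
Mutant \BaseNamedObjects\RasPbFile
Section \BaseNamedObjects\SENS Information Cache
Section \BaseNamedObjects\_mymeanmap_
Section \BaseNamedObjects\SynTPFcsMemMap
Section \BaseNamedObjects\_dll_mmap_shared_2o2o
Section \BaseNamedObjects\C:_Documents and Settings_Joe_Cookies_index.dat_65536
Section \BaseNamedObjects\UrlZonesSM_Joe
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread qkwokg.exe(2268): 2296
"""

if __name__ == "__main__":
    procs = parse_handle_dump(DUMP)
    cache = r"C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\index.dat"
    print("index.dat held by:", who_holds(procs, cache))
    print("unattributed named objects:", unexplained_named_objects(procs, 2268))
```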