problem removing adware.QoolAid

I have a machine with W2000 Prof on which Symantec antivirus keeps telling me that it has detected Adware.QoolAid. It tries to eliminate it but it can't. Can anybody help me with a solution to eliminate the adware.qoolaid?

Note: this machine also had adware.look2me. I used the recommendation to run look2me-destroyer and the look2me is not showing anymore.

thanks for your help

j2006

rpggamergirl Commented:
Have you tried Ewido scan in Safe Mode?
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.

Let us see a hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "scan and save a logfile". Don't fix anything yet, just upload the logfile created. Go here and paste your HijackThis log: http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/url and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/ 
and click "Analyse", "Save".  Post a link to the saved list here.

nepostojeci_email Commented:
I don't know what it is, but you should check your system with HijackThis,
and upload your log at www.hijackthis.de, and post the link to the uploaded
log here, for further assistance, to make sure your system is clear.

Link from the author's site:
http://www.merijn.org/files/hijackthis.zip

rpggamergirl Commented:
>>I don't know what it is, but you should check your system with HijackThis,<<
hmm, that's what I just suggested :)

What he has is a narrator/qoologic infection.
Ewido run in Safe Mode will get rid of it. Ewido must be run in Safe Mode for it to remove qoo files. If Ewido fails (unlikely) then there is a manual removal that works all the time.

There is also another scanner that gets rid of qoologic and that is:
AdwareAway -- 5 day trial only
http://www.download.com/Adware-Away/3640-8022_4-10423219.html
If it still removes it for free (I haven't used that link since Ewido takes care of qoologic)

rpggamergirl Commented:
Adware.QoolAid (Symantec) = TROJ_QLOGIC.A (Trend) = Trojan-Downloader.Win32.Qoologic (AVP).

narrator/qoologic is not as bad as look2me, look2me attracts more malware to your pc.
In a system with multiple infections, look2me must be taken care first.

j2006 (Author) Commented:
the link to the saved list is:

http://www.hijackthis.de/logfiles/934a3224d6fbf711766aa6e00b5dfae4.html

thanks for your help

rpggamergirl Commented:
You need to uninstall SurfsideKick 3.

You also need to run Ewido in Safe Mode or AdwareAway to get rid of the qoologic infection.
Manually removing qoologic involves using another little scanner to scan for qoo files, then using Killbox on the qoo files found and undoing the changes in the registry.
So, it is a lot easier to just use Ewido to get rid of qoologic. If for some reason Ewido can't get rid of it, or AdwareAway can't, then we can remove it manually.

These are all the bad entries in your HijackThis log that you can fix:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll    
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe  
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe    
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run  
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: repairs303169563.dll    
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)

Delete these folders/files. Bear in mind that there are still qoo files not showing in the log; that's why to manually remove qoologic we need another tool to look for qoo files. Much easier to just run Ewido.
C:\Program Files\SurfSideKick 3 <-- this folder
C:\WINNT\system32\getjcu.exe
C:\WINNT\system32\wnknc.exe  
C:\WINNT\system32\repairs303169563.dll <-- this one is SurfsideKick, and it loads before Windows so you need Killbox "delete on reboot" on this one.

nepostojeci_email Commented:
-------
Step 1:
-------

First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as many as possible, avoiding svchost.exe. Those which belong to
Windows will not be able to be terminated. So don't worry. This step is
important, because this way you are shutting down any processes that could
reverse back everything you clean up.

When you have finished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe all of the icons from the desktop will disappear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
"explorer" and click the "Open" button. That will restore your desktop back.

AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somewhat lowered.


-------
Step 2:
-------

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bluetopaz/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O16 - DPF: {25D8D7E0-2A54-4D4D-A55D-C247D83C0A75} (BOSIActiveFormX Control) - http://obsidian/tiweb50/downloads/BOSIActiveXGrid.cab
O16 - DPF: {7A39242D-58D7-421D-81EF-BD67FEBDDBB2} (BOSIActiveXMemo Control) - http://obsidian/tiweb50/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {ABE0CADC-D722-4D73-A845-8948FF858A02} (Audit Object) - http://obsidian/tiweb50/downloads/TrackitAudit.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://www.world-check.com/flashdl/swflash.cab

(if this is suspicious to you, then also check these too)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pnbdomain.local
(pnbdomain should be one of your domains, if not, check that item too)

O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.

Greetings.

Also, read rpggamergirl's post, as it is about 90% similar to this one.
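
An added example, not part of any post in this thread: a small Python triage of HijackThis log lines that picks out the boot and logon load points the experts single out above (extra programs appended to Shell/UserInit, a populated AppInit_DLLs, and entries whose file is gone). The function names and rules are assumptions made for illustration; the sample lines are copied from the log entries quoted in the thread.

```python
import re

# Sample input: entries copied from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pnbdomain.local
O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # e.g. "F2 - <body>"
LOGON_VALUE = re.compile(r"\b(Shell|UserInit)=(.*)$", re.I)
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}  # Windows defaults

def extra_programs(value, expected):
    """Programs in a comma-separated Shell/UserInit value other than the default."""
    names = [p.strip() for p in value.split(",") if p.strip()]
    return [n for n in names if n.rsplit("\\", 1)[-1].lower() != expected]

def triage(log_text):
    """Return (code, reason) pairs for entries that load at boot or logon."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        logon = LOGON_VALUE.search(body) if code == "F2" else None
        if logon:
            key = logon.group(1).lower()
            extra = extra_programs(logon.group(2), EXPECTED[key])
            if extra:
                findings.append((code, f"{key} also starts: {', '.join(extra)}"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # loaded into every process that uses user32.dll
                findings.append((code, f"AppInit_DLLs is populated: {dlls}"))
        elif body.endswith(("(file missing)", "(no file)")):
            findings.append((code, "registry entry points at a file that is gone"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, "-", reason)
```

Entries it does not flag (R3, O4, O17 here) still need a human read; the rules only cover the load points named above.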

r-k Commented:
I agree with rpggamergirl - ewido is your best bet for removing this particular pest. May need to run it repeatedly.

j2006 (Author) Commented:
I was able to delete look2me, but I was not able to delete adware.qoolaid. I used Ewido in safe mode, but Symantec kept detecting it. I tried to delete it manually, but the files were not placed where Symantec supposedly detected them.
I had to prepare three new machines and a server as top priority, so I had to go to a recent image of the machine and re-install it.
Thanks for all your help. I hope I will have better luck next time. Please share the points.

regards
j2006