• Status: Solved

problem removing adware.QoolAid

I have a machine with W2000 Prof on which Symantec Antivirus keeps telling me it has detected Adware.QoolAid; it tries to eliminate it but can't. Can anybody help me with a solution to eliminate Adware.QoolAid?

Note: this machine also had Adware.Look2Me. I followed the recommendation to run Look2Me-Destroyer, and Look2Me is not showing anymore.

thanks for your help

j2006
6 Solutions
 
rpggamergirl commented:
Have you tried Ewido scan in Safe Mode?
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.

Let us see a hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", "Save". Post a link to the saved list here.
nepostojeci_email commented:
I don't know what it is, but you should check your system with HijackThis,
and upload your log at www.hijackthis.de, and post the link to the uploaded
log here, for further assistance, to make sure your system is clear.

Link from the author's site:
http://www.merijn.org/files/hijackthis.zip
rpggamergirl commented:
>>I don't know what it is, but you should check your system with HijackThis,<<
hmm, that's what I just suggested :)

What he has is a narrator/qoologic infection.
Ewido run in Safe Mode will get rid of it. Ewido must be run in Safe Mode for it to remove qoo files. If Ewido fails (unlikely) then there is a manual removal that works all the time.


There is also another scanner that gets rid of qoologic and that is:
AdwareAway -- 5 day trial only
http://www.download.com/Adware-Away/3640-8022_4-10423219.html
If it still removes it for free (I haven't used that link since Ewido takes care of qoologic)
rpggamergirl commented:
Adware.QoolAid (Symantec) = TROJ_QLOGIC.A (Trend) = Trojan-Downloader.Win32.Qoologic (AVP).

Narrator/qoologic is not as bad as Look2Me; Look2Me attracts more malware to your PC.
In a system with multiple infections, Look2Me must be taken care of first.
j2006 (Author) commented:
the link to the saved list is:

http://www.hijackthis.de/logfiles/934a3224d6fbf711766aa6e00b5dfae4.html

thanks for your help
rpggamergirl commented:
You need to uninstall SurfSideKick 3.

You also need to run Ewido in Safe Mode, or AdwareAway, to get rid of the qoologic infection.
Manually removing qoologic involves using another little scanner to scan for qoo files, then Killbox the qoo files found and undo the changes in the registry.
So it is a lot easier to just use Ewido to get rid of qoologic. If for some reason Ewido can't get rid of it, or AdwareAway can't, then we can remove it manually.

These are all the bad entries in your HijackThis log that you can fix:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)

Delete these folders/files. Bear in mind that there are still qoo files not showing in the log; that's why to manually remove qoologic we need another tool to look for qoo files. Much easier to just run Ewido.
C:\Program Files\SurfSideKick 3 <-- this folder
C:\WINNT\system32\getjcu.exe
C:\WINNT\system32\wnknc.exe  
C:\WINNT\system32\repairs303169563.dll <-- this one is SurfsideKick, and it loads before Windows so you need Killbox "delete on reboot" on this one.
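As an added example (not code from this thread, from HijackThis or from any of the posters), a small Python triage that applies the reasoning in the post above to the quoted log entries: it flags Shell= and UserInit= chaining in system.ini, a populated AppInit_DLLs value, orphaned entries whose file is gone, unnamed URLSearchHooks, and Run keys that start an unrecognised binary from system32. The sample log is constructed from the entries quoted in this thread plus one benign Run entry, and the KNOWN_SYSTEM32_RUN allowlist is an assumption, not a HijackThis rule.

```python
import re

# Constructed sample: entries from the HijackThis log quoted in this thread,
# plus one benign Run entry (mobsync.exe) so the filter has something to leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
"""

# Assumed allowlist of binaries that legitimately start from system32 via a Run key.
KNOWN_SYSTEM32_RUN = {"userinit.exe", "rundll32.exe", "mobsync.exe", "ctfmon.exe"}


def flag(line):
    """Return a reason string if the entry matches a persistence/hijack pattern, else None."""
    m = re.match(r"([A-Z]\d+) - (.*)", line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec == "F2" and body.startswith("REG:system.ini: Shell="):
        # Anything chained after Explorer.exe is started at every logon, before the desktop.
        extra = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip().lower() != "explorer.exe"]
        if extra:
            return "Shell= chained to " + ", ".join(extra)
    if sec == "F2" and body.startswith("REG:system.ini: UserInit="):
        # Anything besides userinit.exe here runs before the shell, in every user's session.
        extra = [p.strip() for p in body.split("=", 1)[1].split(",")
                 if p.strip() and not p.strip().lower().endswith("userinit.exe")]
        if extra:
            return "UserInit= chained to " + ", ".join(extra)
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs loads this DLL into every user32-linked process"
    if sec in ("O9", "O20") and ("(no file)" in body or "(file missing)" in body):
        return "orphaned entry: referenced file is gone, safe to fix"
    if sec == "O4" and "] " in body:
        exe = body.split("] ", 1)[1].split()[0]
        if "\\system32\\" in exe.lower() and exe.lower().rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_RUN:
            return "Run key starts an unrecognised binary from system32"
    if sec == "R3" and "(no name)" in body:
        return "unnamed URLSearchHook DLL hooks every address-bar search"
    return None


def triage(log_text):
    """Return [(section, reason, line)] for every suspicious entry in a HijackThis log."""
    hits = []
    for line in log_text.splitlines():
        reason = flag(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line.strip()))
    return hits


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```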
nepostojeci_email commented:
-------
Step 1:
-------

First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as many as possible, avoiding svchost.exe. Those that belong to
Windows cannot be terminated, so don't worry. This step is
important, because this way you are shutting down any processes that could
reverse everything you clean up.

When you have finished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe, all of the icons on the desktop will disappear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
"explorer" and click the "Open" button. That will restore your desktop back.

AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somewhat lowered.


-------
Step 2:
-------

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bluetopaz/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O16 - DPF: {25D8D7E0-2A54-4D4D-A55D-C247D83C0A75} (BOSIActiveFormX Control) - http://obsidian/tiweb50/downloads/BOSIActiveXGrid.cab
O16 - DPF: {7A39242D-58D7-421D-81EF-BD67FEBDDBB2} (BOSIActiveXMemo Control) - http://obsidian/tiweb50/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {ABE0CADC-D722-4D73-A845-8948FF858A02} (Audit Object) - http://obsidian/tiweb50/downloads/TrackitAudit.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://www.world-check.com/flashdl/swflash.cab

(if this is suspicious to you, then also check these too)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pnbdomain.local
(pnbdomain should be one of your domains, if not, check that item too)

O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.

Greetings.

Also, read rpggamergirl's post, as it is about 90% similar to this one.
r-k commented:
I agree with rpggamergirl - ewido is your best bet for removing this particular pest. May need to run it repeatedly.
j2006 (Author) commented:
I was able to delete Look2Me, but I was not able to delete Adware.QoolAid. I used Ewido in Safe Mode, but Symantec kept detecting it; I tried to delete it manually, but the files were not where Symantec supposedly detected them.
I had to prepare three new machines and a server as top priority, so I had to go to a recent image of the machine and re-install it.
Thanks for all your help, I hope I will have better luck next time. Please share the points.

regards
j2006