
problem removing adware.QoolAid

j2006 asked (Medium Priority, 3,850 Views, Last Modified: 2010-04-11)
I have a machine with W2000 Prof on which Symantec Antivirus keeps telling me that it has detected Adware.QoolAid; it tries to eliminate it but it can't. Can anybody help me with a solution to eliminate Adware.QoolAid?

Note: this machine also had Adware.Look2Me. I used the recommendation to run look2me-destroyer, and Look2Me is not showing anymore.

thanks for your help

j2006

CERTIFIED EXPERT
Top Expert 2007
Commented:
Have you tried Ewido scan in Safe Mode?
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.

Let us see a hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
http://www.hijackthis.de/
and click "Analyse", then "Save". Post a link to the saved list here.

I don't know what it is, but you should check your system with HijackThis,
and upload your log at www.hijackthis.de, and post the link to the uploaded
log here, for further assistance, to make sure your system is clear.

Link from the author's site:
http://www.merijn.org/files/hijackthis.zip
CERTIFIED EXPERT
Top Expert 2007
Commented:
>>I don't know what it is, but you should check your system with HijackThis,<<
hmm, that's what I just suggested :)

What he has is a narrator/qoologic infection.
Ewido run in Safe Mode will get rid of it. Ewido must be run in Safe Mode for it to remove the qoo files. If Ewido fails (unlikely), then there is a manual removal that works all the time.


There is also another scanner that gets rid of qoologic, and that is:
AdwareAway -- 5 day trial only
http://www.download.com/Adware-Away/3640-8022_4-10423219.html
If it still removes it for free (I haven't used that link since Ewido takes care of qoologic).
CERTIFIED EXPERT
Top Expert 2007
Commented:
Adware.QoolAid (Symantec) = TROJ_QLOGIC.A (Trend) = Trojan-Downloader.Win32.Qoologic (AVP).

narrator/qoologic is not as bad as Look2Me; Look2Me attracts more malware to your PC.
In a system with multiple infections, Look2Me must be taken care of first.

Author

Commented:
the link to the saved list is:

http://www.hijackthis.de/logfiles/934a3224d6fbf711766aa6e00b5dfae4.html

thanks for your help
CERTIFIED EXPERT
Top Expert 2007
Commented:
You need to uninstall SurfsideKick 3.

You also need to run Ewido in Safe Mode or AdwareAway to get rid of the qoologic infection.
Manually removing qoologic involves using another little scanner to scan for qoo files, then Killbox the qoo files found and undo the changes in the registry.
So, it is a lot easier to just use Ewido to get rid of qoologic. If for some reason Ewido can't get rid of it, or AdwareAway can't, then we can remove it manually.

These are all the bad entries in your HijackThis log that you can fix:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)

Delete these folders/files. Bear in mind that there are still qoo files not showing in the log; that's why to manually remove qoologic we need another tool to look for qoo files. Much easier to just run Ewido.
C:\Program Files\SurfSideKick 3 <-- this folder
C:\WINNT\system32\getjcu.exe
C:\WINNT\system32\wnknc.exe
C:\WINNT\system32\repairs303169563.dll <-- this one is SurfsideKick, and it loads before Windows, so you need Killbox "delete on reboot" on this one.
-------
Step 1:
-------

First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as many as possible, avoiding svchost.exe. Those which belong to
Windows will not be able to be terminated, so don't worry. This step is
important, because this way you are shutting down any processes that could
reverse everything you clean up.

When you have finished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe, all of the icons on the desktop will disappear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up; then go to "File -> New Task (Run...)", type
"explorer" and click the "Open" button. That will restore your desktop.

AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somehow lowered.


-------
Step 2:
-------

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bluetopaz/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O16 - DPF: {25D8D7E0-2A54-4D4D-A55D-C247D83C0A75} (BOSIActiveFormX Control) - http://obsidian/tiweb50/downloads/BOSIActiveXGrid.cab
O16 - DPF: {7A39242D-58D7-421D-81EF-BD67FEBDDBB2} (BOSIActiveXMemo Control) - http://obsidian/tiweb50/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {ABE0CADC-D722-4D73-A845-8948FF858A02} (Audit Object) - http://obsidian/tiweb50/downloads/TrackitAudit.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://www.world-check.com/flashdl/swflash.cab

(if this is suspicious to you, then also check these too)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pnbdomain.local
(pnbdomain should be one of your domains, if not, check that item too)

O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.

Greetings.

Also, read the rpggamergrl's post, as it is about 90% similar to this one.
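The entries the experts single out above (the extra program on Shell= and UserInit=, the AppInit_DLLs value, the Winlogon Notify package whose DLL is missing, the orphaned O9 buttons and the URLSearchHook) are the classic Windows 2000/XP logon-time persistence points. The following Python script is an added example written for this page; it is not part of the thread and not a tool any of the posters used. It parses lines in the HijackThis log format quoted in both posts above and applies the same triage rules the experts applied by hand. The severity labels and the heuristics (for example, treating any Run entry that launches from system32 as worth a look) are my own assumptions; the sample log is constructed from the lines quoted in this thread plus two clean entries so the checks have something to leave alone.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the HijackThis log format quoted in this thread; the
# last two lines are clean entries added so the checks have something to skip.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
F2_RE = re.compile(r"REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RE = re.compile(r"(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def finding(line: str, severity: str, reason: str) -> Dict[str, str]:
    return {"line": line, "severity": severity, "reason": reason}


def assess(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one HijackThis line, or None if it looks benign.

    The rules below are my own triage heuristics, not HijackThis logic."""
    raw = line.strip()
    m = LINE_RE.match(raw)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "F2":
        # Shell= should be exactly Explorer.exe and UserInit= exactly userinit.exe;
        # any extra comma-separated program is started at every logon.
        f2 = F2_RE.match(body)
        if not f2:
            return None
        parts = [p.strip() for p in f2.group("value").split(",") if p.strip()]
        if f2.group("key") == "Shell":
            extra = [p for p in parts if p.lower() != "explorer.exe"]
        else:
            extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
        if extra:
            return finding(raw, "high", f"{f2.group('key')}= also starts: {', '.join(extra)}")
        return None

    if section == "O20":
        if body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # an empty AppInit_DLLs value is the normal state
                return finding(raw, "high",
                               f"AppInit_DLLs loads {dlls} into every process that links user32.dll")
        elif body.startswith("Winlogon Notify:") and "(file missing)" in body:
            return finding(raw, "medium", "Winlogon Notify package whose DLL is not visible on disk")
        return None

    if section == "O4":
        # Heuristic (assumption): a Run entry launching from system32 with an
        # unknown name deserves a look; legitimate vendors rarely install there.
        o4 = O4_RE.match(body)
        if o4 and "\\system32\\" in o4.group("cmd").lower():
            return finding(raw, "medium",
                           f"Run entry [{o4.group('name')}] starts {o4.group('cmd')} from system32")
        return None

    if section == "O9" and "(no file)" in body:
        return finding(raw, "low", "IE button/menu item with no backing file (orphan)")

    if section == "R3":
        return finding(raw, "medium", "URLSearchHook DLL hooks address-bar searches: " + body)

    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run assess() over every line of a log and keep only the findings."""
    return [f for f in (assess(l) for l in text.strip().splitlines()) if f]


def severity_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print(severity_counts(scan_log(SAMPLE_LOG)))
```

Run it as-is to see the constructed sample triaged; to use it on a real log, pass the file contents to scan_log(). The point of the script is the same one the experts make: the F2 and O20 entries are the ones that run before the desktop or inside every process, so they are what to clear first and what to re-check in the follow-up log after a reboot.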
r-k

Commented:
I agree with rpggamergirl - ewido is your best bet for removing this particular pest. May need to run it repeatedly.

Author

Commented:
I was able to delete Look2Me, but I was not able to delete Adware.QoolAid. I used Ewido in Safe Mode, but Symantec kept detecting it. I tried to delete it manually, but the files were not where Symantec supposedly detected them.
I had to prepare three new machines and a server as top priority, so I had to go to a recent image of the machine and re-install it.
Thanks for all your help. I hope I will have better luck next time. Please share the points.

regards
j2006