Solved

problem removing adware.QoolAid

Posted on 2006-03-27
3,830 Views
Last Modified: 2010-04-11
I have a machine with W2000 Prof on which Symantec antivirus keeps telling me it has detected Adware.QoolAid. It tries to eliminate it but it can't. Can anybody help me with a solution to eliminate the adware.qoolaid?

note: this machine also had adware.look2me. I used the recommendation to run look2me-destroyer and the look2me is not showing anymore.

thanks for your help

j2006
Question by:j2006
9 Comments
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 480 total points
ID: 16307063
Have you tried Ewido scan in Safe Mode?
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.

Let us see a hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "scan and save a logfile". Don't fix anything yet, just upload the logfile created: go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/url and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", "Save". Post a link to the saved list here.
0
 
LVL 8

Assisted Solution

by:nepostojeci_email
nepostojeci_email earned 270 total points
ID: 16309356
I don't know what it is, but you should check your system with HijackThis,
and upload your log at www.hijackthis.de, and post the link to the uploaded
log here, for further assistance, to make sure your system is clear.

Link from the author's site:
http://www.merijn.org/files/hijackthis.zip
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 480 total points
ID: 16310117
>>I don't know what it is, but you should check your system with HijackThis,<<
hmm, that's what I just suggested :)

What he has is a narrator/qoologic infection.
Ewido run in Safe Mode will get rid of it. Ewido must be run in Safe Mode for it to remove qoo files. If Ewido fails (unlikely) then there is a manual removal that works all the time.


There is also another scanner that gets rid of qoologic and that is:
AdwareAway -- 5 day trial only
http://www.download.com/Adware-Away/3640-8022_4-10423219.html
If it still removes it for free (I haven't used that link since Ewido takes care of qoologic).
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 480 total points
ID: 16310187
Adware.QoolAid (Symantec) = TROJ_QLOGIC.A (Trend) = Trojan-Downloader.Win32.Qoologic (AVP).

narrator/qoologic is not as bad as look2me; look2me attracts more malware to your pc.
In a system with multiple infections, look2me must be taken care of first.
0
 
LVL 1

Author Comment

by:j2006
ID: 16310371
the link to the saved list is:

http://www.hijackthis.de/logfiles/934a3224d6fbf711766aa6e00b5dfae4.html

thanks for your help
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 480 total points
ID: 16315090
You need to uninstall SurfsideKick 3

You also need to run Ewido in Safe Mode or AdwareAway to get rid of qoologic infection.
Manually removing qoologic involves using another little scanner to scan for qoo files, then Killbox the qoo files found and undo the changes in the registry.
So, it is a lot easier to just use Ewido to get rid of qoologic. If for some reason Ewido can't get rid of it, or AdwareAway can't, then we can remove it manually.

These are all the bad entries in your HijackThis log that you can fix:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)

Delete these folders/files. Bear in mind that there are still qoo files not showing in the log; that's why to manually remove qoologic we need another tool to look for qoo files. Much easier to just run Ewido.
C:\Program Files\SurfSideKick 3 <-- this folder
C:\WINNT\system32\getjcu.exe
C:\WINNT\system32\wnknc.exe
C:\WINNT\system32\repairs303169563.dll <-- this one is SurfsideKick, and it loads before Windows, so you need Killbox "delete on reboot" on this one.
0
 
LVL 8

Accepted Solution

by:nepostojeci_email
nepostojeci_email earned 270 total points
ID: 16319378
-------
Step 1:
-------

First of all, when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click the "Open process manager" button.
You should see a list of processes currently running on your computer.
Try to kill as many as possible, avoiding svchost.exe. Those which belong to
Windows will not be able to be terminated, so don't worry. This step is
important, because this way you are shutting down any processes that could
reverse everything you clean up.

When you have finished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe, all of the icons on the desktop will disappear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up; then go to "File -> New Task (Run...)", type
"explorer" and click the "Open" button. That will restore your desktop.

AFTER, and only after, you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somewhat lowered.


-------
Step 2:
-------

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bluetopaz/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O16 - DPF: {25D8D7E0-2A54-4D4D-A55D-C247D83C0A75} (BOSIActiveFormX Control) - http://obsidian/tiweb50/downloads/BOSIActiveXGrid.cab
O16 - DPF: {7A39242D-58D7-421D-81EF-BD67FEBDDBB2} (BOSIActiveXMemo Control) - http://obsidian/tiweb50/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {ABE0CADC-D722-4D73-A845-8948FF858A02} (Audit Object) - http://obsidian/tiweb50/downloads/TrackitAudit.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://www.world-check.com/flashdl/swflash.cab

(if this is suspicious to you, then also check these too)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pnbdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pnbdomain.local
(pnbdomain should be one of your domains, if not, check that item too)

O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.

Greetings.

Also, read rpggamergirl's post, as it is about 90% similar to this one.
0
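Both rpggamergirl's list of bad entries and Step 1/Step 2 of the answer above come down to the same two checks: which running processes fall outside the Windows core set, and which HijackThis lines (Shell=/UserInit= chaining, system32 autoruns, orphaned O9 buttons, AppInit_DLLs, unknown Winlogon Notify packages, a changed start page or DNS domain) deserve a "Fix checked". The script below is an added example written for this edit, not HijackThis code and not something either poster supplied; its allow-lists (expected domain, start pages, the 2000/XP-era Winlogon notification package names) and the sample log are constructed assumptions that a reviewer would adjust for the machine in front of them.

```python
"""Triage of a HijackThis 1.99-style log and of the Step 1 process list.
Added example, not HijackThis code; allow-lists below are assumptions."""

# Step 1 baseline from the accepted answer: the only processes expected to
# remain on a Windows 2000 box after everything else has been killed.
CORE_PROCESSES = {
    "csrss.exe", "explorer.exe", "hijackthis.exe", "lsass.exe",
    "services.exe", "smss.exe", "svchost.exe", "system",
    "system idle process", "winlogon.exe",
}

# Assumed site-specific allow-lists (constructed for this example).
EXPECTED_DOMAINS = {"pnbdomain.local"}
EXPECTED_START_PAGES = {"about:blank"}
# Winlogon notification packages normally present on 2000/XP (assumption).
KNOWN_NOTIFY_DLLS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Names the thread identifies as adware, used as a simple watch list.
WATCH_NAMES = ("surfsidekick", "ssk.exe")

# Constructed sample built from the entry types quoted in the thread, with two
# benign lines mixed in; it is not the questioner's real log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bluetopaz/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wnknc.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hjrrmad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [fvxbcs] C:\WINNT\system32\getjcu.exe reg_run
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pnbdomain.local
O20 - AppInit_DLLs: repairs303169563.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\h22o0cf3ef2.dll (file missing)
"""


def unexpected_processes(names):
    """Return, sorted, the process names that fall outside the core baseline."""
    return sorted({n for n in names if n.lower() not in CORE_PROCESSES})


def triage(log_text):
    """Return [(log_line, reason)] for the entries a reviewer would fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code, _, body = line.partition(" - ")   # "O20" / rest of the entry
        low = body.lower()
        reason = None
        if code in ("R0", "R1") and "start page" in low:
            url = body.split("=", 1)[1].strip()
            if url not in EXPECTED_START_PAGES:
                reason = "browser start page set to " + url
        elif code == "F2" and "shell=" in low:
            # Shell= must be exactly Explorer.exe; anything after a comma is chained in.
            if low.split("shell=", 1)[1].strip() != "explorer.exe":
                reason = "extra program chained after Explorer.exe in Shell="
        elif code == "F2" and "userinit=" in low:
            # UserInit is a comma list; only userinit.exe itself belongs there.
            parts = [p.strip() for p in low.split("userinit=", 1)[1].split(",") if p.strip()]
            if any(not p.endswith("userinit.exe") for p in parts):
                reason = "extra program chained in UserInit="
        elif code == "O4":
            # Heuristic (noisy on purpose): autoruns living in system32 or on the watch list.
            if "\\system32\\" in low or any(w in low for w in WATCH_NAMES):
                reason = "autorun from system32 or on the watch list"
        elif code == "O9" and "(no file)" in low:
            reason = "orphaned IE toolbar button"
        elif code == "O17":
            domain = body.split("=", 1)[1].strip().lower()
            if domain not in EXPECTED_DOMAINS:
                reason = "unexpected DNS domain " + domain
        elif code == "O20" and low.startswith("appinit_dlls:"):
            if body.split(":", 1)[1].strip():
                reason = "AppInit_DLLs loads a DLL into every process"
        elif code == "O20" and low.startswith("winlogon notify:"):
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if "(file missing)" in low or name not in KNOWN_NOTIFY_DLLS:
                reason = "unknown or missing Winlogon notification package " + name
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(why + ":\n    " + entry)
    print(unexpected_processes(["csrss.exe", "Ssk.exe", "svchost.exe", "getjcu.exe"]))
```

Run against the sample, `triage` flags eight lines and leaves the benign mobsync.exe autorun, the crypt32chain notify package and the expected domain alone; the O4 rule is deliberately broad because the thread's droppers use random names in system32, so treat its hits as candidates to look up rather than an automatic fix list.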
 
LVL 32

Expert Comment

by:r-k
ID: 16329410
I agree with rpggamergirl - ewido is your best bet for removing this particular pest. May need to run it repeatedly.
0
 
LVL 1

Author Comment

by:j2006
ID: 16365348
I was able to delete look2me, but I was not able to delete adware.qoolaid. I used ewido in safe mode, but symantec kept detecting it. I tried to delete it manually, but the files were not placed where symantec supposedly detected them.
I had to prepare three new machines and a server as top priority, so I had to go to a recent image of the machine and re-install it.
Thanks for all your help, I hope I will have better luck next time. Please share the points.

regards
j2006
0
