PDA

View Full Version : Adware-qoologic problem


yaroslavvb
2006-06-03, 06:40
I've gotten a package that included SurfSideKick, IPWins, Adware-qoologic, WinAntiVirusPro2006 and possibly some other trojans. I managed to remove most of them using SSD, but the most insidious problem remains.

The problem is incessant Firefox and IE popups.

In particular there are two files in the System32 that are periodically executed. They only run for milliseconds, so you can't see them in TaskManager.
c:\windows\system32\tbhaf.exe
c:\windows\system32\erqvgl.exe

I've ran Spybot S&D and it detects nothing except some cookies. Microsoft's
Windows Defender on other hand, detect those two files executing and marks them as Adware-qoologic. However after running the fix (in Safe Mode), it comes back.

I tried deleting the files manually, but the problem is that those files are not visible. If I try to execute one of those files in cmd.exe, I get

'c:\windows\system32\tbhaf.exe' is not recognized as an internal or external command, operable program or batch file.

If I do dir /ah c:\windows\system32\tb*, I get nothing
Similarly with "del c:\windows\system32\tbhaf.exe" it says it can't find the file. But when I try to overwrite it I get "Permission denied".

HiJackThis reports an entry in system.ini, but when I remove those entries (and everything else except Acrobat stuff) from SafeMode, they are back whenever I boot in Normal.

Here's my HiJackThis log, any ideas how to proceed?

Logfile of HijackThis v1.99.1
Scan saved at 7:41:51 PM, on 6/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\cygwin\bin\cygrunsrv.exe
C:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ShellToys\Cool Desk\Cdesk.exe
D:\eMule\emule.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Debugging Tools for Windows\kernel_debugging_tutorial.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\emacs\bin\emacs.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijacThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tbhaf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,fwodqqd.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Cool Desk] C:\Program Files\ShellToys\Cool Desk\Cdesk.exe
O4 - HKCU\..\Run: [eMuleAutoStart] D:\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk.disabled
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: ATI CATALYST System Tray.lnk.disabled
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe

fyi ;)
Please do not post hjt logs in the Spybot forum (http://forums.spybot.info/showthread.php?t=1266)
BEFORE you post a log, and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)
pskelley
2006-06-05, 00:24
Hi and welcome to the forum. I do not see a lot, some stuff like this: C:\cygwin\bin\cygrunsrv.exe appears to be safe? I do see the markers for the Qoologic trojan, so let's try to get rid of it and see what happens. If your issues are resolved, let us know so we can close the topic, thanks. Please understand that two tools will be used. The Brute Force Uninstaller in conjunction with the qooFix and the instructions must be followed exactly. If executed properly these two lines will be gone:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tbhaf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,fwodqqd.exe

Thanks to LonnyRJones and any others who helped with this fix.

Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
(rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

Thanks...pskelley
Safer Networking Forums
tashi
2006-06-09, 17:18
Thank you pskelley

yaroslavvb, this topic is closed due to lack of a response.
If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.