PDA

View Full Version : qoologic.bj Can't Remove



extremest
2006-07-30, 21:55
I went to the wrong site this morning. I have 2 log files if someone can help me out. I can not get this fixed. I have tried the suggestions from the other 2 threads and it is still here. Here comes the logs

Sun 07/30/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....
C:\WINDOWS\system32\vrtcb.dat
C:\WINDOWS\system32\qteypb.exe
C:\WINDOWS\system32\gdvdo.exe
C:\WINDOWS\system32\wbeygko.dll
C:\WINDOWS\system32\rychahd.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\RYCHAHD.EXE
C:\WINDOWS\SYSTEM32\WBEYGKO.DLL
C:\WINDOWS\SYSTEM32\VRTCB.DAT
C:\WINDOWS\SYSTEM32\QTEYPB.EXE
C:\WINDOWS\SYSTEM32\GDVDO.EXE
C:\WINDOWS\OOLGG.DLL
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\IBQAV.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
07/30/2006 12:41 PM 127,488 ibqav.exe
...

HKEY_LOCAL_MACHINE\software\qstat
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"pliqoa"="C:\\WINDOWS\\system32\\qteypb.exe reg_run"
HKCU
"miprq"="C:\\WINDOWS\\system32\\qteypb.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\gdvdo.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,rychahd.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 17/05/2006

Logfile of HijackThis v1.99.1
Scan saved at 1:48:39 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\gdvdo.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,rychahd.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\CDG Ripper\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140560487421
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://philstavern.servebeer.com/ActiveView.cab
O16 - DPF: {69F62FC3-3FEC-4073-BF33-5C64401C0E5D} (ImageCalc Control) - http://philstavern.servebeer.com/ImageCalc.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

extremest
2006-07-30, 22:10
I forgot to mention that when this sucker got installed it also acted like the lsass virus. it popped up the ntauthority 60 second reboot message the first time didn't do it any other times than that and now my internet connection on that system does not work.

pskelley
2006-08-03, 01:05
Hello and welcome to the forum. Have you resolved your problems? You do have a Qoologic trojan, but we have work to do first. If you still need help, then please start like this.

1) C:\HijackThis.exe <<< return here and make a folder, move HJT.exe into that folder like this: C:\HJT\HijackThis.exe Put the log that is there in the folder also.

2) This is a hijacker that we must use a special tool to remove:
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
http://www.castlecops.com/lsp-102.html <<< information
Read these instructions and download and use the tool:
http://www.bleepingcomputer.com/tutorials/tutorial59.html
This is the item you will be removing: webhdll.dll
This always works well, but here are two emergency tools. You should not need them: http://www.cexx.org/lspfix.htm
http://www.snapfiles.com/get/winsockxpfix.html

Once you complete the above, post a new HJT log and I will respond as soon as possible with instructions.

Thanks...pskelley
Safer Networking Forums

extremest
2006-08-05, 21:36
I currently have it fixed. I ran x-cleaner and that fixed the internet issue. Between kasp, x-cleaner, regcure, ewido, and adaware I managed to get rid of it. ALso used hijackthis.

pskelley
2006-08-05, 22:32
I would be glad to look at a new HJT log to make sure you are clean. Your Call.

Thanks

tashi
2006-08-11, 07:56
This topic has been archived.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.