
Thread: Adware-qoologic problem

  1. #1
    Junior Member, Join Date: Jun 2006, Posts: 1

    Adware-qoologic problem

    I've gotten a package that included SurfSideKick, IPWins, Adware-qoologic, WinAntiVirusPro2006 and possibly some other trojans. I managed to remove most of them using SSD, but the most insidious problem remains.

    The problem is incessant Firefox and IE popups.

    In particular there are two files in the System32 that are periodically executed. They only run for milliseconds, so you can't see them in TaskManager.
    c:\windows\system32\tbhaf.exe
    c:\windows\system32\erqvgl.exe

    I've run Spybot S&D and it detects nothing except some cookies. Microsoft's Windows Defender, on the other hand, detects those two files executing and marks them as Adware-qoologic. However, after running the fix (in Safe Mode), it comes back.

    I tried deleting the files manually, but the problem is that those files are not visible. If I try to execute one of those files in cmd.exe, I get

    'c:\windows\system32\tbhaf.exe' is not recognized as an internal or external command, operable program or batch file.

    If I do dir /ah c:\windows\system32\tb*, I get nothing.
    Similarly, with "del c:\windows\system32\tbhaf.exe" it says it can't find the file. But when I try to overwrite it, I get "Permission denied".

    HiJackThis reports an entry in system.ini, but when I remove those entries (and everything else except the Acrobat stuff) from Safe Mode, they are back whenever I boot in Normal mode.

    Here's my HiJackThis log, any ideas how to proceed?

    Logfile of HijackThis v1.99.1
    Scan saved at 7:41:51 PM, on 6/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\cygwin\bin\cygrunsrv.exe
    C:\cygwin\usr\sbin\sshd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\ShellToys\Cool Desk\Cdesk.exe
    D:\eMule\emule.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Debugging Tools for Windows\kernel_debugging_tutorial.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\emacs\bin\emacs.exe
    C:\Program Files\mIRC\mirc.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijacThis\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tbhaf.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,fwodqqd.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [Cool Desk] C:\Program Files\ShellToys\Cool Desk\Cdesk.exe
    O4 - HKCU\..\Run: [eMuleAutoStart] D:\eMule\emule.exe -AutoStart
    O4 - Startup: Adobe Gamma.lnk.disabled
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: ATI CATALYST System Tray.lnk.disabled
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe

    fyi
    Please do not post hjt logs in the Spybot forum
    BEFORE you post a log, and who will advise you. Preliminary Steps
    Last edited by tashi; 2006-06-03 at 06:18. Reason: Moved topic from Spybot-S&D to Malware forum
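    Added example, not code from the thread or from any of the tools mentioned in it: a small Python check that parses the F2 system.ini lines of a HijackThis log and flags any Shell or UserInit entry beyond the stock values. The sample log lines are constructed from the two F2 entries quoted above plus a clean pair for contrast; the expected values (Explorer.exe and C:\WINDOWS\system32\userinit.exe) are the defaults of a standard Windows XP install and are stated here as an assumption.

```python
import re

# Constructed sample: the two F2 lines from the thread plus an unrelated O4 line
# to show that non-F2 entries are ignored.
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tbhaf.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,fwodqqd.exe",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
])

# Constructed clean log: what the same two keys look like on an uninfected XP box.
CLEAN_LOG = "\n".join([
    r"F2 - REG:system.ini: Shell=Explorer.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
])

# Assumed stock values for Windows XP, lower-cased for case-insensitive comparison.
# Winlogon accepts a comma-separated list here, which is exactly what the adware abuses.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")


def parse_f2(log_text):
    """Return {key: [entries]} for every F2 Shell/UserInit line in a HijackThis log.

    The value is split on commas and empty pieces (such as the trailing comma that
    the default UserInit value carries) are dropped.
    """
    found = {}
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
        found[m.group("key").lower()] = entries
    return found


def find_extra_entries(log_text):
    """Return (key, entry) pairs that are not part of the expected Shell/UserInit value.

    Anything extra in these two lists is started by Winlogon at every logon, which is
    why deleting the files alone does not make the problem go away.
    """
    suspicious = []
    for key, entries in parse_f2(log_text).items():
        for entry in entries:
            if entry.lower() not in EXPECTED[key]:
                suspicious.append((key, entry))
    return suspicious


if __name__ == "__main__":
    for key, entry in find_extra_entries(SAMPLE_LOG):
        print(f"unexpected {key} entry: {entry}")
```

    Running the block prints the two extra names from the log above (tbhaf.exe under Shell and fwodqqd.exe under UserInit) and nothing for the clean log; a blank result on a fresh log after the fix is a quick way to confirm the two F2 lines are really gone.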

  2. #2
    pskelley (In Memoriam - Always in our heart), Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247

    Hi and welcome to the forum. I do not see a lot; some stuff like this: C:\cygwin\bin\cygrunsrv.exe appears to be safe? I do see the markers for the Qoologic trojan, so let's try to get rid of it and see what happens. If your issues are resolved, let us know so we can close the topic, thanks. Please understand that two tools will be used, the Brute Force Uninstaller in conjunction with qooFix, and the instructions must be followed exactly. If executed properly, these two lines will be gone:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tbhaf.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,fwodqqd.exe

    Thanks to LonnyRJones and any others who helped with this fix.

    Download Brute Force Uninstaller to your C:\
    http://www.merijn.org/files/bfu.zip
    Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
    Download qooFix.bat: http://downloads.subratam.org/Lon/qooFix.bat
    (right-click on this link and choose Save As)
    Place qooFix.bat in your C:\BFU folder. (Important!)
    Double-click qooFix.bat. Close all browsers and Explorer folders.
    Choose option 1 (Qoolfix autofix) and follow the prompts.
    Please be patient; it will take about five minutes.
    After the PC has restarted, please post another HijackThis log.

    Thanks...pskelley
    Safer Networking Forums

  3. #3
    tashi (Member of Team Spybot), Join Date: Oct 2005, Location: USA, Posts: 30,961

    Thank you, pskelley.

    yaroslavvb, this topic is closed due to lack of a response.
    If you need it re-opened, please send me a PM and provide a link to the thread.

    Applies only to the original topic starter.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
