aftermath of surfsidekick

Discussion in 'Malware Help (A Specialist Will Reply)' started by cipher4g, Apr 10, 2006.

  1. cipher4g

    cipher4g Private E-2

    I had HUGE problems with spyware the last few weeks (at its worst, the computer couldn't be run with the modem plugged in, there were so many ads), which seem to have been largely solved by following the info sticky on Surf SideKick.

    However, after restarting, there still are a few random annoying pop-up ads, though far fewer than originally.

    Attached is my HijackThis logfile from the last step in cleaning up Surf Sidekick, after getting rid of everything. Could someone tell me how to rid myself of these last few pestilential pop-ups?

    thanks!

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a few remaining problems and really need to follow our standard cleaning procedures along with another procedure for locating hidden files related to the Qoologic infection you have.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
    To aid us in the next steps related to Qoologic, now download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished
     
  3. cipher4g

    cipher4g Private E-2

    The instructions worked fairly well, but the online scans (BitDefender & Panda ActiveScan) failed to return logs, and BitDefender failed to complete. The FindQool tool also failed to work. The number of pop-ups has not decreased, and I am not sure if there are any specialized scans to rid my computer of remaining problems. Here is the HijackThis log to help with any new recommendations.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to be able to get some of these other tools to work. You have a bunch of problems that are all fighting against us. Let's take a different approach and we will come back to FindQool later.


    First run this -->>> Look2Me VX2 Removal and attach the requested log. Attach this log first before continuing on to the below.

    Then run the below procedure and attach the requested log from it.

    One of your problems is a Wareout infection!

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O4 - HKLM\..\Run: [{BA-A7-7F-FC-ZN}] C:\windows\system32\qjdsregj.exe CORN001
    O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinkrag.exe CORN001
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinkrag.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregj.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AAE1481-F48C-46F7-A757-276EF57CDD52}: NameServer = 85.255.116.98,85.255.112.197
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A377C7AB-8F40-47E8-92B2-9982F1C22195}: NameServer = 85.255.116.98,85.255.112.197

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\Network <--- delete the whole folder if found
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    C:\windows\system32\qjdsregj.exe
    C:\WINDOWS\system32\swinkrag.exe
    C:\WINDOWS\system32\dmonwv.dll

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log.
     
  5. cipher4g

    cipher4g Private E-2

    OK, the Look2Me scan seemed to have worked, the log is attached. The following steps with Wareout scans failed entirely though.

    The FixWareout tool downloaded, installed, but failed to run multiple times in both safe mode and normal boot mode (with both of the files downloaded from either site). I did however successfully run a HijackThis scan and fixed the selected items, as well as manually deleting the highlighted directories in safe mode. UnSpyPC did not exist as a folder or as a program on the Add/Remove Programs list, though two Zeno programs did, both of which I uninstalled (the precise names escape me as I uninstalled them at the beginning of the scans, sorry).

    Attached is the HijackThis log, as well as the Look2Me one. No pop-ups have plagued me since taking these steps. Are they in remission or is the threat solved?

    thanks!

    p.s. - if the threat is solved, I should go ahead and disable system restore & re-enable it after start up as in the READ & RUN ME FIRST sticky, right?

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you are not done yet and we need to get the Wareout removal procedure and FindQool to run. But you missed a couple items in my previous steps:

    C:\Program Files\Network\ipnetwork.exe

    O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinkrag.exe CORN001
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinkrag.exe

    Repeat the procedure and MAKE SURE you fixed those lines and make sure you locate and delete the files as requested. Let me know if you cannot delete them in safe mode as requested.
     
  7. cipher4g

    cipher4g Private E-2

    OK, I fixed those lines and tried to run the entire process again. FixWareout still does not run and everything else worked just fine. Here are the new logs.

    p.s. - there have been no pop-ups since the scans finished the previous time, and most of the problem spots did not return (e.g. the Network folder, dmonwv.dll), though a few did (swinkrag.exe, qjdsregj.exe).

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Alright, WareOut looks like it is gone! Now you need to run FindQool again. If you get any error messages when you try to run it, you must give me the exact word for word message.

    Attach the log from FindQool!
     
  9. cipher4g

    cipher4g Private E-2

    I tried running FindQool again, but it failed.

    I would attach the error message, but, as with the other times, when I run FindQool, it opens an MS-DOS window, prints about 1.5 lines of text, and closes before I can read any of it.

    Also, some of the files that seem to have been removed during the cleaning process were needed for some programs which start up on logon, which causes a mess whenever I log on. How do I stop these otherwise harmless programs from starting on logon?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run it from a command prompt window. Click Start, Run, and enter cmd and click OK. Now assuming you have extracted FindQool to C:\FindQool, then enter the below commands in the command prompt window (follow each command by the Enter key):
    cd c:\findqool
    Qlocate.bat

    Now tell me the error message!

    Be specific. Tell me which files you are referring to and if you are getting messages, as always I need the exact message so I know what is happening. Remember I cannot see your PC.
     
  11. cipher4g

    cipher4g Private E-2

    The error message from FindQool.bat is:

    'find' is not recognized as an internal or external command, operable program or batch file.

    You can disregard the other problem I was having with startup programs.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You seem to be missing one of your built-in Windows system files.

    Click Start and select Search
    Now Select "All files and folders"
    Enter find.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Tell me if and where you find matches.

    You should have at least one match in c:\windows\system32


    If you find no matches, try searching again but use find.ex_

    Yes the file name I gave ends with an underscore.


     
  13. cipher4g

    cipher4g Private E-2

    Neither scan returned any results, following all the instructions you gave me.

    Where should I download a version of find.exe/find.ex_?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP SP2 CD? This must be a Win XP SP2 CD and not a System Recovery disk from a PC manufacturer.

    You should be able to locate either find.exe or find.ex_ in the i386 folder of the CD. The find.ex_ file must be uncompressed using another system command named expand.

    First see if you can find a copy of the file on your CD and copy it to your C:\windows\system32 folder.
     
  15. cipher4g

    cipher4g Private E-2

    I installed the file find.exe from the XP CD (the CD version was the original XP version, the service packs were downloaded) and placed it in ...\system32, but FindQool still fails with the same error message.

    find.exe runs when called in cmd, though, having never used it before, I can't say that it works correctly.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Put a copy of find.exe in the same folder as Qlocate.bat and see what happens. Run Qlocate.bat from the command prompt so you can see error messages.

    It could be that your Windows files search path is messed up. Typing echo %PATH% from the command prompt will give you your search path, which should include the system32 folder along with others.
     
  17. cipher4g

    cipher4g Private E-2

    Well, there does seem to be a problem with my Windows files search path; the results of echo %PATH% are: C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adaptec Shared\System

    however, I moved find.exe into FindQool and the scan worked. Here's the result.

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmm! It ran but it does not seem like it found everything that it should. I wonder if something else is wrong. We will try a fix and let's see what happens.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\yaahd.exe
    C:\WINDOWS\system32\kvhlnbi.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yaahd.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kvhlnbi.exe

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\WINDOWS\system32\yaahd.exe
    C:\WINDOWS\system32\kvhlnbi.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!

    You should try to run Bitdefender and PandaActive scan now too since you did not get them to run earlier. They may uncover other problems.
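    The F2, O17 and O4 entries chaslang asks to fix in this thread are the markers a defender looks for in a HijackThis log: a Winlogon Shell or Userinit value with an extra program chained after the comma, NameServer entries pointing at resolvers you did not configure (the Wareout DNS change), and Run entries that launch a bare executable dropped in system32. The Python script below is an added example, not FindQool, HijackThis or anything posted in the thread; it parses those three line types and reports findings, with a trusted-resolver list you supply as an assumption. The sample input is constructed from lines quoted above plus one benign QuickTime entry.

```python
import ntpath
import re

# Constructed sample: HijackThis lines quoted in this thread plus one benign
# QuickTime O4 entry, so the benign case is visibly left alone.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinkrag.exe CORN001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AAE1481-F48C-46F7-A757-276EF57CDD52}: NameServer = 85.255.116.98,85.255.112.197
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yaahd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kvhlnbi.exe
"""

O4_RE = re.compile(r'^O4 - .+?: \[[^\]]*\] (?P<cmd>.+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.+)$')


def triage_line(line, trusted_resolvers=()):
    """Findings for one HijackThis line; an empty list means nothing looked odd."""
    findings = []
    trusted = set(trusted_resolvers)  # assumed: resolvers your ISP/network actually uses
    if m := F2_RE.match(line):
        parts = [p.strip() for p in m.group('value').split(',') if p.strip()]
        # Clean values are Shell=Explorer.exe and Userinit=<path>\userinit.exe alone;
        # anything after the comma is launched at every logon.
        if m.group('key') == 'Shell' and parts != ['Explorer.exe']:
            findings.append(f"Winlogon Shell chained to extra program(s): {parts[1:]}")
        if m.group('key') == 'UserInit' and len(parts) > 1:
            findings.append(f"Userinit chained to extra program(s): {parts[1:]}")
    elif m := O17_RE.match(line):
        for ip in m.group('servers').split(','):
            if ip not in trusted:
                findings.append(f"DNS resolver {ip} not on trusted list: possible DNS hijack")
    elif m := O4_RE.match(line):
        cmd = m.group('cmd').strip()
        # First token is the executable: a quoted path, or text up to the first space.
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(' ', 1)[0]
        if ntpath.dirname(exe).lower().endswith('\\system32'):
            findings.append(f"Run entry starts {ntpath.basename(exe)} directly from system32: verify it")
    return findings


def triage_log(text, trusted_resolvers=()):
    """Map each flagged log line to its findings; unflagged lines are omitted."""
    report = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and (hits := triage_line(line, trusted_resolvers)):
            report[line] = hits
    return report


if __name__ == '__main__':
    for entry, hits in triage_log(SAMPLE_HJT_LOG).items():
        print(entry + '\n  -> ' + '\n  -> '.join(hits))
```

The system32 heuristic is a prompt to verify, not a verdict: a few legitimate Windows components do autostart from there, so check the file against the HijackThis entries an expert confirmed rather than deleting on the script's say-so.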
     
