Another victim of Qoologic

Discussion in 'Malware Help (A Specialist Will Reply)' started by AlanWild, May 21, 2006.

  1. AlanWild

    AlanWild Private E-2

    My Dell Pentium 4 2.00GHz with XP Home (Service Pack 2) has been victimized with Qoologic according to Defender. Despite many hours with purchased antispyware programs, reading this forum, etc., I have been unsuccessful in removing the bug. So I humbly request your help. I have attached a Qlocate scan result. Also, the infected machine is currently disabled from my home network and I am using a second machine to communicate. System Restore has been turned off. Thanks, Alan Wild (attachment: report.txt)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    The below procedure may not completely work to remove your Qoologic problems! Normally we require the READ & RUN ME FIRST Before Asking for Support sticky thread to be run first and then the Qlocate program. However, let's give it a try and see what happens.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\ehczrw312.exe
    C:\WINDOWS\system32\DHaxi.exe
    C:\WINDOWS\SYSTEM32\BLMTKDS.EXE
    C:\WINDOWS\SYSTEM32\FOOLQFE.DLL
    C:\WINDOWS\SYSTEM32\FEEOL.DAT
    C:\WINDOWS\SYSTEM32\YHOLAW.EXE
    C:\WINDOWS\SYSTEM32\PQGPA.EXE
    C:\WINDOWS\UNWN.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robmg.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\WINDOWS\system32\pwdef.dat
    C:\WINDOWS\system32\kyobsb.exe
    C:\WINDOWS\system32\biffs.exe
    C:\WINDOWS\system32\qgobkjq.dll
    C:\WINDOWS\system32\lemjdgf.exe
    C:\WINDOWS\IUUIK.DLL
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\chbcy.exe

    Then reboot into normal mode and attach a new log from FindQool, and also tell me how things are working. If still having any problems, run ALL steps in the READ & RUN ME sticky thread and attach the three requested logs.
     
  3. AlanWild

    AlanWild Private E-2

    Please find attached the logs for FindQool and BitDefender. I couldn't get Panda ActiveScan to run. It stopped when I clicked on Scan Local Disks, giving me an "Error on page" yellow triangle in the lower left corner of the screen.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like the steps that I gave in my previous message were not correct. I forgot to edit something to make it correct for your form of the infection. Thus it had no effect.

    Please complete the rest of the READ & RUN ME (step 7) and attach the HijackThis log.

    Then I will post a new fix that should help get you fixed up.
     
  5. AlanWild

    AlanWild Private E-2

    Ok - here is the latest Hijack log
    -Alan
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you posted your HJT log from safe mode instead of normal boot mode as specified in step 7 of the READ ME. I will give a procedure anyway, but we may miss something due to the log being in safe mode.

    First look in Add/Remove programs for SurfSideKick 3 and uninstall if found.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\ms030601200195.exe
    C:\WINDOWS\system32\lshosts32.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\windows\system32\psdsregj.exe
    C:\WINDOWS\system32\swintqaf.exe
    C:\WINDOWS\system32\pwdef.dat
    C:\WINDOWS\system32\kyobsb.exe
    C:\WINDOWS\system32\biffs.exe
    C:\WINDOWS\system32\lemjdgf.exe
    C:\WINDOWS\SYSTEM32\QGOBKJQ.DLL
    C:\WINDOWS\SYSTEM32\repairs303169587.dll
    C:\WINDOWS\IUUIK.DLL
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\chbcy.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue. I'm guessing due to the safe mode log!)
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\ms030601200195.exe
    C:\WINDOWS\system32\lshosts32.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\windows\system32\psdsregj.exe
    C:\WINDOWS\system32\swintqaf.exe
    C:\WINDOWS\system32\pwdef.dat
    C:\WINDOWS\system32\kyobsb.exe
    C:\WINDOWS\system32\biffs.exe
    C:\WINDOWS\system32\lemjdgf.exe
    C:\WINDOWS\system32\??crosoft.NET\javaw.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\biffs.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lemjdgf.exe
    O2 - BHO: (no name) - {51171D78-07EA-0D12-7D5A-7ECD2A920E2F} - (no file)
    O2 - BHO: (no name) - {F753D739-76C9-E76F-EB3C-B51FE0E6E61E} - (no file)
    O3 - Toolbar: (no name) - {CC6FF8D1-66AA-4BC1-812B-2E4E2C03861F} - (no file)
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [{3C-CF-FF-F0-ZN}] C:\windows\system32\psdsregj.exe FI002
    O4 - HKLM\..\Run: [ms030601200195] C:\WINDOWS\ms030601200195.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
    O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt yazb
    O4 - HKCU\..\Run: [Jjsroks] C:\WINDOWS\system32\??crosoft.NET\javaw.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swintqaf.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://download.toontown.com/sv1.0.14.33/ttinst.cab
    O20 - AppInit_DLLs: repairs303169587.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Now exit HJT.

    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\Program Files\rdso <--- the whole folder
    C:\WINDOWS\system32\??crosoft.NET <--- the whole folder
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\ms030601200195.exe
    C:\WINDOWS\system32\lshosts32.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\windows\system32\psdsregj.exe
    C:\WINDOWS\system32\swintqaf.exe
    C:\WINDOWS\system32\pwdef.dat
    C:\WINDOWS\system32\kyobsb.exe
    C:\WINDOWS\system32\biffs.exe
    C:\WINDOWS\system32\lemjdgf.exe
    C:\WINDOWS\SYSTEM32\QGOBKJQ.DLL
    C:\WINDOWS\SYSTEM32\repairs303169587.dll
    C:\WINDOWS\IUUIK.DLL
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\chbcy.exe

    Then reboot into normal mode and attach a new log from FindQool also tell me how things are working.
     
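The HijackThis lines chaslang asks to fix above fall into a handful of recurring patterns: entries whose file is already gone, Winlogon Shell/UserInit values with an extra program appended, Run keys pointing at a bare filename, AppInit_DLLs, domains added to the IE Trusted Zone, and ActiveX downloads from a raw IP. The following script is an added example, not code from this thread or from HijackThis itself; it parses the "Rn/Fn/On - ..." line format shown in the log and applies those defender-side heuristics to produce a triage list. The sample log is constructed from lines quoted in the thread, and the heuristics and the `Finding`/`triage` names are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, assumed heuristics)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\biffs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lemjdgf.exe
O2 - BHO: (no name) - {51171D78-07EA-0D12-7D5A-7ECD2A920E2F} - (no file)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - ADMtek Incorporated. - (no file)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A Run-key target given as a bare filename (no directory) is resolved through
# the search path, so the log alone cannot tell which file actually runs.
BARE_TARGET_RE = re.compile(r"\] (?P<target>[^\\\s\"]+\.(?:exe|dll|scr|com))(?:\s|$)", re.I)
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Split one log line into (section, body); None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_entry(section, body):
    """Return why this entry deserves attention, or None if it looks benign."""
    if "(no file)" in body or "(file missing)" in body:
        return "orphaned registration: points at a file that no longer exists"
    if section == "F2":
        # body looks like "REG:system.ini: Shell=Explorer.exe, C:\...\biffs.exe"
        _, _, setting = body.partition(": ")
        key, _, value = setting.partition("=")
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if key.strip().lower() == "shell" and [p.lower() for p in parts] != ["explorer.exe"]:
            return "Winlogon Shell hijack: extra program started with the shell"
        if key.strip().lower() == "userinit":
            extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
            if extra:
                return "Winlogon UserInit hijack: extra program started at logon"
    if section == "O4" and BARE_TARGET_RE.search(body):
        return "Run entry with a bare filename: target resolved via search path"
    if section == "O15":
        return "domain added to IE Trusted Zone: content runs with relaxed security"
    if section == "O16" and RAW_IP_URL_RE.search(body):
        return "ActiveX download (DPF) from a raw IP address"
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.partition(":")[2].strip():
        return "AppInit_DLLs set: DLL injected into every process that loads user32"
    return None


def triage(log_text):
    """Run every line through check_entry and collect the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        reason = check_entry(section, body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Nine of the eleven sample lines are flagged; the ProxyOverride line and the SurfSideKick Run entry with a full path are not, because neither matches a heuristic on its own. The point is to get a short, explainable list to hand to a human reviewer, not to decide automatically what to fix.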
  7. AlanWild

    AlanWild Private E-2

    Things are looking up. Windows Defender is no longer popping up and saying it found Qoologic. The new FindQool log is attached. I still have the problem that I can't turn the Windows Firewall on. I wonder if the firewall failure isn't what started all this to begin with?
    -Alan
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like we may have a little more cleanup to do. Attach a new HJT log.


    You do not want to use the Windows Firewall anyway. It does not provide adequate protection. We will address this later when you are all clean.
     
  9. AlanWild

    AlanWild Private E-2

    Here is the new log.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O2 - BHO: (no name) - {51171D78-07EA-0D12-7D5A-7ECD2A920E2F} - (no file)
    O2 - BHO: (no name) - {F753D739-76C9-E76F-EB3C-B51FE0E6E61E} - (no file)
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swintqaf.exe FI002
    O4 - HKLM\..\Run: [jqsssy] C:\WINDOWS\system32\kyobsb.exe reg_run
    O4 - HKCU\..\Run: [gnatt] C:\WINDOWS\system32\kyobsb.exe reg_run
    O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - ADMtek Incorporated. - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    (they may be gone already but we must double check):
    C:\WINDOWS\system32\swintqaf.exe
    C:\WINDOWS\system32\kyobsb.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings (make sure you use www.majorgeeks.com for now! I need to see the fact that the Reset is working):
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  11. AlanWild

    AlanWild Private E-2

    The computer is working well without any spyware popups. Windows Firewall still won't turn on. I have yet to plug the network cable back into the machine. The new HijackThis log is attached.
     

  12. AlanWild

    AlanWild Private E-2

    I noticed the homepage didn't change to MajorGeeks. My System Restore is currently disabled.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it did! But the two BHO lines I asked you to fix are still present. We are going to need to take special steps to remove them. But before doing that, let's make sure your system is properly protected.

    You are running Symantec Security Center. Are you sure it does not contain a firewall? Most security centers do! If it does, that would be why you cannot enable the Windows Firewall (which I already said you do not want to use anyway). So check to see what actually came with your Symantec Security Center software.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Application Layer Gateway Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    AppLayerGatewayMgr

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    Now download and Install Registrar Lite (Make sure you select a download link from Majorgeeks and not the Author's)

    Run Registrar Lite navigate to the following keys and take ownership of them:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    To take ownership of the key do the following:
    Click-on the above Registry Key
    Click-on Security in the Menu
    Select Take Ownership
    Now locate each of the below keys under the Browser Helper Objects key and select them (one at a time) and right click on them and select Delete

    {51171D78-07EA-0D12-7D5A-7ECD2A920E2F}
    {F753D739-76C9-E76F-EB3C-B51FE0E6E61E}

    After deleting them exit Registrar Lite and attach a new HJT log! Let me know if you had any problems following this procedure.
     
  14. AlanWild

    AlanWild Private E-2

    I didn't have any problems with your latest recommendations. I don't know how to tell if Norton's antivirus 2003 included a firewall that is running thereby excluding the Windows firewall. What next? The HJT log is attached.
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link (step 3 will take care of getting a firewall installed! Install one of the free ones.)

    How to Protect yourself from malware!
     
  16. AlanWild

    AlanWild Private E-2

    Just wanted to say thank you. I downloaded the ZoneAlarm firewall and switched to Java. Your efforts have been greatly appreciated.

    Next question: Is it prudent to erase the unwanted entries in the Startup folder accessed through the System Configuration Utility? I really hate seeing these disabled entries sitting there. Is there a safe way to erase them or should I just ignore them and get on with my life?
    -Alan Wild
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this: MSConfig Cleanup
     