Please Help Me Remove Qoologic/Winsync!

Discussion in 'Malware Help (A Specialist Will Reply)' started by hypergeek, Jun 29, 2006.

  1. hypergeek

    hypergeek Private E-2

    I've read this forum from top to bottom, tried methods mentioned in other threads (and other web sites) - but to no avail.

    I have taken every preliminary procedure that was mentioned in the "before you post for help" thread, installing software, safe mode scans, online scans, etc.

    Attached are my logs from HJT!, BitDefender, and Panda Activescan

    I currently have Killbox installed, as well. I'm ready to nail this sucker.

    (Attached in the next post is my FindQool log, since there's a 3 attachment limit per post.)
     


  2. hypergeek

    hypergeek Private E-2

    Also attached here is my FindQool log.
     


  3. hypergeek

    hypergeek Private E-2

    NEW HJT LOG Attached

    Running HJT again, some more stuff has shown up now.

    Attached is my new HJT log.

    NOTE:

    Sorry about the inline log post, but I keep getting this message:
    "You have already attached this file in thread : Please Help Me Remove Qoologic/Winsync!"

    ...Even after I renamed it several times. :(

    Here's the log ---

    Edit by chaslang: Inline log deleted. It was same exact log as the first one. That is why it could not be attached.
     
    Last edited by a moderator: Jun 29, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: NEW HJT LOG Attached

    Welcome to Majorgeeks!

    The Read & RUN ME requested that you do not use Spybot's Teatimer. To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer. Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked. Now quit Spybot!


    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: some of the files listed below may not exist, but we need to check for them anyway.
    C:\WINDOWS\system32\yypfl.dat
    C:\WINDOWS\system32\scbcav.exe
    C:\WINDOWS\system32\jlrga.exe
    C:\WINDOWS\system32\yjbcqef.dll
    C:\WINDOWS\system32\ugykkbu.exe
    C:\WINDOWS\system32\javaw.dll
    c:\windows\system32\WinNB58.dll
    c:\windows\unstall.exe
    c:\windows\webhdll.dll_tobedeleted
    C:\Program Files\Common Files\?dobe\?hkntfs.exe
    C:\Program Files\nrpn\osoa.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ljndg.exe




    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\WINDOWS\system32\scbcav.exe
    C:\WINDOWS\system32\jlrga.exe
    C:\WINDOWS\system32\jlrga.exe
    C:\WINDOWS\system32\jlrga.exe
    C:\Documents and Settings\Tech\Desktop\Aida\aida32.bin

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jlrga.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ugykkbu.exe
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [ssftat] C:\WINDOWS\system32\scbcav.exe reg_run
    O4 - HKCU\..\Run: [opmub] C:\WINDOWS\system32\scbcav.exe reg_run
    O4 - Global Startup: ljndg.exe
    O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll <--- fixing this will probably cause an error message. Just ignore it and continue.


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\WINDOWS\system32\yypfl.dat
    C:\WINDOWS\system32\scbcav.exe
    C:\WINDOWS\system32\jlrga.exe
    C:\WINDOWS\system32\yjbcqef.dll
    C:\WINDOWS\system32\ugykkbu.exe
    C:\WINDOWS\system32\javaw.dll
    c:\windows\system32\WinNB58.dll
    c:\windows\unstall.exe
    c:\windows\webhdll.dll_tobedeleted
    C:\Program Files\Common Files\?dobe <--- the whole folder
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ljndg.exe
    C:\Program Files\nrpn <--- the whole folder
    C:\Documents and Settings\Tech\Desktop\Aida <--- the whole folder
    C:\SOFTWARE\$$$NEW_SYSTEM_SETUP$$$\Windows_XP_Keygen_Key_Change_www.lomalka.ru_.zip



    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
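The HijackThis entry types chaslang singles out above (F2 Shell/UserInit, O3 toolbar, O4 Run and Global Startup, O20 AppInit_DLLs) are all autostart and injection points, which is why a defender triages them by comparing each value against the expected default. The script below is an added example for this thread, not HijackThis code and not anything posted by hypergeek or chaslang: it takes the entries quoted in the post as constructed input, and the Windows XP defaults (`EXPECTED_SHELL`, `EXPECTED_USERINIT`) and the Run-key allowlist (`KNOWN_RUN_COMMANDS`) are assumptions chosen to illustrate default-review triage.

```python
"""Triage persistence-related HijackThis entries (added example, not HJT code)."""
import re

# Constructed sample: the entries chaslang marked for fixing, plus one
# benign Run entry (ctfmon.exe) so the allowlist path is exercised.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jlrga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ugykkbu.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ssftat] C:\WINDOWS\system32\scbcav.exe reg_run
O4 - HKCU\..\Run: [opmub] C:\WINDOWS\system32\scbcav.exe reg_run
O4 - Global Startup: ljndg.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed Windows XP defaults: a stock machine has exactly these values.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumed allowlist: Run-key commands already reviewed and considered benign.
KNOWN_RUN_COMMANDS = {r"c:\windows\system32\ctfmon.exe"}

RUN_RE = re.compile(r'^(HK\w+)\\\.\.\\Run: \[(.*?)\] ("[^"]+"|\S+)(.*)$')


def split_list(value):
    """Split a comma-separated Shell=/UserInit= value into normalised entries."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def triage(log_text):
    """Return (entry_type, reason) findings for every entry that deviates
    from the assumed defaults; benign entries produce nothing."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(F2|O3|O4|O20) - (.*)$", raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "F2":
            # Winlogon values: anything appended after the default runs at logon.
            key, _, value = body.partition("=")
            key = key.rsplit(":", 1)[-1].strip().lower()
            entries = split_list(value)
            if key == "shell":
                extra = [e for e in entries if e != EXPECTED_SHELL]
                if extra:
                    findings.append(("F2 Shell", "extra shell program(s): " + ", ".join(extra)))
            elif key == "userinit":
                extra = [e for e in entries if e != EXPECTED_USERINIT]
                if extra:
                    findings.append(("F2 UserInit", "extra userinit program(s): " + ", ".join(extra)))
        elif kind == "O20":
            # AppInit_DLLs is loaded into every user32-linked process; default is empty.
            value = body.partition(":")[2].strip()
            if value:
                findings.append(("O20 AppInit_DLLs", "DLL injected into every GUI process: " + value))
        elif kind == "O3":
            if body.endswith("(no file)"):
                findings.append(("O3 Toolbar", "orphaned toolbar CLSID with no backing file"))
        elif kind == "O4":
            if body.startswith("Global Startup:"):
                # Startup folder items run for every user; always worth a look.
                findings.append(("O4 Global Startup", body.partition(":")[2].strip()))
            else:
                rm = RUN_RE.match(body)
                if rm:
                    hive, name, command, args = rm.groups()
                    if command.strip('"').lower() not in KNOWN_RUN_COMMANDS:
                        findings.append(("O4 Run", f"{hive} [{name}] -> {command}{args} (not on allowlist)"))
    return findings


if __name__ == "__main__":
    for entry_type, reason in triage(SAMPLE_LOG):
        print(f"{entry_type:18} {reason}")
```

Run as-is it reports seven findings from the sample and stays silent on the ctfmon.exe entry; the "default-review" design means any Run command not explicitly allowlisted is surfaced, which is the same posture chaslang takes when he lists every unfamiliar system32 executable for deletion.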
     
  5. hypergeek

    hypergeek Private E-2

    Teatimer was, indeed, running - but it hasn't been showing up in the tray, so I thought I had already disabled it. Looking at the processes that I've been running proves that I was mistaken... it was running without a tray icon. :\

    Is it an altogether bad idea to run TeaTimer, or is it a good program to use? I like to have a choice when reg entries are being changed on me, thus it's been a reliable utility for me to have resident over the past couple of years. Which is better, Spybot/TeaTimer or AdAware/AdWatch?

    Attached are the new logs you requested, but as for Qoo... it looks like you nabbed it on the first try.

    Thanks for the help!
     


