Problems getting rid of Zqwest, Qoolaid, Downloader-EV

Discussion in 'Malware Help (A Specialist Will Reply)' started by Dollphinea, Jul 11, 2006.

  1. Dollphinea

    Dollphinea Private E-2

    Hi there!

    I have been working on removing the bugs on my computer for 8+ hours. I searched and downloaded HijackThis, SpyBot Search & Destroy, Ad-Aware, ran CCleaner in safe mode, removed the registry keys I was told to, have McAfee, and TrojanHunter is doing its thing. I managed to get rid of the intelligent search bar (so far); now I get something else on the left side. I got rid of SurfSideKick3. But my McAfee keeps telling me that it quarantined and found some trojans ~~ ughhh! Zquest, Qoolaid, Downloader-EV just to name a few. I notice in HijackThis certain files I delete keep coming back. I have unchecked the System Restore.... I do not know what else to do at this point. :mad: Any help would be greatly appreciated. I can not do my work at home with all these popups; between the adware, trojans and blockers I am going insane. Here is a copy of my last HijackThis log.

    EDIT: deleted inline log for guide to be run
     
    Last edited by a moderator: Jul 11, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and welcome. Do please follow our standard cleaning procedures, which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. Dollphinea

    Dollphinea Private E-2

    Thank you, I am on Step 6 will let you know my progress. Sorry for jumping the gun there. I am following the steps to a tee now. :) Wheww lots of work.
     
  4. Dollphinea

    Dollphinea Private E-2

    Hi there,

    I have done steps 1-7 and still am infected, in fact I have more it looks like. :eek: Please Help!

    I have attached all 3 files.

    Thank you so much for your support, you guys are great!!

    Doll =0)
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next time (if there is a next time) please follow the directions exactly as written for creating the Bitdefender log. What you posted is not what we requested. It is okay this time but the directions wanted you to save the HTML file that Bitdefender creates and just name it with a .txt extension. The HTML file is easier to read and easier for you to create.

    You have HijackThis installed here:

    C:\Documents and Settings\Andres Helmers\My Documents\hijackthis\HijackThis.exe

    That is exactly where step 7 specifies not to put it. Please follow the directions in step 7 exactly and install it as requested. Do this now before continuing.


    Start by downloading Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\bdpn.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\system32\v199.dll
    O2 - BHO: (no name) - {09CAE84A-46FB-42FA-BFCE-0267B6639AAB} - C:\Program Files\MSN Gaming Zone\hozelodaw.dll (file missing)
    O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
    O2 - BHO: (no name) - {45E3168D-D5F6-43A3-B2CA-05EA3B1FC706} - C:\Program Files\MSN Gaming Zone\hozelodaw.dll (file missing)
    O2 - BHO: (no name) - {7B1556F5-44D8-A70D-E7E0-F78EAE64D97B} - C:\WINDOWS\burmfpollc.dll (file missing)
    O2 - BHO: (no name) - {C3A0C3E5-7165-4E47-810F-1377FC50BA4C} - \
    O2 - BHO: Root.CERT - {D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O2 - BHO: (no name) - {EB9315B9-7926-4AB7-9B31-98792499B578} - (no file)
    O4 - HKLM\..\Run: [{D9-9B-B6-60-ZN}] c:\windows\system32\dwdsregt.exe GID002
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\system32\bdpn.exe"
    O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
    O4 - HKCU\..\Run: [ssqbn.exe] C:\WINDOWS\system32\ssqbn.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\pkdsregq.exe
    O15 - Trusted Zone: *.rizonrox.com
    O15 - Trusted Zone: http://*.rizonrox.com
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O18 - Filter: text/html - (no CLSID) - (no file)



    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
    c:\windows\downloaded program files\USDR6_0001_D08M0404NetInstaller.exe
    C:\WINDOWS\system32\adwerkz.dll
    C:\WINDOWS\system32\bdpn.exe
    c:\windows\system32\dwdsregt.exe
    C:\WINDOWS\system32\nodeipproc.dll
    C:\WINDOWS\system32\nwinlqez.exe
    C:\WINDOWS\system32\pkdsregq.exe
    C:\WINDOWS\system32\ssqbn.exe
    C:\WINDOWS\system32\v199.dll
    C:\WINDOWS\system32\virznmp.dll.tcf
    c:\windows\system32\vsl13.exe
    c:\windows\system32\WinNB58.dll
    C:\WINDOWS\QW5kcmVzIEhlbG1lcnM\kqc4wApWKH15v3Y5wBg.vbs
    c:\windows\unstall.exe
    c:\windows\webhdll.dll_tobedeleted

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot delete the below using Windows Explorer:
    C:\Program Files\Kazaa <--- the whole folder
    C:\Documents and Settings\Andres Helmers\Application Data\Lycos <--- the whole folder
    C:\Documents and Settings\Andres Helmers\Local Settings\Temp <--- delete all files in this Temp folder. Windows will block deletion of a few files that are in use by the system.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
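The O2/O4/O15/O16/O18 lines above are the parts of a HijackThis log a helper has to read by eye before deciding which entries to fix. The following is an added example written for this page, not code from the thread or from the HijackThis authors: a small parser for those five line formats that pulls out the CLSID, value name and file/URL target, and attaches review flags (orphaned references such as "(file missing)" or "(no file)", unnamed BHOs, Trusted Zone entries, ActiveX downloads from a bare IP address, and autostart entries living in system32). The sample input is constructed from lines quoted in this thread; the flag names and the exact field layouts the parser assumes are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a subset of the HijackThis lines quoted in this thread
# (raw string so the Windows backslashes survive exactly as written).
SAMPLE_LOG = r"""
O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\system32\v199.dll
O2 - BHO: (no name) - {09CAE84A-46FB-42FA-BFCE-0267B6639AAB} - C:\Program Files\MSN Gaming Zone\hozelodaw.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\system32\bdpn.exe"
O4 - HKLM\..\Run: [{D9-9B-B6-60-ZN}] c:\windows\system32\dwdsregt.exe GID002
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\pkdsregq.exe
O15 - Trusted Zone: *.rizonrox.com
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O18 - Filter: text/html - (no CLSID) - (no file)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
# Markers HijackThis prints when a registry entry points at something that no longer exists.
MISSING_MARKERS = ("(file missing)", "(no file)", "(no CLSID)")


@dataclass
class Entry:
    section: str                 # O2, O4, O15, O16, O18, ...
    raw: str
    name: str = ""               # BHO name, Run value name, shortcut or MIME type
    clsid: Optional[str] = None
    target: str = ""             # file path, URL or zone pattern
    flags: List[str] = field(default_factory=list)


def _after(text: str, prefix: str) -> str:
    return text[len(prefix):] if text.startswith(prefix) else text


def _strip_markers(text: str) -> str:
    for marker in MISSING_MARKERS:
        text = text.replace(marker, "")
    return text.strip()


def _first_token(cmd: str) -> str:
    """Executable path from a Run value: quoted path, else the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _flag(section: str, body: str, e: Entry) -> List[str]:
    flags = []
    if any(marker in body for marker in MISSING_MARKERS):
        flags.append("orphaned-reference")      # registry still names a component that is gone
    if section == "O2" and e.name == "(no name)":
        flags.append("unnamed-bho")
    if section == "O15":
        flags.append("trusted-zone-entry")      # every Trusted Zone entry deserves a look
    if section == "O16" and IP_URL_RE.match(e.target):
        flags.append("ip-literal-download")     # ActiveX fetched from a bare IP, not a named host
    if section == "O4" and "\\system32\\" in e.target.lower():
        flags.append("autostart-in-system32")   # informational only: legitimate software does this too
    return flags


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section=section, raw=line)
    c = CLSID_RE.search(body)
    e.clsid = c.group(0) if c else None

    if section == "O2":
        # O2 - BHO: <name> - {CLSID} - <path> [(file missing)]
        parts = body.split(" - ")
        e.name = _after(parts[0], "BHO: ")
        e.target = _strip_markers(parts[-1]) if len(parts) > 2 else ""
    elif section == "O4":
        if body.startswith("Startup:"):
            # O4 - Startup: <shortcut> = <path>
            name, _, cmd = _after(body, "Startup: ").partition(" = ")
        else:
            # O4 - HKxx\..\Run: [<value name>] <command line>
            mm = re.match(r"^[^:]+: \[(.*?)\] (.*)$", body)
            name, cmd = (mm.group(1), mm.group(2)) if mm else ("", body)
        e.name, e.target = name, _first_token(cmd)
    elif section == "O15":
        e.target = _after(body, "Trusted Zone: ")
    elif section == "O16":
        # O16 - DPF: {CLSID} [(friendly name)] - <URL>
        head, _, url = body.rpartition(" - ")
        fn = re.search(r"\((.*)\)\s*$", head)
        e.name, e.target = (fn.group(1) if fn else ""), url.strip()
    elif section == "O18":
        # O18 - Filter: <mime type> - {CLSID} - <path>
        parts = body.split(" - ")
        e.name, e.target = _after(parts[0], "Filter: "), _strip_markers(parts[-1])
    else:
        e.target = body

    e.flags = _flag(section, body, e)
    return e


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


def summary(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        for f in e.flags:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    entries = triage(SAMPLE_LOG)
    for e in flagged(entries):
        print(f"{e.section:4} {', '.join(e.flags):45} {e.name or e.target}")
    print(summary(entries))
```

The flags are prompts for a human reviewer, not verdicts: the Toontown installer line carries a named vendor host and no flag, while the two entries the thread calls out as repeatedly reappearing (the missing hozelodaw.dll BHO and the bdpn.exe Run value) both surface, one as an orphaned reference and one as an unnamed-value autostart in system32.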
     
  6. Dollphinea

    Dollphinea Private E-2

    Hi there,

    Sorry for the delay ~ bad week, but hopefully this message means things are starting to turn around for me. Thanks again for all your help. My system is already running smoother. I had already installed HJT in my documents folder before doing your steps, sorry about that; it is moved to the program files folder. And on the Bitdefender log, I did save the html and change it as a text, :confused: I am not sure what I did wrong there, hopefully I won't have to go through this again.

    I did all your next instructions and followed them to a tee. :) In Killbox, I had rizonrox.com as a trusted zone because the ActiveX on that webpage was kicking me off (and I created that site..lol, need to see and work with it), but now it didn't, so thank you for fixing that too - been searching everywhere to overcome that XP security update problem.

    I did not have any PendingFileRenameOperations prompts on the Killbox, it went smoothly. Also, when I deleted the Temp file there were only two items left in there and Windows did not block anything. I deleted the Lycos folder and there were no files in it - will this remove that stupid Lycos search engine that comes up in my IE when a webpage doesn't exist? If so, you guys ROCK!! I hate that Lycos stuff.

    Okay, I attached the new HJT log and for once that stupid hozelodaw.dll was missing and didn't come back. Also, my McAfee virus scanner has not popped up yet (it usually does).

    Hopefully I am clean now. Thank you, thank you, thank you - I can sit here and type to you and no popups or other items yet! :D

    I await your response ~ Have a wonderful day!!
    Dollphinea =0)
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but now you put it in the root folder of C:\Program Files which is another bad idea. It should be C:\Program Files\HJT\HijackThis.exe. You really should make this HJT folder and move the EXE file there. Also you will now see C:\Program Files\backups which is a backup folder that HJT created. Move this folder to the new HJT folder too. If you don't do this the backups folder will look like malware and HijackThis.exe could also be assumed to be a malware copy and it could be mistakenly deleted.

    You were not supposed to change it into text. You were supposed to save the HTML encoded file and then simply rename the file to have a .txt extension so it could be uploaded.

    You should do the below to help make sure!

    Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  8. Dollphinea

    Dollphinea Private E-2

    Thanks again Chas for all your help. I understand about the HJT and fixed that and know what to do now if I have to go through this in the future.

    One quick question ~ I have another user on my computer (I am the administrator). Do I need to do all the steps again on theirs too? I did read where it said to do some of the stuff at the same time and I did. I just didn't do the online scan etc.

    Again, you ROCK! Good Karma is coming your way :)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It never hurts to check all user accounts. There are two approaches:

    1. proactive - always scan all user accounts to make sure there is no malware
    2. reactive or if it ain't broke, don't fix it - only scan if it appears to be having problems
    And you're okay as far as the online scans go. It is normally not necessary to run them for each user account. The other steps should be run.

    And you're welcome!
     