QoolAid Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by jeanksme, Apr 3, 2006.

  1. jeanksme

    jeanksme Private E-2

Following the Special Removal Instructions:

    FindQool Log:
     
  2. jeanksme

    jeanksme Private E-2

I don't know why it won't attach. It's in my user CP, and it says it's "in progress", but I was able to open it. This is the text of the attached log. I apologize if this is not the right way to do this. I'm off to start in safe mode and grab the next log.

    Mon 04/03/2006
    Running from: C:\FindQool
    PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
    Files found with locate com.

    C:\WINDOWS\SYSTEM32\BIKFSQA.EXE
    C:\WINDOWS\SYSTEM32\FKMWASL.DLL
    C:\WINDOWS\SYSTEM32\FBBAU.DAT
    C:\WINDOWS\SYSTEM32\YDMWIK.EXE
    C:\WINDOWS\SYSTEM32\PMDBI.EXE
    C:\WINDOWS\SYSTEM32\DMONWV.DLL
    C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\RKXXO.EXE
    Re-check using dir /a:-d
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    04/02/2006 05:10 PM 127,488 rkxxo.exe
    "C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe"
    ...

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    [-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

    ...
    Runs, Listed here as a Doublecheck for the locate com results
    HKLM
    "yuqoii"="C:\\WINDOWS\\system32\\ydmwik.exe reg_run"
    HKCU
    "urxpj"="C:\\WINDOWS\\system32\\ydmwik.exe reg_run"
    ...

    Files In Winlogon shell and userinit
    Listed here as a Doublecheck for the locate com results
    shell REG_SZ Explorer.exe, C:\WINDOWS\system32\pmdbi.exe
    userinit REG_SZ C:\WINDOWS\system32\userinit.exe,bikfsqa.exe
    ...
    SWReg utility
    Written by Bobbi Flekman © 2005
    Findqool edited 3/26/2006
     
  3. jeanksme

    jeanksme Private E-2

    Alrighty ... I followed all the steps and hopefully I can attach the remaining logs and get QoolAid out of my pc for good!
     

    Attached Files:

  4. jeanksme

    jeanksme Private E-2

    I also had Look2Me, and ran the removal tool.

    :rolleyes: You must get tired of saying it ... but hopefully I'll beat you to it. I'm almost done doing steps 1-6, and will be reposting my HJT file.

I might be done tomorrow; this is slow going. ;) I could not download Windows Defender. The download said that it could not verify my version of Windows. I'm running XP Media Center. I'll post the exact specs on my computer when I finish my "homework" ... sorry.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After you complete the remainder of the READ & RUN ME, attach a new HJT log.

    Which Look2Me tool did you run? Was it Look2Me Destroyer? Do you have the log you can attach?
     
  6. jeanksme

    jeanksme Private E-2

    Yes, it was Look2Me Destroyer.

    The log is attached:
     

    Attached Files:

  7. jeanksme

    jeanksme Private E-2

Thanks for your help. I think I've accomplished quite a bit with all the scans I've done. It took Spybot 2 hours to run in safe mode. This site is a godsend!

    QoolAid is the bane of my computer's existence. That program is most annoying. I'm determined to get it, before it gets me! :D
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: You have not completed the READ AND RUN ME. You have not attached the two logs from step 6. There could be more baddies in the Panda log!

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

Run Pocket Killbox by double-clicking on killbox.exe.
Choose Tools > Delete Temp Files and click OK.

Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\system32\wd434ef9.dll
    C:\WINDOWS\system32\full.exe
    C:\WINDOWS\system32\q3.exe
    C:\WINDOWS\system32\z1.exe
    C:\WINDOWS\system32\bikfsqa.exe
    C:\WINDOWS\system32\FKMWASL.DLL
    C:\WINDOWS\system32\FBBAU.DAT
    C:\WINDOWS\system32\ydmwik.exe
    C:\WINDOWS\system32\pmdbi.exe
    C:\WINDOWS\system32\DMONWV.DLL
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkxxo.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pmdbi.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bikfsqa.exe
    O4 - HKLM\..\Run: [wd434ef9.dll] RUNDLL32.EXE wd434ef9.dll,I2 00015d150d434ef9
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab


Now exit HJT.
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\WINDOWS\system32\wd434ef9.dll
    C:\WINDOWS\system32\full.exe
    C:\WINDOWS\system32\q3.exe
    C:\WINDOWS\system32\z1.exe
    C:\WINDOWS\system32\bikfsqa.exe
    C:\WINDOWS\system32\FKMWASL.DLL
    C:\WINDOWS\system32\FBBAU.DAT
    C:\WINDOWS\system32\ydmwik.exe
    C:\WINDOWS\system32\pmdbi.exe
    C:\WINDOWS\system32\DMONWV.DLL
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkxxo.exe

Then reboot into normal mode and attach a new HJT log and a new log from FindQool.
     
  9. jeanksme

    jeanksme Private E-2

OK, I've run all the scans, saved the logs, including HJT.

I have not run Pocket KillBox yet ... Let me post the logs that I have completed before I take on Killbox. This took a monumental amount of time, in between RL interruptions.

I'll post a new HJT log after I complete the Killbox changes.
     

    Attached Files:

  10. jeanksme

    jeanksme Private E-2

OK, I copied and pasted the regedit and merged it with the registry.

I then ran KillBox, Tools, Delete Temp Files, Delete Selected Temp Files.

    After it was completed I got an error message:

    (error 6)

    Should I continue on and copy/paste the system files? It looks like all the junk I want to get rid of.
     
  11. jeanksme

    jeanksme Private E-2

OK, I completed the rest of your instructions; seemed like the right thing to do.

Norton's hasn't alerted me about QoolAid, and PCDoctor isn't blocking malicious browser pages from opening.

    My system seems to be running as it should, not all bogged down.

    Here are the Latest HJT and FindQool logs:
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [yuqoii] C:\WINDOWS\system32\ydmwik.exe reg_run
    O4 - HKCU\..\Run: [urxpj] C:\WINDOWS\system32\ydmwik.exe reg_run

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Zango Programs <--- the whole folder
    C:\Documents and Settings\HP_Administrator\My Documents\My Downloads\ezcardsalloccasionsfree.exe
    C:\w.exe
    C:\WINDOWS\country.exe
    C:\WINDOWS\NDNuninstall7_22.exe
    C:\WINDOWS\toolbar.exe
    C:\WINDOWS\system32\full.exe
    C:\WINDOWS\system32\MTE2ODI6ODoxNg.exe
    C:\WINDOWS\system32\wd434ef9.dll
    C:\WINDOWS\system32\q.exe
    C:\WINDOWS\system32\q3.exe
    C:\WINDOWS\system32\xxx2.exe
    C:\WINDOWS\system32\z1.exe
    C:\WINDOWS\system32\z3.exe
    C:\WINDOWS\system32\fkmwasl.dll

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
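The F2 Shell=/UserInit= lines and the paired HKLM/HKCU Run entries quoted in this thread are the persistence points the helper picked out of the logs by eye. The following is an added example, not part of the thread and not code from HijackThis or FindQool: a small Python triage over HJT-style lines that reports whatever is chained onto the stock Winlogon values and any executable launched from more than one Run value. The stock XP baseline values and the sample lines are assumptions constructed from the lines quoted above.

```python
import re

# Stock Windows XP Winlogon values, assumed as the baseline for this example.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the HJT lines quoted in this thread plus one benign Run entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pmdbi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bikfsqa.exe
O4 - HKLM\..\Run: [yuqoii] C:\WINDOWS\system32\ydmwik.exe reg_run
O4 - HKCU\..\Run: [urxpj] C:\WINDOWS\system32\ydmwik.exe reg_run
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
""".strip().splitlines()

F2_RE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)")
O4_RE = re.compile(r"O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (\S+)")


def winlogon_extras(line):
    """Return whatever is chained onto Shell= or UserInit= beyond the stock value."""
    m = F2_RE.match(line)
    if not m:
        return []
    key, value = m.groups()
    expected = EXPECTED_SHELL if key == "Shell" else EXPECTED_USERINIT
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return [p for p in parts if p != expected]


def shared_run_targets(lines):
    """Map each executable launched from more than one Run value to those values.
    QoolAid registered the same ydmwik.exe under random names in HKLM and HKCU."""
    by_target = {}
    for line in lines:
        m = O4_RE.match(line)
        if m:
            hive, name, exe = m.groups()
            by_target.setdefault(exe.lower(), []).append(f"{hive}:{name}")
    return {exe: names for exe, names in by_target.items() if len(names) > 1}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        if winlogon_extras(line):
            print("Winlogon extra:", winlogon_extras(line))
    print("Shared Run targets:", shared_run_targets(SAMPLE_LOG))
```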
     
  13. jeanksme

    jeanksme Private E-2

    Here is the latest HJT Log. Crossing my fingers that all I have to do is get rid of the restore points now.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work through the below link:

    How to Protect yourself from malware!
     
  15. jeanksme

    jeanksme Private E-2

Thank you so much!! I cleared the restore points. My computer seems to be running like it's supposed to!!

I'll look at the link you suggested to see what I can do to safeguard against any more of these nasties.

    Thanks for your time Chaslang!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     