Qoolaid

Discussion in 'Malware Help (A Specialist Will Reply)' started by reveille, Jul 25, 2006.

  1. reveille

    reveille Private E-2

    I tried replying to another topic regarding this malware, but couldn't do so. Sorry for cluttering up the boards :[

    Anyways, I ran Norton AntiVirus a couple of times to the point where I was left with one piece of malware: Qoolaid. I saw on these forums that someone else had a problem with it and figured I'd ask for your help with it. My computer has gone from running like new to moving at a snail's pace :(

    I ran through steps 1-6 of READ AND RUN ME, and here are my logs.

    Thank you for any help you guys can give me :)
     

    Attached Files:

  2. matt.chugg

    matt.chugg MajorGeek

    Please see this thread for Qoologic Removal Procedures

    Once you have completed this, please post a fresh HijackThis log. You have other problems than just Qoologic.
     
  3. reveille

    reveille Private E-2

    First off, sorry about not doing the Qoolfix thing. I didn't see that.

    Secondly, my computer already feels like new again :eek: Even if this is just the first step, thank you so much already :)

    Finally, here's my HJT log.
     

    Attached Files:

  4. matt.chugg

    matt.chugg MajorGeek

    << The installed version of Java on this computer is outdated. Install version 1.5.0_07 available from http://www.java.com/en/download/manual.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Download
    - Pocket Killbox


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.

    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Navigate to and DELETE the following:

    (This may have already been deleted by Pocket Killbox)



    Post a fresh HijackThis log
     
  5. reveille

    reveille Private E-2

    Sorry for the delay...needed to get something to eat.

    I'm rebooting in Safe Mode as we speak. Will post the HJT log in a few minutes.
     
  6. reveille

    reveille Private E-2

    Finished all the steps. C:\Windows\system32\redist.dll was not there when I booted in Safe Mode.

    My computer is running at a normal speed, but was slow to boot up. When I checked MSCONFIG to see if anything was loading on startup, two programs were loading up when usually I have none loading. They are:

    C:\Windows\System32\redistributor.exe
    C:\Windows\System32\ctfmon.exe

    Here's the HJT log.
     

    Attached Files:

  7. matt.chugg

    matt.chugg MajorGeek

    C:\Windows\System32\redistributor.exe is a trojan
    C:\Windows\System32\ctfmon.exe is normal


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.


    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Navigate to and DELETE the following:

    (This may have already been deleted by Pocket Killbox)



    Post a fresh HijackThis log
     
  8. reveille

    reveille Private E-2

    Everything went as described.

    Still slow on reboot, but I can live with that :]
     

    Attached Files:

  9. matt.chugg

    matt.chugg MajorGeek

    Just realised you have HijackThis installed incorrectly:

    You have it exactly where we specify not to put it. The instructions indicate:

    - not a temp folder
    - not on the Desktop
    - no subfolder of C:\Documents and Settings

    Please install it where recommended

    C:\Program Files\HJT\analyse.exe

    I'll have someone else look at your logs for anything I am missing. Meanwhile, have a read through this http://forums.majorgeeks.com/showthread.php?t=44525 as I notice you aren't running a firewall.
     
  10. reveille

    reveille Private E-2

    Ahh. I had it installed correctly, I just dragged the icon to the desktop to make things quicker. Sorry.

    Here's a new log if you or someone else needs it.
     

    Attached Files:

  11. matt.chugg

    matt.chugg MajorGeek

    OK, it appears you still have a Vundo infection.

    Please follow the steps in this thread Virtumonde aka Trojan Vundo Removal

    There's a couple of things the Panda scan has found as well, so could you rerun it for me so we can see which ones are still there. In your next post, please attach the VundoFix log, the new ActiveScan log, and a fresh HJT log.
     
  12. reveille

    reveille Private E-2

    Vundo found nothing :\
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware; re-enable those startup entries by doing the following:

    Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. If it asks to reboot, do not reboot.

    Now please create a new Hijackthis Log and post it as a reply.
     
  14. reveille

    reveille Private E-2

    Here's my HJT log after enabling all the startup programs.
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

    Download
    - Pocket Killbox

    Download Brute Force Uninstaller to your desktop.
    • Right-click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk ( C: )" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE (http://downloads.subratam.org/Lon/sidekickFix.bat) and choose "Save As" (in IE it's "Save Target As") in order to download SideKickFix by LonnyRJones.

    Save it in the same folder you made earlier (C:\BFU).

    Close ALL open windows & Explorer folders, then double-click on sidekickFix.bat. Click YES and follow the prompts; when prompted to restart the PC, please do so.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Using Search in the Start Menu, search for ibm0000?.*. Delete every occurrence.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a Fresh HijackThis log.
     
  16. reveille

    reveille Private E-2

    I'm in the process of doing everything you told me, but when I restarted my computer after opening the sidekickFix.bat, I get an error.

    "Error loading w6ef9030.dll. The specified module could not be found."
    "Error loading w6efbb28dll. The specified module could not be found."

    I'm guessing that these are caused by me deleting something that is in my startup folder. I'm going to continue with the rest of the steps now.
     
  17. reveille

    reveille Private E-2

    Still have adware. As soon as my computer started up, I got two pop-up warnings from Norton.

    "wknjzyps.exe is attempting to access the Internet."
    "A suspected security risk has been detected: Adware.Bookedspace"

    I'm following your instructions step by step, but this malware just won't go away :(

    Here's my HJT log.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  19. reveille

    reveille Private E-2

    Here you go.
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    << The installed version of Java on this computer is outdated. Install version 1.5.0_07 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Post a fresh HijackThis log.
     
  21. reveille

    reveille Private E-2

    I created FixReg.reg, but when I went into HJT to look for C:\WINDOWS\wknjzyps.exe, it was not there. The only programs running out of C:\WINDOWS directory are explorer.exe, arservice.exe, and ARPWRMSG.exe.

    I'll wait to move forward until you let me know if I should delete any of those or if I should look somewhere else for C:\WINDOWS\wknjzyps.exe
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If it's not there, it's not there. Skip that step and continue with the fix.
     
  23. reveille

    reveille Private E-2

    Here you go.
     

    Attached Files:

  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have an item in the Internet Explorer Trusted Zone:
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)

    There should be nothing in the IE Trusted Zone.

    Download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Afterwards run Spybot and make sure you re-Immunize immediately. Then run a full system scan. If you get any reported problems, attach the log from Spybot.

    Post a fresh HJT log.
     
  25. reveille

    reveille Private E-2

    Everything with DelDomains went smoothly. I ran Spybot and fixed the problems it gave me. After that, I scanned my system 3 times to make sure everything was fixed, and no more problems were found.

    Here's my HJT log.
     

    Attached Files:

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    REBOOT

    Post a fresh HijackThis log.
     
  27. reveille

    reveille Private E-2

    Done.
     

    Attached Files:

  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Otherwise your log is clean.

    How is your computer running?
     
  29. reveille

    reveille Private E-2

    The computer is running fine. It's a little slow on start up, but that's not a big deal as long as my comp is clean.

    My only question is that on my HJT logfile, it mentions "mrfindalot.com" under the R0 things. Is that something that isn't a big deal?

    Anyways, here is the most recent (and hopefully last) HJT log.
     

    Attached Files:

  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can remove those lines using HijackThis.
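
    As an added illustration of the checks the helpers applied by eye in post 24 (the O15 Trusted Zone entry) and posts 29 and 30 (the R0 start page pointing at mrfindalot.com), plus the startup items from posts 6 and 7, here is a small Python script that is not from this thread or from HijackThis: it scans HijackThis-format lines and flags the entries this thread treated as findings. The sample log and the suspect-domain and file-name lists are assumptions constructed from the thread, not the poster's real attachments.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample log, modelled on the HijackThis entries discussed in this thread:
# the R0 start page (post 29), the ctfmon/redistributor startup items (posts 6 and 7)
# and the O15 Trusted Zone entry (post 24). Not the poster's real attachments.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mrfindalot.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKLM\..\Run: [redistributor] C:\Windows\System32\redistributor.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
"""

# Domains and file names the helpers called out (posts 7, 15, 24, 29); assumed lists.
SUSPECT_DOMAINS = {"mrfindalot.com", "trymedia.com"}
SUSPECT_FILE_PATTERNS = ["redistributor.exe", "ibm0000?.*"]


def registrable_domain(url):
    """Reduce a URL or wildcard host like http://*.trymedia.com to its last two labels."""
    host = re.sub(r"^[a-z]+://", "", url.strip(), flags=re.I).split("/")[0]
    host = host.lstrip("*.").lower()
    return ".".join(host.split(".")[-2:])


def review_hjt_log(text):
    """Return (section, reason, line) for every log line that matches a thread finding."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O15":
            # Post 24: there should be nothing in the IE Trusted Zone at all.
            findings.append((section, "IE Trusted Zone entry present", line))
        elif section in ("R0", "R1") and "=" in line:
            url = line.split("=", 1)[1].strip()
            if registrable_domain(url) in SUSPECT_DOMAINS:
                findings.append((section, "start/search page set to suspect domain", line))
        elif section == "O4" and "]" in line:
            # O4 lines end with the executable path after the bracketed entry name.
            name = line.rsplit("]", 1)[1].strip().split("\\")[-1].lower()
            if any(fnmatchcase(name, p) for p in SUSPECT_FILE_PATTERNS):
                findings.append((section, "startup item matches file named for deletion", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in review_hjt_log(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

    Run against a real HJT log the script only reports; removal of the flagged lines is still done through HijackThis as described in the posts above.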
     
  31. reveille

    reveille Private E-2

    Thank you so so much. You've fixed what has been quite a frustrating week :)

    I've already recommended this website to a few people who have heard nothing but good things from me.

    Do you guys have a PayPal account or something to donate money to?

    Thanks again :)
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter
