Qoologic... can't get rid of

Discussion in 'Malware Help (A Specialist Will Reply)' started by ManIneedHelP, Jun 16, 2006.

  1. ManIneedHelP

    ManIneedHelP Private E-2

    I have been working on this, with the help of this site, for two days now... It started with the Brave Sentry garbage, now has turned into this.

    Ad-Aware (up to date) shows the same three entries every time. I remove them and they are ALWAYS back right away. Spybot S&D (up to date) always says I'm clean. Microsoft Defender ALWAYS shows the same qoologic, and then says I need to restart to fix but it is ALWAYS there after restarting. I'll attach pix of the ad-aware and ms def.
    I installed and updated Trend Micro's PC-cillin in hopes that it would take care of it. It always finds files but can't do anything with them, it suggests I manually del them but I can't, in safe mode I can del a few of them but some I can't.

    Any help would be GREATLY appreciated!
    Also windows is fully up to date.
     


  2. ManIneedHelP

    ManIneedHelP Private E-2

    Went through all the steps again in safe mode with networking to see if I could get it to go... All went well except for the panda scan. It would get to the screen to choose my comp, hdds, etc. but when I clicked on any one of the options nothing would happen...

    Run Ccleaner - Del about 78mb of stuff
    Microsoft Windows Malicious Software Removal Tool - didn't find anything
    Run Ad-Aware SE - found the same three as the pic in first post
    Run Spybot Search & Destroy - didn't find anything
    Run Microsoft Windows Defender - found the same qoologic

    Bitdefender - found a decent amount, attaching log
    Panda - as stated above, didn't work

    hope this helps
     


  3. ManIneedHelP

    ManIneedHelP Private E-2

    well for some reason I was still using Ad-aware 6.5 so I upgraded to se and it took care of some of the problems...

    Now Ad-aware sees two e2g problems in the registry:
    HKLM\SOFTWARE\Classes\IeBHOs.Control
    HKLM\SOFTWARE\Classes\IeBHOs.Control.1

    When I try and repair them it says it needs to start on next restart to take care of the problem... But the stupid malware somehow makes just explorer restart so that when I restart the computer ad-aware doesn't start up like it was supposed to...

    Man this is driving me crazy.

    I tried ewido's online scan and it detected the same problems but couldn't fix it. I dl'd ewido's program and scanned. Detected the e2g but can't fix it...

    I could really use some help...
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run the below so we can locate hidden files related to a Qoologic infection.

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished. You will have to attach this to a second message because only 3 logs can be attached to a single message.
    FindQool is not a removal procedure. It is a scan that helps us to locate hidden files and registry keys so we can work up a fix for the Qoologic infection.

    There is another sticky thread procedure for E2Give problems that you should follow.
     
  5. ManIneedHelP

    ManIneedHelP Private E-2

    I did the "generic" e2g removal sticky which got rid of the e2g folder and that's about it.

    As you said there seems to be some hidden file still running the show. That and the fact that I am unable to delete the
    HKLM\SOFTWARE\Classes\IeBHOs.Control
    HKLM\SOFTWARE\Classes\IeBHOs.Control.1
    in the registry...

    The qooreport didn't show any files until:
    Files In Winlogon shell and userinit
    Listed here as a Doublecheck for the locate com results
    shell REG_SZ Explorer.exe
    userinit REG_SZ userinit.exe


    If I still need to create another post just let me know, I was trying to keep it simple in one post for future searches.

    Thanks!
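
An added example (not part of the original thread and not FindQool's own code) of the double-check that report section supports: comparing the Winlogon `shell` and `userinit` values against their expected file names. The `name TYPE data` line layout is generalised from the two lines quoted in the post above; the tampered sample and the names `example_loader.exe` and `example.exe` are constructed for illustration.

```python
import ntpath

# Expected program file name for each Winlogon value (names only, no path check).
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# The two lines quoted in the post above.
CLEAN_REPORT = """\
shell REG_SZ Explorer.exe
userinit REG_SZ userinit.exe
"""

# Constructed sample: extra programs appended to each value.
TAMPERED_REPORT = """\
shell REG_SZ Explorer.exe example_loader.exe
userinit REG_SZ C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example.exe
"""


def parse_line(line):
    """Split 'name TYPE data' into (lowercased name, data); None if not a value line."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3 or not parts[1].startswith("REG_"):
        return None
    return parts[0].lower(), parts[2]


def audit(report):
    """Return (value name, entry) pairs that do not match the expected program."""
    findings = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] not in EXPECTED:
            continue
        name, data = parsed
        # Userinit holds a comma-separated list; every entry is launched at logon.
        for entry in filter(None, (e.strip() for e in data.split(","))):
            # Anything after the program name (a second file) also fails the match.
            if ntpath.basename(entry).lower() not in EXPECTED[name]:
                findings.append((name, entry))
    return findings


if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("tampered", TAMPERED_REPORT)):
        print(label, audit(report))
```

The check compares file names only, so a clean result here does not rule out a replaced binary or hidden files elsewhere.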
     
  6. ManIneedHelP

    ManIneedHelP Private E-2

    I guess I read your post incorrectly.

    Here are the logs for findqool, rkfiles, and winpfind
     


  7. ManIneedHelP

    ManIneedHelP Private E-2

    and a current hijackthis

    I don't know if this helps or not but it seems that 90% of the pop ups that I keep getting don't open the page they are trying to get. The window opens (but doesn't show on the taskbar) with nothing on it.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The symptoms in your HJT log have changed since the previous post. Have you been running other steps to remove problems? Or did you incorrectly attach a HijackThis log from safe boot mode which is of no use to us?

    Anyway..... run the below procedure and attach the requested log. This should fix your Look 2 Me infection.

    Look2Me VX2 Removal


    Then also attach a new HJT log from Normal Boot mode.
     
  9. ManIneedHelP

    ManIneedHelP Private E-2

    well that program seemed to do what the others have failed at. Thanks! The only problem that I can see now is that all my picture choices for my desktop background are still all greyed out...

    Here are the logs, sorry for the last hijackthis in safe mode. I've been living in safe mode for the last week...

    thanks again!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay all visible malware seems to be gone. Your remaining problems could be due to some registry changes.

    Run the below procedure and attach the runkeys.txt log.
     
  11. ManIneedHelP

    ManIneedHelP Private E-2

    Here's the runkey
     


  12. ManIneedHelP

    ManIneedHelP Private E-2

    It's all good now, I don't know what caused it but the last restart took care of it.
    Thanks for all the help!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have a few hidden problems we need to fix.

    First click Start, Run and enter MSconfig and click OK. Then select Normal Startup. Then click Apply, Ok and reboot.

    Now run the below procedure which I recently updated:

    SpywareQuake & SpyFalcon Removal Procedure

    Then attach the smitfiles.txt log that is requested.

    Then get another runkeys.txt log and attach it. There could be more to clean up.
     
  14. ManIneedHelP

    ManIneedHelP Private E-2

    thanks
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the SpywareQuake procedure fixed some of the things I saw. But you attached the wrong log. I need a new runkeys.txt log which comes from running GetRunKey.bat. I did not need to see an rkfiles log.
     
  16. ManIneedHelP

    ManIneedHelP Private E-2

    sorry, been running so many things I thought the runkey was the rkfiles...

    here is the real one
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay there are still a few things lingering around in the registry I want to fix.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Then attach a new and hopefully a final runkey.txt log so we can make sure we got everything fixed. Also attach a new HJT log.
     
  18. ManIneedHelP

    ManIneedHelP Private E-2

    thanks again!
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
