System infected with Qoologic - Help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by dhburbank, May 6, 2006.

  1. dhburbank

    dhburbank Private E-2

    Hi! I'm new to this forum, and have tried to follow all the instructions. I have a Gateway running Windows XP Pro with SP2, with Intel Pentium 4A 2533 MHz, system memory 512 MB. I've been dealing with pop-ups for a week now. I've run Norton, CCleaner, MS Malicious, Ad-Aware, Spybot, MS Defender, CWShredder, Kill2Me, Bitdefender. I couldn't get Panda ActiveScan to work. Ad-Aware found Look2Me, and Defender keeps finding Qoologic, but keeps sending me into a remove-reboot-remove-reboot loop. I also ran FindQool, RKFiles, and WinPFind. I haven't run HijackThis yet because I don't know how to be sure if programs and msconfig are closed or disabled other than by not opening them after I boot up. I go through AOL for the internet if that matters. I've attached 2 bdscans (I had to interrupt the first one) as well as the FindQool and RKFiles scans. I'll add another message to this thread to attach the WinPFind scan. Thanks for any help! This is all pretty new to me!
     


  2. dhburbank

    dhburbank Private E-2

    Here's the last scan, from Winpfind. Thanks again for your help!!!
     


  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I don't see Qoologic, but you definitely have a Look2Me infection.

    Follow the directions for running Look2Me VX2 Removal.

    Run Bitdefender and WinPFind again. Post both logs, the Look2Me log and a HijackThis log.
     
  4. dhburbank

    dhburbank Private E-2

    Thanks! I tried to run Look2Me-Destroyer per the linked instructions, but it locked up when it said it would re-open in 1 minute. I was in normal boot mode with all windows closed, and waited 5 minutes. Then I rebooted and ran it and waited for it to restart again for 5 minutes. Then I tried safe mode and waited 5 minutes and nothing happened. Did I need to wait longer? I've attached a HijackThis log because I didn't the last time. However, in the instructions for running HijackThis it says "also disable msconfig or any other similar startup control programs" - I couldn't figure out what that meant - disable all the startup processes? Disabling any of them took me out of normal boot mode and so I wasn't sure how to proceed. So I ran HijackThis in normal boot mode and didn't have anything running except the processes that run in the background or on start-up. Please let me know if I need to turn something else off and how to do it and I'll gladly redo the scans!! FYI, it's Windows Defender that keeps telling me I have a "Qoologic-Adware" infection, and asks if I want to remove it. If I say yes, it wants to restart. If I say yes, it restarts, and finds the infection again. Thanks again for your help.
     


  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I apologize, you do have a Qoologic Infection; I missed it the first time I read your logs.

    Download and Install (Only the one for your OS)
    For Windows XP Pro: download and run XPproFix
    For Windows XP Home: download and run XPHomeFix

    Follow the directions, again, for Qoologic/Winsync/Kavsvc.

    The last time FindQool did not run properly, because you did not have DOS subsystem support.

    Post the logs from the Qoologic procedure and we will go from there.
     
  6. dhburbank

    dhburbank Private E-2

    Thanks! I've attached the reruns of the FindQool, RKFiles, and WinPfind logs. Good luck!
     


  7. dhburbank

    dhburbank Private E-2

    For some reason one of the files didn't attach - I couldn't get it to attach the new log.txt file from RKFiles Tool because it says that it was already attached to the original thread. Let me know if there is another way to attach the most recent version - I tried renaming it but that didn't work. Thanks!
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just add a blank line to the end of the file and attach it.
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    FindQool is not running, the log shows AUTOEXEC.NT missing. Did you download and install the files for your OS?
     
  10. dhburbank

    dhburbank Private E-2

    I did download and run XPproFix - I think I ran it with AOL open - should I run it with all windows closed or in Safe mode?
     
  11. dhburbank

    dhburbank Private E-2

    Hi again! I ran XPproFix again in safe mode, and discovered that it was by default placing the autoexec file in the Windows folder, but Qlocate was looking for it in the WINNT folder. So I told it to put the file in the WINNT folder and it worked. I reran all the scans again (Qlocate, RKFiles, WinPFind, and HJT) and attached them to this message. Thanks again for your patience with a newbie!
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to notepad and save as FixReg.reg, to your desktop.
    Close notepad. Double-click FixReg.reg and answer "Yes".

    Next Start -> Run, type regedit, OK. Navigate to the following keys:
    Next search within the registry for the following and delete every occurrence:
    Now scan with HijackThis and fix the following:
    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  13. dhburbank

    dhburbank Private E-2

    Hi again! I'm not sure everything worked, but the new HJT scan is attached. A couple of things:

    1 - The ShellScrap key wasn't in the registry
    2 - No occurrences of btefr
    3 - Three items listed to fix in HJT were not there; three items had part of the description listed but not the whole thing; and in the scan attached the 2 F2 items were back again after I fixed them, and the WebCheck item was back but with a different dll
    4 - Not sure if Killbox worked - when I added each file one by one, it never asked to confirm the file for deletion - when I clicked the red X it went right to the reboot prompt window. I clicked no and continued with the next file as instructed.
    5 - Defender found Qoologic again when I rebooted after doing all the steps

    I figure I need to do more - just let me know - Thanks!
     


  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, it's being a little stubborn.

    Give me a new FindQool log, WinPFind log, and give a log from GetRunKeys.

    Directions for Using GetRunKey
     
  15. dhburbank

    dhburbank Private E-2

    Hi! I've attached the FindQool, WinPfind, and GetRunKeys scans here. Thanks for your persistence!!
     


  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and Install:
    - Registrar Lite
    - ExplorerXP

    Make sure that you have enabled viewing of Hidden, System FIles & Folders as per the thread titled How to view hidden, system files & folders!.

    Run Registrar Lite, navigate to the following Registry Keys, and take the action noted for each:
    Next run ExplorerXP, navigate to and take the action noted for each file/folder:
    Next REBOOT to Safe Mode.

    Search for the above files using the procedure in this thread Searching for Hidden Files on WinXP; if found delete them.

    Next REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
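    An added check, written for this thread and not one of the tools it names, for the two things that are hard to confirm by hand in the steps above: whether Pocket Killbox's "Delete on Reboot" actually queued the listed files, and whether the hidden/system files and the registry entry from the Registrar Lite step are still present after the safe-mode reboot. The two paths and the CLSID are the values quoted later in this thread; which key Registrar Lite was showing is not stated, so the HKLM\SOFTWARE\Classes\CLSID location is an assumption.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# affected machine. Replace $paths/$clsids with the full list from the instructions.
$paths  = @('C:\WINNT\system32\mcrepl35.dll', 'C:\Program Files\Common Files\rkmi')
$clsids = @('{347997AB-5BA6-4FB7-B20E-0C63AD1EB912}')

function Get-PendingDeletes {
    # "Delete on Reboot" tools append (source, destination) pairs to this REG_MULTI_SZ;
    # an empty destination means "delete". Session Manager applies the list early at
    # boot, before the adware's process or Explorer can hold the file open again.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    $queued = @()
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''   # entries carry a \??\ NT path prefix
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        if ([string]::IsNullOrEmpty($dst)) { $queued += $src }
    }
    return $queued
}

$queued = @(Get-PendingDeletes)
"Entries queued for deletion at next reboot: $($queued.Count)"
$queued | ForEach-Object { "  $_" }

foreach ($p in $paths) {
    # -Force so Hidden/System attributes do not hide the item from the check
    $item  = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    $state = if ($item) { "PRESENT ($($item.Attributes))" } else { 'absent' }
    $mark  = if ($queued -contains $p) { 'queued' } else { 'not queued' }
    "$state, $mark : $p"
}

foreach ($c in $clsids) {
    # Assumption: the entry lives under HKLM\SOFTWARE\Classes\CLSID. A value that
    # reappears right after deletion usually means a running process is re-writing it,
    # so also list which processes have the DLL loaded (tasklist /m is built into XP).
    $k = "HKLM:\SOFTWARE\Classes\CLSID\$c"
    if (Test-Path -LiteralPath $k) {
        $srv = (Get-ItemProperty -LiteralPath "$k\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        "CLSID $c still registered; InprocServer32 = $srv"
        if ($srv) { tasklist /m (Split-Path -Leaf $srv) }
    } else {
        "CLSID $c not present"
    }
}
```

    If a listed file shows PRESENT but "not queued", the Delete on Reboot step did not take and should be repeated; if the CLSID is still registered and tasklist shows a process with the DLL loaded, that process has to be stopped (or the check repeated from Safe Mode) before the registry edit will stick.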
  17. dhburbank

    dhburbank Private E-2

    Hi again! Well, I screwed something up because now my computer is locked up. I followed the latest instructions through reboot in safe mode, but when I rebooted I ended up with the Windows administrator screen - the one that you get when it goes to sleep after a while - and the screen is locked. Since I never needed to protect my computer from other users, I never set up a password, so I can't get into Windows. I am writing from a computer at a library right now. As far as what I actually did, there were a couple of things I wondered about. First, several of the keys to look for in Registrar Lite weren't there. The one that says "{347997AB-5BA6-4FB7-B20E-0C63AD1EB912} = C:\WINNT\system32\mcrepl35.dll" was there, but everything after the "=" sign was missing, and every time I deleted it the screen refreshed and it came back - I couldn't delete it. Second, I didn't find the folder "C:\PROGRA~1\COMMON~1\rkmi", but I did find the folder "C:\Program Files\Common Files\rkmi", so I deleted that - I thought it was close enough but perhaps it needed to be precisely the same. Anyway, that's where I am now. Is there anything I can do or do I need to take it to the shop now? I won't be able to check back in until tomorrow at work. Thanks again!
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The computer is locked up at the login or you don't know the administrator account password?

    The Administrator password is either left blank, or it is "admin" or "administrator". If you can't get into the administrator account then log in to your account in Safe Mode.

    Then run this registry patch
    Save it as RegFix.reg
     
