Member Panel

Ktulu

There is a Trojan.Qoologic on my computer. I know the exact file path

c:\windows\system32\orhaatd.dll

but when I go to delete it, ms search can't find it, and ms dos command prompt says that the file cannot be found when I try and delete it there...

so, help, how do I delete this retarted file?

Ktulu

yea I'll do it in a sec, and thanks...

if it helps, I already ran BitDefender Pro, AdAware, and Spybot: Search and Destroy and it came out clean.

Ktulu

hey thanks, don't waste your time on me that malware thing deleted it thanks a bunch!

joe5

Hya Ktulu.

What app said that it was Qoologic? It doesn't look like Qoologic to me, and Ewido wouldn't be able to fix it if it was.

To be sure I would indeed post the HijackThis and Ewido log anyway, and incase it really is Qoologic then run this aswell:

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.

Ktulu

OK once again my ignorance shows

sorry this took so long...

yeah Ewido found the file, and the scan cured it... only until I restarted my computer...

Qoofix deleted them, now I'm not having any trouble...

except I have SurfSideKick and Apropos.... they won't go away...

here's my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:54 AM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dassault Systemes\B08\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\MIKE\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lhgwwir] c:\windows\system32\lhgwwir.exe
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [qpyrjskA] C:\WINDOWS\qpyrjskA.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [necexkb] C:\WINDOWS\system32\kayzcb.exe r
O4 - HKLM\..\Run: [Mchrbb] C:\Program Files\Ourvc\Yucccw.exe
O4 - HKLM\..\Run: [xij] C:\WINDOWS\xij.exe
O4 - HKLM\..\Run: [dykgxkczuzv] C:\WINDOWS\System32\lhgwwir.exe
O4 - HKLM\..\Run: [w0e987df.dll] RUNDLL32.EXE w0e987df.dll,I2 000ebe2d00e987df
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pvn] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
O4 - HKCU\..\Run: [Csan] "C:\DOCUME~1\MIKE\MYDOCU~1\FNTS~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [blaadm] C:\WINDOWS\system32\blaadm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm185XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169584.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B08\intel_a\code\bin\CATSysDemon.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

thanks again.

Ktulu

oh and it probably won't help now that the files are gone.. but here's an older Ewido log from before I ran Qoofix:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:58:22 PM 8/26/2006

+ Scan result:

HKLM\SOFTWARE\Envolo -> Adware.Apropos : Error during cleaning.
C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\Surf SideKick -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Error during cleaning.
HKU\S-1-5-21-515967899-2025429265-725345543-1006\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-515967899-2025429265-725345543-1006\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
[1000] C:\WINDOWS\System32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[112] C:\WINDOWS\System32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[1204] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[1232] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[1820] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[1832] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[1884] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[1908] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[2036] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[2672] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[2916] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[3160] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[3436] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[3460] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[3840] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[480] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[536] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[584] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[596] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[760] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[820] C:\WINDOWS\system32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[888] C:\WINDOWS\System32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
[940] C:\WINDOWS\System32\repairs303169584.dll -> Adware.Surfside : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__o_r_h_a_a_ t_d_._d_l_l_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\niwdu.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1704] C:\WINDOWS\system32\orhaatd.dll -> Downloader.Qoologic.bj : Error during cleaning.
[2800] C:\WINDOWS\system32\orhaatd.dll -> Downloader.Qoologic.bj : Error during cleaning.
[3676] C:\WINDOWS\system32\orhaatd.dll -> Downloader.Qoologic.bj : Error during cleaning.
[3796] C:\WINDOWS\system32\orhaatd.dll -> Downloader.Qoologic.bj : Error during cleaning.
[3924] C:\WINDOWS\system32\orhaatd.dll -> Downloader.Qoologic.bj : Error during cleaning.

::Report end

GaRHaR

just a side note, the reason you wouldn't have found the file in windows or dos is because it was hidden.

to find hidden files in dos you need to dir filename.extension -a

the -a switch is to show all files

Member Panel

Sponsors and Ads

Noticeboard