Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win32.Qoologic.V or webpdp.gator.com

Started by ssurf , Aug 14 2006 11:50 AM

  • Please log in to reply

#1
ssurf
Posted 14 August 2006 - 11:50 AM

ssurf

    New Member

  • Member
  • Pip
  • 1 posts
Attached File  hijackthislog.txt   2.25KB   93 downloadsGreetings!
I'm looking for help to remove something called Win32.Qoologic.V, which my ZoneLab Security Sweep tells me that SpySweeper was unable to treat. Is "V" a new variant? I've done the usual scans with Ad-Aware (found nothing), SpyBot S&D (found Unforgettable!.exe), SpySweeper (found ckloptimizer), and Ewido (found nothing).

My HJT log shows the stubborn pieces that keep coming back, mostly notably:
[winsync] iwpaow.exe
[C:\WINDOWS\system32\regsvr 32 /s] hhctrl.exe under a \RunOnce HKLM
and [Unforgettable!.exe] under C:\Program (of course, there is no program in my Folders with Unforgettable) {Spybot SD finds this under Autorun settings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unforgettable!}

In addition, my Find-Qoologic batch file found an WINDOWS\system32\nbdgabx.exe which does not sound legitimate.

HKLM\Software\Microsoft\Active Setup\Installed Components\
"45d0549b-b7de-4d57-bfcc-450795e790a4\(Default)" = ""
\StubPath = "C:\WINDOWS\system32\nbdqabx.exe" [file not found]

">{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default)" = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [file not found]

Other things I've noticed:

When restarting Windows, a little shield sometimes shows up in the Taskbar which looks just like the official Windows Update, but the download always says 0%. The little shield icon doesn't always come up, but there are sometimes 2 wuauclt.exe processes running in the Task Manager. Not long after Windows has started up, SpySweeper tells me it has blocked access to webpdp.gator.com

My WindowsUpdate log shows suspicious download activity, one from a "cached cookie" and some copying, renaming, and moving of muweb.dll. I can provide a copy of that log, if necessary.

I've spent 3 days trying to remove these myself via online guides/suggestions, but I haven't seen much of anything on Win32.Qoologic.V as of yet. :whistling:

P.S. Should there be prefetch files for wuauclt.exe? I have 2.

Edited by ssurf, 14 August 2006 - 12:35 PM.

  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP