Qoologic infection Removal Guide!

skywalker45 Bloomington, IN. USA
edited April 2006 in Spyware & Virus Removal
There seems to have been a recent revival of sorts with the Qoologic Adware infection. This guide is designed to help you recognize the signs of the infection in your log and remove it.

Qoologic is an Adware Trojan that displays pop-ups and, in some cases, slows your PC to a crawl. It can also download various other types of malware. There are many variants and, like most specific malware, it is all but impossible to remove without the correct tools. Please see this article for in-depth information regarding the capabilities of the Qoologic Trojan.

Before proceeding further into this fix you should check to see if you also have a Look2Me pop-up infection along with the Qoologic (please see the sticky "Look2Me pop-up infection removal guide" by Trogan_1000 for details about Look2Me). If a Look2Me infection exists, you have to fix it first: the Qoologic fix won't work while Look2Me is still present in your log.

Qoologic can be identified by entries like those below in your log. Keep in mind these are examples:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tnqyr.exe <--- File name is always random.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ejwddho.exe <--- File name is always random.

You will also likely see one or more O4 entries that look like this:

O4 - HKCU\..\Run: [fexci] C:\WINDOWS\system32\jpmihe.exe reg_run <--- File and process name are random.

The following line is usually the kicker since most, but not all, Qoologic infections contain this line. The file dmonwv.dll is one filename within the Qoologic infection that doesn't change and shows in the log as an O9 - Extra button and O9 - Extra 'Tools' menuitem. Note the lines below:

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll


One of our other members here at Short-Media passed along this automated fix to me. With the emergence of several infected logs recently I felt it only pertinent to post this to help any user with a Qoologic infection. Remember to check for a Look2Me infection first and then check your Hijack This log for the above signs of Qoologic. If Qoologic is identified, follow the steps below:

===================================================

Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose "Extract All"
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows and Explorer folders, then double-click on QooFix.bat.
Choose option #1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.

===================================================

This should take care of any Qoologic infection you may have. It will also automatically get rid of the above Hijack This entries. At any point however, if you feel you need assistance or the Hijack This entries don't go away, please post your log in the forum and one of us will help you as soon as we can.
This discussion has been closed.
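
The log signs described in the guide above can be checked mechanically. The following is an added example, not part of the original post or of QooFix.bat: it scans a Hijack This log for the F2, O4 and O9 patterns the guide lists, using a constructed sample log built from the guide's own example entries (the "ExampleAV" line and the function names are assumptions for illustration).

```python
import re

FIXED_DLL = "dmonwv.dll"  # the one filename the guide says does not change

# Constructed sample log, built from the example entries in the guide plus
# one ordinary startup entry (hypothetical "ExampleAV") that must not match.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tnqyr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ejwddho.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKCU\..\Run: [fexci] C:\WINDOWS\system32\jpmihe.exe reg_run
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
"""

F2_RE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"O4 - .*\\Run: \[[^\]]*\] (.+?)\s+reg_run\s*$", re.I)

def extra_programs(value, expected):
    """Programs in a comma-separated Shell=/UserInit= value besides the expected one."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != expected]

def qoologic_signs(log_text):
    """Return (line_number, entry_type, suspect) for each line matching the guide's signs."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        f2 = F2_RE.match(line)
        o4 = O4_RE.match(line)
        if f2:
            # Anything appended after Explorer.exe / userinit.exe is the random-named file.
            expected = "explorer.exe" if f2.group(1).lower() == "shell" else "userinit.exe"
            findings += [(n, "F2", p) for p in extra_programs(f2.group(2), expected)]
        elif o4:
            # Run entry whose command line carries the reg_run argument.
            findings.append((n, "O4", o4.group(1)))
        elif line.startswith("O9 - ") and line.lower().endswith("\\" + FIXED_DLL):
            findings.append((n, "O9", FIXED_DLL))
    return findings

if __name__ == "__main__":
    for n, kind, suspect in qoologic_signs(SAMPLE_LOG):
        print(f"line {n}: {kind} entry points at {suspect}")
```

Because the F2 and O4 file names are random, the check matches the shape of the entry rather than any particular name; only the O9 check relies on a fixed filename.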