Seeing a process running as a subprocess of Explorer.exe. This process
appears to be opening internet explorer windows.

Google knows nothing (amazing!)

Winternals makes reference to Qoolaid.v.2.7.1, but all info on that leads to
blind alleys. Anybody else seeing this?

Re: YWRIVR Trojan by Karl

Karl
Wed Dec 15 06:45:14 CST 2004

Need much more information. Does this process have a name? Where is the
file located, and what are its properties? What search did you do to find
the reference to Qoolaid? Try these steps:

http://securityadmin.info/faq.asp#hacked

Find the file and submit it to antivirus vendors using www.virustotal.com

Running silent runners from www.silentrunners.org and RKdetect from
www.google.com might also be helpful.


"TrojanMan" <TrojanMan@discussions.microsoft.com> wrote in message
news:05B60DD6-EC43-4459-8A8B-BE75A195A67F@microsoft.com...
> Seeing a process running as a subprocess of Explorer.exe. This process
> appears to be opening internet explorer windows.
>
> Google knows nothing (amazing!)
>
> Winternals makes reference to Qoolaid.v.2.7.1, but all info on that leads to
> blind alleys. Anybody else seeing this.



Re: YWRIVR Trojan by TrojanMan

TrojanMan
Wed Dec 15 09:29:05 CST 2004

Karl,

Thanks for the information. Let me be a little more clear:

the process is ywrivr.exe
it is running as a subprocess of explorer.exe (according to Winternals).
it is some form of adware
I sometimes cannot delete the file (even in Safe Mode DOS and other tricks),
rename it or otherwise alter it.
Windows search sometimes does not report the file's existence.
if I do manage to get it deleted, it is restored (seemingly) by some other
process

Thanks.



"Karl Levinson, mvp" wrote:

> Need much more information. Does this process have a name? Where is the
> file located, and what are its properties? What search did you do to find
> the reference to Qoolaid? Try these steps:
>
> http://securityadmin.info/faq.asp#hacked
>
> Find the file and submit it to antivirus vendors using www.virustotal.com
>
> Running silent runners from www.silentrunners.org and RKdetect from
> www.google.com might also be helpful.
>
>
> "TrojanMan" <TrojanMan@discussions.microsoft.com> wrote in message
> news:05B60DD6-EC43-4459-8A8B-BE75A195A67F@microsoft.com...
> > Seeing a process running as a subprocess of Explorer.exe. This process
> > appears to be opening internet explorer windows.
> >
> > Google knows nothing (amazing!)
> >
> > Winternals makes reference to Qoolaid.v.2.7.1, but all info on that leads to
> > blind alleys. Anybody else seeing this.
>
>
>
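
The triage asked for in this thread (file location, file properties, and something to submit to antivirus vendors), as an added PowerShell example that is not part of any post here: it lists every child process of explorer.exe with its path, file dates, Authenticode signature status and SHA-256 hash, then prints the Run-key autostart entries, since the file is reported as being restored by some other process. It assumes PowerShell 5.1 or later, which postdates the thread; the variable names are this example's own.

```powershell
# Added example: read-only triage of processes started under explorer.exe.
# Run elevated so paths of processes owned by other users are readable.

# Map each explorer.exe PID to its start time (one shell per logged-on session).
$shells = @{}
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    ForEach-Object { $shells[$_.ProcessId] = $_.CreationDate }

# Children of a shell. The start-time check discards stale parent PIDs that
# Windows has reused for a newer, unrelated explorer.exe.
$children = Get-CimInstance Win32_Process | Where-Object {
    $shells.ContainsKey($_.ParentProcessId) -and
    $_.CreationDate -ge $shells[$_.ParentProcessId]
}

$report = foreach ($p in $children) {
    $path = $p.ExecutablePath            # empty when access is denied
    $file = $null; $sig = $null; $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $file = Get-Item -LiteralPath $path -Force   # -Force: hidden/system files
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Name      = $p.Name
        PID       = $p.ProcessId
        Started   = $p.CreationDate
        Path      = $path
        Company   = if ($file) { $file.VersionInfo.CompanyName }
        Created   = if ($file) { $file.CreationTime }
        Signature = if ($sig)  { $sig.Status }
        SHA256    = $hash
    }
}
$report | Sort-Object Signature, Name | Format-List

# Autostart values that could relaunch a program at logon.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in (Get-Item $key).Property) {
        [pscustomobject]@{ Key = $key; Name = $name
                           Command = Get-ItemPropertyValue -Path $key -Name $name }
    }
}
```

Entries with an empty Company, a NotSigned signature and a path outside the usual program directories are the ones to look at first; the SHA256 value identifies the exact file when submitting it through www.virustotal.com.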

Re: YWRIVR Trojan by edillon

edillon
Thu Jan 06 12:27:24 CST 2005


I am having the same problem. Except the process is showing up as
yoqyuq.exe, and qoolaid_v2.7.4.


--
edillon
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message636165.html


Re: YWRIVR Trojan by Karl

Karl
Fri Jan 07 07:08:11 CST 2005

Did you read and try my advice? What Antivirus are you using, and does it
have the last updates for this week installed? What did your anti-virus
vendor or any anti-virus vendor say when you submitted the files to them?
Try using http://www.virustotal.com


"edillon" <edillon.1igod3@mail.webservertalk.com> wrote in message
news:edillon.1igod3@mail.webservertalk.com...
>
> I am having the same problem. Except the process is showing up as
> yoqyuq.exe, and qoolaid_v2.7.4.
>
>
>
> --
> edillon
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message636165.html
>