A few lingering baddies I can't get rid of

Welcome to Majorgeeks!

Please run this: Qoologic Removal Procedure and then attach a new HJT log.

Also tell me how things are working afterwards.

 

It is a required Windows process that is necessary for you to properly login to your system. It was probably not complaining about userinit.exe but rather vbkggkn.exe that is trying to load at the same time.

No it did not delete it. That file is in System Restore which cannot be cleaned without disabling system restore which removes the restores points.

Are your copies of Ewido and CounterSpy both free trial versions?


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vbkggkn.exe
O4 - HKLM\..\Run: [ETMSGN] C:\WINDOWS\System32\ETMSGN.exe
O4 - HKLM\..\Run: [plthzfiA] C:\WINDOWS\plthzfiA.exe
O4 - HKCU\..\Run: [Mavpijl] C:\PROGRA~1\COMMON~1\PPPATC~1\WAUBOO~1.EXE
O20 - Winlogon Notify: WASHData - C:\WINDOWS\system32\g040lahm1d4a.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\windows\didduid.ini
C:\WINDOWS\system32\vbkggkn.exe
C:\WINDOWS\System32\ETMSGN.exe
C:\WINDOWS\plthzfiA.exe
C:\Program Files\Common Files\PPPATC~1\WAUBOO~1.EXE <--- you will have to figure out the real full path name the ~1 in the names is an abbreviation for longer names.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode and post a new HJT log.

Now run the below procedure and attach the newfiles.txt log.

• Using ShowNew

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Okay we need a little more info before continuing with the cleanup.

Please download FindQool by LonnyRJones

• Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
• Open the folder and run Qlocate.bat
• attach the contents of the txt.log which will open when the scan is finished. You will have to attach this to a second message because only 3 logs can be attached to a single message.

FindQool is not a removal procedure. It is a scan that helps us to locate hidden files and registry keys so we can work up a fix for the Qoologic infection.

 

This could be due to the fact that you are running an old version of FireFox and it is trying to update to the new 2.0 Beta 1 that is out. Or it could be due to a hidden application I have seen recently. Run the below additional quick scan.

Now run the below procedure and attach the runkeys.txt log.

• Using GetRunKey

After I see this report, I will give more fixes to perform.

 

Download - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later to run it.

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
Now back on Killbox's main window,Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

C:\Program Files\Common Files\RACLE~1\dvdplay.exe
C:\WINDOWS\NOELOO.DAT
C:\WINDOWS\cmdmgr.exe
C:\WINDOWS\srsfm.dll
C:\WINDOWS\System32\tvmxve.exe
C:\WINDOWS\system32\vbkggkn.exe
C:\WINDOWS\SYSTEM32\w0022149.dll
C:\WINDOWS\SYSTEM32\w016e197.ini


If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vbkggkn.exe


Now exit HJT

Run Windows Explorer and double check to make sure the below folders are all deleted:

C:\Program Files\Common Files\omqk <--- the whole folder
C:\Program Files\PECarlin <--- the whole folder


Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

Now attach a new HJT log and a new runkeys.txt log

Also tell me how things are working!

 

Yes the new version that is available for download is the raw executable that can just be run. It used to be ZIP'ed and it may be ZIP'ed again. It is difficult to keep our boiler plate messages totally up to date with this. One day ZIP, one day a self extracting exe, next day needs to be installed, and then just a ready to run application.

Yes you can run it from the Desktop but that is not a good choice. Desktop clutter and also other users can get access to your Desktop to run it in other user accounts if that become necessary. Also if you have it on your Desktop and you are not an administrator type account and then boot into safe mode to login as administrator, you again will not be able to locate the file. It is always best to locate programs like we suggest with HijackThis. That way, any user on the PC can always find it and run it. And they can even create a shortcut (yes on your Desktop if desired) to easily run the application.

You need to change your options in FireFox to always ask you where to download to. See Tools, Options, Download and select the option that says Ask me where to save every file

 

This is normal! Userinit.exe is a valid and necessary Windows process. It was the vbkggkn.exe process we were trying to remove. And is still present. Please uninstall CounterSpy and disable Ewido, then run the below again and this time attach the log even if clean:

Qoologic Removal Procedure

The look at your HJT log and fixed that F2 line if the vbkggkn.exe file is still at the end of the line.

Also check to see if the C:\WINDOWS\system32\vbkggkn.exe file exists. If so, delete it.

That's what you think! Run Windows Explorer and go to C:\Documents and Settings everything shown there is actually considered a user account. Account like the following are typically found Administrator, All Users, Default User, LocalService, NetworkService, and your account.