?? Virus / Spyware / Malware - I don't know ??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rsbrowning, Mar 20, 2006.

  1. rsbrowning

    rsbrowning Private E-2

    My daughter downloaded some software applications to our home computer. She is not sure what she loaded. I have tried to remove anything that I am not sure about - problems still exist.

    I have run Ad-Aware - however, there are some issues it can't fix. I also get a virus warning from AVG every time I boot, but it isn't able to clean the virus. However, every time it boots I get something different. All claim to be hidden .exe files.

    I tried loading a trial version of McAfee to see if it would do a better job - - every time I try to load it I get an error about 90% of the way through.

    I have attached my system report.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. rsbrowning

    rsbrowning Private E-2

    I have done all the steps to the READ ME PROCESS. It seemed to delete a lot, but the problem keeps coming up. Each time I start, I get a Trojan Virus warning from AVG - - I also keep getting a large series of files loaded to my system (example: 2 Vibes - Just 4 You.mp3.exe, 7 Air - Outland.mp3.exe, ABBA - Happy New Year.mp3.exe) - there are over 100 of these.

    Also, my Mozilla Firefox or Internet Explorer browser opens on its own and takes me to various websites - most deal with Computer Protection - or Winning a Contest. Another site it seems to always go to is Powered by ZEDO.

    I also seem to be having a problem with my C: drive getting full - all I have on this is my operating system. I keep cleaning it out (over 1GB free space) and it fills up. Do you have a program that you recommend to look at partial or unused files for cleanup (other than CCleaner).

    I was unable to get Bitdefender or Panda to run - kept getting errors.

    I have attached a copy of my HijackThis log.

    Please help - this is frustrating. I am tempted to reimage my C: drive
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All steps of the READ ME must be run! At a minimum you totally skipped step 6 and attaching the two logs!

    EDIT: sorry! Just noticed your comment about errors when running! What were the errors?

    You do not need to format! We will get this fixed but please just follow all directions.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please go back and follow the directions in step 7 of the READ & RUN ME and do not use msconfig to control startups. You must select Normal Startup.

    Then run the below and attach the log:


    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    Afterwards attach a new HJT log and let me know your status.
     
  6. rsbrowning

    rsbrowning Private E-2

    I tried loading and running Bitdefender and Panda ActiveScan - - again problems, they wouldn't work.

    Bitdefender: Here is the error I get - -
    Could not load the Online Scanner!


    Panda ActiveScan: When the page launches that shows options (My Computer, Local Disk, Floppy Disk, etc.) at the bottom of the page, I get “! Error on page” - - none of the links work. I have tried reloading this several times and keep getting the same.

    I loaded and ran Look2Me-Destroyer.exe - I have attached the log - and a new Hijack This log.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you are still running both AVG7 and McAfee antivirus applications. Did you skip step 3 of the READ & RUN ME or did you have a problem trying to uninstall one of them?

    You must only have one antivirus application installed. Please fix this and then attach a new HJT log so we can continue with your malware cleanup.
     
  8. rsbrowning

    rsbrowning Private E-2

    I followed every step... I used AVG. It is the antivirus I put on my machine. I did download a trial of McAfee - tried to delete it but it wouldn't. I went into the folder and tried to delete - it won't let me delete some files.

    I keep having a problem when I delete things, they somehow come back onto my drives. I have deleted that file that has all those .exe that I told you about - it keeps reappearing.

    Any suggestions on getting McAfee out?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try to delete it or did you try to uninstall it? Those are two different things. Did you go to Add/Remove programs and try to uninstall it?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you cannot uninstall McAfee right now, don't worry about it. We will try to fix that later. First continue with the below steps to address your true malware problems.

    Look in Add/Remove Programs for the below and uninstall if found.
    FreeProd or Toolbar888
    MaxSearch or MaxiFiles

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\outlook\outlook.exe
    C:\windows\mousepad4.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wboltxa.exe
    O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
    O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - Global Startup: wmplayer.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\outlook <--- the whole folder
    C:\Program Files\TOOLBA~1 <--- the whole folder
    C:\Program Files\Toolbar888 <--- the whole folder
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\winlog.exe
    C:\WINDOWS\system32\wboltxa.exe
    C:\windows\newname4.exe <--- delete any files with names starting with the text newname and ending in .exe (like newname1.exe, newname2.exe...etc)
    C:\windows\mousepad4.EXE <--- delete any files with names starting with the text mousepad and ending in .exe (like mousepad1.exe, mousepad2.exe...etc)
    C:\windows\KEYBOARD4.EXE <--- delete any files with names starting with the text KEYBOARD and ending in .exe (like KEYBOARD1.exe, KEYBOARD2.exe...etc)
    C:\windows\GIMMYSMILEYS4.EXE <--- delete any files with names starting with the text GIMMYSMILEYS and ending in .exe (like GIMMYSMILEYS1.exe, GIMMYSMILEYS2.exe...etc)
    Also look in c:\ for any of the newnameX, mousepadX, keyboardX, GIMMYSMILEYSX files and delete them too
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
    Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back
      to the General tab and set your home page address to something useful like
      www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select
      Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel),
      Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like
      www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select
      Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Mar 21, 2006
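The post above picks the bad HijackThis entries out by hand. As an added illustration (my code, not anything from this thread or from HijackThis itself), here is a small Python triage script that applies the same reasoning to a constructed sample of the lines quoted above: F2 Winlogon Shell/UserInit values that launch anything besides explorer.exe/userinit.exe, O4 Run-key entries that name a bare file (found via PATH) or an executable dropped straight into C:\windows, Startup-folder autoruns, and O2/O3/O23 entries whose file is gone. The sample lines, the benign jusched.exe control entry and the severity labels are my assumptions, and the heuristics only catch the persistence patterns chaslang pointed at; the outlook.exe entry, for example, is recognisable as bad only from context, and this script leaves it alone.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis lines quoted in this thread,
# plus one benign Java-updater entry as a control; it is not a captured log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wboltxa.exe
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
"""

@dataclass
class Finding:
    entry: str      # HijackThis entry type: F2, O3, O4, O23, ...
    severity: str   # "high", "medium" or "low" (my own labels)
    reason: str
    line: str

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_REG_RE = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\[A-Za-z]+): \[[^\]]*\] (.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.*)$")

def _image_path(command):
    """Return the executable part of an autorun command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def check_winlogon(line):
    """F2: Winlogon Shell/UserInit should launch only explorer.exe / userinit.exe;
    anything appended after a comma runs at every logon."""
    m = F2_RE.match(line)
    if not m:
        return None
    value, rhs = m.group(1), m.group(2)
    expected = {"shell": "explorer.exe", "userinit": "userinit.exe"}[value.lower()]
    parts = [p.strip() for p in rhs.split(",") if p.strip()]
    extra = [p for p in parts if p.lower().rsplit("\\", 1)[-1] != expected]
    if extra:
        return Finding("F2", "high", f"Winlogon {value} also launches {', '.join(extra)}", line)
    return None

def check_autorun(line):
    """O4: flag Startup-folder autoruns, Run-key entries naming a bare file
    (resolved through PATH) and executables placed directly in C:\\windows."""
    if O4_STARTUP_RE.match(line):
        return Finding("O4", "medium", "autorun from the Startup folder", line)
    m = O4_REG_RE.match(line)
    if not m:
        return None
    key, command = m.groups()
    image = _image_path(command)
    if "\\" not in image:
        return Finding("O4", "medium", f"{key} launches bare filename {image} via PATH lookup", line)
    parent = image.lower().rsplit("\\", 1)[0]
    if parent == "c:\\windows":
        return Finding("O4", "medium", f"{key} launches an executable placed directly in the Windows directory", line)
    return None

def check_orphan(line):
    """O2/O3 '(no file)' and O23 '(file missing)': registrations left behind after
    a binary was removed; inert by themselves but worth clearing."""
    if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
        return Finding(line[:2], "low", "BHO/toolbar registration points at a missing file", line)
    if line.startswith("O23 - ") and line.endswith("(file missing)"):
        return Finding("O23", "medium", "service registered for a binary that no longer exists", line)
    return None

def triage(log_text):
    """Run every check over each non-empty line; the first matching check wins."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (check_winlogon, check_autorun, check_orphan):
            f = check(line)
            if f:
                findings.append(f)
                break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry:3} {f.reason}\n         {f.line}")
```

On the sample this reports the two F2 lines as high, the winlog.exe entries twice (Run and RunServices), mousepad4.exe, the Startup-folder wmplayer.exe, the orphaned toolbar and the missing McAfee service, and stays quiet on the jusched.exe control and the R1 proxy line.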
  11. rsbrowning

    rsbrowning Private E-2

    So far, it appears that the auto pop up of my web browsers has stopped - -

    I did get a "Window Defender Warning" Name: Maxifiles Alert Level: Medium

    Also, when I reboot, I get the following Task Panel Message:

    Feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the install package "EarthLink TAR.msi" in the box below.

    I cancel out of this to continue. It comes up several times (6-8).

    Also, I would like to get everything out of my system re. McAfee and AVG and do a clean install - - can you help?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete the steps in my last message.
     
  13. rsbrowning

    rsbrowning Private E-2

    Sorry - - Forgot to confirm that I did everything - forgot to post new Hijack This log. Previous message is in regards to rebooting after I did what you asked.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not use msconfig while we are trying to fix problems. See step 7 of the READ ME. You have the below running.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Select normal startup, reboot, and attach a new log. Some malware is still present. And new ones showed up.
    Did you miss these two:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe

    Did you find the files to delete?

    Did you uninstall AVG?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also questions & comments

    What version of LimeWire are you running? Did you know that many versions contain malware? Why are you running it at startup? You should only run it when you use. Leaving the P2P connection up all the time is not a good thing to do.
     
  16. rsbrowning

    rsbrowning Private E-2

    I have attached a new copy of Hijack This log - - I reloaded it to my C: drive per instructions (I had it on another drive). I have three drives on my system - I have tried to keep my C: drive as my operating system - D: as my applications - and X: Drive as Storage.

    I am running LimeWire 4.10.9. I do not have it set to run at startup - I manually start it.

    The following are files that I could not find to delete:
    C:\Program Files\TOOLBA~1 <--- the whole folder
    C:\Documents and Settings\All Users\StartMenu\Programs\Startup\wmplayer.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\wboltxa.exe
    C:\windows\GIMMYSMILEYS4.EXE <--- delete any files with names starting with the text GIMMYSMILEYS and ending in .exe (like GIMMYSMILEYS1.exe, GIMMYSMILEYS2.exe...etc)

    Yes - I uninstalled AVG.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so it should not have been running then in your previous log. No programs like this should be running while trying to fix problems.

    You still have not selected Normal Startup! The below should not be running.
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    They still show in your HJT log on the F2 lines. Fix them again and double check for the files. Look in both C:\windows\system32 and c:\windows

    Let me know what you find.


    But now you have no antivirus and you also never had a firewall. You are very susceptible right now.
     
  18. rsbrowning

    rsbrowning Private E-2

    WOW - - I can't find these (went in under SAFE):

    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\wboltxa.exe

    I even tried search as a last hope (entire C: drive).

    I double checked to make sure I followed your instructions to show hidden files - - everything is correct.

    Attached is a new HiJack This - - I did make sure to be in Normal Mode (it defaults to something else).
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Locate your C:\windows\system.ini using Windows Explorer and load it into notepad.

    Do you see any lines have the below files on them:
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\wboltxa.exe

    If so, post back here what you found.
     
  20. rsbrowning

    rsbrowning Private E-2

    Still unable to find.

    Attached is a copy of my system.ini that you requested.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything. Note: you cannot attach a file with a .ini extension. Just copy and paste the contents into your message.

    Also can I assume you want to dump all of McAfee?
     
  22. rsbrowning

    rsbrowning Private E-2

    Sorry - I copied it to a notepad and tried to attach. Here it is:

    ; for 16-bit app support
    [drivers]
    wave=mmdrv.dll
    timer=timer.drv
    [mci]
    [driver32]
    [386enh]
    woafont=dosapp.FON
    EGA80WOA.FON=EGA80WOA.FON
    EGA40WOA.FON=EGA40WOA.FON
    CGA80WOA.FON=CGA80WOA.FON
    CGA40WOA.FON=CGA40WOA.FON

    Yes - I want to remove McAfee then reload AVG.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! First let's try something else to get rid of those F2 entries and one other problem.


    Shut down MS Windows Defender and then exit all browsers.
    Then run HJT and select the below lines:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

    Then click Fix checked.. If you get any messages from Windows Defender next time you reboot just okay them and tell me what messages you get (do not restart Windows Defender yet).

    Then reboot into safe mode and delete the below:
    C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe

    Now empty your C:\windows\Prefetch folder
    Now empty your Recycle Bin

    Now reboot and attach a new HJT log.
     
  24. rsbrowning

    rsbrowning Private E-2

    I just don't get it - I did everything you said, how you said it. Found the files, deleted them, cleaned Prefetch folder, emptied Recycle Bin using CCleaner - - and it looks like they are still there.

    The only thing I notice when I reboot, is a Windows Installer window comes up, starts to add something to Task Panel - then I get the errors:

    Feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the install package "EarthLink TAR.msi" in the box below.

    I hit cancel on each message to continue. It comes up several times (6-8).

    Windows Defender appears to have relaunched when I rebooted.

    Attached is my new HiJack This log

    Thank you so much for your assistance so far....
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You keep getting other infections on top of these current problems. You now have an Rbot Worm (winupdates.exe) . We need to get your system better protected before we can continue. Let's change gears a little.

    First we will remove McAfee.
    Then we will get an antivirus installed and updated
    Then we will install a firewall to get you properly protected.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee WSC Integration (if that is not found, look for the short name: McDetect.exe)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    McAfee Task Scheduler (if that is not found, look for the short name: McTskshd.exe)
    McAfee SecurityCenter Update Manager (if that is not found, look for the short name: mcupdmgr.exe)

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    McDetect.exe

    Now repeat the above stop and disable for the following services:
    McTskshd.exe
    mcupdmgr.exe

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (the O23 line should already be gone):
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\program files\mcafee.com <--- the whole folder

    Now reboot in normal mode

    Now continue with below.

    Refer to this link in steps 2 and 3: How to Protect yourself from malware!

    And install an antivirus and a firewall. I would recommend you use AVG and ZoneAlarmFree.

    After getting them installed ( you may be told to reboot after installing ZoneAlarm - please do so). After you get ZoneAlarm installed you will start noticing messages about programs trying to access the internet. If you do not know what the program is, block it and tell me the program/process name later.

    Next continue with the following Ewido scan and attach the Ewido log: Running Ewido Anti-Malware

    Now attach a new HJT log and the Ewido log.
     
  26. rsbrowning

    rsbrowning Private E-2

    I have been busy on this all day....

    I followed your steps and removed McAfee - the following files were not there in HJT:

    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)



    I then loaded AVG and ZoneAlarmFree

    Then I loaded Ewido and followed the instructions (with "Perform action with all infections). Everything went well until the scan - - -

    It found over 15,000 infected files - - it then went through and started to clean them - - at file #35, it brought up a warning that indicated - ...cannot be removed, it is embedded in the archive (listed the folder and file). Do you want to remove the whole archive? I hit YES.

    Then the remainder of the infections came up with the same warning (same folder, different file). I continued to YES. I got to about 1,700 (one at a time) and the program quit responding.

    The folder that it kept bringing up was C:Documents and Setting\Rob\Complete\(then the file name). It appeared all of these were .zip.exe files.

    Because this has taken so long, I thought I would respond to you before running it again (it was a manual process and it took a long time to get as far as I did).

    I ran a new HJT log.

    Also, I am concerned that the Windows Install comes up everytime I boot - - I just cancel out, but it comes up 6 or 7 times. Is it possible it keeps loading this crap to my system?

    Let me know how you would like me to continue.
     

    Attached Files:

  27. rsbrowning

    rsbrowning Private E-2

    I went into that file where it seemed all the infections were - - there are 12,523 Files = 2.36 GB. The folder is also marked as "Read-only"

    I have done nothing with this - just passing on the information.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so do you recognize all the stuff in this \Rob\Complete\ folder? It must be your stuff. What is it? What are all the ZIP files that Ewido is finding?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is EarthLink your ISP? The EarthLink TAR.msi sounds like a Microsoft Installer package for Earthlink.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (the O23 line should already be gone):
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Program Files\winupdates <--- the whole folder
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\SYSTEM32\wboltxa.exe

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
  30. rsbrowning

    rsbrowning Private E-2

    I don't recognize any of this... The file names are very strange - like old names of songs - old tv shows - old movies - etc. I never remember downloading anything like this. Generally if I have a zip file, I execute and then delete the zip file.

    I have tried to delete these files (when we first started) and they keep coming back.

    I would like to get rid of them - - there are a lot of zip files and they are using up a lot of space.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the steps in message # 29?

    Download and install this: ExplorerXP

    Use it to delete the whole folder named Complete
    Do this by navigating to the Rob folder in the left window pane and select it (make sure Rob is highlighted) then in the right window pane select the Complete folder. Now in the top menu select Edit and then select Delete Permanently. Does this work?
     
  32. rsbrowning

    rsbrowning Private E-2

    OK - - Here is what I have done...

    Went and did all the steps in 29 - However:
    C:\WINDOWS\system32\mgihj.exe - not found
    C:\WINDOWS\SYSTEM32\wboltxa.exe - not found

    Then I went and ran ExplorerXP - I rebooted - the file is gone.

    I still get the Microsoft Installer every time I boot - it is looking for a folder that doesn't exist. I have MCI DSL - they may be using EarthLink as ISP. Is there a way that I can get rid of that installer? My Internet connection seems to be running fine. It may be trying to get to a file that has been deleted and I don't know where to redirect.

    Attached is HJT log and uninstall list.
     

    Attached Files:

  33. rsbrowning

    rsbrowning Private E-2


    Here are a few programs trying to access the internet that ZA is blocking:

    Spooler Sub System App
    vwqdjs.exe
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does ZoneAlarm give the full path to the files? Especially the vwqdjs.exe file. I bet it is in c:\windows\system32

    Did you get that whole \Rob\Complete folder to delete?

    Uninstall these two old Sun Java versions (you already have the current version installed):
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4


    Also do the below. I want to see if it also helps detect a hidden process that does not always show when HijackThis is run via normal methods.

    Copy the below quoted text into a new notepad document.
    Click File> Save as... and change Save as type to all files, set the File name to runhjt.bat and save it to your Desktop.
    Now execute runhjt.bat by double clicking on it. A new HJT log will come up. The file is already saved in the folder where HJT is run from. This should be C:\Program Files\HJT if you followed our directions for installing HJT. Attach this new log. I'm suspecting it may reveal another hidden executable process. HJT is also still running minimized. You can close it.

    Now I want one more additional log! Run the steps in the below thread and attach the WinPfind log.

    Running WinPfind by OldTimer
     
  35. rsbrowning

    rsbrowning Private E-2

    Yes I got the entire \Rob\Complete folder to delete.

    I uninstalled the following as instructed:
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4

    Quote: "Does ZoneAlarm give the full path to the files? Especially the vwqdjs.exe file. I bet it is in c:\windows\system32"
    No - - it only showed what it was blocking.

    I have pulled an Alert Log in ZA - - it has blocked vwqdjs.exe several times (over 30); it is showing as Outgoing (connect) and (data). The Destination IP is always different - and it shows different Destination DNS (example: a1521.x.akamai, ns2.web-nexus.net, pagead.l). I can not find a way to copy or print this log.

    Attached are the logs you requested.
     

    Attached Files:
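The ZoneAlarm observation above (one unknown system32 binary, blocked over 30 times, a different destination each time) is the classic fan-out signature of adware or bot beaconing. As an added example, not from this thread and not ZoneAlarm's own format, here is a Python summariser that runs the same check over a constructed CSV of firewall block events: it groups outgoing blocks by process, reports any process that tried to reach several distinct addresses, and adds a cheap "random-looking name" heuristic (a five-plus-letter stem with no vowel, like vwqdjs). The CSV layout, the sample rows and the threshold are my assumptions; the addresses are RFC 5737 documentation ranges.

```python
import csv
import io
from collections import defaultdict

# Constructed firewall block events in an assumed generic CSV layout (not
# ZoneAlarm's own log format); addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = r"""
time,process,direction,dest_ip,dest_host
2006-03-25 09:01:02,C:\WINDOWS\system32\vwqdjs.exe,outgoing,192.0.2.10,cdn-a.example
2006-03-25 09:01:09,C:\WINDOWS\system32\vwqdjs.exe,outgoing,192.0.2.44,ns2.example
2006-03-25 09:02:31,C:\WINDOWS\system32\vwqdjs.exe,outgoing,198.51.100.7,ads.example
2006-03-25 09:03:15,C:\WINDOWS\system32\vwqdjs.exe,outgoing,198.51.100.7,ads.example
2006-03-25 09:05:40,C:\WINDOWS\system32\vwqdjs.exe,outgoing,203.0.113.5,tracker.example
2006-03-25 09:06:00,C:\WINDOWS\system32\spoolsv.exe,outgoing,192.0.2.200,printer.lan
2006-03-25 09:07:12,C:\Program Files\Mozilla Firefox\firefox.exe,outgoing,192.0.2.10,cdn-a.example
2006-03-25 09:08:00,C:\WINDOWS\system32\svchost.exe,incoming,192.0.2.99,scanner.example
""".strip()

VOWELS = set("aeiouy")

def is_random_looking(path):
    """Cheap heuristic: a file stem of five or more letters with no vowel at all
    (like vwqdjs) is unusual for a legitimate Windows binary."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return len(stem) >= 5 and stem.isalpha() and not (set(stem) & VOWELS)

def summarize_outbound(events_csv, min_destinations=3):
    """Group outgoing block events by process and report processes that tried to
    reach at least `min_destinations` distinct addresses (the fan-out typical of
    adware/bot beaconing), with counts, destinations and the name heuristic."""
    per_process = defaultdict(lambda: {"events": 0, "dest_ips": set(), "dest_hosts": set()})
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["direction"].strip().lower() != "outgoing":
            continue
        rec = per_process[row["process"]]
        rec["events"] += 1
        rec["dest_ips"].add(row["dest_ip"])
        rec["dest_hosts"].add(row["dest_host"])
    report = {}
    for process, rec in per_process.items():
        if len(rec["dest_ips"]) >= min_destinations:
            report[process] = {
                "events": rec["events"],
                "dest_ips": sorted(rec["dest_ips"]),
                "dest_hosts": sorted(rec["dest_hosts"]),
                "random_looking_name": is_random_looking(process),
            }
    return report

if __name__ == "__main__":
    for process, rec in summarize_outbound(SAMPLE_EVENTS).items():
        flag = " (random-looking name)" if rec["random_looking_name"] else ""
        print(f"{process}{flag}: {rec['events']} blocked connections to "
              f"{len(rec['dest_ips'])} addresses: {', '.join(rec['dest_hosts'])}")
```

The print spooler and the browser each stay below the threshold, so only the vwqdjs.exe process is reported; lowering `min_destinations` to 1 shows everything that made an outgoing attempt, which is the view to use when you want the full list of names to report back, as chaslang asked for.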

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen look for the below processes and right click on them and select Kill process. Make sure you look for multiple instances as indicated (there may or may not be multiple of each one)
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\mgihj.exe

    Now just exit Process Explorer (even if no processes are found just continue).

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.



    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe
    O4 - HKLM\..\Run: [unuujq] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - HKCU\..\Run: [rkcvk] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - Global Startup: nedep.exe



    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\wboltxa.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\tracert.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\cmd.com


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot, let's double check with Windows Explorer for the below and delete them if they still exist:
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\wboltxa.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\tracert.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\cmd.com


    Click Start and select Search
    Now Select "All files and folders"
    Enter nedep.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Tell me where you locate this file and also right click on it in the search window and select delete to delete it.


    Now attach a new HJT log and tell me how the steps went.

    Make sure you tell me how things are working now!
     
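    The procedure above boils down to three checks that can be made on the HijackThis log itself: which extra images have been chained onto the Winlogon Shell and UserInit values (the F2 lines), which images are launched from Run/Startup (the O4 lines) and therefore have to be killed in Process Explorer before the lines can be fixed, and which .com files in System32 sit beside a standard console tool. That last point is why netstat.com, cmd.com and the rest are on the Killbox list: the default PATHEXT order tries .COM before .EXE, so typing `netstat` or `cmd` at a prompt runs the .com file instead of the real tool. The script below is an added example, not code from the thread or from MajorGeeks; it parses the exact F2/O4 lines quoted in the post plus one made-up benign Run entry (ExampleAV, avtray.exe) and a constructed System32 listing, so it runs offline without touching a registry or a real disk.

```python
import ntpath
import re
from typing import List, Set, Tuple

# Constructed sample input: the F2/O4 lines quoted in the post above, plus one
# made-up benign Run entry (ExampleAV) so the parser has something legitimate to pass.
SAMPLE_HJT_LINES = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe
O4 - HKLM\..\Run: [unuujq] C:\WINDOWS\system32\vwqdjs.exe reg_run
O4 - HKCU\..\Run: [rkcvk] C:\WINDOWS\system32\vwqdjs.exe reg_run
O4 - Global Startup: nedep.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe" /startup
""".strip().splitlines()

# Constructed System32 directory listing (not taken from the user's machine).
SAMPLE_SYSTEM32 = [
    "cmd.exe", "cmd.com", "netstat.exe", "netstat.com", "ping.exe",
    "tracert.exe", "regedit.com", "kernel32.dll", "dmonwv.dll", "userinit.exe",
]

# Default Winlogon values on Windows XP. HijackThis only prints an F2 line when the
# value differs from the default, so any entry beyond these basenames is suspect.
WINLOGON_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# Console tools that malware shadows with a same-named .com file. With the default
# PATHEXT (.COM is tried before .EXE), `netstat` at a prompt runs netstat.com.
SHADOWED_TOOLS = {"cmd", "netstat", "ping", "tracert", "tasklist", "taskkill", "regedit"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")


def _image_of(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def winlogon_extras(hjt_lines: List[str]) -> List[Tuple[str, str]]:
    """(key, entry) for every Shell/UserInit entry that is not the XP default."""
    extras = []
    for line in hjt_lines:
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key").lower()
        for entry in m.group("value").split(","):
            entry = entry.strip()
            if not entry:
                continue  # UserInit legitimately ends with a trailing comma
            if ntpath.basename(entry).lower() not in WINLOGON_DEFAULTS[key]:
                extras.append((key, entry))
    return extras


def startup_images(hjt_lines: List[str]) -> Set[str]:
    """Basenames of every image started at logon via Winlogon or an O4 entry.
    Look each one up in Process Explorer and kill the ones you cannot account
    for BEFORE fixing the lines; a running copy typically re-creates its entries."""
    images = {ntpath.basename(e).lower() for _, e in winlogon_extras(hjt_lines)}
    for line in hjt_lines:
        m = O4_RE.match(line.strip())
        if m:
            images.add(ntpath.basename(_image_of(m.group("cmd"))).lower())
    return images


def com_shadows(listing: List[str]) -> List[str]:
    """.com files whose stem is a standard console tool (PATHEXT shadowing)."""
    hits = []
    for name in listing:
        stem, ext = ntpath.splitext(name.lower())
        if ext == ".com" and stem in SHADOWED_TOOLS:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for key, entry in winlogon_extras(SAMPLE_HJT_LINES):
        print(f"Winlogon {key} has extra entry: {entry}")
    print("Kill/verify in Process Explorer:", ", ".join(sorted(startup_images(SAMPLE_HJT_LINES))))
    print("Tool-shadowing .com files:", ", ".join(com_shadows(SAMPLE_SYSTEM32)))
```

    On a live XP box the same three lists come from the HJT log you already have and from `dir C:\WINDOWS\system32\*.com`; the point of the script is that the kill list is derived from the log before anything is fixed, which is the order the post insists on.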
  37. rsbrowning

    rsbrowning Private E-2

    I followed your instructions step by step.

    The following were not found:
    O4 - HKLM\..\Run: [unuujq] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - HKCU\..\Run: [rkcvk] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - Global Startup: nedep.exe

    When I rebooted after running Pocket Killbox, I got a "Virtual Memory Low" message.

    Also - when I ran the Search (followed the steps [twice to make sure]) - it did not locate anything.


    I know that this may not be a big issue - but is there any way we can kill what is trying to load via Windows Install / Task every time I reboot? It cannot find the folder where it is trying to install whatever it is that it is doing - - all I do is cancel out.

    New HJT attached.
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will need to run HijackThis the way I had you do it before or you probably will not see those lines. Run it like this:

    Copy the below quoted text into a new notepad document.
    Click File> Save as... and change Save as type to all files, set the File name to runhjt.bat and save it to your Desktop.
    Now execute runhjt.bat by double clicking on it. A new HJT log will come up in a notepad window. Just close the notepad window and open the HijackThis task which is minimized in your tray. Then find the lines I gave in my previous message and complete the steps again.

    Did Process Explorer see any of those processes?

    If Killbox got this error, did it still seem to work? Run all the steps again but make sure you have all browsers and other unnecessary processes and windows closed.

    When I rebooted after running Pocket Killbox, I got a "Virtual Memory Low" message.

    Also - when I ran the Search (followed the steps [twice to make sure]) - it did not locate anything.

    Not sure but let's see if we can find anything by doing the below two scans.

    Let's get a Startup List with HijackThis.

    Generating Startup Lists with HijackThis
    • Run HijackThis, click Open the Misc Tools section
    • Put a check in the List also minor sections (full) check box.
    • Now click the Generate StartupList Log button.
    • This will create a file named startuplist.txt in the same folder that HijackThis is installed into.
    • Also a notepad file will open with this startuplist in it.
    • Attach the startuplist.txt file to your next message.

    Also run the steps in the below link and attach the requested log to your next message:

    Using GetRunKey
     
  39. rsbrowning

    rsbrowning Private E-2

    Did everything - - ran HJT with the .bat. However, when it tried to remove O4 - Global Startup: nedep.exe I got the following message - "Unable to delete file: 04 - Global Startup: nedep.exe The file may be in use. Use TASK Manager to shutdown the program and run HiJackThis again." I could not find this application running in TASK Manager.

    Ran Pocket KillBox again - didn't get the error this time. It appears that the files were removed.

    I have attached the files you asked for.
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot use Task Manager for stuff like this. It will not locate many forms of malware. You must use the process manager built into HijackThis or a program like Process Explorer.
     
  41. rsbrowning

    rsbrowning Private E-2

    I did - - it won't let it delete.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did with what?

    And what is the full path to the file?
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also download and install: Registrar Lite

    Then run it and paste the below string into the Address bar field.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Then in the right window pane locate the Userinit parameter and double click on it. What do you see in the Value box?

    Then close this Data Editor box and click the Security menu selection at the top and select Edit Auditing. Tell me all the info in the Group or user names: box. Also look in the lower form for Permissions and tell me which items are check in the Allow column and in the Deny column.

    Then in the right window pane locate the Shell parameter and double click on it. What do you see in the Value box?

    Then close this Data Editor box and click the Security menu selection at the top and select Edit Auditing. Tell me all the info in the Group or user names: box. Also look in the lower form for Permissions and tell me which items are check in the Allow column and in the Deny column.
     
  45. rsbrowning

    rsbrowning Private E-2

    I ran HJT as you instructed - it would not fix O4 - Global Startup: nedep.exe. I got the following message - "Unable to delete file: 04 - Global Startup: nedep.exe The file may be in use. Use TASK Manager to shutdown the program and run HiJackThis again."


    C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe

     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to know where the nedep.exe file is located. You said you tried to kill it with HijackThis's process manager or Process Explorer. They can tell you exactly where the file is located. I need this info.

    Also to remove the O4 line you must kill the other rogue process first. I gave these to you in message # 36:
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\WINDOWS\system32\mgihj.exe

    If you do not kill ALL of them, you will not be able to make fixes.

    About Registrar Lite and what I asked you to do. You said
    As far as I know that is not true. I have the free version and it gives me the information just fine.
     
  47. rsbrowning

    rsbrowning Private E-2

    I ran HJT again (from the HJT.bat file you had me create)- -

    All I get is a message from HJT that says:

    Unable to delete the file:
    04-Global Startup:nedep.exe
    The file may be in use. Use Task Manager to shutdown the program and run HijackThis again to delete the file.

    Then all there is is an OK button.

    I am running Registrar Registry Manager - Lite Edition
    version 4.03, build 403.30101

    When I go to the Security Drop Down at the top and select Edit Auditing - I get the following message:

    Registrar Lite / Trial Edition Limitation
    Setting key permission is only available in the PRO version of Registrar Registry Manager.

    Then a button to Upgrade to Pro, or continue with Lite.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are missing the point. You are not supposed to be trying to fix that O4 line without first going to the Process Manager of HijackThis and locating the processes I gave you and killing them. You can also use Process Explorer to kill them. But I still need you to tell me where the file is located.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to download and install Registrar Lite from the Majorgeeks links. It should be version 2.0 not 4.
     
  50. rsbrowning

    rsbrowning Private E-2

    I'm sorry - I really do appreciate your help. I try to follow your steps.

    Can you give me instructions again on how to find the location for nedep.exe? I have seen nothing that shows me where it is - just the program name "nedep.exe".
     
