Evil Qoologic please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by xxavalanchexx, Mar 28, 2006.

  1. xxavalanchexx

    xxavalanchexx Private E-2

    Ok, I believe I have a bad version of the Qoologic virus. I have run every anti-adware program I can think of. I have attached a HijackThis log. When I run HijackThis and I remove the unneeded things I get the problem of them being immediately reinstalled, BUT there is no running process that I can see to stop.

    I have used FindQool, and have attached "Report.txt"; it lists my problem files etc., but when I go to the location it says, I cannot see them to delete. I have turned on show all hidden files and show system files, but they still cannot be seen.

    Please tell me what I should do.

    Thank you.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Yes you do have the new Qoologic infection but we also need you to run our standard cleaning procedures (below) to make sure we find all problems. Also I need you to run Blacklight and attach the log too:

    Download & run Blacklight Beta
    • Hit I accept. It will take you to the download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that looks like fsbl-xxxxxxx.log
    • Please attach the Blacklight log file here.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. xxavalanchexx

    xxavalanchexx Private E-2

    Hi, ok sorry I didn't follow the Read Me First from the start ;( But now I am back and have completed it. I have attached the Blacklight Beta log, but did NOT have it clean any of the things that it found.

    I also am uploading the logs for my AdAware and Spybot results, AND the logs from Bitdefender. I tried to run Panda Scan but it would not run; if you NEED it I will go back and try to figure something out with it.
     

    Attached Files:

  4. xxavalanchexx

    xxavalanchexx Private E-2

    Here is also my Hijackthis log and my Windows Defender logs. Sorry for second post.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have HJT installed here: C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    That is exactly where we ask that it not be installed. Please read the instructions and link in step 7 of the READ ME again and install HJT properly. Do this before continuing to my next message (which I will be posting soon).
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\ieunst.exe
    C:\WINDOWS\ftpnw.dll
    C:\WINDOWS\RGFuaWVsIFNoaWVsZHM\l3IRuqpPKIhCuqpPtJg.vbs
    C:\WINDOWS\system32\hyjggt.exe
    C:\WINDOWS\system32\wiakg.exe
    C:\WINDOWS\system32\idhoqyu.exe
    C:\WINDOWS\system32\ngigwcg.dll
    C:\WINDOWS\SYSTEM32\MVXJR.DAT
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yguhm.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Now run HijackThis using the special .bat file method and select any of the following lines (if they still exist) and then click Fix checked:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wiakg.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,idhoqyu.exe

    Now exit HJT

    Run Windows Explorer and double check to make sure the below files are all deleted:

    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\ieunst.exe
    C:\WINDOWS\ftpnw.dll
    C:\WINDOWS\RGFuaWVsIFNoaWVsZHM\l3IRuqpPKIhCuqpPtJg.vbs
    C:\WINDOWS\system32\hyjggt.exe
    C:\WINDOWS\system32\wiakg.exe
    C:\WINDOWS\system32\idhoqyu.exe
    C:\WINDOWS\system32\ngigwcg.dll
    C:\WINDOWS\SYSTEM32\MVXJR.DAT
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yguhm.exe

    Then reboot into normal mode and attach a new HJT log and a new log from FindQool
     
    Last edited: Mar 31, 2006
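The two F2 lines in the fix above are HijackThis's view of the Winlogon Shell and Userinit values, which Qoologic pads with its own executables. As an added example that is not from this thread or from any tool mentioned in it, here is a small Python audit that parses such lines, separates the legitimate entry from the padding, and refuses to produce a Userinit value with nothing legitimate left in it; it assumes the Windows XP defaults (Shell=Explorer.exe, Userinit=C:\WINDOWS\system32\userinit.exe,) and uses the two lines from this post as constructed sample input.

```python
import re

# Windows XP defaults for the two Winlogon values (assumed system directory).
SYSTEM32 = r"C:\WINDOWS\system32"
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = (SYSTEM32 + r"\userinit.exe").lower()

# Constructed sample: the two F2 lines quoted in the post above.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wiakg.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,idhoqyu.exe",
]

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")


def parse_f2(line):
    """Return (value_name, [entries]) for a HijackThis F2 line, else None."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return m.group(1), entries


def is_legit(name, entry):
    """True if the entry is the stock Windows value for that name."""
    e = entry.lower()
    if name == "Shell":
        return e == DEFAULT_SHELL
    # Userinit is stored as a full path but may show up as a bare name.
    return e in (DEFAULT_USERINIT, "userinit.exe")


def audit_f2(line):
    """Return (name, legitimate_entries, extra_entries) or None."""
    parsed = parse_f2(line)
    if parsed is None:
        return None
    name, entries = parsed
    legit = [e for e in entries if is_legit(name, e)]
    extra = [e for e in entries if not is_legit(name, e)]
    return name, legit, extra


def cleaned_value(line):
    """Stock value with the padding removed, or None when nothing legitimate
    remains. A Userinit value that no longer runs userinit.exe (or a deleted
    userinit.exe) logs every user straight back out, which is the symptom
    reported later in this thread, so a None result must never be written."""
    result = audit_f2(line)
    if result is None or not result[1]:
        return None
    return "Explorer.exe" if result[0] == "Shell" else SYSTEM32 + r"\userinit.exe,"
```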
  7. xxavalanchexx

    xxavalanchexx Private E-2

    Sorry, but what is the HijackThis special .bat file method?
     
  8. xxavalanchexx

    xxavalanchexx Private E-2

    I am sorry but new MAJOR problem. I did everything you said step by step. I got to where I ran Pocket Killbox. Told it to delete all of those files and to restart in safe mode. But when I start in safe mode and it asks me to log in as a user - no matter what user I pick it instantly logs me back out. The same goes for if I try and start the PC without safemode.

    So essentially I cannot log in as a user (there is only one anyway).
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Somewhere along the way did you delete this file?
    C:\WINDOWS\SYSTEM32\Userinit.exe


    Did the registry patch get added into the registry with no problems?

    Do you have a bootable Windows XP SP2? If not, can you borrow one from a friend! I believe we are going to need to reboot to the Recovery Console.
     
    Last edited: Mar 31, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe something I gave you really messed you up. I apologize for that.

    We are more than likely going to have to run a procedure like what is documented in the below by Microsoft, but you will need a bootable WinXP SP2 CD to do this:

    http://support.microsoft.com/?kbid=307545

    Print this if you can and start reading it. Basically what it does is the following:
    • Boot to Recovery Console and back up your current registry (even though bad and blocking you from logging in)
    • Copies registry files from an initial point in time when Windows was first installed on your PC. This will make it so we can at least boot up into safe mode to try to fix the problems with logging in.
    • Once in safe mode you pick a restore point from before the last fix of mine was applied that messed you up. And then you copy registry files from this restore point into a C:\windows\tmp folder.
    • Then reboot to Recovery Console and delete the registry files from the initial Windows install time frame (the ones that allowed us to boot in safe mode). And then copy the ones from the C:\Windows\tmp folder which is from a recent restore point.
    • Then you reboot (and should be able to login to your PC like normal) and then you would do a true full system restore to a point before I broke your PC.
    After doing this we could continue to remove your malware problems (some of which may get restored too).
     
