Hijack this assistance

Discussion in 'Malware Help (A Specialist Will Reply)' started by koosh1973, Apr 13, 2006.

  1. koosh1973

    koosh1973 Private E-2

    I've spent a couple of hours cleaning off a computer, I got rid of many of the annoying problems.

    The main problem was numerous popups (without surfing pages). After my cleaning, we still get the occasional pop up.

    If someone can review the log and see if I am missing anything, it would be greatly appreciated.

    I've attached the first scan as well as the latest to let you see the problems I've tackled.

    Two lines that concern me that I've tried to remove are the "F2 - Reg:system" lines. I've searched for those files and there is not a trace of them on the computer.

    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You still have problems. One of them is a Qoologic infection. You need to follow the below procedures. Make sure you install HijackThis properly as indicated in step 7 of the READ ME.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
    Now to help us find all the additional hidden files from the Qoologic infection, continue with the below.

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
     
  3. koosh1973

    koosh1973 Private E-2

    Attached are the files.

    Thanks for the assistance
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember to always post HijackThis logs from Normal Boot mode unless we request them from safe mode (we rarely do that).

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\w2f6817a.dll
    C:\WINDOWS\system32\wnscpcc.exe
    C:\WINDOWS\system32\umniqd.exe
    C:\WINDOWS\system32\kvfmq.exe
    C:\WINDOWS\system32\btniilf.dll
    C:\WINDOWS\system32\vqlqcju.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mtajx.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kvfmq.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vqlqcju.exe
    O4 - HKLM\..\Run: [w2f6817a.dll] RUNDLL32.EXE


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Documents and Settings\scoreboard\Local Settings\Temp <--- delete all files in the Temp folder
    C:\Documents and Settings\scoreboard\Application Data\Sskcwrd.dll
    C:\WINDOWS\system32\w2f6817a.dll
    C:\WINDOWS\system32\umniqd.exe
    C:\WINDOWS\system32\kvfmq.exe
    C:\WINDOWS\system32\btniilf.dll
    C:\WINDOWS\system32\vqlqcju.exe
    C:\WINDOWS\system32\ad.html
    C:\WINDOWS\system32\wnscpcc.exe
    C:\WINDOWS\teller2.chk
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mtajx.exe

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
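The two F2 lines fixed above are the HijackThis rendering of the Winlogon Shell and Userinit values (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon); Windows launches every comma-separated component at logon, so an extra filename appended after Explorer.exe or Userinit.exe is a logon-persistence hijack. As an added example that is not part of this thread or of HijackThis, the following script parses F2 lines from a saved log and reports any component that is not the expected stock binary; the sample lines are constructed from the entries quoted above plus a clean default.

```python
"""Check HijackThis 'F2 - REG:system.ini' lines for Winlogon Shell/Userinit hijacks."""
import re

# Stock Windows XP defaults for each Winlogon value (compared by basename, case-insensitive).
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

F2_RE = re.compile(
    r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.+)$", re.IGNORECASE
)

def parse_f2(line):
    """Return (key, [components]) for an F2 line, or None if the line is another HJT section."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    # Winlogon treats the value as a comma-separated list; a trailing comma is normal for Userinit.
    parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
    return m.group("key").lower(), parts

def basename(path):
    """Last path component, lower-cased, so 'C:\\WINDOWS\\System32\\x.exe' and 'x.exe' compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_components(line):
    """Components of an F2 line that are not the expected Windows binary for that key."""
    parsed = parse_f2(line)
    if parsed is None:
        return []
    key, parts = parsed
    return [p for p in parts if basename(p) not in EXPECTED[key]]

def audit_log(lines):
    """Map each hijacked F2 line to its unexpected components; clean and non-F2 lines are omitted."""
    findings = {}
    for line in lines:
        bad = suspicious_components(line)
        if bad:
            findings[line.strip()] = bad
    return findings

# Constructed sample log: the two hijacked lines from the thread, a clean default, and a non-F2 line.
SAMPLE_LOG = [
    "F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\System32\\kvfmq.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,vqlqcju.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,",
    "O4 - HKLM\\..\\Run: [w2f6817a.dll] RUNDLL32.EXE",
]

if __name__ == "__main__":
    for line, bad in audit_log(SAMPLE_LOG).items():
        print(f"HIJACKED: {line}\n    unexpected: {', '.join(bad)}")
```

Any component it reports is the file to investigate; the stock values by themselves produce no output.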
     
  5. koosh1973

    koosh1973 Private E-2

    Alrighty..

    First, thanks for the help and the detailed instructions... I've cleaned a lot of computers, but this by far is the trickiest one yet.

    Things are going good... No pop ups so far since this last reboot.

    I've posted the logs as requested
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the Qoologic infection is gone but now you have picked up a Virtumonde infection that was not there before. This is all happening because this PC is running with NO protection software (no antivirus, no antispyware, no firewall). You must address this problem or you will do nothing with this PC except spend time fixing it.

    Run the below and then attach the requested log:

    Virtumonde aka Trojan Vundo Removal


    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    Also delete this file:
    C:\WINDOWS\system32\ajdld.dat


    Then also attach a new HJT log.
     
