?? Virus / Spyware / Malware - I don't know ??

Discussion in 'Malware Help (A Specialist Will Reply)' started by rsbrowning, Mar 20, 2006.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's take a different approach first. It seems that these processes only show when you run HijackThis from the .bat method I gave to you so I want to look at something else with Process Explorer which you should already have from msg # 36.

    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked.
      • Now click on explorer.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    • Also, from now on if you have to kill any processes and you cannot kill them with Task Manager, use Process Explorer instead. Sometimes ProcessExplorer can kill things that Task Manager cannot. And Task Manager will not always show all running processes.
     
  2. rsbrowning

    rsbrowning Private E-2

    Thanks - -

    Attached is the file you requested.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! If you look at this log I had you post you will see that the three processes I have been complaining about are running under Explorer.exe. You will see each of them in the lower window pane of Process Explorer. They may also be attached to winlogon.exe, so we are going to run Process Explorer again and first select winlogon.exe and unhook those three processes, and then we will do the same for explorer.exe.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mgihj.exe once and then click the kill button. After you have killed all of the mgihj.exe under winlogon click ok.

    Now click on each instance of nedep.exe once and then click the kill button. After you have killed all of the nedep.exe under winlogon click ok.

    Now click on each instance of vwqdjs.exe once and then click the kill button. After you have killed all of the vwqdjs.exe under winlogon click ok.

    Next double click on explorer.exe and again click once on each instance of mgihj.exe and kill it.

    Now click on each instance of nedep.exe once and then click the kill button. After you have killed all of the nedep.exe under winlogon click ok.

    Now click on each instance of vwqdjs.exe once and then click the kill button. After you have killed all of the vwqdjs.exe under winlogon click ok.

    Now just keep Process Explorer running just in case any of these restart themselves.

    Run HijackThis using the special .bat file method and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe
    O4 - HKLM\..\Run: [unuujq] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - HKCU\..\Run: [rkcvk] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - Global Startup: nedep.exe


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nedep.exe

    Also look for nedep.exe in a similar path to the above but replace All Users with your actual user account name!

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot, let's double check with Windows Explorer for the below and delete them if they still exist:
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nedep.exe

    Also look for nedep.exe in a similar path to the above but replace All Users with your actual user account name!


    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
    Last edited: Mar 31, 2006
  4. rsbrowning

    rsbrowning Private E-2

    First of all - let me make it clear, I follow your steps very carefully. I only point this out because it appears that what we are trying to get rid of is still there.

    None of these instances were listed - there were 18 instances listed - none even close to the above.

    I did as instructed - again I got that error when trying to fix O4 - Global Startup: nedep.exe

    DONE

    DONE

    Looked for everything - nothing was there.

    When the system rebooted - ZA brought up a message that mgihi.exe (216.144.225.104:DNS) tried to access the internet. I denied.


    New HJT log attached (after reboot)
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's use a different approach to find all the hidden items that are working with this new form of Qoologic infection. Do not try to fix any of the problems we have been attempting to fix. We need these scans to be run after a fresh reboot with no scanning having been performed by cleaning tools. That could cause some items we need to see to be missing from the logs.

    Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that looks like fsbl-xxxxxxx.log
    • Please attach the Blacklight log file here.
    Now download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Post the contents of the txt.log which will open when the scan is finished.
     
    Last edited: Mar 26, 2006
  6. rsbrowning

    rsbrowning Private E-2

    Requested Logs are attached.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\tracert.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\cmd.com

    C:\WINDOWS\SYSTEM32\WBOLTXA.EXE
    C:\WINDOWS\SYSTEM32\CEQDABL.DLL
    C:\WINDOWS\SYSTEM32\BTGGU.DAT
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\URXKA.DLL
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nedep.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Once you have booted up in safe mode, copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run HijackThis using the special .bat file method and select any of the following lines (if they still exist) and then click Fix checked:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe
    O4 - HKLM\..\Run: [unuujq] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - HKCU\..\Run: [rkcvk] C:\WINDOWS\system32\vwqdjs.exe reg_run
    O4 - Global Startup: nedep.exe

    Now exit HJT

    Run Windows Explorer and double check to make sure the below files are all deleted:
    C:\WINDOWS\SYSTEM32\WBOLTXA.EXE
    C:\WINDOWS\SYSTEM32\CEQDABL.DLL
    C:\WINDOWS\SYSTEM32\BTGGU.DAT
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\URXKA.DLL
    C:\WINDOWS\system32\vwqdjs.exe
    C:\WINDOWS\system32\mgihj.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nedep.exe


    Then reboot into normal mode and attach a new HJT log and a new log from FindQool
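    An added check, written for this thread and not part of HijackThis, Killbox or the helper's instructions: it parses the F2 lines quoted above and flags any Shell/UserInit value beyond the single program Winlogon should launch, and lists .com files that shadow standard console tools the way the entries above do. The default Winlogon values are assumed XP defaults, and the sample log and system32 listing are constructed from the file names in this thread.

```python
import re

# Constructed sample: the HijackThis lines quoted in this thread. The O4
# lines are kept as realistic noise that the F2 parser must ignore.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mgihj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wboltxa.exe
O4 - HKLM\..\Run: [unuujq] C:\WINDOWS\system32\vwqdjs.exe reg_run
O4 - HKCU\..\Run: [rkcvk] C:\WINDOWS\system32\vwqdjs.exe reg_run
O4 - Global Startup: nedep.exe
"""

# Constructed system32 listing containing three of the shadow files from the thread.
SAMPLE_SYSTEM32 = ["cmd.exe", "cmd.com", "ping.exe", "ping.com",
                   "notepad.exe", "regedit.com", "tasklist.exe"]

# Assumption: stock Windows XP values; anything listed beyond these is suspect.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Console tools the infection shadowed with .com twins. PATHEXT tries .COM
# before .EXE, so typing "cmd" at the Run box would start the impostor.
STANDARD_TOOLS = {"netstat", "taskkill", "ping", "tracert",
                  "tasklist", "regedit", "cmd"}


def find_winlogon_hijacks(log_text):
    """Return (key, extra_values) for every F2 line whose Shell/UserInit value
    names more than the one legitimate program Winlogon should run."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
        if not m:
            continue
        expected = DEFAULT_SHELL if m.group(1) == "Shell" else DEFAULT_USERINIT
        # Winlogon values are comma separated; a trailing comma is normal.
        values = [v.strip() for v in m.group(2).split(",") if v.strip()]
        extras = [v for v in values if v.lower() != expected]
        if extras:
            findings.append((m.group(1), extras))
    return findings


def find_com_shadows(filenames):
    """Return the .com files whose base name matches a standard console tool."""
    return sorted(f for f in filenames
                  if f.lower().endswith(".com") and f.lower()[:-4] in STANDARD_TOOLS)
```

    On a real machine the same two checks would be fed the F2 lines from a fresh HJT log and a directory listing of %SystemRoot%\system32.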
     
  8. rsbrowning

    rsbrowning Private E-2

    Completed what you requested - logs attached.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears that we have defeated this malware! :)

    Are you having any remaining malware problems?
     
  10. rsbrowning

    rsbrowning Private E-2

    Looks Good - - - Thanks for your help.

    Can you assist me in getting rid of what Windows Installer is trying to load each time I boot. It appears that it is trying to load an update to an application that has been deleted.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You may be better off trying to get help on that one in the Software Forum but you could give the below application a run to see if it can help:

    Windows Installer CleanUp Utility

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
