Win32: TratBHO

I’ve got that awful virus that has the undeletable BHO and can’t be deleted or cut and pasted. The module hides inside of the winlogon.exe process and if you kill just the module, not even the process, it locks up your system. Filename is urqqpqo.dll in the Windows system32 folder. Attached is the HijackThis log file. What do I need to do to remove this from my system?

Hi, hopefully this should be short but sweet.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  1. Open Spybot Search & Destroy.
  2. In the Mode menu click “Advanced mode” if not already selected.
  3. Choose “Yes” at the Warning prompt.
  4. Expand the “Tools” menu.
  5. Click “Resident”.
  6. Uncheck the “Resident “TeaTimer” (Protection of overall system settings) active.” box.
  7. In the File menu click “Exit” to exit Spybot Search & Destroy.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\urqqpqo.dll
O20 - Winlogon Notify: urqqpqo - C:\WINDOWS\SYSTEM32\urqqpqo.dll

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

THEN

Please download OTMoveIt2 by OldTimer.

  1. Save it to your desktop.
  2. Double-click OTMoveIt2.exe to run it.
  3. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\urqqpqo.dll

  4. Return to OTMoveIt2, right-click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.
  5. Click the red Moveit! button.
  6. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  7. Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY

Download ComboFix from Here or Here to your Desktop.

  1. Double-click combofix.exe and follow the prompts.
  2. When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
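The two HijackThis entries above tie one DLL to two persistence points: an O2 Browser Helper Object, which is loaded into Internet Explorer, and an O20 Winlogon Notify package, which is loaded into winlogon.exe at logon and is why killing just that module destabilises the session, as reported at the top of the thread. As an added example that is not part of the original thread or of HijackThis itself, the following Python script parses HijackThis-style log lines and flags modules registered under more than one section. The sample log is constructed: the two entries quoted above plus two invented, ordinary-looking lines for contrast, not the poster's attached log.

```python
import re
from collections import defaultdict

# Constructed sample HijackThis log excerpt: the two entries quoted in the
# thread plus two invented, ordinary-looking lines. Not the poster's log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\urqqpqo.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: urqqpqo - C:\WINDOWS\SYSTEM32\urqqpqo.dll
"""

# "O<n> - <detail>" is the shape of every HijackThis finding line.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .dll or .exe inside the detail text.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\r\n]*?\.(?:dll|exe))\b", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, detail, path) tuples, one per finding line.
    path is lower-cased for comparison, or None if no module path appears."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        p = PATH_RE.search(detail)
        entries.append((section, detail, p.group(1).lower() if p else None))
    return entries


def find_multi_foothold(entries):
    """Modules registered under more than one section, mapped to the sorted
    list of sections. A DLL that is both a BHO (O2, in Internet Explorer) and
    a Winlogon Notify package (O20, in winlogon.exe) runs in two processes and
    can restore whichever registry entry is removed, which matches the
    re-adding behaviour reported in the thread."""
    by_path = defaultdict(set)
    for section, _detail, path in entries:
        if path:
            by_path[path].add(section)
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


def unnamed_bhos(entries):
    """Paths of O2 entries listed as '(no name)': legitimate BHOs normally
    carry a product name, so a nameless one in system32 deserves a look."""
    return [path for section, detail, path in entries
            if section == "O2" and detail.startswith("BHO: (no name)")]


def winlogon_notify_paths(entries):
    """Paths of O20 Winlogon Notify packages. These load into winlogon.exe,
    so terminating the module instead of unregistering it disturbs winlogon,
    consistent with the lock-up described in the first post."""
    return [path for section, detail, path in entries
            if section == "O20" and detail.startswith("Winlogon Notify:") and path]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for path, sections in find_multi_foothold(found).items():
        print(f"{path}: registered under {', '.join(sections)}")
    for path in unnamed_bhos(found):
        print(f"unnamed BHO: {path}")
    for path in winlogon_notify_paths(found):
        print(f"loaded into winlogon.exe: {path}")
```

Run against a real log, the interesting output is any path that appears in both the BHO and Winlogon Notify lists: that is the pairing that makes a plain "Fix Checked" in HijackThis insufficient, because the copy still running in the other process re-creates the deleted key.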

Ran HijackThis and, after removing as you said and rescanning, they had re-added themselves immediately. Ran the OTMoveIt thing you had me download:
DllUnregisterServer procedure not found in C:\WINDOWS\system32\urqqpqo.dll
C:\WINDOWS\system32\urqqpqo.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\urqqpqo.dll scheduled to be moved on reboot.

OTMoveIt2 v1.0.14 log created on 01262008_094302

OTMoveit said to reboot, which I did twice and it never ran that I was aware of, so ran it a third time and copied the log for you to see. When I rebooted it did nothing out of the ordinary. ???

Will run the clean thing and post results per request.

You will not see it run on reboot, it is sneaky like that ;D

If you could continue now with ComboFix.
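The OTMoveIt line "scheduled to be moved on reboot" and the remark that you will not see it run both come down to a standard Windows mechanism: a call to MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the rename in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager (smss.exe) carries it out early in the next boot, before winlogon.exe exists to load the DLL, with no window or message. That OTMoveIt uses exactly this API is an assumption here. As an added example that is not from the thread or from OTMoveIt, the following Python decodes that value so you can see what is queued; the sample list and the quarantine destination path are constructed.

```python
NT_PREFIX = "\\??\\"  # NT object-manager prefix MoveFileEx puts on each path

# Constructed sample of the REG_MULTI_SZ value (a list of strings): pairs of
# source, destination. The quarantine destination is a hypothetical path,
# not OTMoveIt's real layout.
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\system32\urqqpqo.dll",
    r"\??\C:\_Quarantine\urqqpqo.dll",          # move on next boot
    r"\??\C:\WINDOWS\Temp\oldpatch.tmp",
    "",                                          # empty destination = delete
    r"\??\C:\WINDOWS\Temp\newpatch.dll",
    r"!\??\C:\WINDOWS\system32\patched.dll",     # '!' = replace existing file
]


def _win32_path(p):
    """Strip the \\??\\ prefix so the path reads as a normal Win32 path."""
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending_renames(values):
    """Decode PendingFileRenameOperations into (op, src, dst) tuples.
    Strings come in source/destination pairs: an empty destination means
    delete, a destination starting with '!' means replace an existing file
    (MOVEFILE_REPLACE_EXISTING). An unpaired trailing source is ignored."""
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if not src:
            continue  # an empty source is padding, not an operation
        if dst == "":
            ops.append(("delete", _win32_path(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", _win32_path(src), _win32_path(dst[1:])))
        else:
            ops.append(("move", _win32_path(src), _win32_path(dst)))
    return ops


def pending_for(values, filename):
    """Operations whose source or destination has the given file name,
    case-insensitively, e.g. to check whether a move is still queued after
    a reboot that apparently did nothing."""
    want = filename.lower()

    def name(p):
        return p.rsplit("\\", 1)[-1].lower()

    return [op for op in parse_pending_renames(values)
            if name(op[1]) == want or (op[2] is not None and name(op[2]) == want)]


def read_live_value():
    """On Windows, read the real value; returns [] when nothing is queued."""
    import winreg  # Windows only; the rest of the script runs anywhere
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _type = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return list(value)
    except OSError:
        return []
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    for op, src, dst in parse_pending_renames(SAMPLE_PENDING):
        print(f"{op:8} {src} -> {dst}")
```

If the value is empty after a reboot the rename has already been processed; if it still lists the file, the boot never reached the Session Manager's rename pass, or something re-queued the file, and that is worth reporting back rather than rebooting a third time.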

Gasp! Not sure whether to be more afraid of TratBHO or sneaky fix programs! :wink: ComboFix looks like it did its job, no BHO registry anymore according to HijackThis. Logfiles attached for ComboFix and HijackThis…

Checked in spybot and not showing file running under winlogon.exe anymore. Looks to be all good : )

One more thing to do …

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) 6 Update 4 and save it to your desktop.
  2. Scroll down to where it says “Java Runtime Environment (JRE) 6 Update 4 allows end-users to run Java applications”.
  3. Click the “Download” button to the right.
  4. Read the License Agreement and then check the box that says: “Accept License Agreement”. The page will refresh.
  5. Click on the link to download Windows Offline Installation and save the file to your desktop.
  6. Close any programs you may have running - especially your web browser.
  7. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  8. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  9. Click the Remove or Change/Remove button.
  10. Repeat as many times as necessary to remove each Java version.
  11. Reboot your computer once all Java components are removed.
  12. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

And then - drum roll …
Now the best part of the day ----- Your log now appears clean :thumbsup:

Double-click OTMoveIt once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the drop-down box that appears select your main drive e.g. C
  3. Click OK
  4. The system will do some calculation and then display a dialogue box with TABS
  5. Select the More Options tab.
  6. At the bottom will be a System Restore box with a CLEANUP button; click this
  7. Accept the warning and select OK again; the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  1. SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
  1. Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Keep safe :wave: