Sorry if this is the wrong place, but I know I have the coolwwwsearch.bootconf trojan. Problem is I can't even get Hijackthis to complete a scan without shutting down. What do I do now?
lmb77
Jan 10 2005, 04:30 PM
Here's a log from the older version. 1.99 keeps crashing on me.
Logfile of HijackThis v1.98.2 Scan saved at 10:29:18 AM, on 01/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I finally got hijackthis to run, although it is the older version. Let me know what you think. Thanks
Logfile of HijackThis v1.98.2 Scan saved at 12:24:02 PM, on 01/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
you have multiple infections so this is going to take some time...
Open "Add/Remove Programs" in the Control Panel. Select the following items:
WinTools
and click "Remove" for each of them.
You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.
Run HijackThis, click on "Scan" and check the boxes next to all these items.
Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\WINDOWS\System32\Guard.tmp and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot" answer Yes, followed by "File will be Removed on Reboot, Do you want to reboot now?", answer "No". Do the same for these files: C:\WINDOWS\SYSTEM32\iuipzn.dll C:\WINDOWS\SYSTEM32\lmlupa.exe C:\WINDOWS\SYSTEM32\lzlugq.dll C:\WINDOWS\SYSTEM32\Incinerator.dll C:\WINDOWS\SYSTEM32\installer.exe C:\WINDOWS\SYSTEM32\vovuyg.exe C:\WINDOWS\SYSTEM32\wywuqk.dat C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kpkgyi.exe: .aspack C:\WINDOWS\System32\JLSD400.DLL C:\WINDOWS\System32\i6jq0g15e6.dll C:\WINDOWS\System32\dnno0153e.dll C:\WINDOWS\System32\mvl0l93m1.dll C:\WINDOWS\System32\lv2809fue.dll C:\WINDOWS\System32\n6l8lg3u16.dll C:\WINDOWS\System32\l44qleh51h4.dll C:\WINDOWS\System32\MZC71ENU.DLL C:\WINDOWS\System32\o4840elqehqe0.dll C:\WINDOWS\System32\hrn8055ue.dll C:\WINDOWS\System32\en8ml1l11.dll C:\WINDOWS\System32\jt0607dse.dll C:\WINDOWS\System32\jt0407dqe.dll C:\WINDOWS\System32\lvn2095oe.dll C:\WINDOWS\System32\g2jo0c13ef.dll C:\WINDOWS\System32\ozeprn.dll C:\WINDOWS\System32\fp0203doe.dll C:\WINDOWS\System32\kt4ql7h51.dll C:\WINDOWS\System32\u8ruli9918.dll C:\WINDOWS\System32\enn2l15o1.dll C:\WINDOWS\System32\o484lelq1hqe.dll C:\WINDOWS\System32\l88mlil118q.dll C:\WINDOWS\System32\dn0u01d9e.dll after the last one click the button and answer "Yes" on the "Reboot now?" question. Let Killbox do it's work. Afterwards ost a new log from Find.bat.
Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.
CODE
dir C:\WINDOWS\System32\??chost.exe /a h > files.txt notepad files.txt
Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
Don't forget to post a log from HijackThis.
lmb77
Jan 13 2005, 03:58 PM
Here you go, again thank you very much. Thanks, Will
Here's the findfile.bat output.
Volume in drive C has no label. Volume Serial Number is E44D-6A5E
Logfile of HijackThis v1.99.0 Scan saved at 9:56:03 AM, on 01/13/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Download LSPfix here: www.cexx.org/lspfix.htm Start the application, and click the "I know what I'm doing" checkbox. Check all instances of [c:\windows\system32\calsp.dll] (and nothing else), and move them to the "Remove" pane. Then click Finish and reboot.
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.
Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\WINDOWS\System32\Guard.tmp and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot" answer Yes, followed by "File will be Removed on Reboot, Do you want to reboot now?", answer "No". Do the same for these files: C:\WINDOWS\SYSTEM32\iuipzn.dll C:\WINDOWS\SYSTEM32\lmlupa.exe C:\WINDOWS\SYSTEM32\lzlugq.dll C:\WINDOWS\SYSTEM32\vovuyg.exe C:\WINDOWS\SYSTEM32\wywuqk.dat C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kpkgyi.exe C:\WINDOWS\System32\rlgwizc.dll C:\WINDOWS\System32\fppo0373e.dll C:\WINDOWS\System32\4n4le5q1h.dll C:\WINDOWS\System32\gp2ul3f91.dll after the last one click the button and answer "Yes" on the "Reboot now?" question. Let Killbox do it's work.
Run HijackThis, click on "Scan" and check the boxes next to all these items.
Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!
Delete the following files in red (it could be that they are deleted already):
C:\WINDOWS\System32\??chost.exe<-- Take care you do not delete svchost.exe. This is a valid part of Windows. The file you want to delete is dated 12/22/2004 and is 389,120 bytes in size C:\WINDOWS\System32\stcans32.exe C:\WINDOWS\System32\sruaemon.exe
Delete the following folders in red (it could be that they are deleted already):
Logfile of HijackThis v1.99.0 Scan saved at 9:59:34 AM, on 01/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\WINDOWS\System32\olemps.exe and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot" answer Yes, followed by "File will be Removed on Reboot, Do you want to reboot now?", answer "No". Do the same for these files: C:\WINDOWS\System32\cncdll.dll C:\WINDOWS\System32\o0rola931d.dll C:\WINDOWS\System32\OSESVR.DLL C:\WINDOWS\System32\m6julg1916.dll C:\WINDOWS\System32\dDdim700.dll C:\WINDOWS\System32\AQRACE.DLL C:\WINDOWS\System32\k8no0i53e8.dll C:\WINDOWS\System32\en8sl1l71.dll C:\WINDOWS\System32\Guard.tmp after the last one click the button and answer "Yes" on the "Reboot now?" question. Let Killbox do it's work.
Run HijackThis, click on "Scan" and check the boxes next to all these items.
Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread. Also post a log from Find.bat.
lmb77
Jan 14 2005, 06:23 PM
Here we go again. Thanks
Find.bat is running from: C:\findit\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label. Volume Serial Number is E44D-6A5E
Directory of C:\WINDOWS\System32
01/14/2005 12:07 PM 223,114 IZXMONTR.DLL 01/14/2005 12:07 PM 224,253 mvlml9311.dll 01/14/2005 11:42 AM 223,114 dn0q01d5e.dll 01/14/2005 11:00 AM 225,143 j40sled71h0.dll 01/11/2005 04:36 PM <DIR> DLLCACHE 11/12/2003 03:03 AM <DIR> Microsoft 4 File(s) 895,624 bytes 2 Dir(s) 34,227,183,616 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label. Volume Serial Number is E44D-6A5E
Logfile of HijackThis v1.99.0 Scan saved at 12:21:29 PM, on 01/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\WINDOWS\System32\Guard.tmp and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot" answer Yes, followed by "File will be Removed on Reboot, Do you want to reboot now?", answer "No". Do the same for these files: C:\WINDOWS\System32\IZXMONTR.DLL C:\WINDOWS\System32\mvlml9311.dll C:\WINDOWS\System32\dn0q01d5e.dll C:\WINDOWS\System32\j40sled71h0.dll after the last one click the button and answer "Yes" on the "Reboot now?" question. Let Killbox do it's work.
Run HijackThis, click on "Scan" and check the boxes next to all these items.
Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!
Delete the following files in red (it could be that they are deleted already):
c:\Windows\System32\olemps.exe
Restart your computer and post a new log in this thread.
lmb77
Jan 14 2005, 10:56 PM
Here we go, one more time.
Find.bat is running from: C:\findit\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label. Volume Serial Number is E44D-6A5E
Directory of C:\WINDOWS\System32
01/11/2005 04:36 PM <DIR> DLLCACHE 11/12/2003 03:03 AM <DIR> Microsoft 0 File(s) 0 bytes 2 Dir(s) 34,235,514,880 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label. Volume Serial Number is E44D-6A5E
Logfile of HijackThis v1.99.0 Scan saved at 4:55:36 PM, on 01/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
It seems we have beaten VX2!! Now... this infection is known to mess with your computer. Can you create a file and delete it. Does it go to the Recycle Bin? Or not? Can you print? Is there anything strange going on?
This is some cleanup code that also has to be done. The first line (about Control Panel) is a leftover from the previous fix, the rest is clean up.
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.
Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
lmb77
Jan 21 2005, 04:13 PM
Thank you very much. Everything seems to be working great, other than the recycle bin never "empties" now. What do I need to do now?
Bobbi Flekman
Jan 22 2005, 10:24 AM
Hi lmb77,
QUOTE
Everything seems to be working great, other than the recycle bin never "empties" now.
We're gonna deal with that now. Launch Notepad, and copy/paste the box below into a new text file. Save it as RepBin.bat and save it on your Desktop.
CODE
attrib -h -s c:\recycler\desktop.ini del c:\recycler\desktop.ini
Locate RepBin.bat on your Desktop and double-click on it. Close the window and restart your computer. Is it okay now?
lmb77
Jan 22 2005, 04:24 PM
Seems to be great, thank you Very much.
Bobbi Flekman
Jan 22 2005, 04:57 PM
Great!
Can you post a final log from HijackThis and Find.bat to make sure that there is no malware lingering in some way.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.