VS2 and Cool Search...help!!!!!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Greghms, Jan 4, 2005.

  1. Greghms

    Greghms Private E-2

    Please help.

    I have run the virus scans and removal tools as directed by this site. Ad-Aware comes up with VS2 files. Spybot comes back with Coolsearch, and Common hijacker files.

    I have also tried to remove the files with HijackThis 1.99.
    The O1 files (3 of them) reappear in a minute or so.

    Can someone please help me manually remove this!!!!!!
     
  2. Greghms

    Greghms Private E-2

    Attached is the log

    Any help would be greatly appreciated as I haven't slept in a long time...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post HJT logs from normal boot mode only unless otherwise requested. Also next time, please wait until we ask for one.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. Greghms

    Greghms Private E-2

    Not sure which to run.
    Three files come down - find, locate, string

    Locate brings up files immediately
    find seems to freeze
    string doesn't do anything

    FYI - I'm in safe mode with networking
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In my last message, I said "then run find.bat"
     
  7. Greghms

    Greghms Private E-2

    Sorry, didn't realize how long it would take to run.
    Thanks for the help
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the information in the below quote box to Notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Double-click it and grant it permission to merge in the registry entries.

    Here is a list of files that we need to delete using Killbox.

    C:\WINDOWS\System32\ksdtat.dll
    C:\WINDOWS\System32\irl8l53u1.dll
    C:\WINDOWS\System32\irnml5511.dll
    C:\WINDOWS\System32\wkploc.dll
    C:\WINDOWS\System32\gliplus.dll
    C:\WINDOWS\System32\k4no0e53eh.dll
    C:\WINDOWS\System32\g2400chmef4a0.dll
    C:\WINDOWS\System32\fp0203doe.dll
    C:\WINDOWS\System32\fpj8031ue.dll
    C:\WINDOWS\System32\ljfax11n.dll
    C:\WINDOWS\System32\sxrialui.dll
    C:\WINDOWS\System32\p8p60i7se8.dll
    C:\WINDOWS\System32\oudbse32.dll
    C:\WINDOWS\System32\mv42l9ho1.dll
    C:\WINDOWS\System32\kkdgae.dll
    C:\WINDOWS\System32\l88m0il1e8q.dll
    C:\WINDOWS\System32\iuakeng.dll
    C:\WINDOWS\System32\f82m0if1e82.dll
    C:\WINDOWS\SYSTEM32\hlhuaw.exe
    C:\WINDOWS\SYSTEM32\clcuqo.dll
    C:\WINDOWS\SYSTEM32\eiepnb.dll
    C:\WINDOWS\SYSTEM32\pwpukb.dat
    C:\WINDOWS\SYSTEM32\wvwugr.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hkhgit.exe

    and C:\WINDOWS\System32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\ksdtat.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    After it reboots get another findit.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.

    Also post a new HijackThis log.

    Also run Windows Explorer and look in C:\WINDOWS\System32 for the file guard.tmp. Tell me if you see it or not.
     
    Last edited: Jan 5, 2005
  10. PhilliePhan

    PhilliePhan Guest

    Drat! I'm always last! :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not always!

    You just need to stay away from the refrig long enough! :p
     
  12. Greghms

    Greghms Private E-2

    Ran as instructed. On reboot this is what appeared:

    First appeared a DOS box that said: C:\windows\system32\hlhua.exe and asked for end program

    Then after that disappeared, I got a grey windows box that said:
    C:\document~1\alluse~1\startm~1\programs\startup\hkhgit.exe
    The NTVDM CPU has encountered an illegal instruction
    CS:0546 IP:0172 OP:ff ff 83 3e51

    Then McAfee Firewall said GLB3.TMP requesting outbound access

    I do not see guard.tmp in System32 folder.
     

    Attached Files:

  13. Greghms

    Greghms Private E-2

    Third requested flog
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Close all browsers and run HijackThis and have it fix only the next line:
    O4 - Global Startup: hkhgit.exe

    Then look for the below file using Windows Explorer and delete it if found:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hkhgit.exe

    If it will not delete, add it to the below list of files to delete with Killbox.

    You have some more to clean using Killbox.

    C:\WINDOWS\System32\fpr0039me.dll
    C:\WINDOWS\System32\duvenum.dll
    C:\WINDOWS\System32\MHREPL35.DLL
    C:\WINDOWS\System32\q6nulg5916.dll
    C:\WINDOWS\System32\cmm.dll
    C:\WINDOWS\System32\mvj0l91m1.dll

    and C:\WINDOWS\System32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\fpr0039me.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    After it reboots get another find.bat log and post it. Tell me about any error messages.

    Last time you forgot to answer my question:
    Also run Windows Explorer and look in C:\WINDOWS\System32 for the file guard.tmp. Tell me if you see it or not.
     
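    The Killbox "Replace on Reboot" procedure in posts 9 and 14 gives no way to confirm that each deletion was actually queued before rebooting, or that it succeeded afterwards. The script below is an added example, not from the thread or from the Killbox tool; it assumes (my assumption, not stated in the thread) that Killbox queues its reboot deletions through the standard PendingFileRenameOperations value, and it uses the file list from post 14 as sample input.

```powershell
# Added example, not from the thread. Assumption (mine): a Killbox-style
# "Replace on Reboot" delete is queued in the PendingFileRenameOperations
# value, which Windows processes at the next boot. Run once before rebooting
# to confirm every path is queued, and again afterwards to confirm it is gone.

# Paths from chaslang's second Killbox list (post 14); edit for your own case.
$targets = @(
    'C:\WINDOWS\System32\fpr0039me.dll',
    'C:\WINDOWS\System32\duvenum.dll',
    'C:\WINDOWS\System32\MHREPL35.DLL',
    'C:\WINDOWS\System32\q6nulg5916.dll',
    'C:\WINDOWS\System32\cmm.dll',
    'C:\WINDOWS\System32\mvj0l91m1.dll',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hkhgit.exe',
    'C:\WINDOWS\System32\guard.tmp'
)

function Get-PendingRenameSources {
    # REG_MULTI_SZ of source/destination pairs; sources start with \??\ and an
    # empty destination means "delete at boot". Only the sources are needed here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $p = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if (-not $p) { return @() }
    $ops = @($p.PendingFileRenameOperations)
    $sources = for ($i = 0; $i -lt $ops.Count; $i += 2) { $ops[$i] -replace '^\\\?\?\\', '' }
    return @($sources)
}

$pending = Get-PendingRenameSources
foreach ($path in $targets) {
    # -contains compares strings case-insensitively, so System32 vs SYSTEM32 still matches.
    [pscustomobject]@{
        Path            = $path
        StillPresent    = Test-Path -LiteralPath $path   # expect False after the reboot
        QueuedForReboot = ($pending -contains $path)     # expect True before the reboot
    }
}
```

    A path that shows StillPresent=True and QueuedForReboot=False before the reboot was not queued and needs to be entered into Killbox again.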
  15. Greghms

    Greghms Private E-2

    Attached Files:

  16. Greghms

    Greghms Private E-2

    Also just found

    C:\WINDOWS\System32\guard.tmp
     
