Can't eliminate problem Coolweb? and ??

I've been working on a computer that one of my son's friends gave him. Friend said he didn't want it anymore as it had "problems."

The primary cause of the problem was that this friend didn't have any sort of AV program running. I installed NAV and immediately found several hundred infected files, most of which NAV quarantined or deleted.

Other problems were removed with spybot and ad-aware. (Over 222 critical objects found on the first scan with ad-aware!)

But every time I rebooted, IE kept getting hijacked to a website: quertysearch123.biz and this file kept getting added: c:\\documents and settings\administrator\favorites\links\!!!The Best and The Fastest Search Engine.url.

Also the same "!!!The Best and The Fastest Search Engine.url" is added to the documents and settings\default\favorites file.

At this point, I read the Majorgeeks tutorial on deleting spyware. I downloaded all the tools and ran them as instructed. (Although I could not run Housecall or about:Buster in safe mode, ran those two programs in normal mode.)

The tools found additional problems which I attempted to fix, but I still am having some issues:

CWShredder repeatedly reports that it finds cws.msconfd and that it's been "removed" but on subsequent boots, there it is again.

Spybot repeatedly finds coolwwwsearch.msconfd, and I tell it to fix the problem, but it reappears.

I ran hijack this, attempted to delete appInit_dlls:avpcc.dll, but I get the following error: An unexpected error has occured at procedure: modBackup_MakeBackup(s) Item=020AppInit_DLLS:avpcc.dll. Error #5-Invalid procedure call or argument.

Attempts to remove the avpcc.dll registry entry manually have been unsuccessful; it reappears on the next boot.

In addition, that "!!!The Best and The Fastest Search Engine.url" file still keeps appearing.

I have run spybot, ad-aware, cwshredder repeatedly, w/o success.

Any help would be very much appreciated.

 

Latest Hijack this log attached.

Thanks for looking at this for me.

 

I could not run either of the on-line scans in safe mode, as I could not connect to my ISP in safe mode.

I did run a full system NAV scan in safe mode.

I also ran a Housecall scan in normal mode.

Should I run the Symantec on-line scan in normal mode?

 

The computer with the problem is running Windows 2000 Pro, Ver 5.0.21.95 SP4.

Made sure viewing of hidden files was enabled (per the tutorial) before running scans or tolls.



Did this:

[Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe]



Done.

Then proceeded to this step:

"[After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [sclg8ah0om] C:\WINDOWS\an0p6r13bp.exe
O4 - HKCU\..\Run: [wdsm9gcnyd] C:\WINDOWS\zx3hvg2sac.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: avpcc.dl
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)"

Got to this point. Everything was "fixed" except the AppInit_DLLs: avpcc.dll.

I got the same error message that I mentioned in my first post:

"An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=020-AppInit_DLLs: avpcc.dll.) Error #5-Invalid procedure call or argument."

I have not proceeded to the next step (below) yet. Awaiting further instructions in light of the above error.

I am posting this via another computer, so I can leave the computer with the problem exactly as it was at this point.


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\wsxsvc <-- the whole folder
C:\windows\rundll32.exe <-- delete this file but DO NOT delete the one in the system32 folder.
C:\WINDOWS\an0p6r13bp.exe
C:\WINDOWS\zx3hvg2sac.exe
C:\WINDOWS\system32\avpcc.dll
C:\WINDOWS\svchost.exe <-- delete this file if found, but DO NOT delete the one in the system32 folder.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).
Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.[/QUOTE]

 

Same error message as I got before. I will post new log with response explaining what happened when I took other steps you previously outlined.

 

I previously left off here:


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\wsxsvc <-- the whole folder

Didn't find folder, but found three separate files. Deleled them.

C:\windows\rundll32.exe <-- delete this file but DO NOT delete the one in the system32 folder.

Did not find rundll32.exe in C:\Windows.

There were two files in the system 32 folder: rundll32.exe and one in dllcache.

C:\WINDOWS\an0p6r13bp.exe

Search: no results.

C:\WINDOWS\zx3hvg2sac.exe

Search: no results.

C:\WINDOWS\system32\avpcc.dll

Got error message:
"Cannot delete avpcc: The specified file is being used by Windows."

Checked attributes: *not* read only.

Checked task manager. Did not see any process running that look like it involved avpcc.dll.


C:\WINDOWS\svchost.exe <-- delete this file if found, but DO NOT delete the one in the system32 folder.

Search: no results.


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Done.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

Took all of the above steps.

3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

skipped.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Newest log attached. Some of the files we previously deleted are gone, but...looks like we've taken a step backwards WRT IE:

Look what's back that wasn't in previous log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://qwertysearch123.biz/?id=1064
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qwertysearch123.biz/?id=1064
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://qwertysearch123.biz/?id=1064

In addition, that file !!!The Best and Fastest Search Engine is back in the following locations:

C:\Documents and settings\administrator\favorites
C:\Documents and settings\administrator\favorites\links
C:\Documents and settings\default user\favorites

 

I don't understand! How could you delete files if there was no folder? What are you referring to.

I did not find a folder named wsxsvc in C:\Windows\system32.

Isn't that the name of the folder I was supposed to look for within Windows/system32?

What I did find in C:\Windows\system32 folder, but not in a subfolder marked wsxsvc, were: a "read me" file marked wsxsvc, a file marked wsxsvc.exe, and another file that had wsxscv in the name.

I know I should have written down the names of all three of the files I deleted, but I didn't note the third one I deleted. I hope I didn't screw up too badly by deleting these if I wan't supposed to do so.

Are you sure you have enabled viewing of hidden files and system files? And also that you unchecked the option to hide extensions for known file types.

I am sure. I did that before running the scans and tools per the tutorial.

But I have now rechecked this three times. The button for the "hidden files and folders" is enabled; the check that used to be in front of the option to "hide extensions of known types" has been unchecked.



I did not ask you to look there. I hope you did not touch them.

No, I didn't touch them. I took heed of your previous warning not to delete the file in the system32 folder. I just wanted to let you know that that was the only place I could find rundll32.exe after doing a search. There was no rundll32.exe file that I could find in the C:\Windows folder.


Are you using Windows Search? Did you try just looking in the folders using Windows Explorer?

When I couldn't find the folders or files you told me to delete using Windows Explorer, I did a search to see if I could find them that way. Still couldn't find them with a search.

Why did you skip the Reset of Web Settings?

I didn't skip the reset.

As I understand your previous instructions: you told me that if I had an IE icon on my desktop to do step 2, and then skip step 3. That's what I did. As I said in my previous post, I took all the actions you indicated under step 2; then as you instructed, skipped step 3.

Did I misunderstand your previous instructions WRT the reset?

Try running the procedure from message # 10 after booting in safe mode.
Make sure you only try to rename the file.

I'm sorry, but I don't understand. Is this the procedure you're referring to?:

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:
regsvr32 /u C:\WINDOWS\system32\avpcc.dll
then click OK. If a dialog box confirming this action appears, click OK.
If you get an error message just continue.

Now open a command prompt window by click Start, Run, and enter cmd and click OK.
Now enter the following commands each followed by the enter key. Let me know if you get any error messages.
cd c:\windows\system32
attrib -r -h -s avpcc.dll
ren avpcc.dll avpcc.ddd
exit

Now reboot your PC. Run HijackThis and with no browsers running try fixing the below again.
O20 - AppInit_DLLs: avpcc.dll

At what point in that procedure do I rename the file?

 

Before I repeat the procudure from message #10 in safe mode, thought you should know that the most recent hijackthis log does not show:

020 - appInit_DLLs: avpcc.dll.

Most recent log attached FYI.

There is now a file avpcc.ddd in C:\windows\system32.

 

Just wanted to let you know that I'm calling it a night, er, morning. I'm getting punchy. Will take steps in your last post tomorrow.

Thanks for all your help so far.

 

WRT the AppInit_DLL, I wish I could remember everything I did between the two HJT logs.

I remember restarting several times, going into safe mode, then into normal mode--probably did that more than once.

One of the times I was in safe mode, I looked once again for all those files you wanted me to delete, which I hadn't been able to find, just to see if I could find them. (I couldn't.)

I *think* I ran ccleaner again, and reset the web settings again, following your previous instructions, just to be sure that I hadn't missed anything the first time. Perhaps I did miss a step the first time round, although I have each of the steps checked off.

After the first and second time I reset the web settings, I made Firefox my default browser.

I did not repeat the procedure in Message #10.

As for your instructions in message #18: Ran HJT and was able to delete those three R1 lines.

WRT 023 Service: It reappeared after I clicked on "fix."

When I went to "Delete a Windows NT service" I first got a message:
"Serice '.NET Framework Service' was not found in the registry. Make sure you entered the short name of the service.,vb exclamation."

So I took the next step per your instructions and entered the short name. I got this message:

"This service .NET Connection Service is enabled and or running. Disable it first (from the scan results) or the Services.msc window."

 

I don't see .NET Connection Services there.

There's .NET Framework Service.

 

I think we're making progress! I hope, I hope.

When I right clicked on .NET Framework Services, "stop" was greyed out. But I did click on "properties" and disabled it.

I then reran HJT. That 023 line for "Service: .NET Framework Service (.NET Connection Service)" was gone. Didn't have to try to delete it.

Rebooted. Reran HJT. That line is still gone.

Latest log file attached.















1

 

Whoopie!!!! [Doing my happy dance!!]

I haven't seen any problems today, but I really haven't done much on this computer except log on to majorgeeks and run HJT.

Dare I try to use IE again, ever?

Think I'll try to run Spybot and Ad-Aware again and see if they report anything significant, but not tonight. Later today, after I get some sleep.

Thank you so much for all your help.

It's so nice of you and the other majorgeeks here to offer this kind of support, without charge. You are not only a majorgeek, you are a major "good guy."