Need help getting rid of CoolWWWSearch

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fromafar3, Dec 30, 2004.

  1. fromafar3

    fromafar3 Private E-2

    I've been in a losing battle with CoolWWWSearch (or some variant) and I have spent the last couple of evenings reading and following many of the suggestions and procedures posted here. I've gone as far as I'm capable and would appreciate some assistance. I have done the steps outlined in the sticky above. Here's what I've done so far....

    Turned off System Restore.
    Checked for Network Security, Remote Procedure Call Helper and Workstation Netlogon Services - not running, so no changes were made.
    Made sure hidden files/folders/extensions and system folders were visible.
    Booted into Safe Mode and ran:

    Trend Micro's Free Online Virus Scan - reported Troj.Narrator.A in \winnt\system32\lcuuql.dll and \winnt\system32\lhuual.exe Unable to clean/delete files.

    ran Symantec Security Check and no viruses found

    ran McAfee AVERT Stinger and nothing reported

    ran CCleaner set with default options including Delete index.dat

    ran Ad-Aware SE with current update and 20 objects (18 critical) were found. I have a log if you want me to post it. When Ad-Aware went to delete selections my task bar disappeared for a few seconds. The message confirming that I am in Safe Mode displayed (like it does when you first boot up in Safe Mode) and My Documents folder opened. Then the message "c:\winnt\system32\en6ol1j3l.dll" could not be removed. Remove after Reboot? I clicked yes. I have not rebooted as this type of message has been coming up since I started having browser problems and rebooting didn't fix the problem.

    ran Spybot and 8 (9?) items were found (the same ones that have been coming up on the list since I started having browser problems). Only 3 were reported as being fixed.
    Common hijacker
    CoolWWWSearch.Bootconf
    CoolWWWSearch.Loadbat
    CoolWWWSearch.Msconfd
    CoolWWWSearch.Oslogo
    CoolWWWSearch.Tapicfg
    CoolWWWSearch.Xmlmimefilter
    IGetNet

    ran VX2Cleaner - Status: System Clean

    ran About.Buster - nothing found

    ran CWShredder (v 2.12) and when it encounters the second entry, CWS.Bootconf, an error message pops up "CWShredder encountered an unexpected problem and needs to close" and I cannot get it to go any further.

    ran Kill2Me - nothing reported but the task bar disappears for a few seconds and My Documents folder opens.

    ran HSRemove - said 10 items were removed.

    Yesterday I went through all these steps with no success. I then downloaded Firefox hoping to bypass the problem and found that was a worse option. IE would open a new window when the 'hijacking' occurred but Firefox would use the existing window and go to the hijackers' url. I found this to be worse because the Back button didn't always return me to where I had been. I've now gone back to IE as my default browser.

    I am still in Safe Mode and plan to leave it here. Unfortunately occasionally my system has restarted itself without user intervention.

    If someone has the time to work with me I'll be waiting for their help...
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Fromafar3,

    Sounds like you might have the new VX2 variant that is making the rounds.

    Please send us a HijackThis Log from Normal Windows . Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    Best :)
    PP
     
  3. fromafar3

    fromafar3 Private E-2

    Thanks for the instructions. Here is my HijackThis log run after rebooting into Normal Mode.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Fromafar3,

    It looks like you have the baddie I feared you had. But, before we can go after it, I'd like to get your machine cleaned up a bit first!


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    WeatherBug
    PopUp Sweeper


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    vwuugv.exe
    wintask.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe

    O4 - HKCU\..\Run: [PopUp Sweeper] C:\Program Files\ExactCom\PopUp Sweeper\PopupSweeper.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

    O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/073a11697b4ef2a67000/netzip/RdxIE601.cab

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab

    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb13.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab

    O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode and navigate to and DELETE the following if they should remain:

    C:\WINNT\system32\wintask.exe

    C:\Program Files\ExactCom\PopUp Sweeper ---> The Folder

    C:\Program Files\AWS ---> The Folder

    C:\WINNT\system32\vwuugv.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions.

    ALSO: In preparation for going after the nasty remaining piece of malware, please download the following tools:

    http://www.downloads.subratam.org/DllCompare.exe

    http://www.downloads.subratam.org/VX2Finder.exe

    Generic Detection Tool


    Pocket KillBox

    Please attach the fresh HJT log and let me know when you are ready to go after your VX2 Variant Malware.
    I am not here that often these days, but will try to check back when I can!

    Best luck :)
    PP
     
  5. fromafar3

    fromafar3 Private E-2

    Thanks so much for your help!

    Just as I was starting to check items in HijackThis my system rebooted on its own so I started over and everything seemed to have stayed the same. I was also able to 'Fix' all the items indicated. Here are the things that didn't go as expected (by me anyway).

    WeatherBug wasn't installed therefore I couldn't remove it.

    vwuugv.exe wasn't running so I couldn't END it.

    I couldn't delete c:\Winnt\System32\vwuugv.exe - access denied

    Spybot S&D found the same 9 problems and said it fixed 4 of them.

    I have downloaded (and unzipped if necessary) the other tools I will need for the next steps and I am ready to proceed whenever you are... Here is my latest hijackthis log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode and use HijackThis to kill the process. Task Manager does a lousy job of showing all processes.

    While in safe mode, please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINNT\system32\vwuugv.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and make sure the process has really ended and has not restarted.

    Now try to delete the below file.
    C:\WINNT\system32\vwuugv.exe

    After that reboot to normal mode and post a new HJT log.
     
  7. fromafar3

    fromafar3 Private E-2

    Okay, that worked after a couple of attempts - that file was a determined little bugger and kept restarting. Anyway I was finally able to kill the process then delete it before it restarted...

    Here is my new hijackthis log.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good! Unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.

    Do not reboot after that because that can cause the files to mutate.
     
  9. fromafar3

    fromafar3 Private E-2

    I hope I did it correctly because it ran very quickly. Here it is.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well let me see if I can get you started. Here are the files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

    C:\WINNT\System32\azam0i51e8.dll
    C:\WINNT\System32\q6nu0g59e6.dll
    C:\WINNT\System32\g8040idqe80e0.dll
    C:\WINNT\System32\q6nulg5916.dll
    C:\WINNT\System32\k862lijo18oc.dll
    C:\WINNT\System32\l26olcj31fo.dll
    C:\WINNT\System32\azaqla551d.dll
    C:\WINNT\System32\gpr8l39u1.dll
    C:\WINNT\System32\ir6ql5j51.dll
    C:\WINNT\System32\m0nqla551d.dll
    C:\WINNT\System32\f82mlif1182.dll
    C:\WINNT\System32\gp46l3hs1.dll
    C:\WINNT\System32\gjdef.dll
    C:\WINNT\System32\xwnroll.dll
    C:\WINNT\System32\h0n0la5m1d.dll
    C:\WINNT\System32\ktr0l79m1.dll
    C:\WINNT\System32\fp6q03j5e.dll
    C:\WINNT\System32\dFtime.dll
    C:\WINNT\System32\i8nm0i51e8.dll
    C:\WINNT\System32\aqi2dvag.dll

    and c:\winnt\system32\guard.tmp

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\azam0i51e8.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After it reboots get another findit.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
    Last edited: Dec 31, 2004
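The "Replace on Reboot" and "Delete on Reboot" options used in this post rely on a deferred file operation that Windows queues in the registry and carries out before the malware can start again. As an added example (not code from this thread, from HijackThis or from the Pocket Killbox author), the Python below encodes and decodes that queue so a responder can review what is pending before rebooting. It assumes the documented MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT layout of the value; it works on raw value bytes rather than the live registry, the guard.tmp path is the one from this post, and the dummy path in the constructed sample is assumed, not taken from the thread.

```python
# Value that the Windows session manager processes at the next boot:
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# MoveFileEx(src, dst, MOVEFILE_DELAY_UNTIL_REBOOT) appends two strings to this
# REG_MULTI_SZ: the source in NT form ("\??\C:\...") and the destination, which
# is "" for a delete and carries a "!" prefix when an existing destination may be
# overwritten.  Everything here operates on the raw value bytes so it runs on any
# platform; reading or writing the live value with winreg is left to the caller.

NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """Serialize a list of str as REG_MULTI_SZ bytes (UTF-16-LE, NUL after each string, NUL terminator)."""
    if not strings:
        return "\0\0".encode("utf-16-le")
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps empty strings, which this value uses as delete markers."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    body = text[:-2]  # drop the last string's NUL and the list terminator
    return body.split("\0") if body else []


def queue_delete(ops, path):
    """Queue `path` for deletion at next boot (what a 'Delete on Reboot' option does)."""
    return ops + [NT_PREFIX + path, ""]


def queue_replace(ops, src, dst):
    """Queue `src` to overwrite `dst` at next boot (what a 'Replace on Reboot' option does)."""
    return ops + [NT_PREFIX + src, "!" + NT_PREFIX + dst]


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(data):
    """Decode the value into (kind, source, destination) tuples for review before rebooting."""
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        raise ValueError("odd string count: value is truncated or corrupt")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", _strip_nt(src), _strip_nt(dst[1:])))
        else:
            ops.append(("move", _strip_nt(src), _strip_nt(dst)))
    return ops


def sample_value():
    """Constructed queue: one replace using an assumed dummy path, then the guard.tmp delete from this post."""
    ops = []
    # The dummy file path below is an assumption for illustration, not from the thread.
    ops = queue_replace(ops, r"C:\WINNT\System32\dummy.tmp", r"C:\WINNT\System32\azam0i51e8.dll")
    ops = queue_delete(ops, r"C:\WINNT\System32\guard.tmp")
    return encode_multi_sz(ops)


if __name__ == "__main__":
    for kind, src, dst in parse_pending(sample_value()):
        print(f"{kind:8} {src} -> {dst}")
```

Because the queue is processed before user-mode programs run, it defeats a process that recreates its file while Windows is up; it does nothing against a driver or a second copy that re-drops the file after boot, which is why this thread keeps checking whether the file has come back.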
  11. fromafar3

    fromafar3 Private E-2

    Wow, how you know which files to go after is beyond me - I'm really impressed! Thanks for all the time you've spent on this with me. (Are we there yet?)

    Okay, I ran Pocket Killbox, then Findit and Dll Compare (log.txt). Here are the two logs you requested.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not yet!

    Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option for Standard File Kill and Click the Red X and Yes to the confirmation message.

    Now post a new findit.bat log.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in C:\WINNT\SYSTEM32 for guard.tmp and make sure that it is gone.
     
  14. fromafar3

    fromafar3 Private E-2

    Here's the latest FindIt log.

    I checked c:\Winnt\System32 for guard.tmp and could not find it. :)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks like it is gone.

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click the Restore Policy Button.

    Then, use the UserAgent$ Button to remove the UserAgent from the registry.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log
     
  16. fromafar3

    fromafar3 Private E-2

    When I clicked on the Restore Policy button the message "This will reset the SeDebugPrivilege for Administrators, if you already removed the VX2betterInternet files using Recovery Console" was displayed. When I click OK it tells me "Windows needs to reboot to complete the repair". Is this what I should do?
     
  17. PhilliePhan

    PhilliePhan Guest

    Yes - Click the User Agent button first (if it is enabled & unless you already did it) then do Restore Policy. Go ahead and allow your machine to reboot.

    Then, run a fresh Findit.bat and attach the log.

    PP :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's about time you got off your butt and did some work! :D
     
  19. PhilliePhan

    PhilliePhan Guest

    Oh Please!! Here I pick up a tough thread to help out because you looked busy and you jump right in!

    Carry on! :p

    PP :)
     
  20. fromafar3

    fromafar3 Private E-2

    Well I really want to thank both of you for all your help - and please excuse any typos - it's late here in the East. :)

    I clicked the Restore Policy and let the computer reboot. The User Agent button wasn't available.

    Here is the latest Findit log and a new HijackThis log...
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    RightClick on the above registry key (the Explorer one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.


    Run HijackThis and select all the lines beginning with

    O1 - Hosts: 69.20.16.183

    but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now.
    Then click fix. Now reboot your PC and post a new HJT log and let me know how things are working.
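The O1 lines in message #4 and the ones this post asks to fix all map search-related hostnames to the same routable address, which is how the hijacker kept steering every search to its own site. As an added example (not code from the thread or from the HijackThis author), the Python below reads either HijackThis O1 lines or a raw hosts file, ignores loopback and 0.0.0.0 sinkhole entries, de-duplicates the repeated lines the log showed, and reports which addresses are catching search hostnames. The sample inputs are constructed from the entries quoted in this thread, and the set of search hostnames is an assumption drawn from those same names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the O1 entries quoted in this thread (duplicates kept, as
# HijackThis listed them), a benign loopback entry, and one non-O1 HJT line to
# show that other sections are ignored.
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
"""

# Constructed sample in raw hosts-file syntax, with a comment and a multi-name line.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
69.20.16.183    auto.search.msn.com ieautosearch   # added by malware
0.0.0.0         ads.example.invalid
"""

# Names that IE's auto-search feature and the Netscape/MSN search pages resolve.
# Assumed list, taken from the names in this thread; extend it for your environment.
SEARCH_HOSTS = {"ieautosearch", "auto.search.msn.com", "search.netscape.com"}

O1_PREFIX = "O1 - Hosts:"
HJT_SECTION = re.compile(r"^[A-Z]\d{1,2} - ")


def parse_entries(text):
    """Yield (ip_address, hostname) for each mapping in a HJT log excerpt or a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(O1_PREFIX):
            line = line[len(O1_PREFIX):].strip()
        elif HJT_SECTION.match(line):
            continue  # some other HijackThis section (R0, O4, O16, ...)
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # not a hosts mapping
        for host in tokens[1:]:
            yield ip, host.lower()


def analyze(text):
    """One finding per address that actually redirects names somewhere, hosts de-duplicated."""
    by_ip = defaultdict(set)
    for ip, host in parse_entries(text):
        by_ip[ip].add(host)
    findings = []
    for ip in sorted(by_ip, key=str):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 sinkhole the name rather than redirect it
        hosts = sorted(by_ip[ip])
        findings.append({
            "ip": str(ip),
            "hosts": hosts,
            "search_hijack": any(h in SEARCH_HOSTS for h in hosts),
        })
    return findings


def hjt_fix_lines(text):
    """The distinct O1 lines a responder would tick in HijackThis for the findings."""
    return sorted({f"{O1_PREFIX} {f['ip']} {h}" for f in analyze(text) for h in f["hosts"]})


if __name__ == "__main__":
    for f in analyze(SAMPLE_HJT_LOG):
        label = "SEARCH HIJACK" if f["search_hijack"] else "redirect"
        print(f"{f['ip']}: {label} -> {', '.join(f['hosts'])}")
    print("\n".join(hjt_fix_lines(SAMPLE_HJT_LOG)))
```

Run against a live hosts file, the same function also shows legitimate non-loopback entries (internal hostnames an administrator added), so treat the search_hijack flag, not the mere presence of a routable address, as the indicator.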
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah yeah! I'm a glutton for punishment and you were off loafing again.:p
     
  23. PhilliePhan

    PhilliePhan Guest

    Hi Fromafar3,

    Chas & I are happy to help. And, we are almost done! Unfortunately, Mr. SmartyPants over there Missed One!!


    Please delete this using Pocket KillBox: C:\WINNT\system32\vwuugv.exe --> Navigate to it or just copy and paste it.


    PP :)
     
  24. fromafar3

    fromafar3 Private E-2

    Okay, ran the regedit - no problem there. Here's my latest hijackThis log.

    It's been over a half hour since I've had any browser issues. :D I just went to google and did a search and didn't have any windows open up with alternate sites. Yea!!! :D
     

    Attached Files:

  25. fromafar3

    fromafar3 Private E-2

    I'm pretty sure that file was deleted earlier. At least it was once. I just checked to make sure it hadn't come back and I couldn't see it...
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well I didn't want you to feel useless!;)

    Actually I skipped it because I believe it is similar to other ones I'm seeing lately. And may require some special steps (if they even work).

    We had already deleted it in message #6 & 7 and its back.
     
  27. fromafar3

    fromafar3 Private E-2

    Thanks again for all the help!

    When should I turn on the System Restore? Is there any other clean up I need to do?

    I'll review the sticky on Protecting and try my best to avoid this happening again.

    Once again, thanks!!!!
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well not yet! Let's see what we can do about that
    C:\WINNT\system32\vwuugv.exe

    File. Is it still there? Did you try using Pocket Killbox as PP suggested? If so and it's still in your HJT process list, can you actually see the file in c:\winnt\system32? Try what we did in message #6 and #7 again to delete it.
     
  29. PhilliePhan

    PhilliePhan Guest

    I vote to Copy&Paste C:\WINNT\system32\vwuugv.exe into KillBox and let it Delete on Reboot!!! ;)
     
  30. fromafar3

    fromafar3 Private E-2

    I don't see it in winnt\system32. I used Search to find it and it didn't. I tried to get Killbox to delete it and got an error message File Access "this file could not be deleted".

    Should I reboot into safe mode and try again, like we did earlier?

    Never mind what I just said - I'll try PP's way first...
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What options for killbox did you use? Did you try delete on reboot? What about " Use Dummy"?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If that does not work, we may need to boot to the Recovery Console and then delete it. Do you have a bootable copy of your WinXP CD?
     
  33. fromafar3

    fromafar3 Private E-2

    Okay, I'm back again.
    Originally I used 'Standard File Kill" and it didn't work. I just used 'Delete On Reboot' and ran a new hijackthis log (see attached).

    I'm sure I have a bootable CD somewhere but it's getting too late here for me to find it without waking up others.
     

    Attached Files:

  34. fromafar3

    fromafar3 Private E-2

    I just noticed this "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khggik.exe" What the heck is it?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It's gone right now! But after a few browsing sessions and maybe another reboot, let's see if it comes back. Something brought it back after we fixed it once before.
     
  36. fromafar3

    fromafar3 Private E-2

    Okay, I'm calling it a night. I'll post an update after giving things a run through. If I encounter anything weird I'll be back sooner rather than later.

    Thanks for all the help so far!
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From PP and Me, you're welcome!
     
  38. fromafar3

    fromafar3 Private E-2

    Oh man, I could cry - it's back! Before I had even started up IE this morning, the little Scotty dog from WinPatrol popped up with the info that my HOSTS file had been changed! Sure enough, as soon as I opened IE, windows were flying everywhere trying to take me places I have no desire to go.

    Looks like a piece was missed that somehow allowed c:\winnt\system32\vwuugv.exe to come back to life because when I run HijackThis and check thru Misc. Tools its one of the running processes again.

    I know it's the last day of 2005 and there may be nobody around to help me so I'll be patient and wait until there is. Happy New Year!
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly what is back? The O1 host lines or just that c:\winnt\system32\vwuugv.exe file. Sounds like more than that file is back.

    Where have you been surfing?

    Have you complete the steps here: How to Protect yourself from malware!
    If not, you should do so.

    Post a new HJT log.
     
  40. fromafar3

    fromafar3 Private E-2

    The O1 entries and the c:\winnt\system32\vwuugv.exe were both back. I hadn't even had time to browse anywhere except my original home page (www.rr.com) and here (MG). As soon as I opened IE and tried to go here windows would pop up showing other search sites for spyware elimination.

    Good news for now! (although you probably will want to slap my hand for trying things on my own, but I love a challenge.) I have managed to stop the windows popping open even though vwuugv.exe is still running....

    First I went back to the beginning steps of this thread and using Pocket Killbox tried to eliminate vwuugv.exe using Replace on Reboot, using Dummy. Then when I rebooted I ended up with a problem of a DOS window opening every 4-5 minutes and an error message that the file vwuugv.exe was unexecutable. Then I went back into Pocket Killbox and used Delete on Reboot and then rebooted. While vwuugv.exe was 'gone' I edited my HOSTS file, reran Ad-Aware, Spybot, CCleaner and CWShredder. I let Ad-Aware and Spybot clean everything they found, none of it being CoolWWWSearch this time, and then rebooted and now my browser seems to be working better. I noticed it took about 15 minutes before vwuugv.exe showed back up in HijackThis's process list - it still never shows in Task Manager.

    I have taken all the steps in the 'Protect yourself from Malware' sticky and while I'm pretty sure the problem is not gone for good, it has gotten better for now.

    I have attached a hijackthis log taken just before this post.

    Thanks for your help and if you wish to continue helping me, I would appreciate it.

    Have a Happy New Year!
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can have HJT fix this line:

    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)


    As for the C:\WINNT\system32\vwuugv.exe process. I would like you to try the following:
    Click Start, Run, and enter notepad C:\WINNT\system32\vwuugv.exe and then click OK. That should bring up some strange looking stuff in notepad because the file is binary. Hit CTRL-A to select all of the file then hit the Delete key to delete everything. Then write the file (click File, Save).
    Yes, I want to save an empty file.

    If you cannot see the file with notepad or you cannot write it, then you may need to change the file attributes so that it is not Read Only.
     
  42. fromafar3

    fromafar3 Private E-2

    Hi Chas! I was able to edit c:\winnt\system32\vwuugv.exe after using HJT to end the process. I also had HJT remove the O9 entry you suggested. I've included another HJT log in case you wanted to look at it.

    After doing as you suggested in your last post, I poked around a few of my usual haunts to see how IE reacted, and I had no problems. I then rebooted and encountered an error message from McAfee ActiveShield. It reported 'Some components of ActiveShield are either missing or might not have been installed properly. Please reinstall ActiveShield.' I've found in the past the McAfee error messages are frequently too generic to take seriously unless they repeatedly occur so I rebooted again and voila! no error message and ActiveShield is running fine. I've since rebooted one more time and still no more problems encountered with ActiveShield. I'm guessing the error message wasn't really connected with me changing the vwuugv.exe file, just coincidence?

    At this time IE seems to be working well. I've deliberately gone to many of my usual sites that used to result in many windows opening up to places I'd never choose to visit. I'm happy to report that things are working as they should.

    I'd really like to thank you and PP for your direct assistance as well as the author(s) of all the sticky posts. Those posts and being able to read about other people's problems and solutions really have helped someone like me wade my way through the nightmare of malware!

    Have a great New Year!
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. But that file is back.

    C:\WINNT\system32\vwuugv.exe

    Can you see this file by using Windows Explorer? What is the size of the file?
    Right click on it and select Properties and then the Version tab, and go thru the list of Item names retrieving the info. If there is no version tab, I would really suspect this to be malware.

    Try using this link: http://www.virustotal.com/flash/virustotal_en.html
    And click the Browse button and navigate to C:\WINNT\system32\vwuugv.exe
    and have it scanned. See what any of these report.
     
  44. fromafar3

    fromafar3 Private E-2

    I'm glad you are persistent! To answer your questions, I cannot see the file with Windows Explorer so I cannot give you any stats on the file.

    I went to the link you gave me and tried to browse to it and couldn't see it so I just typed in the name anyway and here are the results. Sorry the tabs didn't seem to stay when I copied it. I'll wait for you to tell me the next step...

    Antivirus     Version          Update       Result
    AntiVir       6.29.0.5         12.31.2004   -
    BitDefender   7.0              12.31.2004   -
    ClamAV        devel-20041205   01.01.2005   -
    DrWeb         4.32b            12.31.2004   Trojan.MulDrop.1400
    eTrust-Iris   7.1.194.0        12.31.2004   -
    eTrust-Vet    11.7.0.0         12.31.2004   -
    F-Prot        3.16a            01.01.2005   -
    Kaspersky     4.0.2.24         01.01.2005   Trojan-Downloader.Win32.Qoologic.f
    NOD32v2       1.962            12.31.2004   -
    Norman        5.70.10          12.31.2005   -
    Panda         8.02.00          12.31.2004   Adware/QoolAid
    Sybari        7.5.1314         01.01.2005   Trojan-Downloader.Win32.Qoologic.f
    Symantec      8.0              01.01.2005   -
     
  45. fromafar3

    fromafar3 Private E-2

    BTW, IE and Firefox have been hijacked a couple of times in the past hour but only to the same site each time. The big problem with this is they go to a site that contains sound and it startles the crap out of me each time it happens...
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want you to search your PC for 3 files but first you need to configure WinXP search as I have indicated below. The three files are:
    0c697fcb.exe
    03415d20.exe
    adolib32.dll

    How to use windows XP search mechanism to look for hidden files:
    If you use Search, you need to do the following:
    Click Search and the Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter 0c697fcb.exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button.

    Then repeat for the below:
    03415d20.exe
    adolib32.dll

    Let me know if you find them.
     
  47. fromafar3

    fromafar3 Private E-2

    Sorry, none of those files were found. The exact text was "Search is complete. There are no results to display." for each file you asked me to search for.

    I made sure that all three advanced options were checked as you requested. These three options were also checked when I was trying to locate vwuugv.exe which we know to exist in winnt\system32 even though I can't see it.
     
  48. fromafar3

    fromafar3 Private E-2

    Oops, forgot to add that the search for vwuugv.exe only found the name as part of the file vwuugv.exe-0D140EA5.pf in c:\winnt\prefetch.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete that file in the Prefetch folder.
     
  50. fromafar3

    fromafar3 Private E-2

    Done.
     
