Need help getting rid of CoolWWWSearch

Make sure system restore is disabled.

Try downloading, installing and running TDS This is Trojan Defence Suite. Run it from a safe mode boot.

Open TDS3's Scan comtrol and enable every option, then scan "All logical drives. This is a very deep scan and will take some time. When the scan is complete and providing you have a description of the malware in the bottom report console you should be able to right click on the result and select Delete or find the files properties etc.

It may not find that EXE but it could find others, like some DLL files.

 

Also, download this: http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

Extract find.bat and run it. Post the log it creates back here.

 

Yes. Also see my other requested item to run (finditnt2000xp.zip)

 

Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Doubleclick it and grant it permission to merge in the registry entries.

We have some more files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

C:\WINNT\system32\ieppni.dll
C:\WINNT\system32\lcuuql.dll
C:\WINNT\system32\lhuual.exe
C:\WINNT\system32\wpuukw.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khggik.exe

and C:\WINNT\system32\vwuugv.exe

Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

Now you are going to repeat the below steps for every file except C:\WINNT\system32\vwuugv.exe
(we will add it separately at the end). Replace the the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\system32\ieppni.dll


1) Now, Copy and Paste fullpathfile into the box
2) Check the option to Use Dummy.
3) Now, Click the Red X and Yes to the confirmation message.
4) A message will ask if you want to reboot now – Click NO.
5) Repeat for all files except the last one

For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

Now, Copy and Paste C:\WINNT\system32\vwuugv.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

After reboot post another log from this new find.bat program and also post a new HJT log.

 

Well the file (C:\WINNT\system32\vwuugv.exe) we have been trying to remove from your HJT log is gone. Is it still gone?

Does that error related to khggik.exe occur at each boot?
Let's try something, go to the below Startup and remove the entry for trying to start that file:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khggik.exe

 

If you go back and look at your HJT logs, you will see this file (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khggik.exe) only showed up after we killed all that hidden garbage. It finally made the loading of the process visible.

Try using Killbox. If that does not work, see if you can run msconfig and disable it from loading during startup and then maybe it can be remove/fixed using HJT.

Safe mode boot may be another option to try.

 

Yes! I was going to tell you to have HJT fix that line. It is not a problem but there is no need to have it in your hosts file.

Your log looks good. How is everything working now?

Maybe we are finish other than me saying, check this out: How to Protect yourself from malware!

 

You're welcome. I'm happy we have this all worked out.