CoolWWW and other popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Cannons, Dec 25, 2004.

  1. Cannons

    Cannons Private E-2

    I am on my mother's PC because I am home for Christmas break from school, and to put it simply it's been taken over. I've dealt with basic stuff like this on my PC, so I ran Ad-Aware and Spybot and Stinger and downloaded Firefox for her. The popups just kept coming back though. It's gotten so bad that IE popups come up (when I'm not using it), plus it started to change FIREFOX pages! If I typed in a website it would change the site to something else, like americangreetings. I was getting the a-d-ware.com or something like that IE popups. So, I then downloaded regular Mozilla, and instead of changing the page (like Firefox) it actually caused Mozilla popups when I typed in a site (this is with the popup blockers on). I have already followed the link about getting rid of spyware and stuff, and I have updated her Windows (35 total downloads). When I run Ad-Aware, there is always something it cannot delete (it changes nearly every time), and Spybot says it gets rid of most things but cannot get rid of the common
    coolwwwsearch.bootconf; loadbat; msconfd; oslogo; tapicfg; and xmlmimefilter that I have seen in sooo many other posts. I would be more than thankful for any help. This PC has Windows 2000 on it.
     
  2. Cannons

    Cannons Private E-2

    Can someone please help me?? I go home on Tuesday and my mom has no clue what anything is on a computer and thus won't be able to follow the directions that well.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have followed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem, follow the guidelines below.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. Cannons

    Cannons Private E-2

    Here's my log. I just want to say thanks in advance!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINNT\system32\wowrow.exe
    C:\WINNT\System32\dpmw32.exe
    C:\Documents and Settings\Bg10\Application Data\oete.exe
    C:\WINNT\system32\l?ass.exe <--- note this is NOT lsass.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [fwhbagbodtmzq] C:\WINNT\system32\jepoyz.exe
    O4 - HKCU\..\Run: [cmpbk32] C:\WINNT\system32\cmpbk32.exe
    O4 - HKCU\..\Run: [eBqtRWfnR] rsnfmon.exe
    O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe
    O4 - HKCU\..\Run: [Casp] C:\Documents and Settings\Bg10\Application Data\oete.exe
    O4 - HKCU\..\Run: [Akbeu] C:\WINNT\system32\l?ass.exe
    O4 - HKCU\..\Run: [setupapi] C:\WINNT\system32\setupapi.exe
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\wowrow.exe
    C:\WINNT\System32\dpmw32.exe
    C:\Documents and Settings\Bg10\Application Data\oete.exe
    C:\WINNT\about.htm
    C:\Program Files\CSBB <--- the whole folder
    C:\WINNT\system32\jepoyz.exe
    C:\WINNT\system32\cmpbk32.exe
    C:\WINNT\system32\rsnfmon.exe
    C:\WINNT\system32\winpack.exe
    C:\WINNT\system32\setupapi.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    The O1 - Hosts: lines will most likely all come back. They have been a big problem lately (Vx2 problems). If they do, you will have to download these tools:


    Generic Detection Tool
    http://www.downloads.subratam.org/DllCompare.exe
    http://www.downloads.subratam.org/VX2Finder.exe
    http://www.downloads.subratam.org/KillBox.zip
    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.
    Do not reboot after that because that can cause the files to mutate.
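An added illustration, not code from the thread or from HijackThis: a small Python checker that applies the reasoning behind the selections above to HJT-style log lines (hosts entries pointing search names at a non-loopback address, Run entries that imitate a system process or start from a profile directory, Trusted Zone additions, and DPF packages pulled from a local file:// path). The sample log, the SYSTEM_NAMES list and the PROFILE_DIRS list are constructed assumptions.

```python
import ipaddress
import re

# Constructed HJT-style sample modelled on lines quoted in the thread; not a real log.
SAMPLE_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [NDPS] C:\\WINNT\\System32\\dpmw32.exe
O4 - HKCU\\..\\Run: [eBqtRWfnR] rsnfmon.exe
O4 - HKCU\\..\\Run: [Casp] C:\\Documents and Settings\\Bg10\\Application Data\\oete.exe
O4 - HKCU\\..\\Run: [Akbeu] C:\\WINNT\\system32\\l?ass.exe
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\\counter.cab
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.+)$")
TRUST_RE = re.compile(r"^O15 - Trusted (?:Zone|IP range): (.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (\S+)$")

# Assumed lists: core Windows processes that malware imitates by name, and
# profile directories where a Run entry on Windows 2000 is unusual.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def lookalike_of(exe_name):
    """Return the system process that exe_name imitates, or None.
    HijackThis renders a character it cannot print as '?' (the thread's l?ass.exe);
    '?' is illegal in a file name, so here it acts as a one-character wildcard."""
    name = exe_name.lower()
    if "?" not in name:
        return None
    for sysname in SYSTEM_NAMES:
        if len(sysname) == len(name) and all(a in (b, "?") for a, b in zip(name, sysname)):
            return sysname
    return None


def analyze(log_text):
    """Return a list of (section, reason, line) findings for HJT-style lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOSTS_RE.match(line):
            ip = ipaddress.ip_address(m.group(1))
            if not ip.is_loopback:        # hosts entry redirecting a name to a real address
                findings.append(("O1", f"{m.group(2)} redirected to {ip}", line))
        elif m := RUN_RE.match(line):
            path = m.group(1).strip('"')
            exe = path.rsplit("\\", 1)[-1]
            if target := lookalike_of(exe):
                findings.append(("O4", f"{exe} imitates {target}", line))
            elif "\\" not in path:        # bare name: located via the search path at logon
                findings.append(("O4", f"{exe} has no directory in its Run value", line))
            elif any(d in path.lower() for d in PROFILE_DIRS):
                findings.append(("O4", "autorun from a user profile directory", line))
        elif m := TRUST_RE.match(line):
            findings.append(("O15", f"{m.group(1) or '(empty)'} added to the Trusted zone", line))
        elif m := DPF_RE.match(line):
            if m.group(1).lower().startswith("file://"):
                findings.append(("O16", "ActiveX package pulled from a local file:// path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in analyze(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Note that dpmw32.exe in the sample draws no finding: name- and path-based rules do not replace the file knowledge chaslang uses to pick it out.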
     
  6. Cannons

    Cannons Private E-2

    This PC has Windows 2000 on it, thus when I press Ctrl+Alt+Del the only options are "Lock Workstation", "Logout", "Shutdown", "Change Password", "Task List", and "Cancel". When I click on Task List the only program that comes up is Mozilla because that's the only thing I'm technically running right now. If there is another way to end the processes let me know. I'm going to follow the rest of your directions anyway.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows 2000 also has a Task Manager in that first window. Click on it and select the Processes tab.
     
  8. Cannons

    Cannons Private E-2

    Still couldn't find that Processes tab. This PC is Windows 2000 with NT technology if that means anything.., not sure if it does. I had some problems deleting the files you told me to in safe mode.
    wowrow.exe said "access denied. the source file may be in use". After deleting some of the other files though, this one disappeared.
    oete.exe could not be found.
    about.htm wasn't found.
    Program Files/CSBB: the folder wasn't there.
    cmpbk32.exe wasn't found but the DLL version was. I didn't delete it because I wasn't sure.
    winpack.exe wasn't there.
    setupapi.exe wasn't there but a DLL for it was. I didn't delete it because I wasn't sure.

    When I ran HijackThis again since rebooting, everything I was told to delete wasn't there except for the O1 Hosts, but I have run the programs you told me to run and created logs for them. I couldn't figure out how to work Killbox though. And once I ran Generic Detection Tool, some popups came back.
     


  9. Cannons

    Cannons Private E-2

    Here are the DllCompare and VX2Finder logs.
     

    Attached Files: log.txt (4.3 KB), vx2.txt (343 bytes)
  10. Cannons

    Cannons Private E-2

    Popups are all back again :rolleyes:
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this to bring up Task Manager. Click Start, Run, enter taskmgr into the box and click OK.
    If that brings up Task Manager, select the Processes tab. You need to be able to end processes or you will not be able to clean up these issues. You have big problems with VX2. You already have about 42 bad files in c:\winnt\system32 and it probably gets worse at each reboot.

    By the way I noticed you are running multiple antivirus applications (McAfee and Avast). You must only run one. Choose which one you want to keep and uninstall the other. Do that now and reboot.
     
    Last edited: Dec 26, 2004
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are now able to get to Task Manager's process list do the below.

    If you still cannot get to Task Manager's process list, then use the one built into HijackThis. When HJT comes up, click the Misc Tools button. Then click Open Process Manager and use it to select each item I list to kill and then click the Kill Process button. Substitute that in where I say use Task Manager.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    wowrow.exe
    dpmw32.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\wowrow.exe
    C:\WINNT\System32\dpmw32.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Note this will not fix the O1 - Hosts lines but I need to make sure you have other items fixed first and that you have a means to kill processes.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing my instructions in message #11 and then #12, do the following.

    Run PocketKillbox that I had you download.

    Run Killbox again.
    1) Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.

    C:\WINNT\SYSTEM32\awsnw.dll

    (Make sure you cut & paste in the filenames. If you try typing, you will get an error on the c: )

    2) Click the "Delete File" button which looks like a stop sign.
    3) Click "Yes" at the Replace on Reboot prompt.
    4) Click "No" at the Pending Operations prompt.
    5) Repeat steps 4-8 above for these files:

    C:\WINNT\SYSTEM32\azas0i57e8.dll
    C:\WINNT\SYSTEM32\d00m0ad1ed0.dll
    C:\WINNT\SYSTEM32\dnnu0159e.dll
    C:\WINNT\SYSTEM32\e8202ifmg82a2.dll
    C:\WINNT\SYSTEM32\f42mlef11h2.dll
    C:\WINNT\SYSTEM32\fp4203hoe.dll
    C:\WINNT\SYSTEM32\fp6803jue.dll
    C:\WINNT\SYSTEM32\fpjs0317e.dll
    C:\WINNT\SYSTEM32\fprs0397e.dll
    C:\WINNT\SYSTEM32\g8lmli3118.dll
    C:\WINNT\SYSTEM32\i424lefq1h2e.dll
    C:\WINNT\SYSTEM32\i460lejm1hoa.dll
    C:\WINNT\SYSTEM32\ir46l5hs1.dll
    C:\WINNT\SYSTEM32\ir88l5lu1.dll
    C:\WINNT\SYSTEM32\j4n2le5o1h.dll
    C:\WINNT\SYSTEM32\jr4025hmg.dll
    C:\WINNT\SYSTEM32\jt2007fme.dll
    C:\WINNT\SYSTEM32\k008ladu1d08.dll
    C:\WINNT\SYSTEM32\k462lejo1hoc.dll
    C:\WINNT\SYSTEM32\k8440ihqe84e0.dll
    C:\WINNT\SYSTEM32\kt2ol7f31.dll
    C:\WINNT\SYSTEM32\ktr0l79m1.dll
    C:\WINNT\SYSTEM32\l4p2le7o1h.dll
    C:\WINNT\SYSTEM32\lv8009lme.dll
    C:\WINNT\SYSTEM32\lv8u09l9e.dll
    C:\WINNT\SYSTEM32\lvnq0955e.dll
    C:\WINNT\SYSTEM32\m028lafu1d28.dll
    C:\WINNT\SYSTEM32\m0nqla551d.dll
    C:\WINNT\SYSTEM32\m2rm0c91ef.dll
    C:\WINNT\SYSTEM32\mv88l9lu1.dll
    C:\WINNT\SYSTEM32\mvn2l95o1.dll
    C:\WINNT\SYSTEM32\mvp0l97m1.dll
    C:\WINNT\SYSTEM32\nwdsetup.dll
    C:\WINNT\SYSTEM32\o8ns0i57e8.dll
    C:\WINNT\SYSTEM32\o8nsli5718.dll
    C:\WINNT\SYSTEM32\p0r4la9q1d.dll
    C:\WINNT\SYSTEM32\q068laju1do8.dll
    C:\WINNT\SYSTEM32\q0psla771d.dll
    C:\WINNT\SYSTEM32\q8860ilse8q60.dll
    C:\WINNT\SYSTEM32\t48u0el9ehq.dll
    C:\WINNT\SYSTEM32\tukwks.dll

    Still in Killbox
    Make sure you still have "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.
    C:\WINDOWS\System32\Guard.tmp

    Click the "Delete File" button which looks like a stop sign.
    Click "Yes" at the Replace on Reboot prompt.
    Click "Yes" at the Pending Operations prompt to restart your computer.

    After your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output2.txt to upload it).
     
  14. Cannons

    Cannons Private E-2

    Okay, did everything you told me to do. I had to use the HijackThis processes page because when I went to Task Manager, I got the task list but there was no Processes tab and it just showed whatever program I had open at the time; guess my Windows is just weird. Anyway, for some reason after doing everything, I just checked and it still said wowrow.exe was running, though I did delete the file. Also, as I'm typing this I just got some I.E. popup. Here are my logs.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Don't worry about the popups! We are not done fixing the VX2 issues yet. We have a ways to go. We did not get all the files on the first attempt:

    Run Killbox again.
    1) Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.

    C:\WINNT\SYSTEM32\grkrsrc.dll

    (Make sure you cut & paste in the filenames. If you try typing, you will get an error on the c: )

    2) Click the "Delete File" button which looks like a stop sign.
    3) Click "Yes" at the Replace on Reboot prompt.
    4) Click "No" at the Pending Operations prompt.
    5) Repeat steps 1-4 above for these files:

    C:\WINNT\SYSTEM32\dnl2013oe.dll
    C:\WINNT\SYSTEM32\l04q0ah5ed4.dll
    C:\WINNT\SYSTEM32\j4l40e3qeh.dll
    C:\WINNT\SYSTEM32\wzv9vcm.dll
    C:\WINNT\SYSTEM32\kt2ol7f31.dll

    Still in Killbox
    Using "Standard File Kill", paste the below file into the top "Full Path of File to Delete" box.
    C:\WINNT\SYSTEM32\Guard.tmp

    Click the "Delete File" button which looks like a stop sign.
    Click "Yes" at the Pending Operations prompt to restart your computer.

    After your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output3.txt to upload it).

    Also use Windows Explorer and please Navigate to C:\winnt\SYSTEM32 and look for a file named guard.tmp. I want to make sure it is gone.

    Make sure you tell me if there are any errors or problems along the way.
     
    Last edited: Dec 27, 2004
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also after your machine reboots, run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
  17. Cannons

    Cannons Private E-2

    Okay, done everything you told me to so far. guard.tmp isn't there. Here are my logs.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes this requires repetition and a few extra twists. This time make sure you are physically disconnected (unplug cable) from the internet during this whole procedure until I have you reboot and come back here. So print these instructions or save them locally since you must be offline.

    Run Killbox again.
    1) Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.

    C:\WINNT\SYSTEM32\wvuspol.dll

    (Make sure you cut & paste in the filenames. If you try typing, you will get an error on the c: )

    2) Click the "Delete File" button which looks like a stop sign.
    3) Click "Yes" at the Replace on Reboot prompt.
    4) Click "No" at the Pending Operations prompt.
    5) Repeat steps 1-4 above for these files:

    C:\WINNT\SYSTEM32\kt0ol7d31.dll
    C:\WINNT\SYSTEM32\lvl8093ue.dll
    C:\WINNT\SYSTEM32\gprml3911.dll

    Still in Killbox (we have to check again, it may come back)

    Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue underneath the filename box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output4.txt to upload it).

    Also use Windows Explorer and please Navigate to C:\winnt\SYSTEM32 and look for a file named guard.tmp. Tell me if it is still gone.
     
    Last edited: Dec 27, 2004
  19. Cannons

    Cannons Private E-2

    OK, did everything. This is the weird part. guard.tmp was not there when I checked, before and after rebooting. But I just ran Ad-Aware to see how much stuff it would pick up; the first time just some VX2 and some other things, the second time only 4 items, one of them being a VX2 process with the location being "C:\WINNT\System32\Guard.tmp". So I used Explorer and checked for it, and there it was. And also, I see that find.bat found some more items; I'm wondering if I should just keep looking at the log and deleting the files it shows, or just keep posting them here and waiting for directions.
     
  20. Cannons

    Cannons Private E-2

    I'm having a slight problem uploading the new log. The site keeps erroring. I'll try again later.
     
  21. Cannons

    Cannons Private E-2

    Here it is finally.
     


  22. Cannons

    Cannons Private E-2

    I must say though, even with the problems the PC still has, it is running a lot faster.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to repeat the process with Killbox on the below files and finish off with fixing guard.tmp again. Do not run any other scanners or processes while trying to fix this. Also avoid reboots except when told. These will cause mutation.

    c:\windows\system32\wyvdmod.dll
    c:\windows\system32\irj6l51s1.dll
    c:\windows\system32\sfscrap.dll
    c:\windows\system32\gpjsl3171.dll

    Then Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue underneath the filename box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After that post a new findit.bat log and also run DLLcompare and post a log.
     
  24. Cannons

    Cannons Private E-2

    I think everything looks pretty good! (At least I hope.) Here are my logs.
     


  25. Cannons

    Cannons Private E-2

    I just searched Explorer.. guard.tmp is still there. Should I go into safe mode and delete it? I have been using Killbox but it doesn't seem to be working with it.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, delete it! If you cannot delete it with Explorer, do the below:

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\WINNT\System32\guard.tmp
    Select Standard File Kill - Click Red X to delete it.

    Then do the following steps:

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click the Restore Policy Button.

    Then, use the UserAgent$ Button to remove the UserAgent from the registry.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log

    We are almost there! As long as it does not respawn! Be careful what you run. Do not run any other tools.
     
  27. Cannons

    Cannons Private E-2

    guard.tmp looks to be deleted. I deleted it manually then tried to run Killbox anyway and it said the file wasn't found, so that looks good. Whenever I ran VX2Finder and hit the Restore Policy button, it would ask to reboot my PC. I did, and when it came back, the UserAgent$ button was still unclickable. So I tried it again, and once again it asked for it to reboot, and when I came back I still couldn't click on that button. Here are my logs.
     


  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right-click on the above registry key (the Internet Settings one - make sure the bottom of the regedit window shows the full reg key as shown above) and select DELETE.


    We don't seem to need any fixes in HijackThis. The O1 - Hosts lines are gone.

    After doing the above you should be clean! Let me know.
    Make sure you check this thread out: How to Protect yourself from malware!
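An added example, not from the thread or from any MajorGeeks tool: a Python parser for the regedit export this post asks for, which lists Winlogon\Notify subkeys that are not in a baseline of Windows packages and shows the DLL each one loads at logon. The baseline list, the sample export, the contents of the Internet Settings subkey and example_notify.dll are constructed assumptions.

```python
import re

# Assumed baseline of Winlogon Notify packages shipped with Windows 2000/XP;
# adjust it for the build you are auditing.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
NOTIFY_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt"
                 "\\currentversion\\winlogon\\notify\\")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed regedit export (not the poster's real registry). The hypothetical
# "Internet Settings" subkey and example_notify.dll stand in for the key the
# thread has the user delete; crypt32chain is a genuine Windows entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINNT\\SYSTEM32\\example_notify.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""


def decode_value(raw):
    """Decode one regedit value: quoted REG_SZ, dword, or hex(2)/hex(7) UTF-16LE."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith(("hex(2):", "hex(7):")):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.decode("utf-16-le").rstrip("\0")
    return raw


def parse_reg(text):
    """Parse a regedit 5.00 export into {key_path: {value_name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # rejoin wrapped hex(...) values
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit_notify(text):
    """Return (subkey, DllName) for every Notify subkey not in the baseline."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(NOTIFY_PREFIX):
            sub = key[len(NOTIFY_PREFIX):]
            if sub.lower() not in KNOWN_NOTIFY:
                findings.append((sub, values.get("DllName", "<no DllName>")))
    return findings
```

Export the Notify key as the post describes, then pass the file's text to audit_notify; an unknown subkey with Asynchronous set is exactly the shape of entry this thread ends up removing.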
     
  29. Cannons

    Cannons Private E-2

    Thanks a lot man! You are a lifesaver! I cannot thank you enough for all my troubles; you truly are awesome. Hopefully everything works out!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Stop back and let me know how it's working.
     
