CoolWWWSearch.LoadBat and Family

Discussion in 'Malware Help (A Specialist Will Reply)' started by liverunited8, Feb 3, 2005.

  1. liverunited8

    liverunited8 Private E-2

    Hi all!! Recently, I noticed that my computer started having pop ups. I am running Windows XP SP 2. Initially, the pop up blocker was working fine until I started seeing a few coming up. I downloaded Spybot - Search and Destroy and scanned my system with it. It constantly found CoolWWWSearch.Loadbat and a whole lot of its other friends all under CoolWWWSearch but Spybot could not eradicate it. I did a quick search on Google using CoolWWWSearch and found Tina's case. Our case seems the same though my problem has yet to explode to that extent. I seriously hope that someone can help me before I have to reformat my computer. Thanks in advance.
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure one of the PROS can help you. These guys are quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)
     
  3. liverunited8

    liverunited8 Private E-2

    I have followed the instructions that were given in that thread. All the detectors did detect spyware. The list included VX2, look2me and quite a few other irritating stuff. The pop ups had these addresses on them: http://69.20.61.245/info@nictechnetworks.com/ad-armorie.htm and http://www.spotresults.com/cgi-bin/search.cgi?keywords=02467d305d08c2e2729e34b55dc280a0 Can someone please help me to get rid of this spyware? Whenever I am connected to the internet, I will receive these pop ups, even when I am playing online games. Please help me!!
     
  4. TheOldThug

    TheOldThug First Sergeant

    If you still have a problem then do the following:

    Please try to turn OFF any applications that are not needed. It makes it much easier to look at the HJT log.
    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT

    Good Luck :)
     
  5. liverunited8

    liverunited8 Private E-2

    Hi everyone! I have finally managed to scan my computer with HijackThis. I really hope someone can help me!! Thanks!
     

    Attached Files:

  6. TheOldThug

    TheOldThug First Sergeant

    At the minimum it looks like you have a VX2 infection. I have asked Chaslang to take over this thread. Hopefully he can fit it into his busy schedule, so please be patient.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First Step:

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Only run what I have given you directions for and make sure you download them from the links below:

    HijackThis 1.99.1 <--- you need to get this new version which just came out

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox


    Second Step:

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\system32\ntsmod.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\ntsmod.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now reboot in normal mode and continue with the below steps.

    Third Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!


    Fourth Step:

    Extract all the files from the Generic Detection Tool into its own folder.

    Then run find.bat. Post the log it creates back here as an attachment. Make sure you wait long enough for it to complete. A notepad window will popup with a log file in it when done. You will need to post that log later when you come back here.


    Fifth Step:

    Get a new HJT log using version 1.99.1. Now reconnect to the internet and come back here and post as attachments the l2mfix log, the find.bat log (normally already named output.txt) and the new HJT log (this will require two posts as only two attachments can be made in a message). Based on those logs, we will determine the next steps. Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  8. liverunited8

    liverunited8 Private E-2

    This is the new HijackThis log. I could not attach this so I copied it.

    Edit by chaslang: Inline log attached
     

    Attached Files:

    Last edited by a moderator: Feb 19, 2005
  9. liverunited8

    liverunited8 Private E-2

    this is the output.txt log file.

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Spyware Detector\NO2\finditnt2000xp\Find It NT-2K-XP

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is C0E6-4C0A

    Directory of C:\WINDOWS\System32

    02/18/2005 08:13 PM 222,923 bzhserv.dll
    02/18/2005 08:12 PM 224,811 u6ru0g99e6.dll
    02/18/2005 08:08 PM 224,811 idrtprio.dll
    02/18/2005 08:05 PM 222,923 n86qlij518o.dll
    02/18/2005 09:21 AM 222,923 kpdsmsno.dll
    02/16/2005 05:37 PM <DIR> dllcache
    02/15/2005 09:07 PM 224,111 i860lijm18oa.dll
    02/15/2005 10:11 AM 225,091 l8j8li1u18.dll
    02/14/2005 01:18 PM 226,134 l88m0il1e8q.dll
    02/14/2005 10:41 AM 224,111 gpjsl3171.dll
    02/12/2005 11:07 PM 224,111 lt2027fmg.dll
    02/10/2005 11:38 PM 224,111 m0640ajqedoe0.dll
    02/05/2005 12:19 PM 225,168 enpul1791.dll
    08/20/2004 01:09 AM <DIR> tewinext
    06/14/2004 12:55 AM 848 KGyGaAvL.sys
    06/01/2004 01:05 AM <DIR> Microsoft
    12/26/2003 05:49 PM 204,800 archlib.dll
    09/30/1999 07:21 PM 166,672 mstext35.dll
    09/28/1999 09:42 PM 1,050,896 msjet35.dll
    09/09/1999 10:06 PM 252,688 msexcl35.dll
    09/09/1999 10:06 PM 168,720 msltus35.dll
    08/25/1999 02:57 PM 415,504 msrepl35.dll
    06/10/1999 09:34 AM 24,848 msjter35.dll
    06/10/1999 09:34 AM 123,664 msjint35.dll
    06/07/1999 06:59 PM 250,128 mspdox35.dll
    04/25/1999 05:00 PM 287,504 Msxbse35.dll
    04/25/1999 05:00 PM 368,912 Vbar332.dll
    04/25/1999 05:00 PM 252,176 Msrd2x35.dll
    25 File(s) 6,258,588 bytes
    3 Dir(s) 5,092,913,152 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is C0E6-4C0A

    Directory of C:\WINDOWS\System32

    02/16/2005 05:37 PM <DIR> dllcache
    01/21/2005 05:14 PM 488 WindowsLogon.manifest
    01/21/2005 05:14 PM 488 logonui.exe.manifest
    01/21/2005 05:14 PM 749 cdplayer.exe.manifest
    01/21/2005 05:14 PM 749 wuaucpl.cpl.manifest
    01/21/2005 05:14 PM 749 ncpa.cpl.manifest
    01/21/2005 05:14 PM 749 nwc.cpl.manifest
    01/21/2005 05:14 PM 749 sapi.cpl.manifest
    12/08/2004 09:11 PM 10,828 WeHelp.GID
    08/20/2004 01:09 AM <DIR> tewinext
    06/14/2004 12:55 AM 848 KGyGaAvL.sys
    06/01/2004 02:02 AM 8,628 amecsa.GID
    10 File(s) 25,025 bytes
    2 Dir(s) 5,092,925,440 bytes free

    ------------ Files Named "Guard" ---------------

    Volume in drive C has no label.
    Volume Serial Number is C0E6-4C0A

    Directory of C:\WINDOWS\System32


    ------ Temp Files in System32 Directory ------

    Volume in drive C has no label.
    Volume Serial Number is C0E6-4C0A

    Directory of C:\WINDOWS\System32


    ------------------ User Agent ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{E13FF810-C31B-4226-A13B-19A5365FE8D1}"=""


    ------------- Keys Under Notify -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous"=dword:00000000
    "DllName"=""
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\n86qlij518o.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"


    ------------- Locate.com Results -------------

    C:\WINDOWS\SYSTEM32\
    bzhserv.dll Fri Feb 18 2005 8:13:38p ..S.R 222,923 217.70 K
    cdplay~1.man Fri Jan 21 2005 5:14:10p A..HR 749 0.73 K
    enpul1~1.dll Sat Feb 5 2005 12:19:26p ..S.R 225,168 219.89 K
    gpjsl3~1.dll Mon Feb 14 2005 10:41:16a ..S.R 224,111 218.86 K
    i860li~1.dll Tue Feb 15 2005 9:07:06p ..S.R 224,111 218.86 K
    idrtprio.dll Fri Feb 18 2005 8:08:08p ..S.R 224,811 219.54 K
    kpdsmsno.dll Fri Feb 18 2005 9:21:28a ..S.R 222,923 217.70 K
    l88m0i~1.dll Mon Feb 14 2005 1:18:22p ..S.R 226,134 220.83 K
    l8j8li~1.dll Tue Feb 15 2005 10:11:26a ..S.R 225,091 219.81 K
    logonu~1.man Fri Jan 21 2005 5:14:16p A..HR 488 0.48 K
    lt2027~1.dll Sat Feb 12 2005 11:07:36p ..S.R 224,111 218.86 K
    m0640a~1.dll Thu Feb 10 2005 11:38:12p ..S.R 224,111 218.86 K
    n86qli~1.dll Fri Feb 18 2005 8:05:28p ..S.R 222,923 217.70 K
    ncpacp~1.man Fri Jan 21 2005 5:14:10p A..HR 749 0.73 K
    nwccpl~1.man Fri Jan 21 2005 5:14:10p A..HR 749 0.73 K
    sapicp~1.man Fri Jan 21 2005 5:14:10p A..HR 749 0.73 K
    u6ru0g~1.dll Fri Feb 18 2005 8:12:08p ..S.R 224,811 219.54 K
    wehelp.gid Wed Dec 8 2004 9:11:04p A..H. 10,828 10.57 K
    window~1.man Fri Jan 21 2005 5:14:16p A..HR 488 0.48 K
    wuaucp~1.man Fri Jan 21 2005 5:14:10p A..HR 749 0.73 K

    20 items found: 20 files, 0 directories.
    Total of file sizes: 2,706,777 bytes 2.58 M

    -------- Strings.exe Qoologic Results --------


    --------- Strings.exe Aspack Results ---------

    C:\WINDOWS\system32\ha1.ax: .aspack
    C:\WINDOWS\system32\ha2.ax: .aspack

    -------------- HKLM Run Key ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AME_CSA"="rundll32 amecsa.cpl,RUN_DLL"
    "CTStartup"="C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE /run"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
    "razertra"="C:\\Program Files\\Razer\\razertra.exe"
    "Jet Detection"="C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe"
    "QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    @=""
    "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
    "WINDVDPatch"="CTHELPER.EXE"
    "gcasServ"="\"D:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    
     
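Added example, not part of the thread and not code from the Generic Detection Tool: a Python triage of a find.bat log that correlates each DllName under Winlogon\Notify with the System32 listing in the same log and reports Notify DLLs that are recent and sit among other recent DLLs of nearly the same size. The sample is an excerpt of the log posted above; the 30-day window and 4 KB size tolerance are assumed thresholds, and a hit is a lead for an analyst, not a verdict.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename

# Excerpt of the find.bat output posted in this thread (lines copied as-is).
SAMPLE = r'''
Directory of C:\WINDOWS\System32

02/18/2005 08:13 PM 222,923 bzhserv.dll
02/18/2005 08:05 PM 222,923 n86qlij518o.dll
02/15/2005 10:11 AM 225,091 l8j8li1u18.dll
06/14/2004 12:55 AM 848 KGyGaAvL.sys
12/26/2003 05:49 PM 204,800 archlib.dll
09/28/1999 09:42 PM 1,050,896 msjet35.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n86qlij518o.dll"
"Logon"="WinLogon"
'''

DIR_LINE = re.compile(r'^\s*(\d\d/\d\d/\d{4} \d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$')
KEY_LINE = re.compile(r'^\s*\[(HKEY_[^\]]+)\]\s*$')
VAL_LINE = re.compile(r'^\s*"([^"]*)"="(.*)"\s*$')
NOTIFY = '\\winlogon\\notify'


def parse_listing(text):
    """Return {lowercase file name: (modified, size)} from dir-style lines.

    <DIR> rows have no numeric size and are skipped by the pattern."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            when = datetime.strptime(m.group(1), '%m/%d/%Y %I:%M %p')
            files[m.group(3).lower()] = (when, int(m.group(2).replace(',', '')))
    return files


def parse_notify(text):
    """Return {subkey: DllName} for the Winlogon Notify keys of a REGEDIT4 export."""
    entries, current = {}, None
    for line in text.splitlines():
        key = KEY_LINE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(NOTIFY)
            current = path[idx + len(NOTIFY):].lstrip('\\') if idx >= 0 else None
            continue
        val = VAL_LINE.match(line)
        if val and current is not None and val.group(1).lower() == 'dllname':
            # .reg exports double every backslash inside string values
            entries[current or '(Notify)'] = val.group(2).replace('\\\\', '\\')
    return entries


def triage(text, recent_days=30, size_slack=4096):
    """Correlate Notify DLLs with the listing; thresholds are assumptions."""
    files = parse_listing(text)
    if not files:
        return []
    cutoff = max(w for w, _ in files.values()) - timedelta(days=recent_days)
    findings = []
    for subkey, dll in parse_notify(text).items():
        name = basename(dll).lower()
        if name not in files:
            continue  # empty DllName, or a DLL the listing does not mention
        when, size = files[name]
        siblings = sorted(n for n, (w, s) in files.items()
                          if n != name and n.endswith('.dll')
                          and w >= cutoff and abs(s - size) <= size_slack)
        findings.append({'subkey': subkey, 'dll': dll,
                         'recent': when >= cutoff, 'siblings': siblings})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f)
```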
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach logs like these from now on. If you have a problem attaching, you probably just need to rename the file. Use a naming convention for each subsequent upload like hjt1.log, hjt2.log, etc. That usually works well.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this ProxyServer line something you set and need:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.56.68.29:80

    You appear to be missing a bunch of Services that you may need. Do you recognize all of these and are you having any problems with what they are related to:

    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: CPU_UNIT - Unknown owner - %FinsServer%\bin\CpuUnit.exe (file missing)
    O23 - Service: ETN_UNIT - Unknown owner - %FinsServer%\bin\EthernetUnit.exe (file missing)
    O23 - Service: FgwSocketProxy - Unknown owner - %FinsServer%\bin\FgwSocketProxy.exe (file missing)
    O23 - Service: MapAgent - Unknown owner - %FinsServer%\bin\MapAgent.exe (file missing)
    O23 - Service: NameSpaceServer - Unknown owner - %FinsServer%\bin\NsServer.exe (file missing)
    O23 - Service: SerialUnit - Unknown owner - %FinsServer%\bin\SeriUnit.exe (file missing)
     
  12. liverunited8

    liverunited8 Private E-2

    Regarding the proxy server, I am using a cable modem and have no configurations dealing with the proxy. Unfortunately, I do not know if the modem did something related to the proxy. I guess we can just delete it and I can just install back the modem if anything goes wrong.

    I have never seen these services before. Have you seen them in your other cases before? I know one, the fgwsocketproxy, but I am not using it so I guess we can delete it.

    I guess we can delete all of them, unless stated otherwise by you..
     
  13. liverunited8

    liverunited8 Private E-2

    By the way, I also experience periodical winlogon illegal operation. It prompts me to ignore the problem or debug it. Either way my computer will just restart by itself illegally. Could this be related to spyware/malware?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just have HijackThis fix the R1 line with the ProxyServer and let's see what happens. Make sure you can still connect ok. We can always have HJT restore it from backup.

    I'm going to check some of those services out and I will let you know. The first one is for your Brother Printer. Do not fix these lines!!!! I think HJT is falsely reporting the files as missing when they are not. But there could be some other issue with the services because the names of the services are all coming up as - unknown -
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are some big issues we need to work thru before we worry about this. One step at a time. I'll be posting some more things to do soon.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox

    Only run what I ask you to run!

    First Step:

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    Second Step:

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log. Save this log to post later.

    Third Step:

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Fourth Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do it later when we reconnect).

    Fifth Step:

    Reconnect to the internet and come back here and post both logs from the L2Mfix, and the Generic Detection Tool's find.bat log (normally named output.txt).

    Based on those logs, we will determine the next steps.

    Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  17. liverunited8

    liverunited8 Private E-2

    This line has been changed:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.56.68.29:80

    to

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711

    I know that 127.0.0.1 is my own add. So what do I do with this line?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Fix it! And continue with my other steps!
     
  19. liverunited8

    liverunited8 Private E-2

    I cannot open the manage attachments. Whenever I click on it, a blank window just appears and does not seem to be loading. I cannot upload all the logs for you now.. What should I do?
     
  20. liverunited8

    liverunited8 Private E-2

    This is the l2mfix.bat log file. report2.log
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I thought you said Manage Attachments does not work! I guess it is okay!

    I'll be waiting for the other attachments!

    But you are not following directions:

     
  22. liverunited8

    liverunited8 Private E-2

    This is the findit log file(output) and first l2mfix log file(report3)
     

    Attached Files:

  23. liverunited8

    liverunited8 Private E-2

    This is the second l2mfix log file.(log.txt)
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HJT and if you see any of the below fix them while no browsers are open:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    Then reboot and post a new HJT log. How are things running?
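Added example, not part of the thread and not HijackThis code: a Python triage of the two kinds of HijackThis entries the helpers single out here, O1 Hosts redirects and R1 ProxyServer values. It groups Hosts entries by target address (skipping loopback and 0.0.0.0 targets, an assumed filter) and classifies each proxy endpoint as loopback or remote; the sample lines are copied from entries quoted in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# HijackThis lines copied from the posts in this thread.
SAMPLE = r'''
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.56.68.29:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe
'''

HOSTS = re.compile(r'^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$')
PROXY = re.compile(r'^R1 - (HK\w+)\\.*,ProxyServer = (.+?)\s*$')


def hosts_redirects(log):
    """Return {ip: {hostname: count}} for Hosts entries aimed at a routable IP."""
    by_ip = defaultdict(Counter)
    for line in log.splitlines():
        m = HOSTS.match(line.strip())
        if m:
            by_ip[m.group(1)][m.group(2).lower()] += 1
    out = {}
    for ip, names in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP literal; malformed line
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 targets send a name nowhere
        out[ip] = dict(names)
    return out


def proxy_settings(log):
    """Return [(hive, scheme, host, port, where)] for every ProxyServer value.

    The value is either 'host:port' for all protocols or a ';'-separated
    list of 'scheme=host:port' pairs."""
    found = []
    for line in log.splitlines():
        m = PROXY.match(line.strip())
        if not m:
            continue
        for part in m.group(2).split(';'):
            scheme, _, hostport = part.strip().rpartition('=')
            host, sep, port = hostport.rpartition(':')
            if not sep:
                host, port = hostport, ''
            try:
                loop = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loop = host.lower() == 'localhost'
            # A loopback proxy means a local process is listening on that
            # port; a remote one means traffic leaves through a third party.
            found.append((m.group(1), scheme or 'all', host,
                          int(port) if port.isdigit() else None,
                          'loopback' if loop else 'remote'))
    return found


if __name__ == '__main__':
    for ip, names in hosts_redirects(SAMPLE).items():
        print(ip, names)
    for row in proxy_settings(SAMPLE):
        print(row)
```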
     
  25. liverunited8

    liverunited8 Private E-2

    Hi! This is the new HJT log file. Before I rebooted, I played Counter-Strike online. Surprisingly, I did not experience any pop ups unlike last time, whenever I play half way, pop ups will occur and I have to alt + tab back to CS. Just curious, what is my status now and what about the other applications that you told me to download?
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since Chas is not here at the moment, I viewed your HJT log and there are a few entries that need to be fixed.

    Go ahead and do another scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.


    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

    O23 - Service: CPU_UNIT - Unknown owner - %FinsServer%\bin\CpuUnit.exe (file missing)

    O23 - Service: ETN_UNIT - Unknown owner - %FinsServer%\bin\EthernetUnit.exe (file missing)

    O23 - Service: FgwSocketProxy - Unknown owner - %FinsServer%\bin\FgwSocketProxy.exe (file missing)

    O23 - Service: MapAgent - Unknown owner - %FinsServer%\bin\MapAgent.exe (file missing)

    O23 - Service: NameSpaceServer - Unknown owner - %FinsServer%\bin\NsServer.exe (file missing)

    O23 - Service: SerialUnit - Unknown owner - %FinsServer%\bin\SeriUnit.exe (file missing)



    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    After you have completed these few tasks, reboot and post a fresh HJT log.

    Thanks Bj:)
     
  27. liverunited8

    liverunited8 Private E-2

    This is the new HJT log file.
     

    Attached Files:

  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try this again. Have HJT fix this entry. Be sure to close all open browsers before fixing anything.


    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)


    After you remove this entry, reboot and post new HJT. How are things running? Are you still experiencing any problems?
     
  29. liverunited8

    liverunited8 Private E-2

    Hi.. Here is the new one. It's much better now... so far haven't seen one yet...
     

    Attached Files:

  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For some reason this entry keeps coming back. Do you know what the Brother Popup Suspend Service is at all?

    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm assuming that the Brother Popup Suspend Service is related to the Brother printer, correct? :confused:
     
  32. liverunited8

    liverunited8 Private E-2

    Yes... I think so.. I do have a Brother printer connected... I don't think it's that important anyway...
     
  33. liverunited8

    liverunited8 Private E-2

    Now the pop ups have stopped appearing... so does that mean that's it?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Earlier in reference to some of the services that said file missing you said
    So what was this for. I'm assuming the rest were for it too.

    I don't think any of these really have the files missing. That is why I did not have HJT fix them to begin with. I have a feeling there could be a bug in HJT when for some reason it does not identify a service owner and it says - Unknown owner - It then goes on to report the file as missing which I know in most if not all cases is not true.
     
  35. liverunited8

    liverunited8 Private E-2

    I am still not sure what this is for... but in any case, I had HJT fix it all up and I haven't had any errors so far... I have rebooted 2 or 3 times already and played numerous online games and no pop ups. So I guess that's it, right?? Thank you so much for all the help!!! Companies will need people like you to help!!!
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

