Help I have CoolwwwSearch redirect problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by momofthree, Dec 2, 2004.

  1. momofthree

    momofthree Private E-2

I have followed the Read Me First page of this site. I did not find the exact items in Nwk Security etc. etc. I ran Norton and I'm clean. I already have Ad-Aware SE updated & the VX2 plug-in. I downloaded CCleaner and ran it in Safe Mode. I downloaded SpywareBlaster etc. etc. I am in Safe Mode now and I still have the CoolWWWSearch items that nothing seems to be able to remove. Help! What do I do now???? Thanks in advance for your help. momofthree
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Momofthree,

    Did you run CWShredder and do the Online Scans as prescribed in the Read Me First Tutorial?

    If you are certain that you've exhausted the Tutorial's options, then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will try to take a look at your Log when they get a chance.

    Best :)
    PP
     
  3. momofthree

    momofthree Private E-2

Hi Phillie, yes, I ran the online scan, but I forgot CWShredder. I will do that now. Is that OK or is it too late?
     
  4. PhilliePhan

    PhilliePhan Guest

    By all means, run it now. Then, please attach a HJT log as per my previous post and one of us will take a look when we get a chance.

    PP :)
     
  5. momofthree

    momofthree Private E-2

Hi PP, I hope I sent you the file correctly? I am going to sign off for now, but I will be back tomorrow. Thanks for your help so far. momofthree
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    You did fine :) You saved the log twice, but hey, as long as I can see it, we're in business.

You have a lot of O16 items (Downloaded Programs). Please let me know if there are any that you absolutely cannot live without. Otherwise, I will be pretty liberal with what we discard.

    We will have to attack this in two steps - It is best that way. Here is Step 1:

    Please download this tool - http://www.cexx.org/lspfix.zip

    THEN:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Do the same for aklsp.dll.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Now, Reboot and then scan with HijackThis and attach that log and we’ll take care of the rest of the baddies. I will check back when I get a chance - I'm usually here in the wee hours.

    PP :)
     
  7. Omegamerc

    Omegamerc MajorGeek

If you have WXP and you DIDN'T disable it from creating a backup of itself, the program will most likely stay on your HDD.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I assume you are referring to the System Restore capability? The first message from Momofthree states that she followed the READ ME FIRST thread. The first step there is to disable System Restore, so that should already be taken care of.
     
  9. momofthree

    momofthree Private E-2

Hi everyone helping on my case :) I am thankful for all of you. I keep getting pop-ups through all this typing, but I will continue. I did stop System Restore before I started with all this. I'm a little concerned about the downloaded stuff you would like to remove. I would like to keep the Homestead picture stuff, and I'm not sure what else I have downloaded. I guess my email program IncrediMail, and if you could not have me delete it unless I'm sure what it is, that would be good. If it is causing this problem, I will take it off. I am in Safe Mode now and will run that last request. Can you tell me what it does? Thanks, momofthree
     
  10. momofthree

    momofthree Private E-2

Oh yeah, about System Restore. I tried to take my system back to an earlier date, before I started being redirected, and Ad-Aware found 300 items of spyware when I went back to that date. I know that it didn't find that many before, so I think it did get into the restore section of the computer. If that makes any sense?!
     
  11. momofthree

    momofthree Private E-2

I went through the stuff on the computer and I think I know what I'd like to keep. Here is the list: Homestead PhotoSite Album Builder, WeatherBug, Acrobat Reader, Magic Ball (game), QuickTime Player, Panicware Pop-Up Stopper, Palm One Quick Install & HotSync Manager, AOL Instant Messenger, any photo stuff that isn't causing problems. I will wait till I hear from you again to do the things you suggested. Momofthree
    Oh yeah, what does the exclamation symbol that says "bad thread" mean? Is there a problem with the advice given or the question asked? :)
     
  12. momofthree

    momofthree Private E-2

I would also like to keep the Vivisimo search engine and Windows Media Player. I found something that I don't think I have seen on my computer before: kyyuuy.exe
    But I will quit looking around now till I hear from you. :rolleyes:
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi Momofthree,

Usually, when I see so many O16 entries in a log, I find a lot of them to be potential troublemakers. However, on closer inspection, most (if not all) of yours look OK :).

Please go ahead and disconnect from the internet and run LSP-Fix as per the instructions in my last post. Then, submit a fresh HJT log and we can take care of the other items.

    I will have to check back in the evening, but we should be able to wrap this up quickly!!

    PP :)
     
  14. momofthree

    momofthree Private E-2

Hi Phillie, good to hear from you. Here is the next scan from HJT after LSP-Fix was run. Let me know what to do next to rid my system of all these redirects and pop-ups. Also, I am doing all of this in Safe Mode; is that correct?
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

Do the HJT scans in normal Windows. SOME of the removal will be in Safe Mode. The instructions will be clear on that, don't worry :)

    I'll try to run through this quickly, but I have to get back to work soon - I will definitely have something for you by this evening! Sorry - I'm kinda touch and go in this forum these days. Hang in there!

    **** This is new and I do not like the looks of it ---> O4 - Global Startup: kyyuuy.exe (I see you noticed it, too)

    Please Download this tool and keep it handy: Pocket KillBox

    PP :)
     
    Last edited by a moderator: Dec 3, 2004
  16. momofthree

    momofthree Private E-2

OK, I will go into regular mode and run HJT again and resubmit it. Also, I am in the Mom's account; should I be in the Administrator account? I hope it doesn't matter, or I will have to start all over?!
     
  17. momofthree

    momofthree Private E-2

Here is HJT in regular mode. I will wait to hear from you this evening. Thanks again. Momofthree :)
     

    Attached Files:

  18. PhilliePhan

    PhilliePhan Guest

    Interesting that O4 - Global Startup: kyyuuy.exe does not show up here? . . . . Don't worry about it for now. I'll post something this evening.

    PP :)
     
  19. PhilliePhan

    PhilliePhan Guest

    Hi Momofthree,

    How many user accounts are there on your machine?

    I would strongly suggest Uninstalling ViewPoint & WeatherBug and fixing their entries below ( I went ahead and included them ).
    Also, look for TaskAd and Uninstall it, if found.

    You may want to consider doing the same for Incredimail and Abacast.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

-- Boot to Regular Windows --

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them if possible (if found):

    pyyiiy.exe
    gljhvswy.exe


    NOW, scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

    O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\ELITES~1\ELITES~1.DLL

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe

    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtpr32.exe

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    O4 - HKLM\..\Run: [cntezvgq] C:\WINDOWS\system32\gljhvswy.exe

    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW, boot into Safe Mode and navigate to and DELETE the following if they remain (some will be hidden, some will be gone):

    C:\WINDOWS\system32\pyyiiy.exe
    C:\Program Files\Viewpoint ----> The Folder
    C:\WINDOWS\system32\gljhvswy.exe
    C:\WINDOWS\multimpp.dll
    C:\PROGRA~1\AWS ---> The Folder
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\systb.dll
    C:\WINDOWS\satmat.exe
    C:\Program Files\Windows TaskAd ---> The Folder
    C:\windows\system32\kalvtpr32.exe
    C:\WINDOWS\ELITES~1 ---> The Folder

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now.
    Also, remember to let me know how many user accounts are on the machine.

    I'll check back when I get a chance.

    Best luck :)
    PP
     
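    The list above is long because each entry type needs a different judgement: R0/R1 lines are Internet Explorer start and search page values, O1 lines are HOSTS file mappings, O2 lines are Browser Helper Objects, O4 lines are Run keys and Startup folder items. As an added example, not code from the thread, from HijackThis or from any tool named here, the following Python puts those judgements into rules and runs them over a sample log constructed from the entries quoted above (plus two benign lines for contrast). The known-good host list and the known-good binary list are assumptions to adjust per machine; the rule that flags any autostart or BHO binary sitting directly under the Windows directory tree mirrors what this infection did (kalvtpr32.exe, multimpp.dll, ELITES~1.DLL), and it deliberately passes Viewpoint and WeatherBug, which live under Program Files and which the post recommends uninstalling as a judgement call rather than as malware.

```python
"""Triage rules for HijackThis-style log lines (added example; not from the thread or from HJT)."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: start/search-page hosts this machine should have; anything else is a hijack candidate.
KNOWN_GOOD_HOSTS = {"www.google.com", "www.msn.com", "search.msn.com", "www.microsoft.com"}
# Assumption: system binaries that legitimately autostart from the Windows tree; extend per build.
KNOWN_GOOD_BINARIES = {"ctfmon.exe"}
WINDIR = r"c:\windows"

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
RUN_PATH_RE = re.compile(r"\]\s*(.*)$")             # text after "[name]" in an O4 Run entry
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|scr|bat))", re.IGNORECASE)  # drop trailing arguments

def host_of(url):
    """Hostname of a start/search URL; HJT prints some of them without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def is_loopback(text):
    try:
        return ipaddress.ip_address(text).is_loopback
    except ValueError:
        return False

def binary_verdict(path):
    """Third-party BHOs and autostarts normally live under Program Files. A binary dropped straight
    into the Windows directory or system32 is what this infection did, so anything under the
    Windows tree that is not a known system binary is flagged."""
    if path.endswith("(no file)"):                  # registry points at a file that is gone
        return "flag", "orphaned entry (no file)"
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if low.startswith(WINDIR + "\\") and name not in KNOWN_GOOD_BINARIES:
        return "flag", path
    return "ok", path

def triage_line(line):
    """Classify one HJT log line -> (type, verdict, detail), or None for non-entry lines.
    verdict: 'flag' = fix it, 'review' = needs a human, 'ok' = no rule fired (not proof of innocence)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    if etype in ("R0", "R1"):                        # IE start page / search page values
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        host = host_of(url)
        return etype, ("ok" if host in KNOWN_GOOD_HOSTS else "flag"), host or url
    if etype == "O1":                                # HOSTS mappings: only loopback is expected
        parts = body.split(None, 2)                  # "Hosts:", ip, hostname
        if len(parts) < 3:
            return etype, "flag", body
        return etype, ("ok" if is_loopback(parts[1]) else "flag"), f"{parts[2]} -> {parts[1]}"
    if etype in ("R3", "O2", "O3"):                  # URLSearchHook, BHO, toolbar: last field is the file
        return (etype, *binary_verdict(body.rsplit(" - ", 1)[-1]))
    if etype == "O4":                                # Run keys and Startup folders
        if body.startswith(("Global Startup:", "Startup:")):
            return etype, "review", body.split(":", 1)[1].strip()
        rest = RUN_PATH_RE.search(body)
        rest = rest.group(1) if rest else body
        exe = EXE_RE.match(rest)
        return (etype, *binary_verdict(exe.group(1) if exe else rest))
    return etype, "review", body                     # O6 policies, O9 buttons, O16 DPF, ...

def triage(log_text):
    return [r for r in (triage_line(ln) for ln in log_text.splitlines()) if r]

def flagged(log_text):
    return [r for r in triage(log_text) if r[1] == "flag"]

# Constructed sample, modelled on the entries quoted in the post plus two benign lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\ELITES~1\ELITES~1.DLL
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtpr32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: kyyuuy.exe
"""

if __name__ == "__main__":
    for etype, verdict, detail in triage(SAMPLE_LOG):
        print(f"{verdict:6} {etype:3} {detail}")
```

    Run as-is to see the verdicts for the sample; on a real log, paste the file contents into `triage()`. An "ok" verdict means only that none of these rules fired: a Run entry under Program Files with a vendor name can still be adware, which is why the post asks what the user wants to keep.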
  20. momofthree

    momofthree Private E-2

I have two accounts on the computer, Mom and Administrator. I ran Ad-Aware again and now I have hundreds of items. I don't know what Viewpoint is and how it got on there, or TaskAd.
     
  21. momofthree

    momofthree Private E-2

Hey Phillie, I did everything up to "navigate to and delete the following C:\WINDOWS\system32" etc. etc. etc. I don't know where to go to find them? I clicked on the C drive in My Computer, then Windows, but didn't know where to go from there. Also, the BHO items were not on the HJT scan. And the two items in the Task Manager were not there either. Now what? :confused:
     
  22. momofthree

    momofthree Private E-2

I deleted WeatherBug by uninstalling it using Windows, but I would like to keep IncrediMail. I purchased that online.
     
  23. PhilliePhan

    PhilliePhan Guest

    In the System32 folder, look for the files I gave you ( for example, kalvtpr32.exe ) and delete them, if found. You'll need to have the viewing of hidden files enabled as per the tutorial.

    If you need to, you can use Windows Explorer to search your computer for them. Click Start > Search and enter the files and folders in bold that I listed. Just make sure that, when you find them, they follow the proper path.
    For example: C:\WINDOWS\satmat.exe ---> satmat.exe will be found in the Windows directory and for C:\windows\system32\kalvtpr32.exe ---> kalvtpr32.exe will be in the System32 Folder in the Windows directory.

    Basically, you need to search the larger folders for the files that I listed and delete them if you find them. The files will be alphabetized, so it should be fairly easy.

    Also, you will need to give me HJT Logs for both accounts (label one Mom, the other Admin) - Some problems may be different, some will overlap.

    Fun, huh? :)

    PP
     
  24. momofthree

    momofthree Private E-2

OK, I'll be back in a while. I have to make dinner sometime tonight! I will do this first and send it your way. While you're looking it over, I'll feed my family.
     
  25. PhilliePhan

    PhilliePhan Guest

    All righty then :)

    I will be going out later this evening - So, don't think I forgot about you if you don't hear back right away.

    Try to enjoy your Friday night!

    PP :)

    *** About the Incredimail - The final cut is up to you.
     
  26. momofthree

    momofthree Private E-2

My computer keeps rebooting by itself. Here is the Mom account after the computer rebooted by itself. I will run the Admin account now.
     

    Attached Files:

  27. momofthree

    momofthree Private E-2

Here is the Administrator account HJT log. I had to run it in Safe Mode. I couldn't find it when I looked in Change Account User on the Control Panel page. I will keep looking and see if I can figure out where to go to find it in normal mode. I am still being redirected with lots of pop-ups :rolleyes: .
     

    Attached Files:

  28. PhilliePhan

    PhilliePhan Guest

If it's just in Safe Mode, don't worry about it.

    I'll check back after I run through the logs. - It may be tomorrow.

    * *Are you now comfortable looking for and deleting files?

    I'll try to find out what this is -O4 - Global Startup: kyyuuy.exe

    PP :)
     
  29. momofthree

    momofthree Private E-2

Yes, Phillie, I am ready to delete some bad stuff! CoolWWW is still coming up when I run Ad-Aware & Spybot. It seems like a hard one to get rid of.
     
  30. momofthree

    momofthree Private E-2

I just turned on the computer and now my desktop says there is an error. There's a full white screen and it wants me to click "Restore Active Desktop". I'm afraid to click it for fear of what it might add to my system.
     
  31. PhilliePhan

    PhilliePhan Guest

    Go Ahead and restore your active desktop.

    The particular malware that you have can often be difficult to remove (it has a tendency to keep coming back), but I think we can do it ;)

    1) Please run HijackThis for the Administrator Account (in Safe Mode, if necessary). In the small box in the lower right where it says "other stuff," select CONFIG > Misc Tools and choose Generate Startup List Log. Please save that log and attach it for me.

    2) Were you able to download the Pocket Killbox from a few posts back? If not, please do so.

    3) Does the Mom account have Administrator Privileges? Click Start > Control Panel > User Accounts to find out.

    I realize that this process is rather difficult, trying to message back and forth! Plus, I'm pretty busy this weekend and my internet access will be limited. I will ask Chaslang to keep an eye on your thread as well. Hang in there! We'll get you fixed up.

    Try to enjoy the weekend!

    PP :)
     
  32. momofthree

    momofthree Private E-2

Hi Phillie, just a quick note to see if you are on now so we can take care of this mess? Hope you had a nice time out last night. momofthree
     
  33. momofthree

    momofthree Private E-2

Hi Phillie, just a quick note to see if you are on now so we can take care of this mess? Hope you had a nice time out last night.
    I do have admin on my account, and yes, I did download KillBox, but it only says KillBox, not Pocket KillBox, on the file that is in the special folder with everything else?! momofthree
     
  34. PhilliePhan

    PhilliePhan Guest

    I'm just about ready to log off - Got to start fixing dinner in about 20 mins.
    Going out again tonight ( Hey, it's the weekend ;) ), but will probably check back in the wee hours.

    Please go ahead and do the items in my last post. I have left a message with Chaslang for him to please keep the ball rolling if he is able to check in this evening. Between the two of us, we may be able to help in a more timely manner!

    In addition to the Startuplist log that I asked for, please include Fresh HJT logs for both accounts - in normal Windows if possible. If you can't do normal windows for the Admin, give us a Safe Mode.

    I will try to check back this evening before I go out. Right now, I'm just trying to catch up with all of the threads I've answered!!

    PP :)
     
  35. momofthree

    momofthree Private E-2

Before you go, can you explain where to find the Config Misc Tools and where I find Generate Startup List Log??? I have the Admin HJT log that I just now ran; I will send it now. Something didn't work; I'm not sure that is the log I just ran.
     

    Attached Files:

  36. PhilliePhan

    PhilliePhan Guest

    Open HijackThis > In the small box in the lower right where it says "other stuff," select CONFIG > Misc Tools Tab and Click the tab for Generate Startup List Log. Please save that log and attach it for me.

    Dinner is burning, Gotta go :cool:


    Will check back in a few hrs before I go out.

    PP :)
     
  37. momofthree

    momofthree Private E-2

I'm sorry, Phillie, this must be frustrating for you too. I am new to digging deep into my computer. I ran the list; here it is. I am anxious to have my system clean but apprehensive about doing it myself. I do appreciate your patience! :)
     

    Attached Files:

  38. PhilliePhan

    PhilliePhan Guest

    Not frustrating. Sure, it would be much easier if I were sitting in front of your computer, but that isn't the case. I'll post something for you before I head out around 8:30PM (EST)

    PP :)
     
  39. momofthree

    momofthree Private E-2

Happy Birthday to you, Happy Birthday to you etc. etc. etc. I noticed today is your B-D. You should be going out tonight! ;) I'm surprised you had to make dinner! Have a great time! Momofthree
     
  40. PhilliePhan

    PhilliePhan Guest

    That's not me!! My birthday is in July. . . .Plus, I am almost an old fart like Chaslang.

I'll post something for you in 30 min or so.

    PP :)
     
  41. momofthree

    momofthree Private E-2

Yep! I just noticed that it isn't you. Have a great night anyway! :)
     
  42. PhilliePhan

    PhilliePhan Guest

    Hi M3,

    I plan to!! :)

    I still see WeatherBug. Is this the MOM account? Let me know, but continue with these instructions. I am halfway out the door – I’ll try to check back in the very wee hours, or tomorrow evening. Chaslang may make an appearance before then.

    This particular baddie can be very difficult to kill, so please follow the instructions carefully!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Run Pocket KillBox and select the Delete on Reboot option.

    Then, where it says Full Path of File to Delete, Copy and Paste the following into the window: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kyyuuy.exe

    Now Click OK.

    Now, Click the Delete Button (Red X).

    A message will say C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kyyuuy.exe will be Deleted on Next Reboot YES / NO

    Click YES.

    A message will say: File will be Removed on Reboot, Do you want to reboot now?

    Click YES.


Once the machine has rebooted, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    pyyiiy.exe

    kalvtpr32.exe

    If you cannot end them or do not find them, go on to the next step.

    Now scan with HijackThis and Check the Boxes for the following:

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtpr32.exe

    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\pyyiiy.exe

    O4 - Global Startup: kyyuuy.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and navigate to the System32 Folder and DELETE the following if they should remain:

    C:\WINDOWS\system32\pyyiiy.exe
    C:\windows\system32\kalvtpr32.exe

    If you need to use Windows Explorer to Search for kalvtpr32.exe & pyyiiy.exe, that's fine too. As long as you delete them!!

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Best luck
    PP
     
    Last edited by a moderator: Dec 4, 2004
  43. momofthree

    momofthree Private E-2

This is insane! :mad: This is the third time I have tried to send this info on my progress! The computer keeps shutting down. I am in Safe Mode now. I couldn't find the OK button on KillBox but did find the red X. I copied the info in the spot you told me to and clicked the red X, and got the message "Pending file rename operations registry data has been removed by external process!" It didn't reboot automatically, so I did it and went to the next step. I got the message "ending sgtray.exe not responding"; I had to "end now". I found pyyiiy.exe and tried to delete it, but got the message "cannot delete, access denied." I did notice two items in My Computer on the C drive that look odd: "silent 093.exe" and "sideDD.exe". I just reran HJT in Safe Mode and found the same 69.20. etc. that I told it to fix. Here is the latest scan since the computer shut down. Should I just reload Windows and all the precaution programs suggested here? Will I lose all my pictures and documents if I reload Windows, and will that get rid of this mess????? momofthree :rolleyes:
     

    Attached Files:

  44. PhilliePhan

    PhilliePhan Guest

    You could back up all of the things that you want to keep and then reformat. But, that process can be equally tedious and is no guarantee that you won't get reinfected the next day!

    I'm getting a bit confused as this rolls on. (With all the different threads I see, I'm surprised I can still tell what is what!)


    Are there 1 or 2 user accounts in Normal Windows?
    I think that weird exe on Global Startup may have thrown me down a wrong path.

    Let's take another stab at this: Please attach a fresh HijackThis log from the Mom Account (the one you regularly use) with the scan taken in Normal Windows. I will take a look and post the step by step removal instructions Sunday Evening.

    I am not sure if this baddie rewrites the Hosts File - I think that is a worry left for later, though. Please post the log from the Mom Account and lets give it one more try :)

    PP
     
  45. momofthree

    momofthree Private E-2

Here is the latest HJT in normal mode. I have two accounts in normal mode: 1. Mom account with computer admin, password protected, and 2. Guest (account is off). I also just downloaded the Giant AntiSpyware program (I noticed another thread that was having the same problem and chaslang told him to download that one). So it is on here if we need it. I didn't scan with it yet. I have it for 15 days (I am praying we will be done with this by then and I won't need it after that). I noticed everything is back!! It seems to be reloading every time I delete it. I will be waiting to hear from you.
     

    Attached Files:

  46. momofthree

    momofthree Private E-2

:( ***** PP, I just ran the Trend Micro scan again for grins and it came up with Trojan Narrator.A in 6 locations. One was in prog files\hjt\backups\backup-20041204-224455-762-kyyuuy.exe. I hit Clean and then Delete. I then ran it again in Safe Mode and it came up with two in different locations. I didn't do anything with these except hit the Clean button. Do I have a trojan now! I am headed out to a program at church but I will be back around 8 pm. I need to know what to do to get rid of a trojan, if that is what I have. The new scan in Safe Mode ended with the kyyuuy.exe and the pyyiiy.exe that we have been fighting all along! Is it the redirect growing or a trojan that was uncovered by what we have done so far? Notice the date that it got into the HJT backup!?
     
  47. PhilliePhan

    PhilliePhan Guest

    This is just the backup made by HJT when it deleted the registry entry. It is nothing to really worry about, although that trojan now appears in startup again. We'll go after it again soon.

    Unfortunately, the larger problem remains! I think it may be a new variant of Look2Me – The removal tools have not caught up to it yet. If it makes you feel better, an awful lot of people are having a ridiculously difficult time removing this!! I do not think anybody has a fix for it yet.

    We will have to poke around and see if we can find out what makes it tick! Please do the following ( With the Viewing of Hidden Files Enabled):

    1) Use Windows Explorer to run a search of your computer for Hosts. Just type Hosts in the window and let it search. Let me know what it finds.

    2) Look in the Help Folder at C:\Windows\Help and see if there is a Hosts File in that folder. You should not find one. Let me know either way.

3) Follow this path to the legitimate Hosts File ---> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS. Make sure that there is only 1 Hosts File in the ETC Folder. Then, right-click it and select Open With > Notepad and tell me what it says.

    4) Please download Hoster Zip File and keep it handy. Do not use it yet.

    Post back with the results of the above and we'll go from there. I'll try to check back when I am able. I am a bit overextended with all of the threads I've got going right now + real work. So, hang in there!

    ***** While it probably won't make you feel better, you are not alone here -- We have just gotten 4-5 new threads with the same problem! It is starting to go epidemic . . . . That should get a lot of attention and a tool to fix this may be developed soon!

    With all the new threads coming in, perhaps Chaslang or I will be able to spot a common denominator.

    PP :)
     
    Last edited by a moderator: Dec 5, 2004
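    Steps 1 to 3 above come down to two questions: which of the files a search for "Hosts" turns up is the one the resolver actually reads, and what does that file map where. As an added example, not code from the thread, from Hoster or from any other tool named here, the following Python answers both for a constructed sample: a hosts file modelled on the O1 entries seen earlier (public search hostnames pinned to 69.20.16.183) and a list of paths such a search might return, including the C:\WINDOWS\Help copy the post says should not exist. The resolver's default location under %SystemRoot%\system32\drivers\etc is Windows behaviour, not something from the post; the caveat in the comments that the Tcpip DataBasePath registry value can move it is likewise a general Windows fact, not something the thread observed.

```python
"""Checks for the HOSTS steps in the post above (added example; not from the thread or any tool it names)."""
import ipaddress
import ntpath

# %SystemRoot% is C:\WINDOWS on the machine in this thread. The resolver reads hosts from
# %SystemRoot%\system32\drivers\etc unless HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
# \DataBasePath has been changed, so that value is worth a look if this file comes up clean.
LEGIT_HOSTS_DIR = r"c:\windows\system32\drivers\etc"

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping. '#' starts a comment, any whitespace separates
    fields, and one line may list several hostnames for the same address."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                       # blank, comment-only, or malformed line
        for name in fields[1:]:
            yield fields[0], name.lower()

def redirects(text):
    """Mappings that point anywhere but loopback. A stock hosts file only maps localhost, so a
    public search hostname pinned to a remote address is exactly the hijack the O1 lines showed."""
    found = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            found.append((name, ip, "unparseable address"))
            continue
        if not addr.is_loopback:
            found.append((name, ip, "redirect"))
    return found

def classify_paths(paths):
    """Split the results of a Windows search for 'hosts' into the one file the resolver honours
    and everything else (a copy in the Help folder, a hosts.bak left by a tool, ...)."""
    legit, others = [], []
    for p in paths:
        directory, filename = ntpath.split(p.lower())
        (legit if (directory == LEGIT_HOSTS_DIR and filename == "hosts") else others).append(p)
    return legit, others

# Constructed sample file, modelled on the O1 entries quoted earlier in the thread.
SAMPLE_HOSTS = """\
# one IP address per line, followed by one or more hostnames
127.0.0.1       localhost
69.20.16.183    ieautosearch
69.20.16.183    auto.search.msn.com   search.netscape.com    # two names, one redirect target
::1             localhost
"""

# Constructed result of Start > Search for 'hosts'.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drivers\etc\hosts",
    r"C:\WINDOWS\Help\hosts",
    r"C:\WINDOWS\system32\drivers\etc\hosts.bak",
]

if __name__ == "__main__":
    for name, ip, why in redirects(SAMPLE_HOSTS):
        print(f"{why}: {name} -> {ip}")
    legit, others = classify_paths(SAMPLE_PATHS)
    print("legitimate:", legit)
    print("other copies:", others)
```

    On a real machine, read the file found by `classify_paths()` and pass its contents to `redirects()`; an empty result there while the browser still lands on the wrong search page points away from the hosts file and back at the Run keys and BHOs, which is the direction the thread eventually takes.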
  48. momofthree

    momofthree Private E-2

PP, I did as instructed as much as I could. Here is what happened. There were 30 files found when I did the search under Hosts. Under My Computer,
    C drive, Windows, System32, drivers, etc, hosts, there are 30 files! I selected the first host and right-clicked; there was not an option to open "with Notepad", only "open", which I didn't do. I looked in Help and didn't find any host files there. Also, the Hoster zip file keeps bringing up AOL behind the download page. Is this correct or am I being redirected? I don't want to download the wrong thing. mot
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Hoster.zip is a file at the following address: http://members.aol.com/toadbee/hoster.zip
    Clicking on that should just attempt to download the file. It should not be trying to run AOL. Do you have and use AOL on your PC?

    You should take a look at what I'm asking two other users with this problem to do using some programs from SysInternals. See these two threads:

    http://forums.majorgeeks.com/showthread.php?t=48907
    http://forums.majorgeeks.com/showthread.php?t=48597

    I'm not sure if that is too much to ask of you. You will have to tell us if it is too complex for you. I'm trying to use those programs to locate what process is causing this to respawn all the time.
     
  50. PhilliePhan

    PhilliePhan Guest

You had 30 different Hosts files? Right-click one of them. One of the options should be "Open with..." Click that and then select Notepad and it should open with Notepad. I think I already know what it says.

    You might also try to see if you can right-click them and delete them.

    I think for right now, it might be a good idea to wait and see how some of these other threads shake out and what they have to tell us ;)
    If, as Chas mentioned, you would like to try to do the same, use the tools and follow the instructions he gave in this thread: CoolWebSearch

    Post any questions in your thread here and I'll try to check back regularly to answer them. Let me know if you want to wait and see or if you wish to try this as well.

    PP :)
     