help removing coolwwwsearch

Discussion in 'Malware Help (A Specialist Will Reply)' started by rgkleidman, Feb 4, 2005.

  1. rgkleidman

    rgkleidman Private E-2

    I can't seem to get rid of coolwwwsearch
    I have followed all of the instructions on the posting here and then some. I booted into safe mode and enabled the show hidden files and disabled system restore. I have run ad-aware, spybot, sysclean as well as Trend Micro's online scanner, the cws shredder, ccleaner, norton anti-virus and I also ran a-squared.
    The shredder finds and removes the cws boot config. A-squared always locks up and dies in the same place c\windows\ServicePackFiles\i386\.
    I have found and removed various trojans and spywares but in the end spybot always shows that all the cws junk has come back.

    Symptoms: IE will open (I usually use firefox) and take me to sites selling spyware removal tools and other advertisements. Various icons for casinos, amazon, spyware cleaners are placed on my desktop.

    Infection source: I was looking for a version of divxplayer that did not have adware. I looked for and found what I thought was a benign version called divxlite. This is what installed all this malware.

    I'm running windows xp pro with all of the patches and service pack 2. I have 3 spyware scanners on my machine as well as norton anti-virus. I update and run scans regularly but nothing seems to help.

    If I need to scrub my c drive and reinstall the os that's OK, but I'd like to know if there is another way to beat this.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    I see Chas beat me to it.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I caught you napping! ;)
     
  5. rgkleidman

    rgkleidman Private E-2

    Here is the log file. I shut off everything I could except cybersitter since that would involve an uninstall and reinstall.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not run all the steps in the READ ME FIRST as required. You never ran the online scanners. Is there a reason for that? Was anything else skipped?

    You have several problems including a nasty VX2 problem and a Narrator trojan. I'll get back to you with the starting steps.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must stop using msconfig to control what programs are being loaded at boot up. Please run msconfig and select normal startup. You don't need to reboot right now if prompted to do so. Wait until later.

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    LSP - Fix


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Second Step:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do it later when we reconnect).

    Third Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Fourth Step:
    Get a new HJT log.

    Now reconnect and come back here and post as attachments the l2mfix log, the find.bat log (normally already named output.txt) and the new HJT log (this will require two posts as only two attachments can be made in a message). Based on those logs, we will determine the next steps. Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
    Last edited: Feb 4, 2005
  8. rgkleidman

    rgkleidman Private E-2

    First of all thanks for all of your help.

    I have changed msconfig back to normal start up and will reboot when you tell me to do so. I went this route because there were some annoying things I couldn't get rid of at start up that I will ask you about when we are all done.

    I ran the LSP-Fix and there was no aklsp.dll. This may reflect some other actions I took prior to submitting my problem to you.

    I will upload my logs but I wanted to mention another oddity. In my base station management tool for my home network I found some entries that I don't remember adding for port forwarding: iC5060 on port 5060 and msmsgs on inbound ports 5593, 3556 and inbound 7079 and 1283. Could these be related to any of my issues? If not, how did these get there and what are they?
     

    Attached Files:

  9. rgkleidman

    rgkleidman Private E-2

    One more thing, I did run the online scanners. The trend micro-scanners found 3 versions of the same trojan that it could not clean and I deleted them. I can't recall but I may have run the scanners in safe-mode.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log still does not show any indication that the online scans were run. If you ran the Symantec and Trendmicro online scans there would be O16 entries for both of them.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 1:

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 2:

    Run "find.bat" from the Generic Detection Tool again!

    Okay after doing the above DO NOT REBOOT. Now reconnect to the internet and come back here and post and attach the find.bat log along with the L2MeFix Log.

    You have other problems too, along with a Narrator trojan and some Qoologic problems. We will get to them later.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's worry about those later after fixing all the problems I can see (there are a bunch).

    Question: Do you use C:\Program Files\Messenger\msmsgs.exe
    That's Windows Messenger. It's not the same thing as MSN Messenger. If you do not use it, try running this: Uninstall Messenger

    That may take care of some of those inbound items.
     
  13. rgkleidman

    rgkleidman Private E-2

    The generic detection tool did not produce a log file that I was able to find. The window opened and shut quite rapidly and I was unable to read the message there.
    Do you want me to re-run the on-line scanners?
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No don't run anything else but what I ask.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\ykqkrq.exe
    C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\system32\vmss\vmss.exe
    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe

    After clicking Fix, exit HJT.

    Now copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixrun.reg. Doubleclick it and grant it permission to merge in the registry entries.
    We have some files that we need to delete using Killbox. Following is a list of files and the how to delete will be explained further down.
    C:\WINDOWS\system32\gpipoi.dll
    C:\WINDOWS\system32\pqxqwx.exe
    C:\WINDOWS\system32\zasabs.dll
    C:\WINDOWS\system32\qvgvbg.dat
    C:\WINDOWS\system32\n20050308.exe
    C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\system32\vmss\vmss.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ynfntf.exe

    and C:\WINDOWS\system32\ykqkrq.exe

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\system32\ykqkrq.exe (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\system32\gpipoi.dll



    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\system32\ykqkrq.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. If you get an error message about "Pending operations", just reboot manually.

    Please note any error messages that you see during reboot and copy down the exact full message if you do get any. This could occur due to us removing this malware as it attempts to reload itself. Post those error messages when you come back to post the logs.

    After reboot:
    1) Run Windows Explorer and delete the below two folders:
    C:\WINDOWS\system32\wsxsvc
    C:\WINDOWS\system32\vmss

    2) Try to run the Generic Tool again (make sure you wait long enough for it to complete). Post the log from the Generic Tool's find.bat program and also post a new HJT log.
     
  15. rgkleidman

    rgkleidman Private E-2

    There were no error messages on the reboot.
    A couple of oddities. I had to reinstall the findit tool. There are two other files that unzip with the .bat file that were no longer present in the folder. After I ran the tool this time the same two files disappeared.

    On boot-up norton auto-protect does not load. I have to do that manually. Does this indicate another problem?
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! All of the fixes did not take. We are going to do some steps over with some slight changes in options on Killbox.

    Now copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixnarrator.reg. Doubleclick it and grant it permission to merge in the registry entries.
    Here are the files that we need to delete using Killbox.
    C:\WINDOWS\system32\gpipoi.dll
    C:\WINDOWS\system32\pqxqwx.exe
    C:\WINDOWS\system32\zasabs.dll
    C:\WINDOWS\system32\qvgvbg.dat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ynfntf.exe

    and C:\WINDOWS\system32\ykqkrq.exe

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Delete on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\system32\ykqkrq.exe (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\system32\gpipoi.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Now, Click the Red X and Yes to the confirmation message.
    3) A message will ask if you want to reboot now – Click NO.
    4) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\system32\ykqkrq.exe into the box. Make sure you still have Delete on Reboot selected. Then click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. If you get an error message about "Pending operations", just reboot manually but tell me if you are getting this message.

    Please note any error messages that you see during reboot and copy down the exact full message if you do get any. This could occur due to us removing this malware as it attempts to reload itself. Post those error messages when you come back to post the logs.
     
  17. rgkleidman

    rgkleidman Private E-2

    There were no messages of any kind during shut down or reboot.
    Although you weren't explicit I assume you wanted the same logs as last time.
     

    Attached Files:

    Last edited: Feb 6, 2005
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looking better!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    After clicking Fix, exit HJT.

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot.

    Post another hopefully final HJT log.
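    The two HijackThis fixes above (the O4 Run entries in post 14 and the O1 Hosts entries in post 18) are the kind of lines a helper scans a log for by eye. As an added example, not part of this thread or of HijackThis itself, the Python script below parses O1 and O4 lines and reports the ones worth a second look: a Hosts entry that points a hostname at anything other than a loopback or unspecified address is a redirect rather than a block, and a Run entry launching from inside system32 that is not a known Windows component deserves review. The sample log is constructed from the entries quoted in this thread plus two benign lines (a ctfmon.exe entry and a quoted Program Files path) added to show what is not flagged; the allow-list and the heuristics are assumptions of this example, not rules from the thread.

```python
import ipaddress
import ntpath
import re

# Constructed sample: the O1/O4 lines quoted in this thread plus two benign
# entries (ctfmon.exe and a quoted Program Files path) that must NOT be flagged.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)

# Assumed allow-list of Windows components that legitimately run from system32.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}


def _exe_path(command: str) -> str:
    """Return the executable part of a Run value (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def analyze_hjt_log(text: str) -> list:
    """Scan HijackThis O1/O4 lines and return a list of review findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip_text, host = m.groups()
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                findings.append({"section": "O1", "line": line,
                                 "reason": f"unparseable address {ip_text!r}"})
                continue
            # Blocking entries map names to 127.0.0.1 / 0.0.0.0; anything else
            # silently redirects the hostname to a third-party server.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append({"section": "O1", "line": line,
                                 "reason": f"hosts file redirects {host} to {ip}"})
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            exe = _exe_path(command)
            base = ntpath.basename(exe).lower()
            # Third-party software normally starts from Program Files; a Run
            # entry launching an unknown binary from system32 is worth checking.
            if SYSTEM32_RE.search(exe) and base not in KNOWN_SYSTEM32_RUN:
                findings.append({"section": "O4", "line": line,
                                 "reason": f"{hive} value [{name}] launches {exe} from system32"})
    return findings


if __name__ == "__main__":
    for f in analyze_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f['section']}: {f['reason']}")
```

    Run as-is, the script lists the three 69.20.16.183 redirects and the three system32 Run entries and stays quiet about the localhost, ctfmon.exe and Program Files lines. The system32 rule is deliberately a review heuristic rather than a verdict: it raises what a helper should look at, and the allow-list has to grow with whatever legitimate system32 entries a given machine carries.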
     
  19. rgkleidman

    rgkleidman Private E-2

    Two oddities: there was no Desktop.ini file. I did empty the recycle bin shortly before I started the procedure and I purged the Norton protected files this morning.
    Norton Auto-Protect still does not load on boot-up
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is now clean. Check your options for the AutoProtect and see if it has a setting wrong. I do see it being loaded in the O4 section of your log but it does not seem to be running.
     
  21. rgkleidman

    rgkleidman Private E-2

    Thanks again for your help Dr C.

    Auto protect does seem to be set correctly. There is one account where it does not load but it seems to on the others. I know the account where it does not load has in the past not been an administrative account but it is now.

    Some other questions:
    What do I do next?

    Your preventing malware infections posting lists some free anti-virus softwares. Should I chuck Norton and go with one of those?

    Do I need an additional firewall? My router has a firewall and I use the windows default firewall. With these two in place I did a Nessus scan of my IP address and it wasn't able to see very much. I used to use Zone Alarm. The free version would eventually lock up and be a real pain to remove.

    You told me not to use selective start-up. There are several pieces of software that don't come with options in their own preferences to prevent them from loading: quicktime, roxio, windows messenger, and one more I can't remember now. What is the correct way to keep them from loading? Is there a way to get rid of windows messenger?

    Every once in a while I write articles for a local community magazine for people who are new to the world of computers. Ironically, I just completed one on spyware. I plugged your site. If you'd like I can upload you a copy.

    I am a minor geek. I do some simple windows administration at work and I know more than the average bear. How do I start to learn to become a major geek like you guys? I would like to understand the tools you used to clean my machine and I would like to be able to help others like you guys helped me out.

    Last but not least is there some way to make a donation to the site?
     
  22. Blaine

    Blaine Private E-2

    You can support the site by clicking the ad banners from time to time that are on the site... I think there is a donate option somewhere but I can't find it anymore, pretty sure I used it once in the past although I might be wrong.
    You can remove messenger, there is a post in the software forum about it. I'd paste the link but can't figure out how to set my mozilla config options to do so hehe. Just use the search button up above next to new posts and search "messenger remove" and you'll find it. I don't know the answer to the rest of your questions but I'd love to know how these guys become the major geeks they are... I'm more of a gee, almost to a minor geek I think lol.

    Anyhow, hope that helps you out a bit with two questions.

    Blaine
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you like Norton and feel comfortable with it and most important have a paid subscription where you get constant updates, then you can keep it. If you do not get updates then you need to subscribe or uninstall and use one of the other free AV's I list.

    Yes you need to use a software firewall in addition to your router's but the one in Windows is not very good. Disable the one in Windows and try Sygate's.

    The item from Quicktime never needs to be loaded. You can just have HJT fix that entry and it will no longer load at Startup. That does not stop Quicktime from working.

    What items from Roxio don't you want to load? Do you ever need them?

    Do you use Windows Messenger? Most people never use it and you can uninstall it if you do not. Uninstall Messenger

    Yes! Post it! Is it in file you can attach, like a Word Document?

    Lots of reading and studying to do. There are lots of aspects to know about your PC, not just malware. Read the Software, Hardware, Networking, and Spyware Forum threads. Search the internet. Ask questions and take notes. Save good links for reference.

    You can buy a Majorgeek's t-shirt and send your friends here.
     
    Last edited: Feb 8, 2005
  24. rgkleidman

    rgkleidman Private E-2

    I will follow your other suggestions on firewalls etc.

    What I meant by what do I do next was should I run spybot, ad-aware, and pest patrol followed by any scanners. Or am I more or less clean and just need to do regular updating and sweeping.

    A t-shirt purchase will be coming soon. My wife the meteorologist wants one too but we may give it to the teen we helped raise who drives around looking for unsecured networks that he can secure for a modest fee. I have already sent others to the site and with the boss's approval will be sending around a note to my co-workers to check the preventing infection posting.

    Thanks again Dr. C and you too Blaine.

    O.K. I'm uploading the article. It was written for an audience containing a fair proportion of people who might be technophobes (the Orthodox Jewish community of Baltimore). This might also account for some references that don't make sense. Better to blame this than my poor writing style. My first article was about filtering internet access for families. Speaking of which do you know of any way to password protect the ability to boot into safe mode?

    Last but not least I love your signature file Dr. C and have started spreading the joke around although I will not steal it as my own signature file.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm happy to see you are writing something to help others avoid some of the problems related to malware.

    Some comments on your article. Take it as constructive/educational criticism.
    Not always! And not always very clear about what they will be doing. They really try to hide it from you in many cases.

    Plug Majorgeeks from now on. We have all the downloads available and we verify that they are clean and worth using unlike many other sites.

    It's Ad-Aware SE. Ad-Aware is old and not what you want.

    Technically that is not completely true. Their emphasis is virus/trojan but they do detect various forms of spyware. You can even see it in the names they give to some items. They even precede it with Adware.xxxxx (where xxxxx is the name of the spyware).

    One item you should have mentioned that is even more important than spyware blockers or scanners is a firewall. No PC should be connected to the Internet without one.

    Good job! Keep educating the novices and maybe we will have a fighting chance.
     
