Help with coolwwwsearch please??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TexasBlaze, Jan 1, 2005.

  1. TexasBlaze

    TexasBlaze Private E-2

    I've used Spybot, Adaware, and CWShredder to no avail. This thing won't go away, or keeps coming back.

    I've already downloaded the tools I've seen recommended to others but am afraid to proceed on my own. This is the nastiest thing I've ever seen on my computer. Can someone help, please?
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi TB,

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. TexasBlaze

    TexasBlaze Private E-2

    Thanks for the quick response. I'll follow all instructions on the link you provided and post back.

    BTW, I am using WinXP SP2, fully updated. Thanks again. Back shortly.

    Blaze
     
  4. TexasBlaze

    TexasBlaze Private E-2

    I am downloading stuff from the tutorial, some I already had, but I'm seeing that the next step is TWO online virus scans. I'm not trying to be difficult, but I am on an older computer, and a 28.8 connection, which is at an excruciating crawl right now with all of the pop-ups. Can someone tell me if there are similar downloadable virus scanners that I could use instead, or could I run just one of these online ones?

    BTW I am currently using Avast Antivirus and the most current virus definition file (dated 12/31/04).

    I'll continue following the tutorial until I hear something, but I'm hoping for good news... :)
     
  5. TexasBlaze

    TexasBlaze Private E-2

    About the links... I also have had trouble with some of them. I just closed the window and tried again, and it usually worked after the second or third try.
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi TB,

    Please go ahead and submit a HijackThis log as per the info in my last post.

    PP :)
     
  7. TexasBlaze

    TexasBlaze Private E-2

    Thanks for your help PP...

    The HJT log is attached. I finished downloading Trend Micro's engine and am about to start the scan.

    Back soon. :)
     


  8. TexasBlaze

    TexasBlaze Private E-2

    Hmmm... I can't connect to the internet in safe mode with networking... I've never tried to do this before so I don't know that it's related to my problem.

    Running Trend Micro now in normal mode.

    Thanks again.
     
  9. PhilliePhan

    PhilliePhan Guest

    Normal Mode is fine.
    After you're done, please attach a fresh HJT log - Make sure ALL browsers are closed when you scan.

    PP :)
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi TexasBlaze,

    I’ve got to call it a night and crash!! This old dog ain’t as spry as he used to be! I’ll go ahead and give you the next set of instructions, though we may have to remove some items from your HJT Log before proceeding:

    Please download the following tools to deal with your VX2 variant:

    http://www.downloads.subratam.org/DllCompare.exe

    http://www.downloads.subratam.org/VX2Finder.exe

    Generic Detection Tool for Win 2K / XP
    ---> Click "Agree"

    Pocket KillBox


    NOW:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log along with the HijackThis log I requested in my last post.


    THEN, run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Since you may only attach 2 logs, please go ahead and Copy & Paste the Complete log into your post.


    Note that, once you have scanned your machine with these tools, you MUST NOT REBOOT or some of the malware will mutate.

    I will try to check back when time permits – likely Sunday evening. We can knock this out then – If our resident workaholic, Chaslang, can resist the urge to jump into this thread!! ;)

    PP :)
     
  11. TexasBlaze

    TexasBlaze Private E-2

    I fell asleep running the second virus scan last night. It took a few attempts to get rid of a narrator.a trojan... I guess I don't trust using just one virus scanner any more. :rolleyes:

    The HJT log and the FindIt output file are attached. Below is the dll compare log. I'm keeping the machine running until I'm told otherwise. Many, many thanks for your help PP - and anyone else who might jump in! :)

    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM32\dn4m01~1.dll Mon Dec 27 2004 11:39:08p ..S.R 224,886 219.61 K
    C:\WINDOWS\SYSTEM32\dnrm01~1.dll Wed Dec 29 2004 12:04:48a ..S.R 224,614 219.35 K
    C:\WINDOWS\SYSTEM32\enj4l1~1.dll Tue Dec 28 2004 7:22:52a ..S.R 224,423 219.16 K
    C:\WINDOWS\SYSTEM32\g0lmla~1.dll Sat Jan 1 2005 5:32:56p ..S.R 223,708 218.46 K
    C:\WINDOWS\SYSTEM32\gpp8l3~1.dll Tue Dec 28 2004 4:03:58p ..S.R 226,296 220.99 K
    C:\WINDOWS\SYSTEM32\h42o0e~1.dll Mon Dec 27 2004 1:16:00a ..S.R 224,747 219.48 K
    C:\WINDOWS\SYSTEM32\hr6205~1.dll Tue Dec 28 2004 5:40:08p ..S.R 224,688 219.42 K
    C:\WINDOWS\SYSTEM32\jt0q07~1.dll Fri Dec 31 2004 5:55:22a ..S.R 225,748 220.46 K
    C:\WINDOWS\SYSTEM32\jtlm07~1.dll Fri Dec 31 2004 5:50:12p ..S.R 225,378 220.09 K
    C:\WINDOWS\SYSTEM32\jtp407~1.dll Tue Dec 28 2004 1:38:26p ..S.R 224,900 219.63 K
    C:\WINDOWS\SYSTEM32\k2jslc~1.dll Fri Dec 31 2004 6:45:34p ..S.R 225,241 219.96 K
    C:\WINDOWS\SYSTEM32\k4js0e~1.dll Fri Dec 31 2004 5:46:42a ..S.R 225,955 220.66 K
    C:\WINDOWS\SYSTEM32\kidne.dll Tue Dec 28 2004 1:05:56p ..S.R 224,423 219.16 K
    C:\WINDOWS\SYSTEM32\ksdne.dll Wed Dec 29 2004 7:08:30a ..S.R 224,423 219.16 K
    C:\WINDOWS\SYSTEM32\l88mli~1.dll Tue Dec 28 2004 12:51:22p ..S.R 224,423 219.16 K
    C:\WINDOWS\SYSTEM32\m6julg~1.dll Thu Dec 30 2004 7:56:32a ..S.R 222,929 217.70 K
    C:\WINDOWS\SYSTEM32\mv0ul9~1.dll Thu Dec 30 2004 7:03:06p ..S.R 223,841 218.59 K
    C:\WINDOWS\SYSTEM32\mvp6l9~1.dll Thu Dec 30 2004 2:07:46a ..S.R 226,098 220.80 K
    C:\WINDOWS\SYSTEM32\nwrseng.dll Sat Jan 1 2005 12:36:12p ..S.R 223,487 218.25 K
    C:\WINDOWS\SYSTEM32\o2660c~1.dll Tue Dec 28 2004 1:05:56p ..S.R 225,085 219.81 K
    C:\WINDOWS\SYSTEM32\o4ro0e~1.dll Sat Jan 1 2005 3:08:24p ..S.R 222,859 217.63 K
    C:\WINDOWS\SYSTEM32\p86s0i~1.dll Wed Dec 29 2004 8:29:58a ..S.R 224,507 219.24 K
    C:\WINDOWS\SYSTEM32\q2ps0c~1.dll Fri Dec 31 2004 1:20:10a ..S.R 226,013 220.71 K
    C:\WINDOWS\SYSTEM32\q886li~1.dll Wed Dec 29 2004 7:47:32a ..S.R 224,423 219.16 K
    C:\WINDOWS\SYSTEM32\utlmon~1.dll Sat Jan 1 2005 11:05:36a ..S.R 222,859 217.63 K
    C:\WINDOWS\SYSTEM32\wacsapi.dll Thu Dec 30 2004 12:18:46a ..S.R 224,764 219.50 K
    C:\WINDOWS\SYSTEM32\wnv8dmoe.dll Mon Dec 27 2004 12:32:02p ..S.R 224,886 219.61 K
    C:\WINDOWS\SYSTEM32\wpnntbbu.dll Wed Dec 29 2004 11:18:58p ..S.R 224,507 219.24 K
    C:\WINDOWS\SYSTEM32\wrapper.dll Wed Sep 11 1996 1:31:40p ...HR 5,536 5.41 K
    ________________________________________________

    1,466 items found: 1,466 files (29 H/S), 0 directories.
    Total of file sizes: 327,651,099 bytes 312.47 M

    Administrator Account = True

    --------------------End log---------------------
     


  12. TexasBlaze

    TexasBlaze Private E-2

    Is there something else I can be doing while waiting for someone to look at those logs? I started the tutorial yesterday, and here's what I've done so far:

    1. Disable System Restore - DONE
    2. Services mentioned in tutorial were not running
    3. View hidden files/folders, unhide known extension types - DONE
    4. Download tools and install - DONE

    Scanning & Cleaning:
    1. Virus & Trojan scanning - DONE with MicroTrend and Avast
    2. Clean Hard Drive - NOT DONE - should I do this now?
    3. Main Spyware Scan - I've been doing these for several days. The coolwwwsearch always comes back. Also something called AproposMedia.
    4. Secondary Spyware Scan - CWShredder appeared to work, but CWS comes back on reboot. Have installed Kill2me, about:Buster and HSRemove but have not run them.

    In addition, I had re-enabled some startup items that had previously given me trouble, (this was advised in one of the help files or posts I was reading, and makes sense - maybe I can get rid of some older problems while I'm at this).

    Also, since I am not surfing the web anymore, just hanging out here, the pop-ups have slowed to nearly nothing, but they're not gone.
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi TB,

    Am cooking dinner - will run through your logs right after and post soon after that!! :)

    PP
     
  14. TexasBlaze

    TexasBlaze Private E-2

    Thanks PP. You rock. :)
     
  15. PhilliePhan

    PhilliePhan Guest

    Hi TexasBlaze,

    Before we start, it looks like you are running both McAfee and Avast AV at the same time? Or perhaps McAfee was not fully uninstalled?

    Also, If you are able to do this without rebooting your machine, please DISABLE SpybotSD's Tea Timer - It can interfere with some fixes!

    I am going to be trying something a bit different with this fix, so please bear with me!

    We may run into a bit of difficulty with this due to your machine not being as clean as I’d like it to be to start. If that happens, we may have to take a few steps back and start over and go another route. However, in the interest of saving some time. . . Off we go!



    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions.

    This fix will take a couple of steps. I will try to keep it very simple. Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Now, run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\g0lmla311d.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\o4ro0e93eh.dll
    into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\nwrseng.dll
    into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea. . . Please do the same for the following entries:

    utlmon(3).dll
    k2jslc171f.dll
    jtlm0731e.dll
    jt0q07d5e.dll
    k4js0e17eh.dll
    q2ps0c77ef.dll
    mv0ul9d91.dll
    m6julg1916.dll
    mvp6l97s1.dll
    wacsapi.dll
    wpnntbbu.dll
    p86s0ij7e8o.dll
    q886lils18q6.dll
    ksdne.dll
    dnrm0191e.dll
    hr6205joe.dll
    gpp8l37u1.dll
    jtp4077qe.dll
    kidne.dll
    o2660cjsefo60.dll
    l88mlil118q.dll
    enj4l11q1.dll
    dn4m01h1e.dll
    wnv8dmoe.dll
    h42o0ef3eh2.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    NOW, you will be entering more items into KillBox. However, this time just select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\SYSTEM32\pzpuum.exe
    C:\WINDOWS\SYSTEM32\zozppu.dll
    C:\WINDOWS\SYSTEM32\ntdll.dll
    C:\WINDOWS\SYSTEM32\qaquuy.dat
    C:\WINDOWS\SYSTEM32\yiyuuo.exe
    C:\WINDOWS\frsk.exe
    C:\WINDOWS\System32\supporter5.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yuyggp.exe


    When the last item has been entered and you are prompted to reboot, allow KillBox to Reboot your computer.

    Then, please attach a fresh HijackThis Log.

    Run a Fresh Find.bat scan and attach that log.

    Run DLL Compare once more and Copy&Paste that log into your post.


    And. . . We’ll go from there. I’ll try to check back as time permits. As I mentioned at the start, I am going at this a bit differently than normal since we didn't clean other malware first. So, I am keeping my fingers crossed that this first step goes well. Otherwise, we'll have to start at the very beginning!

    Best Luck :)
    PP
     
  16. TexasBlaze

    TexasBlaze Private E-2

    Thanks PP...

    Yes, I tried to uninstall McAfee a long time ago, but never got rid of all of it.

    TeaTimer is not running now. I'll disconnect and follow the steps then be back.

    Thanks again!
     
  17. TexasBlaze

    TexasBlaze Private E-2

    I messed up with Pocket Killbox and somehow skipped over the guard.tmp in the instructions until I had reached the end of the list. I went ahead and added it last, then hit "Yes" to reboot. Instead of rebooting, I got an error that said "PendingFileNameOperations Registry Data has been Removed by External Process!" I manually rebooted ..

    Then I tried to attach the Find-It output, and the file was gone..?? I ran it again and saved the output to two different locations. This time the whole Find-It folder was gone but I was able to attach the second copy that I had saved to the desktop.


    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM32\wrapper.dll Wed Sep 11 1996 1:31:40p ...HR 5,536 5.41 K
    ________________________________________________

    1,465 items found: 1,465 files (1 H/S), 0 directories.
    Total of file sizes: 321,337,980 bytes 306.45 M

    Administrator Account = True

    --------------------End log---------------------
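
Added example, not part of any post in this thread and not code from DLLCompare or its author: a Python script that parses the two DLLCompare logs posted above, picks out the group of near-identical hidden-from-Windows files, and checks which of them are gone in the second run. The line layout is inferred from the posted logs, and the function names, the 5% size band and the minimum group size of three are assumptions made for illustration.

```python
import re
from datetime import datetime
from statistics import median

# Line layout inferred from the DLLCompare 1.0.0.127 logs in this thread (an assumption):
#   <path> <weekday> <month> <day> <year> <h:mm:ss a|p> <5 attribute flags> <bytes> <KB> K
ENTRY = re.compile(
    r"^\s*(?P<path>[A-Za-z]:\\.+?)\s+(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+"
    r"(?P<date>\w{3}\s+\d{1,2}\s+\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]{5})\s+(?P<size>[\d,]+)\s"
)

def parse_log(text):
    """Return one dict per file entry; banner, rule and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            continue
        # The log writes "11:39:08p"; append "m" so %p can read it as AM/PM.
        stamp = datetime.strptime(f"{m['date']} {m['time']}m", "%b %d %Y %I:%M:%S%p")
        entries.append({"path": m["path"], "modified": stamp,
                        "attrs": m["attrs"], "size": int(m["size"].replace(",", ""))})
    return entries

def lookalike_cluster(entries, tolerance=0.05, min_count=3):
    """Entries that share an attribute string and sit within `tolerance` of the
    group's median size. Thresholds are illustrative, not taken from the tool."""
    groups = {}
    for e in entries:
        groups.setdefault(e["attrs"], []).append(e)
    flagged = []
    for group in groups.values():
        if len(group) < min_count:
            continue
        mid = median(e["size"] for e in group)
        near = [e for e in group if abs(e["size"] - mid) <= tolerance * mid]
        if len(near) >= min_count:
            flagged.extend(near)
    return flagged

def compare_runs(before_text, after_text):
    """Split the files flagged in the first log into (removed, still_present)."""
    flagged = lookalike_cluster(parse_log(before_text))
    after = {e["path"].lower() for e in parse_log(after_text)}
    removed = sorted(e["path"] for e in flagged if e["path"].lower() not in after)
    remaining = sorted(e["path"] for e in flagged if e["path"].lower() in after)
    return removed, remaining

# Abridged from the two DLLCompare logs posted in this thread (posts 11 and 17).
BEFORE = r"""
* DLLCompare Log version(1.0.0.127)
C:\WINDOWS\SYSTEM32\dn4m01~1.dll Mon Dec 27 2004 11:39:08p ..S.R 224,886 219.61 K
C:\WINDOWS\SYSTEM32\g0lmla~1.dll Sat Jan 1 2005 5:32:56p ..S.R 223,708 218.46 K
C:\WINDOWS\SYSTEM32\kidne.dll Tue Dec 28 2004 1:05:56p ..S.R 224,423 219.16 K
C:\WINDOWS\SYSTEM32\nwrseng.dll Sat Jan 1 2005 12:36:12p ..S.R 223,487 218.25 K
C:\WINDOWS\SYSTEM32\wrapper.dll Wed Sep 11 1996 1:31:40p ...HR 5,536 5.41 K
1,466 items found: 1,466 files (29 H/S), 0 directories.
"""
AFTER = r"""
* DLLCompare Log version(1.0.0.127)
C:\WINDOWS\SYSTEM32\wrapper.dll Wed Sep 11 1996 1:31:40p ...HR 5,536 5.41 K
1,465 items found: 1,465 files (1 H/S), 0 directories.
"""

if __name__ == "__main__":
    removed, remaining = compare_runs(BEFORE, AFTER)
    print("flagged in first run, absent in second:", *removed, sep="\n  ")
    print("flagged in first run, still present:", *(remaining or ["(none)"]), sep="\n  ")
```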
     


  18. PhilliePhan

    PhilliePhan Guest

    Hi TB,

    Well, we made some progress :cool:

    Suggest you UNINSTALL WildTangent!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\System32\supporter5.exe

    O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe

    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yiyuuo.exe

    O4 - HKCU\..\Run: [5-2-100-174] c:\windows\5-2-100-174.exe -m

    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22f0ef2daabf23ff6d00/netzip/RdxIE601.cab

    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -


    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now:
    Please run PocketKillBox.
    Choose the Delete on Reboot option, but do not allow machine to reboot until I tell you. Just Copy and Paste the following into the box, click the Red X and then NO to Reboot:

    C:\WINDOWS\system32\yiyuuo.exe
    C:\WINDOWS\frsk.exe
    C:\WINDOWS\System32\supporter5.exe



    Now:
    Select the option to Replace on Reboot.
    Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    (NOTE: If KillBox tells you it cannot find a file to remove, please continue on anyway!)

    Then:
    Please download this older version of the Detection Tool and run Find.bat and attach that log! Also attach a fresh HJT Log.

    Old Generic Detection Tool

    I will check back when I get a chance!

    PP :)
     
  19. TexasBlaze

    TexasBlaze Private E-2

    Thanks PP...

    I uninstalled Wild Tangent a long time ago, but portions of it apparently remain... it no longer shows up in the Add/Remove programs.

    Fresh logs attached... I did this from the beginning twice because my computer crashed when I was trying to get the HJT log the first time.

    Thanks again!
     


  20. PhilliePhan

    PhilliePhan Guest

    Hi TB,

    We still need to kill that pesky Guard.tmp
    Keep feeding it to KillBox using Standard File Kill or Delete on Reboot until it is gone! Keep at it until you no longer see it in the system32 folder!

    C:\WINDOWS\System32\guard.tmp

    Also: Is this something you used? C:\editpad\EditPad.exe
    There is a similar CWS related object. If you do not recognize it, DELETE it.

    AnyHoo, once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the User Agent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information in bold print below to Notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg



    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{E087F3EE-40D2-4754-A4C9-3B74F94AADD9}"=-




    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entry into the registry.

    Finally, attach another Find.bat log from the OLD Generic Detection Tool and a Fresh HJT log and we'll finish this up!

    I will try to check back tonight or tomorrow evening! We should just have a bit of minor cleaning left to do.

    PP :)
     
  21. TexasBlaze

    TexasBlaze Private E-2

    PP

    I'll work on guard.tmp now, then follow the rest of your instructions.

    EditPad is a freeware text editor I downloaded from nonags about 2 years ago. I've never noticed any problems with it. If I should take a closer look tho, let me know.

    Thank you again for all your help! :)

    Back later...
     
  22. PhilliePhan

    PhilliePhan Guest

    It is probably OK then ;)
     
  23. TexasBlaze

    TexasBlaze Private E-2

    PP

    KEWL! guard.tmp is gone and didn't come back! :)

    Followed your other instructions and the files are much shorter now! Thank you soooooo much!

    HJT and Find logs attached.
     


  24. PhilliePhan

    PhilliePhan Guest

    Hi TB,

    Looks good!

    Please have HijackThis Fix these lines:

    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -

    O23 - Service: McAfee.com McShield - Unknown - C:\Program Files\mcafee.com\VSO\mcshield.exe

    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

    Make sure all browser windows are closed when you click FIX.


    Might as well remove the McAfee since you are using AVAST:
    C:\Program Files\mcafee.com


    Anyhoo, things should be OK! How are things running?

    PP :)
     
  25. TexasBlaze

    TexasBlaze Private E-2

    Thank You PP!!

    I haven't tried going to Google or Yahoo yet, but I haven't seen a pop-up in quite a while.

    I tried repeatedly but cannot get rid of these entries in HJT:

    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -

    I hope I'm right in assuming the crisis is over but I'd like to know everything is good.

    I'll check in again tomorrow night after work. Thank you again for all of your help.
     
  26. PhilliePhan

    PhilliePhan Guest

    You're Welcome! I'm happy to help :)

    I think you're probably OK now. The new version of HijackThis is really buggy. That may be why you can't remove the O16s.

    Please check out Chaslang's guide to protecting your computer from annoying malware!

    Let me know if you run into further difficulties!

    PP :)
     
  27. TexasBlaze

    TexasBlaze Private E-2

    Hey PP--

    Just wanted to say thanks again. Things seem back to normal, from what I can tell. I don't have much time to do anything during the week tho.

    Those five entries in HJT still aren't gone, but I'm not too worried. I'll give this thing a once-over this weekend just to be sure.

    Thanks again soooooo much! You rock!

    TB
     
  28. PhilliePhan

    PhilliePhan Guest

    Hi TB,

    You're Welcome!

    We are seeing a lot of these infections lately! :rolleyes:

    For those hard to remove entries, try booting to Safe Mode and then fix them with HijackThis and see if that does the trick.

    Let me know how things shake out after the weekend!

    Best :)
    PP
     
  29. Immovable

    Immovable Private E-2

    Looks like I've got exactly the same problem as Texas!
    I've spent hours trying to get rid of it.
    I've got all the tools PP talked about and am ready to go.
    My situation looks easier than Texas, a bit I think.
    Should I attempt it on my own on PP's pattern? or wait for someone to help me?

    Thanks for your help in advance!
    -Immovable
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should start your own thread so your problem can be addressed. No two are typically the same and bad files have to be identified. Begin your own thread but first run the steps in the sticky READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal
     
