Hijacked browser unable to remove coolwwwsearch

Discussion in 'Malware Help (A Specialist Will Reply)' started by power88, Aug 2, 2004.

  1. power88

    power88 Private E-2

    Hi there, I'm having a lot of problems here. Hopefully someone can help. OK, my browser got hijacked and I have run Spybot, Ad-aware, CWShredder, CCleaner, FINDnFIX, HijackThis, and AboutBuster. These two files still come back as soon as you delete them: Q38ZLFT25F.exe and 73YRG0079D.dll. Spybot and Ad-aware find these files and claim to delete them, but they keep reappearing. I have tried deleting these two files in safe mode and no luck. Please help.
    I'm running WinXP Home with SP1. I can post whatever log file you need. Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What OS? If WinMe or Xp, have you disabled system restore?
    If WinXP, have you deleted files from c:\windows\Prefetch?

    Edit: Oops! I just noticed you said WinXP SP1.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried doing all your scans in safe mode too? Also try Ad-aware fullscan.

    If that does not help, post a HijackThis log as an attachment. Get new HijackThis here.
     
  4. power88

    power88 Private E-2

    I have done a full scan with all the programs I named in the previous post in safe mode. It will detect the files that are causing the problem and remove them, but as soon as they are deleted from any of the programs that found them, it seems like the file is regenerating itself.
     


  5. power88

    power88 Private E-2

    I have even pulled the hard drive from this system and placed it into another and deleted the two files, yet when I put the hard drive back into its original system and booted, the same two files came back. I went and tried to do a selective startup and uncheck the q38zlft25f.exe file, reboot, and again the file is back and under the selective startup the box is checked again. I have disabled system restore and did everything in steps one through 5.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow directions. I told you to download the NEW HijackThis. You did not. Also, I really don't think you did the Ad-aware scan with fullscan provisioned. This does not mean do a full scan of your computer; it means configure Ad-aware according to the settings in the link I gave and then run it. Why did you ignore those two links?

    Also, is your HijackThis log from a normal boot or from safe mode? It seems like some information is missing from it. I do see your problem, but some info I would expect seems to be missing. Get the new HijackThis program and this time put it in its own directory. It's a bad idea to run it from a temp folder or from the desktop. Here is where you have it now:
    C:\Documents and Settings\Charles E Hundley\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    An example of a better place would be c:\Program Files\SpywareTools
    But you can call it what you want. Just do not run it from where you have it. You could lose backup info when temp folders get cleaned. With a name like I suggested you can put similar programs there too (like CWShredder etc).

    So after getting the NEW HJT, ignore the link that tells you to shut down all applications for the moment (I need to see everything right now) and give me a new complete log while booted in normal mode.

    The lines we will need to work on are:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
    O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\System32\73yrg0079d.dll
    O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [7rokxi27em] C:\WINDOWS\q38zlft25f.exe
    O4 - Global Startup: winlogin.exe
    O20 - AppInit_DLLs: mydocs.tlb

    BE VERY CAREFUL!!! The O4 line above says winlogin.exe. It is bad. DO NOT confuse it with winlogon.exe, which is good (part of Windows). This winlogin.exe can be a pain to get rid of. Before continuing I really need to see your new full HJT log so I can see where this winlogin.exe file is running from. I would guess it is somewhere under c:\documents and settings. Do not fix anything yet until I get a new log and get back to you. If the previous log was a full log and was not from safe mode, that's okay too. I really need you to use the new version anyway just to make sure (the old version had a couple of bugs in fixing certain items too).
     
    Last edited: Aug 2, 2004
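
An added example, not part of the thread and not HijackThis's own code: a small Python triage of the HijackThis lines quoted in the post above, which surfaces the IE search/start page redirects, the unnamed BHO, the non-empty AppInit_DLLs value, and the `winlogin.exe` name that sits one character away from the legitimate `winlogon.exe`. The function names, the `SYSTEM_NAMES` list and the edit-distance threshold are assumptions made for this sketch, and the heuristics cover only those entry types.

```python
import re
from urllib.parse import urlparse

# Sample input: the ten HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\System32\73yrg0079d.dll
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [7rokxi27em] C:\WINDOWS\q38zlft25f.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: mydocs.tlb
"""

# Assumption: a short list of real Windows process names to compare against.
SYSTEM_NAMES = ("winlogon.exe", "svchost.exe", "explorer.exe",
                "lsass.exe", "services.exe", "csrss.exe")

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")


def levenshtein(a, b):
    """Classic edit distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(exe_name, max_distance=2):
    """Return the system process name that exe_name imitates, or None."""
    name = exe_name.lower()
    if name in SYSTEM_NAMES:          # the genuine name is not a lookalike
        return None
    for real in SYSTEM_NAMES:
        if levenshtein(name, real) <= max_distance:
            return real
    return None


def review(log_text, expected_hosts=()):
    """Return (section code, finding type, detail) tuples for an analyst."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1"):
            # IE start/search page values: report any host the owner did not set.
            host = urlparse(body.partition(" = ")[2].strip()).hostname
            if host and host not in expected_hosts:
                findings.append((code, "ie-url", host))
        elif code == "O2":
            bho = re.match(r"BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$", body)
            if bho and bho.group(1) == "(no name)":
                findings.append((code, "unnamed-bho", bho.group(3)))
        elif code == "O4":
            entry = re.match(r"(.*?): (?:\[(.*?)\] )?(.*)$", body)
            exe = re.search(r'([^\\/:"\s]+\.exe)', entry.group(3), re.I) if entry else None
            twin = lookalike(exe.group(1)) if exe else None
            if twin:
                findings.append((code, "lookalike", f"{exe.group(1)} ~ {twin}"))
        elif code == "O20":
            # DLLs named in AppInit_DLLs are loaded into every process that
            # loads user32.dll, so any value here deserves a look.
            value = body.partition("AppInit_DLLs:")[2].strip()
            if value:
                findings.append((code, "appinit-dll", value))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="\t")
```
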
  7. power88

    power88 Private E-2

    OK, I have done the full scan with Ad-aware and downloaded the new version of HijackThis. Here is the log file from that. Also, the last HijackThis file was from a normal boot and so is this one. Thanks for your help.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! First some prep work:

    - enable Windows Explorer to view hidden files and folders; while there, also make sure you do not have a check on the item that says "Hide extensions for known file types"

    - how to boot in safe mode (I believe you already know this one though).

    - setup WinXp search to locate hidden/system files: click Start, Search, All Files and folders, select More advanced options. Make sure you have checks on:
    1) Search system folders
    2) Search hidden files and folders
    3) Search subfolders

    Looks like you already fixed the R0 & R1 lines I mentioned before with super-spider.com.
    If they came back, add them to the list below to fix.


    Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\73yrg0079d.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Run HijackThis and put check marks on the following items (DO NOT FIX YET):
    O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\System32\73yrg0079d.dll
    O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [7rokxi27em] C:\WINDOWS\q38zlft25f.exe
    O4 - Global Startup: winlogin.exe
    O19 - User stylesheet: (file missing)
    O20 - AppInit_DLLs: mydocs.tlb

    After checking all the above items, make sure you EXIT (not minimize) all Internet Explorer sessions. Then have HijackThis fix the above items. Now immediately reboot into safe mode. And delete the following (if you cannot find them using Windows Explorer then use the Windows Search option we configured above):
    C:\WINDOWS\System32\73yrg0079d.dll
    C:\windows\system32\image.dll (I'm not sure where it will be. I just guessed.)
    C:\WINDOWS\q38zlft25f.exe
    winlogin.exe (This is typically found someplace under c:\document and settings\username.... where username would be your login id. If you have a problem deleting it, bring up Task Manager by hitting CTRL-ALT-DEL, find winlogin.exe and End the process. Be careful to select winlogin.exe, not winlogon.exe. Then try to delete it. If that does not work, then using Windows Explorer, right click on it, and Move it to your desktop. Do not copy or make a shortcut, Move it. Then try to delete it from your desktop.)
    c:\windows\system32\mydocs.tlb (I'm not sure where it will be. I just guessed.)

    Now reboot in normal mode. And see how things are working. Double check another HijackThis log yourself to make sure the lines have not returned. If it's clean, I would assume we are done. If not clean and still having a problem, post a new HijackThis log.
     
  9. power88

    power88 Private E-2

    OK, I have done all that you said in the previous post. I was unable to delete winlogin.exe. It says that the file is still running and to close it with Task Manager, but when I open Task Manager it only shows winlogon.exe. I did an advanced search through Windows and it did not find winlogin.exe. I have show all hidden and system files checked. Also, I have tried to delete q38zlft25f.exe and 73yrg0079d.dll and they just morph themselves. Here is a new HijackThis log.
     


  10. NeoNemesis

    NeoNemesis Moutharrhea

    Isn't search assistant spyware?

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look to me like you had HijackThis fix those lines that I listed before.
    Did you actually run HijackThis and put a check on each line and then click Fix (after exiting Internet Explorer)?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO! super-spider.com is a problem though. Along with other stuff.
     
  13. power88

    power88 Private E-2

    Yes, like I said, I can use HijackThis 320 times and each time I run it, it will say that it cleans those files and then they just reappear with the same info. I'll do it again and post two different logs on two different scans.
    OK, I scanned twice and both times I got this error:
    Unable to delete the file
    04- global startup winlogin.exe
    file maybe in use, use the task manager to shutdown program and use hijackthis again to delete the file.

    This file is not listed under the Task Manager.
    Oh, and if I do a reboot the superspider search engine will return.

    Here are the two log files.

    Thanks
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't say "scanned" if you mean "fixed"! HijackThis can scan and it can fix. They are not the same thing.

    Edit: Disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668
    this will require a reboot!

    Then do the below.

    Please run these (let me know if they find anything and fix it or cannot fix it):
    http://www.memorywatcher.com/uninst.exe
    http://housecall.trendmicro.com/housecall/start_corp.asp <---- select Auto Clean
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    http://www.bitdefender.com/scan/license.php
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more item bothering me:

    Do you know what this C:\WINDOWS\system32\ssoftsrv.exe application is?
    Try right clicking on the file and select Properties and seeing if there is version and company information like on normal applications.
     
  16. power88

    power88 Private E-2

    OK, I have run all the links that you wanted me to and I got a couple of viruses. I'll post the logs for you to view. The files that these scans said that they could not delete or disinfect, I deleted manually. Oh, and the ssoftsrv.exe is a service application by Cypherix. When I rebooted my system after all the scans, the two same files came back.
     


  17. power88

    power88 Private E-2

    Also, here is a new HijackThis log. It looks like a couple of programs have returned within the scanning or just leaving the PC on since I have been gone.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I have a bunch of things for you to do. And I will be asking for some info below that you need to give me answers to. You are going to have to print or save these instructions locally because I am going to have you boot in safe mode later and also at another point have you physically disconnect your network connection (that is unplug the cable).

    Please verify again for me, is system restore currently disabled? If not, it must be disabled and remain disabled until we get this fixed.

    Verify that all the files indicated in the Panda ActiveScan as being infected were deleted. The same goes for the files that BitDefender found. You should have Norton empty its Quarantine folder. I see no need to keep this bad stuff there. Also make sure that your Recycle bin is empty after deleting any of these bad files. Also, check c:\windows\Prefetch for these files and delete references to them in the Prefetch directory.

    Go to Control Panel, Add/Remove Programs and remove the following if they exist:
    freeserve
    romahere
    matrixhere

    1) go here and download Registrar lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value.


    Boot in safe mode and do the following:

    Run HijackThis and check the following items but do not click Fix until you exit all Internet Explorer sessions:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/hp.htm?id=9
    O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\System32\73yrg0079d.dll
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ubjutl0f33b8s.dll
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKCU\..\Run: [7rokxi27em] C:\WINDOWS\q38zlft25f.exe
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - Global Startup: winlogin.exe
    O20 - AppInit_DLLs: mydocs.tlb

    After fixing the above lines, run Internet Explorer and download and run CCleaner. On the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.

    Let's double check after running Ccleaner and make sure that the following directories (if they exist) have been cleaned up:
    c:\windows\temp
    c:\temp
    c:\documents and settings\username\Local Settings\temp <--- where username represents EACH user account on the PC (that includes Administrator)

    Also do a full drive file search for:

    o1j5tp67sh

    do not include any extension. Let me know all file names and extensions and locations where you get hits. You must make sure you configure Search properly. Click Start, Search, All files and folders, enter the file name in the box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button. Tell me if you find any matches at all and where they are.


    Reboot back in normal mode
    Don't open a browser yet, instead access Network and Internet Connections option via Control Panel, then click Set up or change your Internet Connection
    Under the Programs tab "Reset Web Settings"
    Under the General tab, click Delete files and also delete offline content. While here also reset home page to what you use.

    - Also download and run the file below. It will extract files to a folder c:\findnfix
    http://downloads.subratam.org/FINDnFIX.exe

    Disconnect your network connection now!

    run !log!.bat and it will create a log.txt file (it will also pop up in notepad when done)
    Be patient, it takes a little while for it to scan thru all the files it needs to look for.

    When it is finished, reconnect your network connection and come back here with answers to all my questions
    - Is system restore currently disabled?
    - Were all those bad files deleted by BitDefender and Panda?
    - Did you find any of those programs in Add/Remove Programs?
    - What was in AppInit_DLLs?
    - Did you find any matches to o1j5tp67sh?

    Also post the following as attachments
    - the log.txt file from FINDnFIX
    - a new HijackThis log
     
  19. power88

    power88 Private E-2

    OK, I have done all the scans and double checked and triple checked what you said to do.
    Yes, system restore is currently disabled.
    Yes, all the bad files were deleted by BitDefender and Panda.
    Those programs were not in Add/Remove Programs.
    The value in AppInit_DLLs is mydocs.tlb
    There were no matches for o1j5tp67sh.

    Below are the FINDnFIX log and HijackThis log.

    Also, the two files that keep reappearing are q38zlf25f.exe
    and 73yrg0079d.dll
    Oh, and when I run HijackThis it will not remove the winlogin; it says the file is in use. When I do a system scan for the file I am unable to find that file. Also, under Task Manager it's not there either.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'm working on some more things that we need to do. We are starting to get enough info from the things I had you run. They are uncovering a bunch of hidden baddies.

    I want you to do another full drive file search for:

    mydocs

    do not include any extension. Let me know all file names and extensions and locations where you get hits. You must make sure you configure Search properly. Click Start, Search, All files and folders, enter the file name in the box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button. Tell me if you find any matches at all and where they are.

    Then I want you to Run Registrar lite again but this time do the following:
    - copy the following into the address bar or expand the same key by hand:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    - Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
    - Double Click "AppInit_DLLs" again and clear the data value:
    mydocs.tlb < delete this line , 'Apply' and 'ok' to set.

    - Rename the NotWindows folder back to its original name Windows
    - Restart computer in safe mode
    - This should make the file visible if we could not find it before. So run that search for mydocs.tlb I gave you above again and see what you get now.
    - If you find the mydocs.tlb file, rename it to mydocs.bad
    - Also while in safe mode. Run HijackThis again and have it fix:
    O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\System32\73yrg0079d.dll
    O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [7rokxi27em] C:\WINDOWS\q38zlft25f.exe
    O4 - Global Startup: winlogin.exe <--- *** this will most likely be denied ***

    Now click Start > Run, and enter cmd so you should see a command prompt.

    At the prompt type and enter: cd c:\windows\system32

    Now enter the following commands and keep track of the results for each step and let me know exactly what happens:
    attrib -h -r -s BRIDGE.DLL
    ren BRIDGE.DLL BRIDGE.BAD
    attrib -h -r -s D2KPAX.DLL
    ren D2KPAX.DLL D2KPAX.BAD
    attrib -h -r -s JAC.DLL
    ren JAC.DLL JAC.BAD
    attrib -h -r -s MSXSLAB.DLL
    ren MSXSLAB.DLL MSXSLAB.BAD
    attrib -h -r -s SYSTEM32.DLL
    ren SYSTEM32.DLL SYSTEM32.BAD
    attrib -h -r -s 73yrg0079d.dll
    ren 73yrg0079d.dll 73yrg0079d.bad

    cd c:\windows
    attrib -h -r -s q38zlft25f.exe
    ren q38zlft25f.exe q38zlft25f.bad

    If any of these will not rename look for them in your Process list and end them and then attempt to rename.

    Okay exit the cmd prompt window and Search your PC for:
    regsvr32 /u /s image.dll <----- look to see if you have a file name like this (not regsvr32.exe. That is okay. I'm looking for a filename just like I wrote with spaces and other characters. You may need to do a global search for regsrv32 and see what matches you get and then repeat for image.dll)

    Reboot normal

    Download the VX2 finder, run it and select "click to find abetterinternet". Then select "make log" and copy/paste the log back here as an attachment.
    Also let me know the results of all the above steps.
    Also post another HijackThis attachment and also run FINDnFIX again and attach its log too.
     
  21. power88

    power88 Private E-2

    OK, I have gone over this again and again. First I did a full scan on the hard drive for mydocs and this is what I got:
    MYDOCS c:\windows\i386
    mydocs.dll c:\windows\system32

    That's all.
    Next I ran Registrar Lite, renamed the Windows folder, deleted the value which was mydocs.tlb, and was unable to rename the folder back to Windows.
    I restarted in safe mode and ran a scan and did not find the mydocs.tlb file.
    I ran HijackThis and got rid of the lines mentioned.
    Next I went to the command prompt and did the attrib and ren commands. All were successful but the q38zlft25f.exe and 73yrg0079d.dll morphed themselves back to the original copy.
    I did a scan for image.dll and only pulled it up under my c:\nero
    I downloaded VX2Finder, ran it plus HijackThis and FINDnFIX. Here are the attachments.

    The problem is still in the computer.
     


  22. power88

    power88 Private E-2

    Here is the VX2 log file.
     

    Attached Files: vx2.txt (282 bytes)
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't let it frustrate you. And don't start thinking it is a waste of time to try some of these steps again and again. It is the only way to beat some of these problems. They spawn many files all over the place and have many things running that can cause them to keep coming back. The only way to fix these things is to keep trying until you get all the crap cleaned up. Sometimes multiple runs of doing exactly the same thing over and over again are necessary. You need to realize that you had a load of bad problems (the real sneaky type that hide things real well). You had a load of virus and trojan problems too. We have not been working on only one issue here. Your PC was in worse shape than you thought. All the tools I have you running are finding things that are bad. And there are still bad things in there. That's why you still have the problem. Perseverance and following steps exactly will be the difference in beating these problems. Skipping just one item or not being able to complete a step for whatever reason will allow these problems to show up all over again. This is exactly what happened to you. Your FINDnFIX log and HijackThis log look as though none of the steps I asked you to do before (with all the deletions from the command prompt etc) were done. I'm not saying you did not do them. I'm just saying that they all came back. Most likely due to the last two steps not being completed:

    attrib -h -r -s 73yrg0079d.dll
    ren 73yrg0079d.dll 73yrg0079d.bad

    cd c:\windows
    attrib -h -r -s q38zlft25f.exe
    ren q38zlft25f.exe q38zlft25f.bad

    You said "all were successful but the q38zlft25f.exe and 73yrg0079d.dll morphed themselves back to the original copy." I'm not sure what you mean by this. If they changed to something else, you should have done the same steps on the new filenames (morphed means to change). If they just came back immediately after deleting them, you should have deleted them or renamed them again.

    Did those last two steps work or not? Be clear on explaining exactly what happened. Were the commands accepted? Did you check to see if the renamed files were really there?
    Did you have a problem with the attrib command or the ren command on either of those files? If so, did you do what I asked,
    "If any of these will not rename look for them in your Process list and end them and then attempt to rename."

    Also the mydocs.tlb file still appears to be in AppInit_DLLs. Check it to see if it is there. As I said, one step not being completed made the rest useless. We must get those two other strangely named files deleted.

    So respond to some of my questions here and be ready to start again.

    VX2finder found some additional bad items that are complicating matters. So before continuing with anything else do the following (do the steps exactly as written do not ignore or skip any steps):

    - download ProcessExplorer from here: http://www.sysinternals.com/files/procexpnt.zip
    and unzip it to a directory where you can find it easily later. Do not run yet.
    - Run Ad-aware, don't scan, just make sure you have Ad-aware (current version 6.0 Personal Build 6.181) installed
    - make sure you have the new updated reference list (01R335 04.08.2004)
    If you don't know how to verify this, click on the "i" icon on the top right to get build info. The reference file is right on the startup screen (or click on "Details" too).
    - Close Ad-Aware 6 build 181 (and Ad-Watch if you have it)
    - Download the VX2 Cleaner plugin for Ad-aware here
    - Install the VX2 Cleaner (the instructions to download it and run it are on the download page. Make note of them now but do not run yet.)
    - Read/Print instructions for doing a fullscan with Ad-aware:
    http://www.lavahelp.net/howto/fullscan/index.html
    - Disconnect your cables for internet access
    - Start Ad-Aware 6 build 181
    - Go to "Plug-ins"
    - Select the VX2 Cleaner plug-in and click "Run Plugin"
    - Select "Clean system"
    - Reboot your computer
    - Scan your computer with Ad-Aware - use fullscan
    - Remove any VX2 objects detected
    - Reboot your computer again
    - Run a second scan with both the VX2 Cleaner and the Ad-aware fullscan to make sure the files have been removed from your computer (if they find any more, reboot and do it again until....etc until they come up clean).
    - Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button.
    - Then click make log.

    Post the VX2Finder log back here as an attachment.
    Now run ProcessExplorer and click on File and then Save As. And save the process list. Post it back here as an attachment.
    From now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.
     
    Last edited: Aug 4, 2004
  24. Dr. Woodz

    Dr. Woodz Private E-2

    You know, some of these things are such that it almost seems easier to just go ahead and wipe the hd clean (format) and start over...at least that's what I went ahead and did, at least you're sure you're rid of the problem whatever it is and all you have to focus on is rebuilding your system... it's good for the machine anyway, and runs like magic when you're through


    ----and skip IE when you're ready to connect to the net!!!!!!!!!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. That may be true. But if the user had no capability to back up their own data, this may not be an option. Also, if they have many applications to re-install, and parameters to tweak to get things set back the way they had them before, it can also be a time-consuming job too. And for some users, they cannot even perform a re-install by themselves. And with the PC down, they cannot get online help. For these users, they would need to bring the PC somewhere and pay for all the work to be performed. Still takes time and costs money.

    Then after doing that, they will still not have learned anything about trying to keep their PCs secure from any of the possible forms of malware that exist (and there are a bunch of them). They would wind up in the same boat again. Yes, not using IE can help since some other browsers may have fewer security issues, but they are not perfect either. And some users are required to use IE in some instances (due to work or other application related restrictions).

    So there are pros and cons for each method of trying to resolve the issues.
     
  26. Dr. Woodz

    Dr. Woodz Private E-2

    Yes, the cons are definitely there for that approach... I got lucky, I had files backed up, and had a second PC with which to make a boot disk, get info online and other stuff... it takes time and swearing to get it all back again, but I felt like it was worth it and think that it should be mentioned just in case some people have a case of terminal adware affliction and it's not the office machine..
     
  27. Dr. Woodz

    Dr. Woodz Private E-2

    ...and, I thought I'd mention (heh), I had what looked like suspicious programs load themselves into my other PC, while using IE for info as I was busy fixing the main one...... so it looks like I'm going to be doing the hunt and kill on the other one but I don't think it's severe enough to require a reformat like the main machine..
     
