
October 7th, 2005 02:00

Help! Its got me again! New Log!

I've tried everything. Please help!

Logfile of HijackThis v1.99.1
Scan saved at 9:59:04 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\addqy32.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\ahead\InCD\InCD.exe
D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\Steam\Steam.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\system32\mfcej.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5C2E18F0-2AB9-3C5E-B1E9-BD7910F26E87} - D:\WINDOWS\addsi32.dll
O2 - BHO: Class - {797F33D0-1204-41CA-1A3E-630AC5EC5FB7} - D:\WINDOWS\system32\sdkxb32.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - D:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [d3hm32.exe] D:\WINDOWS\system32\d3hm32.exe
O4 - HKLM\..\Run: [netzq32.exe] D:\WINDOWS\system32\netzq32.exe
O4 - HKLM\..\Run: [mfcej.exe] D:\WINDOWS\system32\mfcej.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
 


October 7th, 2005 06:00

What you have is a variant of the 'coolwwwsearch' Trojan, a particularly nasty and ingenious spyware/virus from a group in the former USSR. It is a spyware program that actively disables your anti-spyware programs, thus it could be labeled a virus.

What that means is that when you open Spybot Search & Destroy, this trojan automatically adds itself to the list of 'safe programs to ignore', and therefore Spybot or any other program has a tough time identifying its existence.

Luckily, there is a program designed specifically to attack coolwwwsearch, also called Cassandra, whenusearch, wintools, spywareout and about 40 other names. The program was just purchased by Trend Micro (makers of Panda Anti-virus) and is available here. It is called CWShredder and there is no installation; you only need to unzip and run. The file is an .exe file, so your other anti-virus or anti-spyware may identify it as malicious, so disable or exit all such programs when you download and run it. I would recommend downloading the file to your desktop and then disconnecting from the internet completely (i.e. unplug the Ethernet cable from the computer), then extract and run. The link is the newest version, so an update is not needed. From the menu choose 'repair'. If you know how to boot up into safe mode it will work better. Then rerun HJT and post a new log. The R1 items of the log are the identifiable coolsearch entries, but this program creates random files and folders to rebury itself when attempts to clean are detected. Once coolsearch gets an upper hand, HJT or Spybot can be used to finish the job.

One last item of note is that coolsearch works as a portal for various other viruses and spyware, which, depending on how long you have had it, may require additional procedures. If you have another computer to access this forum and can keep the infected one offline completely, the process will be easier since coolsearch can't reinstall from the web. If not, only stay on the net for as long as you need to and then unplug that network cable again. This puppy is a masterful job of disguising itself as real Windows programs. Yeah, you got the king of all malicious software.


October 7th, 2005 14:00

Hi madcow22...
 
My name is dobhar and I will be going through your log for you. No offense to ramsj900 (he is recommending a great tool), but CWShredder is not the only thing needed to clean this up. Give me some time to go through the log and I will post back some fixes for you to go through. We will clean this up! :)
 
Thanks,

Message Edited by dobhar on 10-07-2005 10:13 AM


October 7th, 2005 18:00

Thanks! I've only had it for two days now and I'm already fed up with it, so I hope it's not too bad. Keep checking my log for me and let me know!

Message Edited by madcow22 on 10-07-2005 02:35 PM


October 8th, 2005 00:00

Hi madcow22...

Let's get to it... :)

________________________________________________________

Please print out or copy these instructions\tutorials to Notepad, as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
________________________________________________________

Step 1.
==========

- Create a folder called Antispyware on your C: Drive
- Download the following tools but do not run until asked
1. Download HSFix.zip from http://users.telenet.be/marcvn/regfiles/HSfix.zip. Extract\Unzip it into its own folder under C:\Antispyware. Call the new folder HSFix.
2. Download About:Buster5 from http://downloads.malwareremoval.com/AboutBuster5.zip. Extract\Unzip it into its own folder under C:\Antispyware. Call the new folder AboutBuster. Check for updates.
3. Download Trend Micro's CWShredder from http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe. Extract\Unzip it into its own folder under C:\Antispyware. Call the new folder C:\CWS.

Step 2.
==========

Please download and install CCleaner from http://www.ccleaner.com/download123.asp
(Note: DO NOT run this program yet)

Step 3.
==========

Please download Ewido Security Suite from http://www.ewido.net/en/download/. It is a free version of the program.
- Install Ewido
- When installing the program, under "Additional Options" uncheck...
* Install background guard
* Install scan via context menu
- Launch ewido; there should now be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you MAY get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files:
* On the left hand side of the main screen click "Update".
* Then click on "Start Update".
- The update will start and a progress bar will show the updates being installed. (Note: the status bar at the bottom will display "Update successful")
- Close Ewido Security Suite

(Note: If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/)


Step 4.
==========

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup instructions => http://rstones12.geekstogo.com/adawareSE_setup.htm
(Note: Please do NOT run it yet!)

Step 5.
==========

- Disconnect from the internet for the duration of this fix <<<= Very Important
- Reboot the computer into "Safe Mode" using the F8 method:
- As soon as the BIOS is loaded, begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - http://www.pchell.com/support/safemode.shtml)

Step 6.
==========

We need to make sure all Hidden Files are showing, so please:
* Open "My Computer", then click on "Tools" and from the drop down menu select "Folder Options".
* Select the "View" tab.
* Under the "Hidden files and folders" heading SELECT "Show hidden files and folders".
* UNCHECK the "Hide file extensions for known types" option.
* UNCHECK the "Hide protected operating system files (recommended)" option.
* Click "Yes" to confirm.
* Click "OK"

Step 7.
==========

- Navigate to C:\Antispyware\HSFix folder
- Double-click on the HSfix.reg
- Grant it permission to MERGE into the registry items

Step 8.
==========

- Navigate to C:\Antispyware\CWS folder
- Double-click on CWShredder.exe to start it
- Click the "Fix ->" button
- You will be prompted that CWShredder will shut down any Internet Explorer and Windows Media Player windows. Click "OK" to continue
- Let it run completely to delete anything it finds
- After its scan, click "Next", then "Exit"

Step 9.
==========

Delete the following file(s) only. (Note: Don't be concerned if you can't find a file, but advise if it is not found)
File(s)...
D:\WINDOWS\addsi32.dll <<<= Delete This File
D:\WINDOWS\System32\tfjgq.dll <<<= Delete This File
D:\WINDOWS\System32\sdkxb32.dll <<<= Delete This File
D:\WINDOWS\System32\d3hm32.exe <<<= Delete This File
D:\WINDOWS\System32\netzq32.exe <<<= Delete This File
D:\WINDOWS\System32\mfcej.exe <<<= Delete This File

Step 10.
==========

- Close all Windows and programs
- Run HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5C2E18F0-2AB9-3C5E-B1E9-BD7910F26E87} - D:\WINDOWS\addsi32.dll
O2 - BHO: Class - {797F33D0-1204-41CA-1A3E-630AC5EC5FB7} - D:\WINDOWS\system32\sdkxb32.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - D:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [d3hm32.exe] D:\WINDOWS\system32\d3hm32.exe
O4 - HKLM\..\Run: [netzq32.exe] D:\WINDOWS\system32\netzq32.exe
O4 - HKLM\..\Run: [mfcej.exe] D:\WINDOWS\system32\mfcej.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe


- Click the "Fix checked" button...

Step 11.
==========

We now need to clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- Click on the Run Cleaner button in the lower right-hand corner
- After it completes, close the program
- Make sure the Recycle Bin is empty

Step 12.
==========

- Browse to the C:\Antispyware\AboutBuster folder
- Double-click on AboutBuster.exe to start it
- Click Begin Removal to allow AboutBuster to scan
- When it has finished, AboutBuster will open a "Scan Completed" window. Click OK
- Another information window will open. Click on Exit
- AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Step 13.
==========

- Start Ad-aware SE 1.06 and do a full scan
- Remove all it finds

Step 14.
==========

- Start Ewido Security Suite
- Click on "Scanner". (Note: Do not start any programs or open any windows while Ewido is scanning)
- Click on "Complete System Scan"; the scan will now begin.
- While the scan is in progress you will be prompted to clean files; click "OK".
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose "Clean" and click "OK".
- Once the scan has completed, there will be a button located at the bottom of the screen named "Save Report".
- Click "Save Report".
- Now save the report .txt file to your desktop.
- Close Ewido Security Suite

Step 15.
==========

- Reboot your computer back into "Normal Mode" and re-connect your internet connection
- Post back a fresh new HijackThis log
- Post back the Ewido scan log
- Post back results of CWShredder scan
- Post back the About:Buster log
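The selection in Step 10 follows a few recognisable shapes in a HijackThis v1.99 log: R0/R1 values pointing at a `res://` resource inside a local DLL or at `about:blank`, a missing URLSearchHook, O2 BHOs with no product name, a toolbar whose file is gone, O4 Run entries named after a random-looking binary in system32, and an O16 download point that serves a bare .exe. The script below is an added example, not code from the thread or from the HijackThis project: it parses a constructed subset of the log posted above and reports which entries those heuristics would tick for "Fix checked", so the reasoning behind the list can be checked against a fresh log.

```python
import re

# Constructed sample: ten of the HijackThis lines quoted in the thread, benign and
# hijacked entries mixed, so the selection logic can be seen at work.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\tfjgq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5C2E18F0-2AB9-3C5E-B1E9-BD7910F26E87} - D:\WINDOWS\addsi32.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - D:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mfcej.exe] D:\WINDOWS\system32\mfcej.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")  # HJT section code, then the entry body

def suspicious(kind, body):
    # Reason string if the entry matches one of the CWS patterns fixed in Step 10, else None.
    if kind in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].lower()
        if value.startswith("res://"):
            return "IE search/start page redirected into a local DLL resource"
        if value == "about:blank":
            return "IE default page forced to about:blank (About:Buster target)"
    if kind == "R3" and body.endswith("is missing"):
        return "default URLSearchHook removed by the hijacker"
    if kind == "O2":
        m = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", body)
        if m and m.group(1).strip() == "Class":  # no product name at all
            return "anonymous BHO loaded from " + m.group(2)
    if kind == "O3" and body.endswith("(file missing)"):
        return "dead toolbar registration (adware remnant)"
    if kind == "O4":
        # Run value whose label is just the file name of a binary in system32
        m = re.match(r'.*\[([^\]]+)\]\s+"?(.*?\.exe)', body, re.IGNORECASE)
        if m and "system32" in m.group(2).lower() and m.group(1).lower() == m.group(2).rsplit("\\", 1)[-1].lower():
            return "Run entry named after a random-looking system32 binary"
    if kind == "O16":
        m = re.search(r"(https?://\S+)$", body)
        if m and m.group(1).lower().endswith(".exe"):
            return "ActiveX download point delivers a bare .exe, not a signed .cab"
    return None

def triage(log_text):
    # (line, reason) for every entry a helper would tick in HijackThis' "Fix checked" list
    hits = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY.match(line)
        reason = suspicious(m.group(1), m.group(2)) if m else None
        if reason:
            hits.append((line, reason))
    return hits
```

Running `triage(SAMPLE_LOG)` flags seven of the ten sample lines and leaves the Acrobat BHO, the ATI Run entry and the Windows Genuine Advantage download alone; the heuristics are a reading aid, not a replacement for checking each file by hand.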


October 14th, 2005 18:00

Hey there! Sorry I haven't been around, just been so busy with work and school. Anyways, I tried your steps over the weekend and it seems to have worked clearing up CWS. It's been almost a week and I haven't had any more problems, so I'm a happy camper.

I also wanted to thank you for helping me out. I really appreciate it A LOT! I've posted at other forums too and they were no help at all; they didn't even reply to my threads.

If I need anything else, I'll be sure to check with you guys first!


October 14th, 2005 18:00

Hi...

It has been 7 days since I last heard from you. I will be monitoring this thread for another 7 days. If unanswered at the end of those 7 days I will be considering this topic closed and will not be monitoring it for replies.

Thank You,


October 14th, 2005 18:00

Hi madcow...

Thanks for replying back. Do you want to give me a fresh new HJT log to look at so we can make sure everything is good to go? There could be some clean up to do...

- Post back a fresh new HijackThis log
- Post back the Ewido scan log
- Post back results of CWShredder scan
- Post back the About:Buster log


Thanks, :)

Message Edited by dobhar on 10-14-2005 02:57 PM


October 21st, 2005 05:00

This thread is now considered complete, therefore I have stopped monitoring it for replies. If you require more help, please start a new thread and a volunteer like myself will help you.

Thank You and Surf Safely... :)
