
Coolsearcher.net/1.html browser hijack

Discussion in 'Virus & Other Malware Removal' started by Philip Dru, Apr 19, 2004.

  1. Philip Dru

    Philip Dru Thread Starter

    Joined:
    Jan 8, 2004
    Messages:
    11
    Hello,

    Have acquired an unwanted BHO in the form of the 'Coolsearcher' thingy named above. Spyware Guard prevents it from taking over properly but I'm being prompted to re-set my Home Page every minute or two and it's driving me barmy. SpyBot S&D has missed it, and so has my Eset anti-virus programme. No joy from Ad-Aware Pro either. Have cleared my registry of all foreign bodies that I can spot (a good few of these related to coolsearcher). In fact I've done just about everything I can think of to remedy the trouble short of re-installing Windows (I'm on XP Home if that's any use), but I'm a bit of a newbie and nervous of re-installing without help. Can someone point me in the right direction please?

    Philip Dru
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Download and unzip to their own permanent folders both the CoolWebShredder and HijackThis from the site below. Then run the CoolWebShredder, have it "fix" problems and reboot.

    Run HijackThis, do NOT fix anything without instructions, but save the Scanlog and copy/paste that here.


    http://www.spywareinfo.com/~merijn/downloads.html

    I think you may need to run the remover described by this problem first:

    CWShredder or HijackThis closes immediately after opening?

    http://www.safer-networking.org/files/delcwssk.zip
     
  3. Philip Dru

    Philip Dru Thread Starter

    Joined:
    Jan 8, 2004
    Messages:
    11
    To Rollin' Rog: The shredder cured the problem on the first try by removing something called a 'cws.yexe' (whatever that is). Since then no more interruptions. The shredder also diagnosed the probable cause, which struck me as interesting, and advised me to lose Microsoft VM, though when I began I was warned that all manner of disasters would befall me if I went ahead (such as being unable to download files from the net), so I didn't pursue it. SP1 is an alternative but it's cumbersome and would be using a hammer to crack a nut from all I'm told. Anyway your advice worked out very well and I'm really grateful. Many thanks.

    Philip
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Phillip, you should post the HijackThis Scanlog anyway, there may be other issues the CWS doesn't address.

    As for Virtual Machine, go to Start> Run enter command if you have Win98/ME or cmd if XP/2k

    At the command prompt enter:

    jview

    If you do not have version 3810 (command line loader for Java), you either need to get it or get Sun Java.

    Here are MS links that address the "Byte Verifier" trojan:

    http://support.microsoft.com/default.aspx?kbid=828026
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

    http://www.download.windowsupdate.c...l/MSJavWU_8073687b82d41db93f4c2a04af2b34d.exe

    The last is a direct download from Windows Update of the last version of Virtual Machine.
     
  5. Philip Dru

    Philip Dru Thread Starter

    Joined:
    Jan 8, 2004
    Messages:
    11
    Hello RR. Here's the HijackThis logfile you wanted a look at. I'll save the other details of your post, regarding VM, and sort that part out later. If in the meantime there is anything you don't like the look of in the list below I'd be grateful for any additional advice.

    Thanks again
    Philip


    Logfile of HijackThis v1.97.7
    Scan saved at 9:00:23 AM, on 20/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nod32cc.exe
    C:\WINDOWS\System32\nod32m2.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Eset\amon.exe
    C:\Program Files\Eset\pop3scan.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\PROGRA~1\EVIDEN~1\ee.exe
    C:\Documents and Settings\Antony Gibsen\Application Data\tesc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://neoeugenics.home.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    F1 - win.ini: run=C:\WINDOWS\system32\services\wmplayer.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Anonymizer Toolbar - {C14DC52F-B4D9-11D5-B1E6-0050DAD7AF62} - c:\progra~1\Anonymizer\toolbar\AnonymizerBar.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Amon] "C:\Program Files\Eset\amon.exe"
    O4 - HKLM\..\Run: [NOD32POP3] "C:\Program Files\Eset\pop3scan.exe"
    O4 - HKLM\..\Run: [Nod32CC] "C:\WINDOWS\System32\nod32cc.exe" -DONTSHOW
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRA~1\EVIDEN~1\ee.exe /m
    O4 - HKCU\..\Run: [Anti-Keylogger check] C:\Security CD transfers\Anti-Keylogger\AntiKey.exe /checkautorun
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [TickerMyMail] C:\Program Files\TickerMyMail\TickerMyMail.exe
    O4 - HKCU\..\Run: [Oroo] C:\Documents and Settings\Antony Gibsen\Application Data\tesc.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
    O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
    O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
    O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
    O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
    O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: GhostSurf Privacy Center (HKLM)
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://xronik.ud-dial.biz/1/dexGB677.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.6136574074
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The Scanlog looks "almost ok", but here are some items you can check and "fix" for general housecleaning purposes:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    F1 - win.ini: run=C:\WINDOWS\system32\services\wmplayer.exe

    ^^ wmplayer.exe running from that location appears to be malicious; I would check and "fix" the entry, then find all instances of wmplayer.exe. The "legitimate" one should be in the Program Files directory for Windows Media Player. Right click on the one in the "services" folder and select Properties > Version. If it does not have a Microsoft copyright, delete it. Could be a product of the Byte Verifier trojan vulnerability.

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    ^^ Windows puts this in startups after certain types of system errors; it is of use only to professional developers and should be removed.
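The two checks above (a known Windows binary launched from the wrong directory, and the KernelFaultCheck leftover) can be applied mechanically to a HijackThis scanlog. This is an added example, not code from the thread or from HijackThis; the sample log lines are constructed in the format shown above, and the Program Files\Windows Media Player location for the legitimate wmplayer.exe is an assumption for XP.

```python
import re

# Constructed sample in HijackThis log format (F1 and O4 lines like those in the thread).
SAMPLE_LOG = r"""
F1 - win.ini: run=C:\WINDOWS\system32\services\wmplayer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Amon] "C:\Program Files\Eset\amon.exe"
O4 - HKCU\..\Run: [Media] "C:\Program Files\Windows Media Player\wmplayer.exe"
"""

# Executables whose legitimate directory is known (assumed XP path); a copy elsewhere is suspicious.
EXPECTED_HOME = {"wmplayer.exe": r"c:\program files\windows media player"}

# Autorun names that are debugging leftovers rather than user software.
DEBUG_LEFTOVERS = {"kernelfaultcheck"}

# A quoted path, or a bare path starting with a drive letter or %VAR%, ending in .exe.
PATH_RE = re.compile(r'"([^"]+\.exe)"|((?:[a-z]:|%[^%]+%)\\[^"\s]*\.exe)', re.IGNORECASE)
NAME_RE = re.compile(r"\[([^\]]+)\]")


def extract_exe_path(entry):
    """Return the first .exe path in an F1/O4 entry (quoted or bare), or None."""
    m = PATH_RE.search(entry)
    return (m.group(1) or m.group(2)) if m else None


def triage(log_text):
    """Flag F1/O4 entries that run a known binary from the wrong directory or that
    are known debug leftovers. Returns a list of (prefix, detail, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        prefix, _, body = line.partition(" - ")
        if prefix not in ("F1", "O4"):
            continue
        name_m = NAME_RE.search(body)
        if name_m and name_m.group(1).lower() in DEBUG_LEFTOVERS:
            findings.append((prefix, name_m.group(1), "debug leftover; safe to remove"))
            continue
        path = extract_exe_path(body)
        if not path:
            continue
        exe = path.lower().rsplit("\\", 1)[-1]
        home = EXPECTED_HOME.get(exe)
        if home and not path.lower().startswith(home):
            findings.append((prefix, path, exe + " outside its expected directory; "
                             "check Properties > Version for a Microsoft copyright"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The copy of wmplayer.exe under Program Files is left alone; only the one under system32\services and the KernelFaultCheck entry are reported.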
     
  7. Philip Dru

    Philip Dru Thread Starter

    Joined:
    Jan 8, 2004
    Messages:
    11
    Appreciate the assessment. I wondered why Media Player has been pestering for access to the internet every time I start the computer these last few days, so your suspicions could be well founded. I'll get on to it.

    Thanks again

    Philip
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're welcome. I was just noticing today that Merijn, author of the CoolWebShredder, has covered just this issue on this page and includes download links for files which may have been corrupted, including wmplayer:


    http://www.spywareinfo.com/~merijn/winfiles.html
     
  9. Philip Dru

    Philip Dru Thread Starter

    Joined:
    Jan 8, 2004
    Messages:
    11
    Just an update: I've discovered I'm already operating the latest (and apparently last) version of MS VM, so okay on that score. Have installed the Media Player patch you directed me to, but can't seem to find the XP version of the VM patch on the Microsoft website - only the one for Windows 2000. I'll try again later. I'll check the spywareinfo page in the meantime. Sounds like the sort of thing we need to know more about.

    Kind Regards once again

    Philip
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Version 3810 is the last version, so if you have that, you are ok. It is the "patched" version. To verify, just go to start and run cmd then at the prompt enter:

    jview

    You should see the version number of "java" (which is Virtual Machine) at the top.

    You're certainly welcome for the help.
     
Short URL to this thread: https://techguy.org/221875
