Coolsearcher.net/1.html browser hijack

[Philip Dru]

Hello,

Have acquired an unwanted BHO in the form of the 'Coolsearcher' thingy named above. Spyware Guard prevents it from taking over properly but I'm being prompted to re-set my Home Page every minute or two and its driving me barmy. SpyBot S& D has missed it, and so has my Eset anti-virus programme. No joy from Ad-Aware Pro either. Have cleared my registry of all foreign bodies that I can spot (a good few of these related to coolsearcher). In fact I've done just about everything I can think of to remedy the trouble short of re-installing Windows (I'm on XP Home if that's any use), but I'm a bit of a newby and nervous of re-installing without help. Can someone point me in the right direction please?

Philip Dru

 

[Rollin' Rog]

Download and unzip to their own permanent folders both the CoolWebShredder and HijackThis from the site below. Then run the CoolWebShredder, have it "fix" problems and reboot.

Run HijackThis, do NOT fix anything without instructions, but save the Scanlog and copy/paste that here.


http://www.spywareinfo.com/~merijn/downloads.html

I think you may need to run the remover described by this problem first:

CWShredder or HijackThis closes immediately after opening?

http://www.safer-networking.org/files/delcwssk.zip

 

[Philip Dru]

To Rollin' Rog: The shredder cured the problem on the first try by removing something called a 'cws.yexe' (whatever that is). Since then no more interruptions. The shredder also diagnosed the probable cause, which struck me as interesting, and advised me to lose Microsoft VM, though when I began I was warned that all manner of disasters would befall me if I went ahead (such as being unable to download files from the net), so I didn't pursue it. SP1 is an alternative but it's cumbersome and would be using a hammer to crack a nut from all I'm told. Anyway your advice worked out very well and I'm really grateful. Many thanks.

Philip

 

[Rollin' Rog]

Phillip, you should post the HijackThis Scanlog anyway, there may be other issues the CWS doesn't address.

As for Virtual Machine, go to Start> Run enter command if you have Win98/ME or cmd if XP/2k

At the command prompt enter:

jview

If you do not have version 3810 (command line loader for Java), you either need to get it or get Sun Java.

Here are MS links that address the "Byte Verifier" trojan:

http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

http://www.download.windowsupdate.c...l/MSJavWU_8073687b82d41db93f4c2a04af2b34d.exe

The last is a direct download from Windows Update of the last version of Virtual Machine.

 

[Philip Dru]

Hello RR. Here's the HiJack This logfile youwanted a look at. I'll save the other details of your post, regarding VM, and sort that part out later. If in the meantime there is anything you don't like the look of in the list below I'd be grateful for any additional advice.

Thanks again
Philip


Logfile of HijackThis v1.97.7
Scan saved at 9:00:23 AM, on 20/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nod32cc.exe
C:\WINDOWS\System32\nod32m2.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Eset\amon.exe
C:\Program Files\Eset\pop3scan.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\EVIDEN~1\ee.exe
C:\Documents and Settings\Antony Gibsen\Application Data\tesc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://neoeugenics.home.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
F1 - win.ini: run=C:\WINDOWS\system32\services\wmplayer.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Anonymizer Toolbar - {C14DC52F-B4D9-11D5-B1E6-0050DAD7AF62} - c:\progra~1\Anonymizer\toolbar\AnonymizerBar.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Amon] "C:\Program Files\Eset\amon.exe"
O4 - HKLM\..\Run: [NOD32POP3] "C:\Program Files\Eset\pop3scan.exe"
O4 - HKLM\..\Run: [Nod32CC] "C:\WINDOWS\System32\nod32cc.exe" -DONTSHOW
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRA~1\EVIDEN~1\ee.exe /m
O4 - HKCU\..\Run: [Anti-Keylogger check] C:\Security CD transfers\Anti-Keylogger\AntiKey.exe /checkautorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TickerMyMail] C:\Program Files\TickerMyMail\TickerMyMail.exe
O4 - HKCU\..\Run: [Oroo] C:\Documents and Settings\Antony Gibsen\Application Data\tesc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://xronik.ud-dial.biz/1/dexGB677.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.6136574074
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

 

[Rollin' Rog]

The Scanlog looks "almost ok", but here are some items you can check and "fix" for general housecleaning purposes:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
F1 - win.ini: run=C:\WINDOWS\system32\services\wmplayer.exe

^^ wmplayer.exe running from that location appears to be malicious; I would check and "fix" the entry, then find all instances of wmplayer.exe. The "legitimate" one should be in the Program Files directory for Windows Media Player. Right click on the one in the "services" folder and select Properties > Version. If it does not have a Microsoft copyright, delete it. Could be a product of the Byte Verifier trojan vulnerability.

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

^^ Windows puts this in startups after certain types of system errors; it is of use only to professional developers and should be removed.

 

[Philip Dru]

Appreciate the assessment. I wondered why media player has been pestering for access to the internet every time I start the computer this last few days, so your suspicions could be well founded. I'll get on to it.

Thanks again

Philip

 

[Rollin' Rog]

You're welcome, I was just noticing today that Merijn, author of the CoolWebShredder has covered just this issue on this page and includes download links for files which may have been corrupted, including wmplayer


http://www.spywareinfo.com/~merijn/winfiles.html

 

[Philip Dru]

Just an update: I've discovered I'm all ready operating the latest (and apparently last) version of MS VM, so okay on that score. Have installed the Media Player patch you directed me to, but can't seem to find the XP version of the VM patch on the Microsoft website - only the one for Windows 2000. I'll try again later. I'll check the spywareinfo page in the meantime. Sounds like the sort of thing we need to know more about.

Kind Regards once again

Philip

 

[Rollin' Rog]

Version 3810 is the last version, so if you have that, you are ok. It is the "patched" version. To verify, just go to start and run cmd then at the prompt enter:

jview

you should see the version number of "java" (which is Virtual Machine) at the top.

You're certainly welcome for the help.