Coolsearcher Problems

Discussion in 'adware, spyware & hijack cleaning' started by Martin Green, Apr 27, 2004.

Thread Status:
Not open for further replies.
  1. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    I am an inexperienced user and have had problems with Coolsearcher etc. stealing my home page and other viruses that came with it. I have managed to clear the viruses but have been left with other problems. I have found some bits and pieces which were created at the time the virus attacked and would like to know what to do.
    The rogue bits and pieces are:
    wpa.dbl in windows\system32
    wapisvtr in the same location
    wmplayer.exe.tmp in program files\media player
    collected_data 8097 and 8107, both in pchealth\healthctr
    Any suggestions gratefully accepted.

    I downloaded HijackThis and CWShredder this morning and followed the instructions; the scan file is attached.

    I thank you for your help

    Martin

    Logfile of HijackThis v1.97.7
    Scan saved at 09:57:30, on 27/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Utils\Fix-It\mxtask.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Tiscali\tkonnect\tkonnect.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\Documents and Settings\Martin\Application Data\hshe.exe
    C:\WINDOWS\System32\wapisvtr.exe
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Intuit\QuickBooks Pro 2001\Components\QBAgent\qbdagent2001.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\Utils\Fix-It\mxtask.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\OffGuard.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
    O4 - HKCU\..\Run: [Wrbc] C:\Documents and Settings\Martin\Application Data\hshe.exe
    O4 - HKCU\..\Run: [WTST] C:\WINDOWS\System32\wapisvtr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro 2001\Components\QBAgent\qbdagent2001.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37751.6568981481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
     

    Last edited by a moderator: Apr 27, 2004
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Martin Green,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe

    O4 - HKCU\..\Run: [Wrbc] C:\Documents and Settings\Martin\Application Data\hshe.exe
    O4 - HKCU\..\Run: [WTST] C:\WINDOWS\System32\wapisvtr.exe

    Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\System32\services\wmplayer.exe
    C:\Documents and Settings\Martin\Application Data\hshe.exe
    C:\WINDOWS\System32\wapisvtr.exe
    C:\program files\media player\ <-- entire folder

    Reboot.

    In windows explorer, see if you have any files in this folder C:\WINDOWS\System32\services\ and post the list here.
    Also try your windows media player and see if it works.
    Post the above info along with a new HJT log.

    Regards,
    Kent
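The fix list above singles out autostart entries by where they point: a win.ini run= line, a System32 subfolder named like a system binary (services\), and an executable under a user's Application Data. As an added example that is not from this thread and not part of HijackThis, here is a small Python triage script that encodes those three checks and cross-references the running-process section; its input is a constructed subset of the log posted above, and the function names are my own.

```python
import re

# Constructed sample: a subset of the HijackThis 1.97.7 log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\Documents and Settings\Martin\Application Data\hshe.exe

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKCU\..\Run: [Wrbc] C:\Documents and Settings\Martin\Application Data\hshe.exe
"""

# First drive-letter path ending in .exe on a line; HijackThis does not always quote paths.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)
# A *folder* named after one of these (System32\services\) is the disguise used in the log.
SYSTEM_BINARY_NAMES = {"services", "svchost", "lsass", "winlogon", "smss"}

def parse_sections(log_text):
    """Split the log into lowercased running-process paths and item lines (O4, F1, R1...)."""
    running, items = [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if re.match(r"[A-Za-z]:\\", line):        # bare path: "Running processes" section
            running.append(line.lower())
        elif re.match(r"[A-Z]\d+ - ", line):      # HijackThis item such as O4 or F1
            items.append(line)
    return running, items

def suspicious_reasons(item):
    """Heuristics behind the fix list in this thread; an empty list means nothing flagged."""
    if not (match := PATH_RE.search(item)):
        return []
    *folders, _exe = match.group(0).lower().split("\\")
    reasons = ["win.ini run= autostart (legacy, rarely legitimate on XP)"] if item.startswith("F1 - ") else []
    if "application data" in folders and "program files" not in folders:
        reasons.append("autostarts from a user profile's Application Data folder")
    if any(f in SYSTEM_BINARY_NAMES for f in folders):
        reasons.append("lives in a folder named after a system binary")
    return reasons

def triage(log_text):
    """Flag autostart items, noting whether the file also appears as a running process."""
    running, items = parse_sections(log_text)
    findings = []
    for item in items:
        if reasons := suspicious_reasons(item):
            if PATH_RE.search(item).group(0).lower() in running:
                reasons.append("process is currently running")
            findings.append((item, reasons))
    return findings
```

wapisvtr.exe in the posted log shows the limit of path heuristics: a random-named executable sitting directly in System32 is only caught by an analyst who knows the folder or by a signature, which is why the helpers asked for the file list rather than relying on the log alone.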
     
  3. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    Kent,

    I have done everything except delete the file C:\Program Files\Media Player.
    Did you really mean that I should delete C:\Program Files\Windows Media Player completely, as all the stuff in the file is dated years ago? Will you please confirm what I should do.

    I do not have a file C:\Windows\System32\Services - is this OK?

    I do have 2 files in the System32 file dated after the infection; they are Pav.Sig (6848 KB, SIG file) and WPA.DBL (3 KB, DBL file) - are these OK?

    Attached is the latest Hijackthis Scanlog.

    Thanks

    Martin
     

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Martin,

    C:\WINDOWS\System32\services\wmplayer.exe <= that is the one you need to remove

    Regards,

    Pieter
     
  5. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    Pieter,

    Thanks for the reply - I do not have a Windows\System32\Services file; is this OK or do I have another problem?

    Martin
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    As some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".
     
  7. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    Derek,

    Thanks have done as suggested - What next?

    Martin
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That allows you to look for and find the services folder, which is normally hidden, and fix it as described above.

    Then post a new log so we can check.
     
  9. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    Derek,

    I have checked and do not have a C:\WINDOWS\System32\Services folder. I do have a Services.exe application and another 2 services files in the System32 location. Does that give me any problems other than those I am experiencing at the moment?

    I have attached the latest HJT scanlog.

    Thank you for your help; I am extremely grateful.

    Martin

    Logfile of HijackThis v1.97.7
    Scan saved at 20:18:10, on 30/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Utils\Fix-It\mxtask.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Tiscali\tkonnect\tkonnect.exe
    C:\Utils\Fix-It\mxtask.exe
    C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Intuit\QuickBooks Pro 2001\Components\QBAgent\qbdagent2001.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\OffGuard.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
    O4 - HKLM\..\RunOnce: [washindex] C:\Utils\Washer\washidx.exe "Martin"
    O4 - HKCU\..\RunOnce: [washindex] C:\Utils\Washer\washidx.exe "Martin"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro 2001\Components\QBAgent\qbdagent2001.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37751.6568981481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
     

    Last edited by a moderator: Apr 30, 2004
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    There are various services files in system32 that are legitimate.

    If the folder has gone then it looks like CWShredder removed it for you.

    Have all the problems gone now?
     
  11. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    Derek,

    I do not appear to have any problems - other than some corrupt files when running antivirus scan (Kaspersky).

    As I am a total novice about computers - only being a user, I do not know when things are working correctly or not - so any assistance is gratefully received.

    So please accept my thanks for all your help over these last few days.

    I would like to make a donation so if you want it or you want to name some charity for lost computer souls like me let me know.

    Thanks

    Martin

    P.S. I will pass details of your organisation to all my friends who like me are ignorant of the inner workings of the magic box.
     
  12. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    Re: Coolsearcher Problems & Associated

    Anyone,

    Can you please explain what collecteddata_****.xml files are in the
    C:\WINDOWS\PcHealth\HelpCtr\DataCollection directory?

    I am getting paranoid as every time I run my antivirus update and scanner I keep getting new virus descriptions which cannot be disinfected only deleted.

    The latest 3 today are Trojan.win32.Scapur and
    Trojan Downloader Win32.Krepper.b, and just while I was typing this another popped up: Worm Win32.Sasser.a

    Please can anyone advise

    Thanks

    Martin
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    The times that viruses could be cleaned out of files has passed down memory lane mostly. Delete is the appropriate course of action.

    Regards,

    Pieter
     
  14. Martin Green

    Martin Green Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    8
    Pieter,

    Done - Thanks for your help

    Martin
     