[Solved]Coolwebsearch variant. Please help

Discussion in 'adware, spyware & hijack cleaning' started by Spicey25, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. Spicey25

    Spicey25 Registered Member

    Joined:
    May 20, 2004
    Posts:
    8
    Location:
    Bronx, NY
    My Absolute Startup Monitor has detected MSConfig as a dangerous program on my computer. This program has put itself in the startup list and registry. I have scanned my computer with Ad-aware, Spybot and CWShredder. I have also noticed something trying to delete my antivirus programs. My HijackThis log is attached.

    I'm unable to paste the actual log from Absolute Startup. It reads as follows:

    MSConfig: C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    Coolwebsearch parasite related. Note - This is not the valid "MSConfig" entry which can be left over if don't check the box after rebooting windows.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:37:37 AM, on 7/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\TDS3\TDS-3.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\UIEngines\FlashUIEngine\cpskin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCLEAN~4.EXE" -turbo -autostart -NOREBOOT
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Downloads (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1080626940750
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
    O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Coolwebsearch variant. Please help

    Hi Spicy25,

    In this case, it is: "the valid "MSConfig" entry which can be left over if don't check the box after rebooting windows." Are you using a "Selective Startup", and when you rebooted, did the box come up to notify you that you were not using the Normal Startup?

    The CWS variant that uses the msconfig.exe file, the one Absolute Startup Monitor says the file is related to, would be this one: CWS Chronicles CWS.Msconfig

    That msconfig.exe (if present) would be showing in your Running Processes, and the path to it would be C:\Windows\System.

    The MSConfig.exe you are seeing in the O4 line in HijackThis is in the correct location, so it is the legitimate one. :)

    BTW...your log is clean.

    You mentioned something trying to turn off or delete your antivirus programs. I'm not seeing anything in your log that would do that. Could you give me more information about when this is happening, what programs you have running, etc.?

    It may be a case of programs conflicting with each other and nothing more, but to be sure, could you do an on-line virus scan? You can find several to choose from here: Free Services

    Let us know what the scan results are.

    Regards,

    snap

    PS. You may want to email the people who make Absolute Startup Monitor and report that this is a false positive if their program is flagging the legitimate msconfig also.
     
  3. Spicey25

    Spicey25 Registered Member

    Joined:
    May 20, 2004
    Posts:
    8
    Location:
    Bronx, NY
    Re: Coolwebsearch variant. Please help

    Thank you for your quick response.

    Yes, I am using a "Selective Startup", and when I rebooted the box came up to notify me that I was not using the Normal Startup. Is it not OK to use a Selective Startup? I just updated CWShredder today to v1.591 and scanned again. When I rebooted, the MSConfig was not in my startup log anymore. I also updated HijackThis to v1.98 and did another scan, which is attached. I see a couple of .dlls that were not in the other log (apitrap.dll, shdocvw.dll and msjava.dll). I hope these are good DLLs.

    In regards to the something trying to delete my antivirus programs: I was originally deleting a program, which I don't remember what it was, but Spybot popped up and asked if I wanted to delete Norton, Qwik-Fix and ZoneAlarm. I told it no and everything seems to be OK.

    If all is well with my HijackThis log, I will purchase DiamondCS Process Guard so I will stop being so paranoid. Thanks again for your help.

    Logfile of HijackThis v1.98.0
    Scan saved at 1:17:37 AM, on 7/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\TDS3\TDS-3.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.exe
    C:\Program Files\Verizon Online\Verizon Online Control Pad\UIEngines\FlashUIEngine\cpskin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCLEAN~4.EXE" -turbo -autostart -NOREBOOT
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Downloads - {FA89F458-2DF1-494a-A66D-47BF7F04E713} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
    O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04696B8C-EBA8-4AE1-8DDB-9080C588DB9A}: NameServer = 151.202.0.84 151.203.0.84
    O20 - AppInit_DLLs: apitrap.dll
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Coolwebsearch variant. Please help

    Hi Spicy25,

    Your log is clean. :)

    Yes, it is OK to use Selective Startup. I use it myself. It's just that when someone's computer is infected or having problems, they may turn off some startup apps, and then it makes it hard for us to know if they've turned off a bad one and it's still sitting there waiting to be active again. So we like to see everything listed in the startup with a HijackThis log so we can determine whether there is anything bad still sitting there.

    The .dlls you were wondering about are good ones, so you don't have to worry about them. The new version of HijackThis now shows them, whereas it didn't in the earlier versions.

    These are system DLLs and are needed, as they're used by Windows applications:
    C:\WINNT\System32\Shdocvw.dll
    C:\WINNT\System32\msjava.dll

    O20 - AppInit_DLLs: apitrap.dll
    The apitrap.dll file is installed by Symantec's Norton CleanSweep version 4, so it is also a good DLL and needed.

    Regards,

    snap
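The two checks snapdragin applies in this thread, judging an MSConfig autorun by its directory (post 2: legitimate under PCHealth\HelpCtr\Binaries on XP, the CWS.Msconfig copy in C:\Windows\System) and singling out O20 AppInit_DLLs entries for identification (post 4), as an added Python example that is not part of the thread or of HijackThis. The sample log lines are copied from the logs above plus one constructed suspicious O4 line; the System32 location for newer Windows is my own addition.

```python
import re
from dataclasses import dataclass

# Constructed sample (added example, not the thread's own tool): two O4 lines and
# the O20 line from the thread's logs, plus one constructed O4 line placed in the
# directory snapdragin names for the CWS.Msconfig variant.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\System\msconfig.exe /auto
O20 - AppInit_DLLs: apitrap.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# HijackThis prints unquoted paths containing spaces, so split on the first ".exe".
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# Real MSConfig: under PCHealth on XP (this thread), System32 on Vista and later.
# The CWS.Msconfig copy sits in C:\Windows\System (not System32).
LEGIT_MSCONFIG_DIRS = (r"\pchealth\helpctr\binaries", r"\system32")
CWS_MSCONFIG_DIR = r"\system"

@dataclass
class Finding:
    line: str
    verdict: str
    reason: str

def classify_msconfig(exe_path: str) -> tuple[str, str]:
    """Judge an msconfig.exe autorun by its directory, as the thread does."""
    directory, _, base = exe_path.lower().rpartition("\\")
    if base != "msconfig.exe":
        return "info", "not an msconfig entry"
    if directory.endswith(LEGIT_MSCONFIG_DIRS):
        return "ok", "msconfig.exe in a legitimate location"
    if directory.endswith(CWS_MSCONFIG_DIR):
        return "suspicious", "msconfig.exe in the directory used by CWS.Msconfig"
    return "review", "msconfig.exe in an unexpected location"

def audit(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the O4/O20 entries worth a look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            verdict, reason = classify_msconfig(exe["exe"]) if exe else ("review", "unparsable command")
            if verdict != "info":
                findings.append(Finding(line, verdict, reason))
        elif m := O20_RE.match(line):
            # AppInit_DLLs load into every process that uses user32.dll, so each
            # name should be matched to a known product before it is left alone.
            for dll in m["dlls"].split():
                findings.append(Finding(line, "review", f"AppInit_DLLs entry {dll}"))
    return findings
```

Run `audit(SAMPLE_LOG)` on the sample: the XP MSConfig line is rated ok, the constructed C:\WINDOWS\System line suspicious, and apitrap.dll is listed for review, which is exactly the identification snapdragin performs by hand.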
     
  5. Spicey25

    Spicey25 Registered Member

    Joined:
    May 20, 2004
    Posts:
    8
    Location:
    Bronx, NY
    Re: Coolwebsearch variant. Please help

    Snapdragin,

    Thank you so much for your prompt help. I'm very happy to be clean. I will go ahead and purchase Process Guard now.
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Coolwebsearch variant. Please help

    You're very welcome, Spicey25.

    Glad we could help! :)

    Regards,

    snap
     