Friday
2018-04-16, 09:49
The following instructions have been created to help you to get rid of "Ad.Coopen" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).
Threat Details:
Categories:
adware
Description:
Ad.Coopen is a Chinese advertising application. This adware changes the wallpaper and the screensaver settings. It installs further software e.g. 'PIPI Player' or 'PIPI Game'.
Links (be careful!):
: ttp://www.Coopen.cn
Removal Instructions:
Files:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
The file at "<$DESKTOP>\Coopen.lnk".
The file at "<$PROGRAMFILES>\Coopen\Coopen.exe".
The file at "<$PROGRAMFILES>\Coopen\Coopen.scr".
The file at "<$PROGRAMFILES>\Coopen\CoopenActiveControl93.dll".
The file at "<$PROGRAMFILES>\Coopen\CoopenAir.exe".
The file at "<$PROGRAMFILES>\Coopen\HttpDownloader.exe".
The file at "<$PROGRAMFILES>\Coopen\image\CoopenWallpaper.bmp".
The file at "<$PROGRAMFILES>\Coopen\licence.txt".
The file at "<$PROGRAMFILES>\Coopen\uninst.exe".
The file at "<$QUICKLAUNCH>\Coopen.lnk".
The file at "<$SYSDIR>\Coopen.inf".
The file at "<$SYSDIR>\Coopen.scr".
Make sure you set your file manager to display hidden and system files. If Ad.Coopen uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) 2.x or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Folders:
Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
The directory at "<$PROGRAMFILES>\Coopen\conf".
The directory at "<$PROGRAMFILES>\Coopen\image\Illustrated".
The directory at "<$PROGRAMFILES>\Coopen\image\Photo".
The directory at "<$PROGRAMFILES>\Coopen\image\Share".
The directory at "<$PROGRAMFILES>\Coopen\image".
The directory at "<$PROGRAMFILES>\Coopen\Resource\SkinNormal".
The directory at "<$PROGRAMFILES>\Coopen\Resource".
The directory at "<$PROGRAMFILES>\Coopen".
The directory at "<$PROGRAMS>\Coopen".
Make sure you set your file manager to display hidden and system files. If Ad.Coopen uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!
Registry:
You can use regedit.exe (included in Windows) to locate and delete these registry entries.
A key in HKEY_CLASSES_ROOT\ named "CoopenActiveControl.CoopenControl.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CoopenActiveControl.CoopenControl", plus associated values.
Delete the registry key "{51D33728-411D-423D-B1C3-92717AB6970A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "Coopen.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Remove "<$PROGRAMFILES>\coopen\image\coopenwallpaper.bmp" from registry value "Wallpaper" at "HKEY_CURRENT_USER\Control Panel\Desktop\".
Remove "C:\Program Files\Coopen\Coopen.scr" from registry value "SCRNSAVE.EXE" at "HKEY_CURRENT_USER\Control Panel\Desktop\".
If Ad.Coopen uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Final Words:
If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).
Threat Details:
Categories:
adware
Description:
Ad.Coopen is a Chinese advertising application. This adware changes the wallpaper and the screensaver settings. It installs further software e.g. 'PIPI Player' or 'PIPI Game'.
Links (be careful!):
: ttp://www.Coopen.cn
Removal Instructions:
Files:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
The file at "<$DESKTOP>\Coopen.lnk".
The file at "<$PROGRAMFILES>\Coopen\Coopen.exe".
The file at "<$PROGRAMFILES>\Coopen\Coopen.scr".
The file at "<$PROGRAMFILES>\Coopen\CoopenActiveControl93.dll".
The file at "<$PROGRAMFILES>\Coopen\CoopenAir.exe".
The file at "<$PROGRAMFILES>\Coopen\HttpDownloader.exe".
The file at "<$PROGRAMFILES>\Coopen\image\CoopenWallpaper.bmp".
The file at "<$PROGRAMFILES>\Coopen\licence.txt".
The file at "<$PROGRAMFILES>\Coopen\uninst.exe".
The file at "<$QUICKLAUNCH>\Coopen.lnk".
The file at "<$SYSDIR>\Coopen.inf".
The file at "<$SYSDIR>\Coopen.scr".
Make sure you set your file manager to display hidden and system files. If Ad.Coopen uses rootkit technologies, use the rootkit scanner integrated into Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) 2.x or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Folders:
Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
The directory at "<$PROGRAMFILES>\Coopen\conf".
The directory at "<$PROGRAMFILES>\Coopen\image\Illustrated".
The directory at "<$PROGRAMFILES>\Coopen\image\Photo".
The directory at "<$PROGRAMFILES>\Coopen\image\Share".
The directory at "<$PROGRAMFILES>\Coopen\image".
The directory at "<$PROGRAMFILES>\Coopen\Resource\SkinNormal".
The directory at "<$PROGRAMFILES>\Coopen\Resource".
The directory at "<$PROGRAMFILES>\Coopen".
The directory at "<$PROGRAMS>\Coopen".
Make sure you set your file manager to display hidden and system files. If Ad.Coopen uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!
Registry:
You can use regedit.exe (included in Windows) to locate and delete these registry entries.
A key in HKEY_CLASSES_ROOT\ named "CoopenActiveControl.CoopenControl.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CoopenActiveControl.CoopenControl", plus associated values.
Delete the registry key "{51D33728-411D-423D-B1C3-92717AB6970A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "Coopen.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Remove "<$PROGRAMFILES>\coopen\image\coopenwallpaper.bmp" from registry value "Wallpaper" at "HKEY_CURRENT_USER\Control Panel\Desktop\".
Remove "C:\Program Files\Coopen\Coopen.scr" from registry value "SCRNSAVE.EXE" at "HKEY_CURRENT_USER\Control Panel\Desktop\".
If Ad.Coopen uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Final Words:
If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.