
Hijack severe problem

Discussion in 'Virus & Other Malware Removal' started by softmedia, Sep 22, 2004.

Thread Status:
Not open for further replies.
  1. softmedia

    softmedia Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    3
    Hi Everyone

    In the last 4 days I have been fighting a hijack that I got from a link in a porn site :confused:.

    I ran CWS, Ad-Aware, Spybot, Norton, GIANT and other stuff that I found.

    I really don't know what to do anymore. It looks like I am cleaning it up, but it comes back again after restarting.

    The problem is that it changes my URL in the browser to coolsearch.biz and starts to download some exe files to my computer, like silent.exe and from here http://69.50.188.54/1/gdnNL208.exe. Please, please help me.

    Here is the log from HijackThis:
    Logfile of HijackThis v1.97.7
    Scan saved at 02:03:56, on 23/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\system32\golumm\services.exe
    C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\m\Desktop\CWShredde1r.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\GIANT Company Software\GIANT AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\m\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [SpeedOptimizer] C:\PROGRA~1\SPEEDO~1\SPO.EXE -s
    O4 - HKLM\..\Run: [golumm] C:\WINDOWS\system32\golumm\services.exe
    O4 - HKLM\..\Run: [gcasServ] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
    O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\system32\golumm\services.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: v2cab - http://1231.searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27E576D3-500F-4A4E-B124-EFE01505BBAE}: NameServer = 192.116.202.222 192.116.192.9
    O17 - HKLM\System\CS1\Services\Tcpip\..\{27E576D3-500F-4A4E-B124-EFE01505BBAE}: NameServer = 192.116.202.222 192.116.192.9

    Thanks and hope to hear from you soon

    SoftMedia
     
  2. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    You may want to print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Please close all browsers and windows and have HijackThis fix these entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [golumm] C:\WINDOWS\system32\golumm\services.exe
    O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\system32\golumm\services.exe
    O16 - DPF: v2cab - http://1231.searchmiracle.com/cab/v2cab.cab

    Reconfigure Windows XP to show hidden files:
    Click Start. Open My Computer.
    Select the Tools menu and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    To get back to normal mode just restart the computer as you normally would.

    Please delete these folders using Windows Explorer (if present):

    C:\WINDOWS\system32\golumm

    Now you can restart the computer normally.
    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)
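The entries LineOFire picked out above follow a pattern a helper applies by eye: a start page on an unknown host, a missing URLSearchHook, a toolbar with no file behind it, two Run keys pointing at a copy of `services.exe` living in a subfolder of system32, and an ActiveX download from a site nobody asked for. The script below is an added example, not part of this thread and not HijackThis's own logic; it applies those heuristics to log lines so the same triage can be repeated on a fresh log. The allow lists (`TRUSTED_HOME_HOSTS`, `TRUSTED_DPF_HOSTS`) and the list of system binary names are assumptions, and the sample log is an excerpt constructed from the first log in this thread.

```python
"""Triage a HijackThis log the way a forum helper does: flag entries that look
like hijacker persistence.  Added example, not from the thread or from
HijackThis; the allow lists and heuristics are assumptions chosen to match
the entries the helper asked to have fixed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allow lists: hosts a home page or an ActiveX download may legitimately use.
TRUSTED_HOME_HOSTS = {"www.google.com", "www.msn.com"}
TRUSTED_DPF_HOSTS = {"security.symantec.com", "download.macromedia.com",
                     "windowsupdate.microsoft.com"}
# Core Windows binary names and the only directories they should be launched from.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                       "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
EXE_RE = re.compile(r'[a-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)

# Constructed sample: hijacker lines from the poster's first log plus benign
# entries (Norton, ccApp, Flash) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [golumm] C:\WINDOWS\system32\golumm\services.exe
O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\system32\golumm\services.exe
O16 - DPF: v2cab - http://1231.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the offending log line (or the executable path)


def _host(url):
    return urlparse(url).hostname or ""


def _misplaced_system_binary(path):
    """True if a core-binary file name runs from anywhere but its system directory."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS


def triage(log_text):
    """Return the entries a helper would list for fixing, in log order."""
    findings = []
    autorun_names = {}   # lowercased exe path -> autorun value names that launch it
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # headers, process list, blank lines
        sec, body, line = m.group("sec"), m.group("body"), raw.strip()
        url = URL_RE.search(body)
        if sec in ("R0", "R1") and url and _host(url.group()) not in TRUSTED_HOME_HOSTS:
            findings.append(Finding(sec, f"start/search page set to untrusted host {_host(url.group())}", line))
        elif sec == "R3" and "is missing" in body:
            findings.append(Finding(sec, "default URLSearchHook has been removed", line))
        elif sec in ("O2", "O3") and "(no file)" in body:
            findings.append(Finding(sec, "orphaned BHO/toolbar registration, file no longer exists", line))
        elif sec == "O4":
            exe = EXE_RE.search(body)
            name = re.search(r"\[([^\]]+)\]", body)
            if exe:
                autorun_names.setdefault(exe.group().lower(), []).append(name.group(1) if name else "?")
                if _misplaced_system_binary(exe.group()):
                    findings.append(Finding(sec, "system binary name launched from a non-system directory", line))
        elif sec == "O16" and url and _host(url.group()) not in TRUSTED_DPF_HOSTS:
            findings.append(Finding(sec, f"ActiveX download from untrusted host {_host(url.group())}", line))
    # One executable registered under several autorun names is itself a signal:
    # the hijacker here used both an HKLM and an HKCU Run key for the same file.
    for path, names in autorun_names.items():
        if len(names) > 1:
            findings.append(Finding("O4", f"same executable registered under {len(names)} autorun names ({', '.join(names)})", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run on the constructed sample it reports exactly the seven things the helper acted on: the coolsearch.biz start page, the missing search hook, the orphaned toolbar, both `golumm\services.exe` Run keys (once each for the misplaced system name, once for being registered twice), and the searchmiracle.com cab, while leaving the Norton, ccApp and Macromedia entries alone. The O17 NameServer lines are deliberately not scored; as in the thread, those need to be compared against the ISP's real resolvers rather than a static list.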
     
  3. softmedia

    softmedia Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    3
    Hi LineOFire

    Thanks for replying so quickly

    I did what you said and this is the log after the fix:

    Logfile of HijackThis v1.97.7
    Scan saved at 08:06:10, on 23/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\m\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [SpeedOptimizer] C:\PROGRA~1\SPEEDO~1\SPO.EXE -s
    O4 - HKLM\..\Run: [gcasServ] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
    O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27E576D3-500F-4A4E-B124-EFE01505BBAE}: NameServer = 192.116.202.222 192.116.192.9
    O17 - HKLM\System\CS1\Services\Tcpip\..\{27E576D3-500F-4A4E-B124-EFE01505BBAE}: NameServer = 192.116.202.222 192.116.192.9

    Can you tell me if this is over and how I can prevent it from coming back again?

    Thanks a lot
     
  4. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    It looks to be over unless you are having any specific problems.

    Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    To protect yourself further:
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
    I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
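The MVPS Hosts file tip works because the resolver consults the hosts file before DNS, so any name listed there is answered locally and the browser never reaches the ad or hijacker server. The script below is an added example, not from the thread or from MVPS; it parses a hosts file the way Windows does (comments, tabs, inline comments, case-insensitive names), answers whether a given name is sinkholed, and builds new block entries. The sample hosts excerpt is constructed, using the hosts from this thread's logs. It also shows the caveat that matters in practice: hosts entries are exact matches, so blocking `www.coolsearch.biz` does nothing for `coolsearch.biz` or any other subdomain.

```python
"""Hosts-file sinkholing as used by the MVPS Hosts file.  Added example, not
from the thread or from MVPS; SAMPLE_HOSTS is a constructed excerpt."""

# Addresses that mean "this host goes nowhere".  MVPS later switched from
# 127.0.0.1 to 0.0.0.0 so that blocked requests are not sent to a local web server.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed excerpt in MVPS style: comments, tabs, inline comments, mixed case.
SAMPLE_HOSTS = """
# constructed excerpt in MVPS hosts-file style (not the real MVPS file)
127.0.0.1   localhost
127.0.0.1\twww.coolsearch.biz   # hijacker start page from the first log
0.0.0.0     1231.searchmiracle.com
127.0.0.1   Download.OverPro.com
"""


def parse_hosts(text):
    """Map lowercased hostname -> address for every active mapping.

    Assumption: the first entry for a name is authoritative (duplicates are
    resolver-specific, so a sane hosts file should not contain them).
    """
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        address, *names = line.split()        # any run of spaces/tabs separates fields
        for name in names:
            mappings.setdefault(name.lower(), address)
    return mappings


def lookup(mappings, hostname):
    """Address the hosts file would return for hostname, or None if it falls through to DNS."""
    return mappings.get(hostname.lower().rstrip("."))


def is_sinkholed(mappings, hostname):
    return lookup(mappings, hostname) in SINK_ADDRESSES


def uncovered(mappings, hostnames):
    """Names that would still resolve normally: hosts files match exactly, no wildcards."""
    return [h for h in hostnames if not is_sinkholed(mappings, h)]


def build_block_entries(hostnames, sink="0.0.0.0"):
    """Render de-duplicated, lowercased block lines ready to append to a hosts file."""
    return "\n".join(f"{sink} {h}" for h in sorted({h.lower().rstrip(".") for h in hostnames}))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("www.coolsearch.biz", "coolsearch.biz", "1231.searchmiracle.com"):
        print(f"{name:28} sinkholed={is_sinkholed(table, name)}")
    print(build_block_entries(["coolsearch.biz", "search.coolsearch.biz"]))
```

Two points worth noticing. First, `coolsearch.biz` without the `www.` is not covered by the sample file even though `www.coolsearch.biz` is; a hosts file has to list every variant, which is why the MVPS file is so long. Second, redirecting to 127.0.0.1 sends the blocked request to whatever listens on the local machine: this poster's process list includes `inetinfo.exe` (IIS), so on that machine 127.0.0.1 entries would hand every blocked ad request to the local web server, whereas 0.0.0.0 simply fails the connection.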
     
  5. softmedia

    softmedia Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    3
    Thanks a lot, I will do what you have recommended. It looks like all the worms are gone and I am cured.

    Well, you are the best doctor :)
     
Short URL to this thread: https://techguy.org/277019
