Wilders Security Forums  

#1 blueberry (Infrequent Poster), November 10th, 2003, 02:00 PM
Can someone read my log and advise?

Apparently I have been hijacked with the "cool-search" junk. If anyone can have a look at my log and advise me what to delete I would appreciate it. I already went through it once and took out all the obvious references to cool-search, but the following day it all came back. Any help would be appreciated. Here is my log:

Logfile of HijackThis v1.97.3
Scan saved at 11:35:54 AM, on 11/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\Program Files\Software by Design\Calendar.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\AtomTime\ATOMTIME.EXE
C:\Program Files\TIME\TIME.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\CPal\CPal.exe
C:\WINDOWS\Utils\Zoomer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Local Settings\Temp\Temporary Directory 3 for hijackthis_temp.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage.co
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-search.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-search.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage.co
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage.co
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://cool-homepage.co
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-search.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msfeme.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Cookie Pal] "C:\Program Files\CPal\CPBrWtch.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Shortcut to ATOMTIME.EXE.lnk = C:\Program Files\AtomTime\ATOMTIME.EXE
O4 - Startup: Shortcut to TIME.EXE.lnk = C:\Program Files\TIME\TIME.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {87BF5318-D5F0-41F4-9D14-47967FA8C12B} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.4416319444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks!
#2 Pieter_Arntz (Spyware Veteran, Netherlands), November 10th, 2003, 02:32 PM
Re: Can someone read my log and advise?

Hi blueberry,

Welcome to Wilders.

Could you please mail C:\WINDOWS\msfeme.dll to the address in my profile?

Then check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage.co
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-search.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-search.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage.co
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://cool-homepage.co
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://cool-homepage.co

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-search.net/

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msfeme.dll

Then reboot.

Regards,

Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
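
Added example (not part of either post, and not HijackThis's own code): a small Python triage of HijackThis entries that reports R0/R1 registry values pointing at hosts the reader names and unnamed BHOs whose file sits directly in the Windows directory. The two rules and the names `parse`, `triage`, `suspect_hosts` and `windows_dir` are assumptions made for illustration; the sample lines are copied from the log in post #1.

```python
import re

# A subset of the entries in the HijackThis log from post #1, copied as posted.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cool-homepage.co
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-search.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msfeme.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "R1 - ...", "O16 - ..."
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
URL_HOST = re.compile(r"^https?://([^/;:\s]+)", re.I)


def parse(log):
    """Yield (code, body) per entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log, suspect_hosts, windows_dir=r"C:\WINDOWS"):
    """Return findings as tuples; both rules are illustrative assumptions."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1"):
            # Rule 1: an IE start/search value whose URL host is on the suspect list.
            m = REG_VALUE.match(body)
            host = URL_HOST.match(m.group("data")) if m else None
            if host and host.group(1).lower() in suspect_hosts:
                findings.append((code, m.group("name"), host.group(1).lower()))
        elif code == "O2":
            # Rule 2: a BHO with no display name, stored directly in windows_dir.
            m = BHO.match(body)
            if m and m.group("name") == "(no name)":
                folder = m.group("path").rpartition("\\")[0]
                if folder.lower() == windows_dir.lower():
                    findings.append((code, m.group("clsid"), m.group("path")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"cool-search.net", "cool-homepage.co"}):
        print(finding)
```

On the sample, the unnamed Acrobat helper under Program Files and the `ProxyOverride` value are left alone, which matches the set of items selected for fixing in post #2.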
 

All times are GMT -5.