Have been hijacked by Coolsearch

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Zoe Cantre, Oct 5, 2004.

  1. Zoe Cantre

    Zoe Cantre Private E-2

    Hi Guys,

    This has been going on for a few weeks already. I get a message that says: already running!!! and it disconnects my browser (Mozilla). As well, my IE browser has been hijacked by Coolsearch, causing annoying popups. Please help (I have run Spybot, Adware, blaster, CWS but none work).

    Regards
    Zoe


    Attached Files: hjt.txt (4.8 KB)
    Last edited by a moderator: Oct 5, 2004
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is the last step and we have rules about how and when to post a log.

    Please follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    NOTE: You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message. To do this, save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close them before running HijackThis!


    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT

    For your particular problem, this will not totally resolve your problem, but it will get rid of any other problems lurking in the background, which could make getting rid of your hijacker easier.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These programs should not be running when you use HijackThis:

    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\ABC\abc.exe <----- do you know what this is????
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Virus\about\AboutBuster\AboutBuster.exe
    C:\Program Files\Internet Explorer\iexplore.exe


    Also do you know what this is?
    C:\WINDOWS\system32\golumm\services.exe
    Looks suspicious.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay to continue with fixing your problem (and I am assuming that your file names in a HijackThis log have not changed), do the following.

    Make sure viewing of hidden files is enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    C:\Documents and Settings\Owner\xexx.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {101C5631-168A-4140-A00A-8A51EA441BA9} - C:\WINDOWS\system32\gecp.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O18 - Filter: text/html - {0A1B7367-1B10-427C-992E-4221974A6A5C} - C:\WINDOWS\system32\gecp.dll
    O18 - Filter: text/plain - {0A1B7367-1B10-427C-992E-4221974A6A5C} - C:\WINDOWS\system32\gecp.dll

    Use Windows Explorer to locate and delete:
    C:\WINDOWS\system32\gecp.dll <----- WE MUST FIND AND DELETE THIS
    C:\Documents and Settings\Owner\xexx.exe
    If either of them will not delete, boot in safe mode and try to delete them again.

    Now click Start and select Control Panel, Network and Internet Connections, and then Internet Options. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you are in safe mode because of deleting the files above, reboot in normal mode and post a new HijackThis log as a .txt file attachment. I'm not sure this will get all of the hijacker. There may be other hidden files involved. If it does not work, do the steps below with Registrar Lite.
    1) Go here and download Registrar Lite and install it.
    2) Run it, then copy and paste this line into reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    3) Click the "go" tab.
    4) Find the "AppInit_Dlls" value in the right side panel.
    5) Double-click on AppInit_Dlls and tell me exactly what you see in the Value field.



    I'll hold off on the below until I hear from you on whether you know what golumm\services is. I have a bad feeling about this one.
    C:\WINDOWS\system32\golumm\services.exe
    O4 - HKLM\..\Run: [golumm] C:\WINDOWS\system32\golumm\services.exe
    O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\system32\golumm\services.exe
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Chas,

    Your suspicions are correct:

    http://www.sophos.com/virusinfo/analyses/trojnewifrma.html

    Best,

    PP
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks PP!

    Zoe,

    Add them to the list of things to fix with HJT and to delete in safe mode.
     
  7. Zoe Cantre

    Zoe Cantre Private E-2

    Hi Chaslang,


    I guess the Golumm file will be a problem. It won't let itself be deleted (even in safe mode), nor will the services.exe file (I can see two of them when I press Ctrl-Alt-Del and look at the processes).

    Here's my new log
    Thanx for the help!!
     

    Attached Files: hjt.txt (3.6 KB)
    Last edited by a moderator: Oct 6, 2004
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Zoe,

    You must remember to ATTACH your logs. Do not add them as inline text. See how I changed it.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    C:\WINDOWS\system32\golumm\services.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [golumm] C:\WINDOWS\system32\golumm\services.exe
    O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\system32\golumm\services.exe

    Then boot in safe mode and delete:
    C:\WINDOWS\system32\golumm\services.exe

    If that does not work, repeat all of the steps but do everything while in safe mode.
     
  9. Zoe Cantre

    Zoe Cantre Private E-2

    Hi chaslang,

    Seems this Gollumm thing is more persistent than it looks.

    When I try to shut down services.exe in Ctrl-Alt-Del I get a message that this is a critical system process. Even when starting up in safe mode and deleting the whole folder C:\windows\system32\golumm, the services.exe process is not shut down and reappears on reboot.

    I have shut them down various times with Hijack but they come back every time.

    ?????
    Am awaiting next instructions...
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to end the services.exe process for golumm. The services.exe program for Windows is a required service, but not this one. Download ProcessExplorer and unzip it to a folder. Get it here: ProcessExplorer for Win NT/2K/XP

    Run ProcessExplorer and look for matches to services.exe. There must be more than one. When you see them, select one by right-clicking on it and choose Properties. This will show you the Path, Command line, and Current directory for the file. Find the one that says C:\WINDOWS\system32\golumm\services.exe, and kill it with Process Explorer. Then fix the lines in HJT and then delete the file. As I said before, if you cannot do that in normal boot, try the same from a safe mode boot.
     
  11. Zoe Cantre

    Zoe Cantre Private E-2

    Hi Chas,

    Yesterday late at night I was able to fix it. Have deleted the Golumm folder and processes.

    Thanx
    Z
     
  12. Kodo

    Kodo SNATCHSQUATCH

    Zoe,
    For our records can you tell us if what Chas suggested in his last post was what allowed you to delete it successfully? This will help us in the future.

    Thanks! :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! This is important info for us, Zoe. Also, have you gone through a few reboots, and are it and all other problems still fixed?
     
  14. AJLenfant

    AJLenfant Private E-2

    CAN ANYONE HELP ME GET RID OF COOL WEB SEARCH? CW Shredder says it's deleting the file and then it comes back. HijackThis doesn't work..... I don't have access to the system restore files.... please help
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please start your own thread for your problem. However, your first steps should be to follow this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
     
