Spyware Cleaning Section Closed!!

Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1
Hi, I've had this coolwebsearch and clear-search malware on my computer for about 2 weeks now, and I've used spybot, adaware, and cwshredder, all of which removed the malware, but then it kept coming back. I was thinking of reinstalling windows to remove the problem, but that is just too much of a hassle now. I've read the directions for the hijackthis log, and I would greatly appreciate it if somebody could help me out here.

Logfile of HijackThis v1.97.7

Scan saved at 2:57:08 PM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton\navapsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\anvshell.exe
D:\Norton\AdvTools\NPROTECT.EXE
D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alosh\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {778010C4-8F6F-499E-BEF8-87451E898BA8} - C:\WINDOWS\System32\ghap.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton\NavShExt.dll
O2 - BHO: (no name) - {EB383722-C57F-4BC7-904E-0681EA2B2AE3} - C:\WINDOWS\System32\mpemld.dll (file missing)
O2 - BHO: (no name) - {F2CF6320-3E7D-4A15-B155-F410F42130DA} - C:\WINDOWS\System32\ldf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [zSPGuard] d:\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = D:\OfficeXp\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OfficeXp\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...075.6863773148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Please help me out as soon as anybody can. I want to do some important things on my computer and I do not wish to do them while I know there is some type of malware/spyware on my computer that I cannot get rid of by myself. Thanks in advance.
#2
Hi aloshaz,
Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {778010C4-8F6F-499E-BEF8-87451E898BA8} - C:\WINDOWS\System32\ghap.dll (file missing)
O2 - BHO: (no name) - {EB383722-C57F-4BC7-904E-0681EA2B2AE3} - C:\WINDOWS\System32\mpemld.dll (file missing)
O2 - BHO: (no name) - {F2CF6320-3E7D-4A15-B155-F410F42130DA} - C:\WINDOWS\System32\ldf.dll (file missing)

Then download: http://tools.zerosrealm.com/dllfix.exe

Double-click it and install in folder of choice on the root drive, in your case C:\

1. Run start.bat and press option 1. 'output.txt' will be created in the folder (note: it's best to post that report together with a HijackThis log in your topic, so experts can have a look as well)
2. If hidden dll was successfully found, run start.bat again and choose option 2. Hit '1' and enter dll name manually.
3. If dll was not found after first running start.bat: Run start.bat again and choose option '2'. You must reboot after doing so.
4. Download and run AdAware: http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.
5. Ask for a new hijackthis log, a new output.txt after the fix
6. You can also run CWShredder finally to clean up other entries

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
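
As an added example (not part of the original thread and not HijackThis's own code), the Python below parses an excerpt of the log from post #1 and flags the conditions the reply above acts on: the missing URLSearchHook, BHO entries reported as "(file missing)", and HijackThis running from a Temp folder. The function names `parse_entries` and `triage` and the finding labels are illustrative.

```python
import re

# Excerpt of the HijackThis log posted in #1 (entries copied from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Alosh\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {778010C4-8F6F-499E-BEF8-87451E898BA8} - C:\WINDOWS\System32\ghap.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton\NavShExt.dll
O2 - BHO: (no name) - {EB383722-C57F-4BC7-904E-0681EA2B2AE3} - C:\WINDOWS\System32\mpemld.dll (file missing)
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, e.g. "O2 - <detail>"
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*?)( \(file missing\))?$")


def parse_entries(log_text):
    """Return (section, detail) tuples for every 'Xn - ...' line in the log."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]


def triage(log_text):
    """Return findings as (kind, value) tuples for an analyst to review."""
    findings = []
    for line in log_text.splitlines():
        # Backups are written beside HijackThis.exe; in a Temp folder they get lost.
        if line.lower().endswith("hijackthis.exe") and "\\temp\\" in line.lower():
            findings.append(("runs-from-temp", line))
    for section, detail in parse_entries(log_text):
        if section == "R3" and "URLSearchHook is missing" in detail:
            findings.append(("urlsearchhook-missing", detail))
        bho = BHO.match(detail) if section == "O2" else None
        if bho and bho.group(4):
            # HijackThis could not find the registered DLL on disk.
            findings.append(("bho-file-missing", bho.group(2) + " " + bho.group(3)))
    return findings


if __name__ == "__main__":
    for kind, value in triage(SAMPLE_LOG):
        print(f"{kind:24} {value}")
```
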
#3
Hi Pieter,
Thank you so much! I can't thank you enough. I think the trojan/spyware is finally gone, I found the msl.dll file that the dllfix found and deleted it, and now spywareblaster could finally install and now I've got all the protection I need. Thank you for the help, you saved me a good day of work.

Alosh
#4
Excellent work, aloshaz
Glad we could help, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.