Hijack this log, please help!!!

Discussion in 'adware, spyware & hijack cleaning' started by aloshaz, May 29, 2004.

Thread Status:
Not open for further replies.
  1. aloshaz

    aloshaz Registered Member

    Joined:
    May 29, 2004
    Posts:
    2
    Hi, I've had this coolwebsearch and clear-search malware on my computer for about 2 weeks now, and I've used spybot, adaware, and cwshredder, all of which removed the malware, but then it kept coming back. I was thinking of reinstalling windows to remove the problem, but that is just too much of a hassle now. I've read the directions for the hijackthis log, and I would greatly appreciate it if somebody could help me out here.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:57:08 PM, on 5/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\Norton\navapsvc.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\anvshell.exe
    D:\Norton\AdvTools\NPROTECT.EXE
    D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Alosh\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {778010C4-8F6F-499E-BEF8-87451E898BA8} - C:\WINDOWS\System32\ghap.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton\NavShExt.dll
    O2 - BHO: (no name) - {EB383722-C57F-4BC7-904E-0681EA2B2AE3} - C:\WINDOWS\System32\mpemld.dll (file missing)
    O2 - BHO: (no name) - {F2CF6320-3E7D-4A15-B155-F410F42130DA} - C:\WINDOWS\System32\ldf.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\Norton\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [zSPGuard] d:\spguard\spguard.exe /s /r
    O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = D:\OfficeXp\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OfficeXp\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38075.6863773148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Please help me out as soon as anybody can. I want to do some important things on my computer and I do not wish to do them while I know there is some type of malware/spyware on my computer that I cannot get rid of by myself. Thanks in advance.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi aloshaz,

    Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {778010C4-8F6F-499E-BEF8-87451E898BA8} - C:\WINDOWS\System32\ghap.dll (file missing)

    O2 - BHO: (no name) - {EB383722-C57F-4BC7-904E-0681EA2B2AE3} - C:\WINDOWS\System32\mpemld.dll (file missing)
    O2 - BHO: (no name) - {F2CF6320-3E7D-4A15-B155-F410F42130DA} - C:\WINDOWS\System32\ldf.dll (file missing)

    Then download:
    http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install in folder of choice on the root drive, in your case C:\

    1. Run start.bat and press option 1. 'output.txt' will be created in the folder

    (note : it's best to post that report together with a HijackThis log in your topic, so experts can have a look as well)

    2. If hidden dll was successfully found, run start.bat again and choose option 2. Hit '1' and enter dll name manually.

    3. If dll was not found after first running start.bat :

    Run start.bat again and choose option '2'. You must reboot after doing so.

    4. Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

    5. Ask for a new hijackthis log, a new output.txt after the fix

    6. You can also run CWShredder finally to clean up other entries

    Regards,

    Pieter
     
  3. aloshaz

    aloshaz Registered Member

    Joined:
    May 29, 2004
    Posts:
    2
    Hi Pieter,

    Thank you so much! I can't thank you enough. I think the trojan/spyware is finally gone, I found the msl.dll file that the dllfix found and deleted it, and now spywareblaster could finally install and now I've got all the protection I need. Thank you for the help, you saved me a good day of work :D .

    Alosh'
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Excellent work, aloshaz :cool:

    Glad we could help,

    Pieter
     