TechSpot

Hijackthis Log- infected coolwebsearch,wareout,crazy trojans

By ten10
Apr 19, 2005
Topic Status:
Not open for further replies.
  1. Hi, I'm trying to fix my badly infected computer. I get constant IE hijacks, crazy large popups, forced antivirus program shutdowns, and sometimes long freezes. I have run all these programs to diagnose and fix it, but nothing changed - Adaware, spybot, cws shredder, microsoft antispyware beta, spyware sweeper, spyware blaster, and many many others.
    Here is my log file, thanks for your help.
    ********************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 1:56:12 PM, on 4/19/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINNT1\System32\smss.exe
    C:\WINNT1\system32\csrss.exe
    C:\WINNT1\system32\winlogon.exe
    C:\WINNT1\system32\services.exe
    C:\WINNT1\system32\lsass.exe
    C:\WINNT1\system32\svchost.exe
    C:\WINNT1\system32\spoolsv.exe
    C:\WINNT1\System32\svchost.exe
    C:\WINNT1\system32\regsvc.exe
    C:\WINNT1\system32\MSTask.exe
    C:\WINNT1\system32\stisvc.exe
    C:\WINNT1\System32\WBEM\WinMgmt.exe
    C:\WINNT1\Explorer.EXE
    C:\WINNT1\system32\svchost.exe
    C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Hijackthis\HijackThis.exe
    C:\WINNT1\system32\notepad.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ActiveX Control - {A7BB8F65-5194-4AF9-82CD-CEA10909EA31} - C:\WINNT1\System32\mstyp.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT1\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT1\System32\igfxtray.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [P. C. Secure] C:\Program Files\Easy Desk Utilities\PCSecure\Pcsecure.exe Silent
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT1\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT1\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2DE661-4F31-4685-9BD0-AC99226CB00B}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{489CC88A-41F5-48A0-BEB9-D8D7B00ABE09}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73C2793C-52A4-4F7E-A44A-8953D914F765}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BFFFF776-0FFD-4B9B-AF5C-FD1447001109}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E8093D7E-DC9B-4907-B675-09061623E505}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT1\System32\dmadmin.exe
    O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
    O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
    O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
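    The log above is the kind of thing a helper reads by hand, line by line, looking at the entry classes that hijackers most often touch: the browser proxy setting (R1 ProxyServer), the per-adapter DNS resolvers (O17 NameServer), Trusted Zone entries (O15), and entries whose target no longer exists on disk. The script below is an added example written for this page, not code from the poster, from TechSpot, or from HijackThis itself. It parses HJT-format lines and applies a few defender-side triage heuristics; the heuristics, the function names and the idea of an "expected resolver" allowlist are my assumptions, and a hit only means "review this entry", not that the entry is malicious. The sample input is a handful of lines re-joined from the log above (the forum extraction had wrapped them).

```python
import re

# Constructed sample: a few lines re-joined from the HijackThis log posted
# above (the forum extraction wrapped them onto several lines).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2DE661-4F31-4685-9BD0-AC99226CB00B}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
"""

# One HijackThis entry: a section tag (R0, R1, O2, ... O23) and the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
DOTTED_QUAD_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
LOCAL_PROXY_RE = re.compile(r"\b(?:localhost|127\.0\.0\.1)\b")


def parse(log_text):
    """Return [(section, body), ...] for every line that looks like an HJT entry."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text, expected_nameservers=()):
    """Apply a few defender-side heuristics (assumptions of this example) and
    return [(section, reason), ...].

    expected_nameservers: the resolvers this machine should be using (the ISP's
    or the router's). With an empty set every O17 NameServer is reported, so the
    analyst sees them all and decides.
    """
    expected = {s.strip() for s in expected_nameservers}
    findings = []
    for section, body in parse(log_text):
        if section == "O17" and "NameServer" in body:
            # Per-adapter DNS resolvers; a resolver nobody configured is worth a look.
            servers = body.split("NameServer =", 1)[1].split(",")
            unexpected = [s.strip() for s in servers if s.strip() and s.strip() not in expected]
            if unexpected:
                findings.append((section, "DNS resolver not in expected set: " + ", ".join(unexpected)))
        elif section == "O15":
            # Trusted Zone entries are normally host names; a raw IP (wildcarded or not) is unusual.
            zone = body.split(":", 1)[1].strip()
            if DOTTED_QUAD_RE.search(zone):
                findings.append((section, "Trusted Zone entry keyed by a raw IP address: " + zone))
        elif section.startswith("R") and "ProxyServer" in body:
            # A browser proxy on the local host means some local process sits in the path.
            value = body.split("=", 1)[1].strip()
            if LOCAL_PROXY_RE.search(value):
                findings.append((section, "Browser proxy routed through the local host: " + value))
        elif "(no file)" in body or "(file missing)" in body:
            # Orphaned registrations: leftovers from an uninstall or from partial cleanup.
            findings.append((section, "Entry whose target is missing on disk: " + body))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```

    Run against the sample with no expected resolvers, it reports the localhost proxy, the orphaned O3 toolbar, the IP-keyed Trusted Zone, both O17 resolvers and the missing-file O23 service; pass `expected_nameservers=("69.50.176.156", "195.225.176.31")` and the O17 finding disappears, which is the point of the allowlist: the script cannot know which resolvers are legitimate, only the owner (or the ISP) can.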
  2. ten10

    ten10 Newcomer, in training Topic Starter

    Here's my startup list log

    StartupList report, 4/19/2005, 1:55:25 PM
    StartupList version: 1.52.2
    Started from : C:\Hijackthis\HijackThis.EXE
    Detected: Windows 2000 SP2 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT1\System32\smss.exe
    C:\WINNT1\system32\csrss.exe
    C:\WINNT1\system32\winlogon.exe
    C:\WINNT1\system32\services.exe
    C:\WINNT1\system32\lsass.exe
    C:\WINNT1\system32\svchost.exe
    C:\WINNT1\system32\spoolsv.exe
    C:\WINNT1\System32\svchost.exe
    C:\WINNT1\system32\regsvc.exe
    C:\WINNT1\system32\MSTask.exe
    C:\WINNT1\system32\stisvc.exe
    C:\WINNT1\System32\WBEM\WinMgmt.exe
    C:\WINNT1\Explorer.EXE
    C:\WINNT1\system32\svchost.exe
    C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\GT1\Start Menu\Programs\Startup]
    MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT1\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    AS00_Gear311T = C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
    IgfxTray = C:\WINNT1\System32\igfxtray.exe
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    P. C. Secure = C:\Program Files\Easy Desk Utilities\PCSecure\Pcsecure.exe Silent

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT1\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\WINNT1\System32\mstyp.dll - {A7BB8F65-5194-4AF9-82CD-CEA10909EA31}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [PCPitstop Utility]
    InProcServer32 = C:\WINNT1\Downloaded Program Files\PCPitstop.dll
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT1\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINNT1\System32\LegitCheckControl.DLL
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

    [ChainCast VMR Client Proxy]
    InProcServer32 = C:\WINNT1\Downloaded Program Files\ccpm_0237.dll
    CODEBASE = http://www.streamaudio.com/download/ccpm_0237.cab

    [CWDL_DownLoadControl Class]
    InProcServer32 = C:\WINNT1\Downloaded Program Files\CWDL_DownLoad.dll
    CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT1\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [Update Class]
    InProcServer32 = C:\WINNT1\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38273.3853356481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT1\System32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINNT1\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT1\system32\NETSHELL.dll
    WebCheck: C:\WINNT1\system32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 5,425 bytes
    Report generated in 0.050 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  3. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    I would suggest reading this thread and following every step. Once that is done post back your HJT log and we'll diagnose it. It will be much easier than telling you to get rid of certain things that the other programs will do on their own.

    BTW
    :wave:Welcome to TechSpot:wave:
  4. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Be sure to update all those tools. And when updated, use them all from Safe Mode.

    And also, this may be a bit premature, but when it's cleaned up, get your Windows service packs loaded. Get 3, if not 4.

    Additional tools you may want to use are:

    BHO Captor: http://www.snapfiles.com/get/bho.html
    Autoruns: http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

    Make sure you're using the latest versions of ALL your tools.

    Also note, if you go into "Safe Mode with Networking", you can go online and do a virus scan from http://housecall.trendmicro.com

    [tip] If a "big" popup suddenly comes up, quickly hit ALT-F4. This closes the foreground window. This works on those nasty popups when they don't give you a standard Windows "close" button, or it's so big you can't REACH the close button. Just hit ALT-F4

    Good luck