Hijackthis Log- infected coolwebsearch,wareout,crazy trojans

Hi, I'm trying to fix my badly infected computer. I get constant IE hijacks, crazy large popups, forced antivirus program shut downs, and sometimes long freezes. I have run all these programs to diagnose and fix it, but nothing changed - Adaware, spybot, cws shredder, microsoft antispyware beta, spyware sweeper, spyware blaster, and many many others.
Here is my log file, thanks for your help.
********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 1:56:12 PM, on 4/19/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT1\System32\smss.exe
C:\WINNT1\system32\csrss.exe
C:\WINNT1\system32\winlogon.exe
C:\WINNT1\system32\services.exe
C:\WINNT1\system32\lsass.exe
C:\WINNT1\system32\svchost.exe
C:\WINNT1\system32\spoolsv.exe
C:\WINNT1\System32\svchost.exe
C:\WINNT1\system32\regsvc.exe
C:\WINNT1\system32\MSTask.exe
C:\WINNT1\system32\stisvc.exe
C:\WINNT1\System32\WBEM\WinMgmt.exe
C:\WINNT1\Explorer.EXE
C:\WINNT1\system32\svchost.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe
C:\WINNT1\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ActiveX Control - {A7BB8F65-5194-4AF9-82CD-CEA10909EA31} - C:\WINNT1\System32\mstyp.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT1\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT1\System32\igfxtray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [P. C. Secure] C:\Program Files\Easy Desk Utilities\PCSecure\Pcsecure.exe Silent
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT1\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT1\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: .63.219.181.7
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2DE661-4F31-4685-9BD0-AC99226CB00B}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{489CC88A-41F5-48A0-BEB9-D8D7B00ABE09}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{73C2793C-52A4-4F7E-A44A-8953D914F765}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFFFF776-0FFD-4B9B-AF5C-FD1447001109}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8093D7E-DC9B-4907-B675-09061623E505}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT1\System32\dmadmin.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
 
Here's my startup list log

StartupList report, 4/19/2005, 1:55:25 PM
StartupList version: 1.52.2
Started from : C:\Hijackthis\HijackThis.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT1\System32\smss.exe
C:\WINNT1\system32\csrss.exe
C:\WINNT1\system32\winlogon.exe
C:\WINNT1\system32\services.exe
C:\WINNT1\system32\lsass.exe
C:\WINNT1\system32\svchost.exe
C:\WINNT1\system32\spoolsv.exe
C:\WINNT1\System32\svchost.exe
C:\WINNT1\system32\regsvc.exe
C:\WINNT1\system32\MSTask.exe
C:\WINNT1\system32\stisvc.exe
C:\WINNT1\System32\WBEM\WinMgmt.exe
C:\WINNT1\Explorer.EXE
C:\WINNT1\system32\svchost.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\GT1\Start Menu\Programs\Startup]
MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT1\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
AS00_Gear311T = C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
IgfxTray = C:\WINNT1\System32\igfxtray.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
P. C. Secure = C:\Program Files\Easy Desk Utilities\PCSecure\Pcsecure.exe Silent

--------------------------------------------------

Shell & screensaver key from C:\WINNT1\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINNT1\System32\mstyp.dll - {A7BB8F65-5194-4AF9-82CD-CEA10909EA31}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINNT1\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT1\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT1\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

[ChainCast VMR Client Proxy]
InProcServer32 = C:\WINNT1\Downloaded Program Files\ccpm_0237.dll
CODEBASE = http://www.streamaudio.com/download/ccpm_0237.cab

[CWDL_DownLoadControl Class]
InProcServer32 = C:\WINNT1\Downloaded Program Files\CWDL_DownLoad.dll
CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT1\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Update Class]
InProcServer32 = C:\WINNT1\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38273.3853356481

[Shockwave Flash Object]
InProcServer32 = C:\WINNT1\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINNT1\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT1\system32\NETSHELL.dll
WebCheck: C:\WINNT1\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 5,425 bytes
Report generated in 0.050 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
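Added example, not part of the thread or of HijackThis: a small Python triage that reads HJT lines like the ones in the log above and flags the entries a helper looks at first (the O17 NameServer values, the ProxyServer pointing at localhost, the O15 Trusted Zone entry and a BHO dropped straight into System32). The sample lines are copied from the log; EXPECTED_DNS is an assumed placeholder for the resolvers this machine should really be using.

```python
import re

# Sample input: lines copied from the HijackThis log above, re-joined onto
# single lines (the forum software wrapped them). The O4 line is a benign control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ActiveX Control - {A7BB8F65-5194-4AF9-82CD-CEA10909EA31} - C:\WINNT1\System32\mstyp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT1\System32\igfxtray.exe
O15 - Trusted Zone: .63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2DE661-4F31-4685-9BD0-AC99226CB00B}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
"""

# Assumption: the resolvers this machine is supposed to use (router or ISP).
# Any other address in an O17 line is a DNS-changer indicator.
EXPECTED_DNS = {"192.168.0.1"}

LOCAL_PROXY = re.compile(r"=\s*(?:localhost|127\.0\.0\.1)(?::\d+)?", re.I)
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return (category, detail, line) tuples for the hijack indicators found."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O17":
            m = re.search(r"NameServer\s*=\s*(.+)$", line)
            servers = re.split(r"[,\s]+", m.group(1)) if m else []
            rogue = sorted({s for s in servers if s and s not in expected_dns})
            if rogue:
                findings.append(("dns_changed", ",".join(rogue), line))
        elif section == "R1" and "ProxyServer" in line and LOCAL_PROXY.search(line):
            # Browser traffic routed through a local port: some process sits in the path.
            findings.append(("local_proxy", line.split("=", 1)[1].strip(), line))
        elif section == "O15":
            # Trusted Zone entries relax IE's security prompts for that host.
            findings.append(("trusted_zone", line.split(":", 1)[1].strip(), line))
        elif section == "O2" and SYSTEM32_DLL.search(line):
            # A BHO living directly in System32 deserves a look, not automatic removal.
            findings.append(("bho_in_system32", line.rsplit(" - ", 1)[1], line))
    return findings


if __name__ == "__main__":
    for category, detail, _ in triage(SAMPLE_LOG):
        print(f"{category:16} {detail}")
```

Feed it the whole log and compare against what the router or ISP actually hands out; the O17 hits in particular are worth checking before any fix, since a DNS changer redirects every later download, including the cleanup tools.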
 
I would suggest reading this thread and following every step. Once that is done, post back your HJT log and we'll diagnose it. It will be much easier than telling you to get rid of certain things that the other programs will do on their own.

BTW
:wave:Welcome to TechSpot:wave:
 
Be sure to update all those tools. And when updated, use them all from Safe Mode.

And also, this may be a bit premature, but when it's cleaned up, get your Windows service packs loaded. Get 3, if not 4.

Additional tools you may want to use are:

BHO Captor: http://www.snapfiles.com/get/bho.html
Autoruns: http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Make sure you're using the latest versions of ALL your tools.

Also note, if you go into "Safe Mode with Networking", you can go online and do a virus scan from http://housecall.trendmicro.com

[tip] If a "big" popup suddenly comes up, quickly hit ALT-F4. This closes the foreground window. This works on those nasty popups when they don't give you a standard Windows "close" button, or it's so big you can't REACH the close button. Just hit ALT-F4

Good luck
 