
WinAntiVirus Pro 2007 & others -- HijackThis Log

Discussion in 'Virus & Other Malware Removal' started by sgttech, Aug 24, 2007.

Thread Status:
Not open for further replies.
sgttech (Thread Starter)
Joined: Aug 24, 2007. Messages: 1
    I appreciate any help!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:26:31 AM, on 8/24/2007
    Platform: Windows 2000 SP3 (WinNT 5.00.2195) (not up to date, I know)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\winnt\system32\dwdsrngt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\owinsmdt.exe
    C:\HijackThis\HiJackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [svhost] "C:\WINNT\svhost.exe"
    O4 - HKLM\..\Run: [{46-6F-FC-C2-ZN}] C:\winnt\system32\dwdsrngt.exe CHD003
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\WINNT\system32\dwdsrngt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172243256601
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EAGLECOACH.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EAGLECOACH.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = EAGLECOACH.local
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 5442 bytes

    I've performed an online scan with Trend Micro's HouseCall and found Popwin, PurityScan and other generic trojans/spyware. Here's a ComboFix log:

    ComboFix 07-08-17.2 - "Administrator" 08/24/2007 10:20:22.2 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.25 [GMT -4:00]


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup.\TA_Start.lnk
    C:\WINNT\system32\dwdsrngt.exe
    C:\WINNT\system32\msnav32.ax
    C:\WINNT\system32\owinsmdt.exe
    C:\WINNT\system32\zxdnt3d.cfg


    ((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


    2007-08-24 10:20 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_364.dat
    2007-08-23 10:42 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
    2007-08-23 10:42 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-23 10:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-08-22 17:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-08-22 17:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-08-22 17:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
    2007-08-22 17:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-22 16:35 51,200 --a------ C:\WINNT\nircmd.exe
    2007-08-22 15:56 <DIR> d-------- C:\VundoFix Backups
    2007-08-22 15:06 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
    2007-08-22 14:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
    2007-08-22 13:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
    2007-08-22 13:01 <DIR> dr------- C:\Malware Tools
    2007-08-21 11:13 <DIR> dr------- C:\HijackThis
    2007-08-21 10:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1.EAG\.housecall6.6
    2007-08-16 08:58 89,088 --a------ C:\WINNT\system32\atl71.dll
    2007-08-16 08:58 8,704 --a------ C:\WINNT\system32\SpOrder.dll
    2007-08-16 08:40 52,764 --a------ C:\WINNT\system32\lrdsrngp.exe
    2007-08-15 14:30 <DIR> d-a------ C:\WINNT\system32\tmps9
    2007-08-15 14:30 <DIR> d-a------ C:\WINNT\system32\chkconfig
    2007-08-15 14:30 <DIR> d--hs---- C:\WINNT\TWljaGFlbCBLZWxsZXJtYW4sIFNyLg
    2007-08-15 14:30 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\NetMon


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    12/08/98 10:53p 99840 --a------ C:\Program Files\Common Files\IRAABOUT.DLL
    12/08/98 10:53p 70144 --a------ C:\Program Files\Common Files\IRAMDMTR.DLL
    12/08/98 10:53p 48640 --a------ C:\Program Files\Common Files\IRALPTTR.DLL
    12/08/98 10:53p 31744 --a------ C:\Program Files\Common Files\IRAWEBTR.DLL
    12/08/98 10:53p 186368 --a------ C:\Program Files\Common Files\IRAREG.DLL
    12/08/98 10:53p 17920 --a------ C:\Program Files\Common Files\IRASRIAL.DLL
    08/23/07 03:17p --------- d-------- C:\Program Files\Microsoft AntiSpyware
    08/22/07 02:12p --------- d-------- C:\Program Files\MSN Messenger
    07/30/07 07:19p 92504 --a------ C:\WINNT\system32\cdm.dll
    07/30/07 07:19p 549720 --a------ C:\WINNT\system32\wuapi.dll
    07/30/07 07:19p 53080 --a------ C:\WINNT\system32\wuauclt.exe
    07/30/07 07:19p 325976 --a------ C:\WINNT\system32\wucltui.dll
    07/30/07 07:19p 271224 --a------ C:\WINNT\system32\mucltui.dll
    07/30/07 07:19p 207736 --a------ C:\WINNT\system32\muweb.dll
    07/30/07 07:19p 203096 --a------ C:\WINNT\system32\wuweb.dll
    07/30/07 07:19p 1712984 --a------ C:\WINNT\system32\wuaueng.dll
    05/09/03 10:56a 271 ---h----- C:\Program Files\desktop.ini
    05/09/03 10:56a 21952 ---h----- C:\Program Files\folder.htt
    05/08/01 08:00a 32528 --a------ C:\WINNT\inf\wbfirdma.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [05/08/01 08:00a C:\WINNT\system32\mobsync.exe]
    "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [11/15/05 01:12p]
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [11/06/03 09:27p]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/06 04:45p]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/19/06 02:01p]
    "svhost"="C:\WINNT\svhost.exe" []
    "{46-6F-FC-C2-ZN}"="C:\winnt\system32\dwdsrngt.exe" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/23/07 10:46a]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/07 02:06p]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-10 18:16:27]
    Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 17:51:54]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
    R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS
    R2 ntrtscan;OfficeScanNT RealTime Scan;C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    R2 tmlisten;OfficeScanNT Listener;C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINNT\system32\DRIVERS\fetnd5a.sys
    S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-24 10:24:43
    Windows 5.0.2195 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 08/24/2007 10:25:40
    C:\ComboFix-quarantined-files.txt ... 08/24/07 10:25a
    C:\ComboFix2.txt ... 08/22/07 04:54p

    --- E O F ---
    Any help at all is GREATLY appreciated!!
Short URL to this thread: https://techguy.org/614597