Virus Trojan horse downloader.generic6.abkb - Cant remove

Old 01-18-2008, 09:29 AM   #1

Hi,

My computer has been infected with the virus Trojan horse downloader.generic6.abkb.

AVG tried to heal it, but it keeps coming back, and since it happened my browsers are completely blocked (I can ping and traceroute, but not browse).

It seems very similar to another thread here, https://www.techsupportforum.com/secu...t-removed.html, so I tried to follow the same first steps (thank you already for those).

Before anything else, I'd need confirmation that this trojan is indeed what disables my browsers, or whether there is still another problem.
In which case, I wonder if I should not reinstall Windows completely on another disk... would it work, or would the trojan still reappear?



I downloaded Deckard's System Scanner and here are the results:
Deckard's System Scanner v20071014.68
Run by JM Yolin on 2008-01-18 16:11:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 94% (more than 75%).


-- HijackThis (run as JM Yolin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11:41, on 18/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
H:\WINNT\System32\smss.exe
H:\WINNT\system32\winlogon.exe
H:\WINNT\system32\services.exe
H:\WINNT\system32\lsass.exe
H:\WINNT\system32\Ati2evxx.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\spoolsv.exe
H:\Program Files\a-squared Anti-Malware\a2service.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINNT\wscntfy.exe
H:\WINNT\system32\MSTask.exe
H:\WINNT\System32\WBEM\WinMgmt.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\Ati2evxx.exe
H:\WINNT\Explorer.EXE
H:\WINNT\TEMP\file.exe
H:\WINNT\TEMP\file.exe
H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
H:\WINNT\SOUNDMAN.EXE
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe
H:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe
H:\WINNT\system32\drivers\spool.exe
H:\Program Files\Logitech\SetPoint\SetPoint.exe
H:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
H:\WINNT\System32\svchost.exe
H:\Program Files\internet explorer\iexplore.exe
H:\Documents and Settings\JM Yolin\Desktop\dss.exe
H:\Installs\JM Yolin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=H:\WINNT\system32\drivers\spool.exe H:\WINNT\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [a-squared] "H:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [autoload] H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] H:\WINNT\system32\drivers\spool.exe
O4 - HKCU\..\Run: [Skype] "H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "H:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [autoload] H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [ntuser] H:\WINNT\system32\drivers\spool.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] H:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] H:\WINNT\system32\drivers\spool.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [WintelUpdate] c:\oraqpug.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = H:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: h:\winnt\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1122587772540
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - H:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - H:\WINNT\System32\dmadmin.exe
O23 - Service: Events Log (Event) - Unknown owner - H:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft wscntfy Service - Unknown owner - H:\WINNT\wscntfy.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - H:\WINNT\system32\drivers\spool.exe

--
End of file - 6868 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - h:\winnt\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - h:\winnt\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 LBeepKE - h:\winnt\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>

S3 BtAudio (Bluetooth Audio) - h:\winnt\system32\drivers\btaudio.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Microsoft wscntfy Service - "h:\winnt\wscntfy.exe"

S2 Event (Events Log) - h:\winnt\system32\drivers\csrss.exe -k networkservice (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: 001494IN-L725
Device ID: DISPLAY\MAG73F1\5&38E0E6B4&0&10000080&01&00
Manufacturer:
Name: 001494IN-L725
PNP Device ID: DISPLAY\MAG73F1\5&38E0E6B4&0&10000080&01&00
Service:


-- Files created between 2007-12-18 and 2008-01-18 -----------------------------

2008-01-18 15:53:19 0 d-------- H:\Documents and Settings\Administrator\Application Data\Identities
2008-01-17 16:00:33 0 d-------- H:\Documents and Settings\Administrator\Application Data\Google
2008-01-17 16:00:29 10240 ---hs---- H:\WINNT\system32\drivers\spool.exe
2008-01-17 02:33:01 16384 --a-----t H:\WINNT\system32\Perflib_Perfdata_3e4.dat
2008-01-17 01:52:12 0 d-------- H:\Program Files\a-squared Anti-Malware
2008-01-17 01:36:03 0 d-------- H:\Program Files\CCleaner
2008-01-17 01:21:41 0 d-------- H:\philippe
2008-01-15 23:23:18 0 d-------- H:\Program Files\Abexo
2008-01-15 00:32:10 0 d-------- H:\New Folder
2008-01-14 19:36:40 0 d--h----- H:\WINNT\PIF
2008-01-12 20:58:01 433152 -r-hs---- H:\WINNT\wscntfy.exe
2008-01-12 07:20:49 74269 -rahs---- H:\WINNT\system32\netstsx.EXE
2007-12-29 09:36:58 0 dr-h----- H:\$VAULT$.AVG
2007-12-28 23:15:21 0 d--h----- H:\Documents and Settings\Administrator\Templates
2007-12-28 23:15:21 0 d-------- H:\Documents and Settings\Administrator\Start Menu
2007-12-28 23:15:21 0 d--h----- H:\Documents and Settings\Administrator\SendTo
2007-12-28 23:15:21 0 d--h----- H:\Documents and Settings\Administrator\Recent
2007-12-28 23:15:21 0 d--h----- H:\Documents and Settings\Administrator\PrintHood
2007-12-28 23:15:21 122880 --ah----- H:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-28 23:15:21 0 d--h----- H:\Documents and Settings\Administrator\NetHood
2007-12-28 23:15:21 0 d-------- H:\Documents and Settings\Administrator\My Documents
2007-12-28 23:15:21 0 d--h----- H:\Documents and Settings\Administrator\Local Settings
2007-12-28 23:15:21 0 d-------- H:\Documents and Settings\Administrator\Favorites
2007-12-28 23:15:21 0 d-------- H:\Documents and Settings\Administrator\Desktop
2007-12-28 23:15:21 0 d---s---- H:\Documents and Settings\Administrator\Cookies
2007-12-28 23:15:21 0 d--h----- H:\Documents and Settings\Administrator\Application Data
2007-12-28 23:15:21 0 d---s---- H:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-28 23:15:21 0 d-------- H:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-28 23:15:17 17 --a------ H:\WINNT\system32\drivers\nwlnkcr.sys
2007-12-28 17:59:01 0 d-------- H:\Documents and Settings\JM Yolin\Application Data\AVG7
2007-12-28 17:58:56 0 d-------- H:\Documents and Settings\Default User\Application Data\AVG7
2007-12-28 17:58:39 0 d-------- H:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-28 17:58:39 0 d-a------ H:\Documents and Settings\All Users\Application Data\avg7
2007-12-28 17:36:19 0 d-------- H:\WINNT\system32\ReinstallBackups
2007-12-27 23:20:22 0 d-------- H:\Documents and Settings\JM Yolin\.housecall6.6
2007-12-27 23:02:04 0 d-------- H:\WINNT\winsxs
2007-12-27 23:01:17 3712 --a------ H:\WINNT\system32\drivers\LBeepKE.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
2007-12-27 23:01:16 69632 --a------ H:\WINNT\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2007-12-27 23:01:16 110592 --a------ H:\WINNT\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2007-12-27 23:01:16 131072 --a------ H:\WINNT\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2007-12-27 23:01:16 155648 --a------ H:\WINNT\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2007-12-27 23:01:03 0 d-------- H:\Program Files\Common Files\Logitech
2007-12-27 23:01:01 0 d-------- H:\Program Files\Logitech
2007-12-27 20:46:24 208896 --a------ H:\WINNT\system32\wmpns.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows Media Player>
2007-12-27 20:45:27 0 d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 20:33:43 0 d-------- H:\Documents and Settings\JM Yolin\Application Data\ArcSoft
2007-12-24 12:04:15 118784 --a------ H:\WINNT\SeaMonkeyUninstall.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-18 16:05:43 0 d-------- H:\Documents and Settings\JM Yolin\Application Data\Skype
2008-01-13 09:37:08 0 d-------- H:\Program Files\Mozilla Thunderbird
2007-12-28 18:47:20 1286568 ---h----- H:\WINNT\ShellIconCache
2007-12-28 14:32:32 0 d-------- H:\Program Files\Google
2007-12-28 14:32:11 0 d-------- H:\Program Files\Club-Internet
2007-12-28 14:31:46 0 d-------- H:\Program Files\QuickTime
2007-12-28 14:31:36 0 d-a------ H:\Program Files\Common Files
2007-12-27 23:04:34 0 d-------- H:\Documents and Settings\JM Yolin\Application Data\Logitech
2007-12-27 22:58:53 0 d--h----- H:\Program Files\InstallShield Installation Information
2007-12-27 20:44:15 0 d-------- H:\Program Files\Java
2007-12-25 12:49:28 20762 --a------ H:\WINNT\mozver.dat
2007-12-25 12:49:14 118784 --a------ H:\WINNT\GREUninstall.exe
2007-12-24 12:02:32 0 d-------- H:\Program Files\mozilla.org
2007-12-10 17:07:30 0 d-------- H:\Documents and Settings\JM Yolin\Application Data\Help
2007-11-24 11:40:09 0 d-------- H:\Program Files\SecondLife
2007-11-24 11:22:26 0 d-------- H:\Documents and Settings\JM Yolin\Application Data\SecondLife


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [19/06/03 20:05 H:\WINNT\system32\mobsync.exe]
"ATIPTA"="H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [28/06/05 20:05 ]
"SoundMan"="SOUNDMAN.EXE" [11/11/05 14:07 H:\WINNT\soundman.exe]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/07 01:11 ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [19/07/06 12:03 H:\WINNT\KHALMNPR.Exe]
"AVG7_CC"="H:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [28/12/07 17:58 ]
"a-squared"="H:\Program Files\a-squared Anti-Malware\a2guard.exe" [07/01/08 17:56 ]
"autoload"="H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe" [17/01/08 16:00 ]
"ntuser"="H:\WINNT\system32\drivers\spool.exe" [17/01/08 16:00 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="H:\Program Files\Skype\Phone\Skype.exe" [13/10/06 17:20 ]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [22/07/07 18:52 ]
"SeaMonkey Quick Launch"="H:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" [28/11/07 12:14 ]
"autoload"="H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe" [17/01/08 16:00 ]
"ntuser"="H:\WINNT\system32\drivers\spool.exe" [17/01/08 16:00 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"autoload"=H:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe
"ntuser"=H:\WINNT\system32\drivers\spool.exe
"WintelUpdate"=c:\oraqpug.exe

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Lancement rapide d'Adobe Reader.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Logitech SetPoint.lnk - H:\Program Files\Logitech\SetPoint\SetPoint.exe [27/12/2007 23:01:15]
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 20:05:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-01-18 16:13:27 ------------


Note: the HijackThis log was created after running DSS (I hadn't kept the log from before); I am sorry for that.
I tried to run DSS a second time, but it didn't give me another extra.txt.
Attached Files
File Type: txt extra.txt (12.8 KB, 8 views)
ptpouf is offline  
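The entries a responder would circle in the logs in this thread can be checked mechanically: the F2 UserInit value carrying a second executable, Run keys and services pointing at .exe files under system32\drivers, TEMP and Local Settings\Application Data, cftmon.exe (one transposition away from the genuine ctfmon.exe), csrss.exe outside system32, wscntfy.exe in the WINNT root (the genuine XP one lives in system32), and an executable sitting in the drive root. The script below is an added example for this thread and is not code from the poster, HijackThis, DSS or ComboFix; its table of system binaries, the directory heuristics and the edit-distance threshold are assumptions made for the example, and SAMPLE_LOG is an excerpt of the log posted above.

```python
"""Triage a HijackThis-style log for autoruns that borrow Windows binary names.

Added example for this thread, not code from HijackThis, DSS or ComboFix. The
table of system binaries, the directory heuristics and the distance threshold
are assumptions; SAMPLE_LOG is an excerpt of the log posted above.
"""
import re
from dataclasses import dataclass

# Names malware borrows, mapped to the directory the genuine copy lives in
# (%SystemRoot% is WINNT on Windows 2000 and WINDOWS on XP). Assumed table.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe": ("system32",), "csrss.exe": ("system32",), "lsass.exe": ("system32",),
    "winlogon.exe": ("system32",), "services.exe": ("system32",), "svchost.exe": ("system32",),
    "spoolsv.exe": ("system32",), "userinit.exe": ("system32",), "ctfmon.exe": ("system32",),
    "wscntfy.exe": ("system32",), "explorer.exe": ("winnt", "windows"),
}
# No legitimate autorun loads an .exe from these places (assumed heuristic).
SUSPICIOUS_DIR_FRAGMENTS = ("\\temp\\", "\\drivers\\", "\\local settings\\application data\\")
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]()]*?\.exe', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # "F2", "O4", "O23" or "process"
    path: str
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (edits plus adjacent transpositions),
    so 'cftmon' is one step from 'ctfmon'."""
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_path(path: str) -> list[str]:
    """Reasons an executable path looks wrong; an empty list means nothing odd."""
    reasons = []
    parts = path.lower().split("\\")
    name, parent = parts[-1], (parts[-2] if len(parts) >= 3 else "")
    expected = KNOWN_SYSTEM_BINARIES.get(name)
    if expected is not None:
        if parent not in expected:  # genuine name, wrong directory
            reasons.append(f"{name} outside its system directory (under '{parent}')")
    elif len(name) - 4 >= 5:  # short stems produce too many chance matches
        for known in KNOWN_SYSTEM_BINARIES:
            if osa_distance(name[:-4], known[:-4]) == 1:
                reasons.append(f"name looks like {known}")
                break
    for frag in SUSPICIOUS_DIR_FRAGMENTS:
        if frag in path.lower():
            reasons.append("loads from " + frag.strip("\\"))
            break
    if DRIVE_ROOT_RE.match(path):
        reasons.append("loads from the drive root")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """One pass over the log: running processes, F2 UserInit, O4 autoruns, O23 services."""
    findings, in_processes = [], False
    for line in (ln.strip() for ln in log_text.splitlines()):
        if line.startswith("Running processes:"):
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes and PATH_RE.fullmatch(line):
            findings += [Finding("process", line, r) for r in classify_path(line)]
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            # Winlogon runs every value listed here at logon; only userinit.exe belongs.
            for p in PATH_RE.findall(line):
                if not p.lower().endswith("\\system32\\userinit.exe"):
                    findings.append(Finding("F2", p, "extra UserInit value runs at every logon"))
        elif line.startswith(("O4 - ", "O23 - ")):
            kind = line.split(" ", 1)[0]
            for p in PATH_RE.findall(line):
                findings += [Finding(kind, p, r) for r in classify_path(p)]
                if kind == "O23" and "(file missing)" in line:
                    findings.append(Finding(kind, p, "service binary is missing"))
    return findings


# Constructed excerpt of the HijackThis log in the post above.
SAMPLE_LOG = r"""Running processes:
H:\WINNT\System32\smss.exe
H:\WINNT\Explorer.EXE
H:\WINNT\TEMP\file.exe
H:\WINNT\wscntfy.exe
H:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: UserInit=H:\WINNT\system32\drivers\spool.exe H:\WINNT\system32\userinit.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [autoload] H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe
O4 - HKUS\.DEFAULT\..\Run: [WintelUpdate] c:\oraqpug.exe (User 'Default user')
O23 - Service: Events Log (Event) - Unknown owner - H:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - H:\WINNT\system32\drivers\spool.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8}{f.path}\n        -> {f.reason}")
```

Run it against the full log rather than the excerpt to get the complete list. The F2 rule is the one that matters for the "keeps coming back" symptom: Winlogon executes every path in the UserInit value before the desktop appears, so quarantining the copy that the Run keys launch does nothing if the same file is relaunched from UserInit at the next logon, and the Run and RunOnce entries under HKLM, HKCU and .DEFAULT then re-create the rest for every account. Whether the browser block comes from the same infection is not something a log triage can settle on its own, but the "Unknown owner" services pointing at missing or hidden files under system32\drivers are what a responder would remove first before re-testing browsing.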
Old 01-18-2008, 10:18 AM   #2

I also tried running ComboFix:

ComboFix 08-01-17.3 - JM Yolin 18/01/2008 16:46:50.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.220 [GMT 1:00]
Running from: H:\Documents and Settings\JM Yolin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 16:32 . 08-01-18 16:32 52,736 --a------ H:\WINNT\system32\lrprt7.exe
2008-01-18 16:32 . 08-01-18 16:32 52,736 --a------ H:\WINNT\system32\lrprt5.exe
2008-01-18 16:32 . 08-01-18 16:32 14,080 --a------ H:\WINNT\system32\drivers\sysproc.sys
2008-01-18 16:10 . 08-01-18 16:10 <DIR> d-------- H:\Deckard
2008-01-17 16:00 . 08-01-17 16:00 10,240 ---hs---- H:\WINNT\system32\drivers\spool.exe
2008-01-17 01:52 . 08-01-17 02:32 <DIR> d-------- H:\Program Files\a-squared Anti-Malware
2008-01-17 01:36 . 08-01-17 01:36 <DIR> d-------- H:\Program Files\CCleaner
2008-01-17 01:21 . 08-01-17 01:32 <DIR> d-------- H:\philippe
2008-01-17 00:33 . 00-08-31 08:00 51,200 --a------ H:\WINNT\NirCmd.exe
2008-01-15 23:23 . 08-01-15 23:23 <DIR> d-------- H:\Program Files\Abexo
2008-01-15 00:32 . 08-01-15 00:32 <DIR> d-------- H:\New Folder
2008-01-14 19:36 . 08-01-14 19:36 <DIR> d--h----- H:\WINNT\PIF
2008-01-12 20:58 . 08-01-12 16:43 433,152 -r-hs---- H:\WINNT\wscntfy.exe
2008-01-12 07:20 . 08-01-12 07:22 74,269 -rahs---- H:\WINNT\system32\netstsx.EXE
2007-12-30 10:17 . 08-01-13 19:16 54,156 --ah----- H:\WINNT\QTFont.qfn
2007-12-30 10:17 . 07-12-30 10:17 1,409 --a------ H:\WINNT\QTFont.for
2007-12-28 23:15 . 07-12-28 17:58 <DIR> d-------- H:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-28 23:15 . 08-01-11 13:54 17 --a------ H:\WINNT\system32\drivers\nwlnkcr.sys
2007-12-28 17:59 . 08-01-15 22:32 <DIR> d-------- H:\Documents and Settings\JM Yolin\Application Data\AVG7
2007-12-28 17:58 . 07-12-28 17:58 <DIR> d-------- H:\Documents and Settings\Default User\Application Data\AVG7
2007-12-28 17:58 . 07-12-28 17:58 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-28 17:58 . 08-01-18 03:00 <DIR> d-a------ H:\Documents and Settings\All Users\Application Data\avg7
2007-12-28 17:58 . 07-12-28 17:58 26,944 --a------ H:\WINNT\system32\drivers\avg7rsnt.sys
2007-12-27 23:23 . 07-12-27 23:20 102,664 --a------ H:\WINNT\system32\drivers\tmcomm.sys
2007-12-27 23:20 . 07-12-27 23:24 <DIR> d-------- H:\Documents and Settings\JM Yolin\.housecall6.6
2007-12-27 23:02 . 07-12-27 23:02 <DIR> d-------- H:\WINNT\winsxs
2007-12-27 23:01 . 07-12-27 23:01 <DIR> d-------- H:\Program Files\Logitech
2007-12-27 23:01 . 07-12-27 23:01 <DIR> d-------- H:\Program Files\Common Files\Logitech
2007-12-27 20:46 . 02-12-12 01:34 208,896 --a------ H:\WINNT\system32\wmpns.dll
2007-12-27 20:45 . 07-12-27 21:55 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 20:33 . 07-12-27 20:33 <DIR> d-------- H:\Documents and Settings\JM Yolin\Application Data\ArcSoft
2007-12-24 12:04 . 07-12-25 12:49 118,784 --a------ H:\WINNT\SeaMonkeyUninstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 15:37 --------- d-----w H:\Documents and Settings\JM Yolin\Application Data\Skype
2008-01-13 08:37 --------- d-----w H:\Program Files\Mozilla Thunderbird
2007-12-28 13:32 --------- d-----w H:\Program Files\Google
2007-12-28 13:32 --------- d-----w H:\Program Files\Club-Internet
2007-12-28 13:31 --------- d-----w H:\Program Files\QuickTime
2007-12-27 22:04 --------- d-----w H:\Documents and Settings\JM Yolin\Application Data\Logitech
2007-12-27 21:58 --------- d--h--w H:\Program Files\InstallShield Installation Information
2007-12-27 19:44 --------- d-----w H:\Program Files\Java
2007-12-25 11:49 118,784 ----a-w H:\WINNT\GREUninstall.exe
2007-12-24 11:02 --------- d-----w H:\Program Files\mozilla.org
2007-11-24 10:40 --------- d-----w H:\Program Files\SecondLife
2007-11-24 10:22 --------- d-----w H:\Documents and Settings\JM Yolin\Application Data\SecondLife
2007-11-20 18:09 101,888 ----a-w H:\WINNT\system32\drivers\Rtnic.sys
2005-07-28 21:47 271 ---h--w H:\Program Files\desktop.ini
2005-07-28 21:47 21,952 ---h--w H:\Program Files\folder.htt
1999-12-07 04:00 32,528 ----a-w H:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="H:\Program Files\Skype\Phone\Skype.exe" [06-10-13 17:20 20058152]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-22 18:52 68856]
"SeaMonkey Quick Launch"="H:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" [07-11-28 12:14 151552]
"ntuser"="H:\WINNT\system32\drivers\spool.exe" [08-01-17 16:00 10240]
"autoload"="H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe" [08-01-17 16:00 10240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 20:05 111376 H:\WINNT\system32\mobsync.exe]
"ATIPTA"="H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05-06-28 20:05 344064]
"SoundMan"="SOUNDMAN.EXE" [05-11-11 14:07 90112 H:\WINNT\soundman.exe]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 132496]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [06-07-19 12:03 94208 H:\WINNT\KHALMNPR.Exe]
"AVG7_CC"="H:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-12-28 17:58 579072]
"a-squared"="H:\Program Files\a-squared Anti-Malware\a2guard.exe" [08-01-07 17:56 1816208]
"autoload"="H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe" [08-01-17 16:00 10240]
"ntuser"="H:\WINNT\system32\drivers\spool.exe" [08-01-17 16:00 10240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 05:00 20752 H:\WINNT\system32\internat.exe]
"AVG7_Run"="H:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-12-28 17:58 219136]
"autoload"="H:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe" [08-01-17 16:00 10240]
"ntuser"="H:\WINNT\system32\drivers\spool.exe" [08-01-17 16:00 10240]
"WintelUpdate"="c:\oraqpug.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 20:05 186640]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Lancement rapide d'Adobe Reader.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Logitech SetPoint.lnk - H:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-27 23:01:15]
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56]

R1 Avg7RsNT;AVG7 Resident Driver NT;H:\WINNT\system32\Drivers\avg7rsnt.sys [07-12-28 17:58 ]
R2 LBeepKE;LBeepKE;H:\WINNT\system32\Drivers\LBeepKE.sys [06-09-01 12:32 ]
R2 Microsoft wscntfy Service;Microsoft wscntfy Service;"H:\WINNT\wscntfy.exe" [08-01-12 16:43 ]
R3 openhci;Microsoft USB Open Host Controller Driver;H:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 20:05 ]
R3 RimSerPort;RIM Virtual Serial Port;H:\WINNT\system32\DRIVERS\RimSerial.sys [04-08-06 07:50 ]
S2 Event;Events Log;H:\WINNT\system32\drivers\csrss.exe []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-01-18 16:57:26
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

H:\WINNT\system32\Perflib_Perfdata_4cc.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-01-18 17:02:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 16:02:50
ComboFix2.txt 2008-01-16 23:48:13
.
2007-12-27 21:59:16 --- E O F ---

New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57:42, on 18/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
H:\WINNT\System32\smss.exe
H:\WINNT\system32\winlogon.exe
H:\WINNT\system32\services.exe
H:\WINNT\system32\lsass.exe
H:\WINNT\system32\Ati2evxx.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\spoolsv.exe
H:\Program Files\a-squared Anti-Malware\a2service.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINNT\System32\svchost.exe
H:\WINNT\wscntfy.exe
H:\WINNT\system32\drivers\spool.exe
H:\WINNT\system32\drivers\spool.exe
H:\WINNT\system32\drivers\spool.exe
H:\WINNT\system32\Ati2evxx.exe
H:\WINNT\system32\drivers\spool.exe
H:\WINNT\Explorer.EXE
H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
H:\WINNT\SOUNDMAN.EXE
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\Skype\Phone\Skype.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe
H:\WINNT\system32\drivers\spool.exe
H:\Program Files\Logitech\SetPoint\SetPoint.exe
H:\WINNT\System32\WBEM\WinMgmt.exe
H:\WINNT\system32\svchost.exe
H:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
H:\WINNT\System32\svchost.exe
H:\Installs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=H:\WINNT\system32\drivers\spool.exe H:\WINNT\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [a-squared] "H:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [autoload] H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] H:\WINNT\system32\drivers\spool.exe
O4 - HKCU\..\Run: [Skype] "H:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "H:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [ntuser] H:\WINNT\system32\drivers\spool.exe
O4 - HKCU\..\Run: [autoload] H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] H:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] H:\WINNT\system32\drivers\spool.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [WintelUpdate] c:\oraqpug.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = H:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: h:\winnt\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1122587772540
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - H:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - H:\WINNT\System32\dmadmin.exe
O23 - Service: Events Log (Event) - Unknown owner - H:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft wscntfy Service - Unknown owner - H:\WINNT\wscntfy.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - H:\WINNT\system32\drivers\spool.exe

--
End of file - 6826 bytes
ptpouf is offline  
Old 01-20-2008, 01:34 PM   #3
Guest
 
Join Date: Jan 2008
Posts: 4
OS:



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 05:00 20752 H:\WINNT\system32\internat.exe]
"AVG7_Run"="H:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-12-28 17:58 219136]
"autoload"="H:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe" [08-01-17 16:00 10240]
"ntuser"="H:\WINNT\system32\drivers\spool.exe" [08-01-17 16:00 10240]
"WintelUpdate"="c:\oraqpug.exe" [ ]


I've been trying to 'read' the logs and I'd guess this part at least was definitely not right.
My main disk is H:\ anyway and C:\ is empty.

But on afterthought, I'm afraid that even if I could get rid of the virus, I am not sure to get internet back, so I guess I'll try a Windows reinstall.
ptpouf is offline  
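As an added illustration (not part of this thread, and not code from HijackThis or ComboFix), here is the kind of rule-based triage a helper applies when reading O4/O23/F2 lines like the ones quoted above. The sample entries are copied from the posted log; the system-drive assumption (H:) follows the poster's note that Windows is on H:\ and C:\ is empty, and the list of well-known system32 binary names is an assumption of this example.

```python
import re

# Constructed sample: autostart and service entries copied from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=H:\WINNT\system32\drivers\spool.exe H:\WINNT\system32\userinit.exe
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [autoload] H:\Documents and Settings\JM Yolin\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] H:\WINNT\system32\drivers\spool.exe
O4 - HKUS\.DEFAULT\..\Run: [WintelUpdate] c:\oraqpug.exe (User 'Default user')
O23 - Service: Events Log (Event) - Unknown owner - H:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - H:\WINNT\system32\drivers\spool.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Assumption taken from the thread: Windows lives on H:\WINNT and C:\ is empty.
SYSTEM_DRIVE = "H:"
# Binaries that legitimately live directly in \system32 (assumed list); the same
# name anywhere else (e.g. \system32\drivers) is a classic masquerade.
KNOWN_SYSTEM32 = {"csrss.exe", "spoolsv.exe", "ctfmon.exe", "userinit.exe"}
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)


def triage_line(line, system_drive=SYSTEM_DRIVE):
    """Return the reasons (possibly none) an O4/O23/F2 line deserves a closer look."""
    reasons = []
    paths = PATH_RE.findall(line)
    for path in paths:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if not low.startswith(system_drive.lower()):
            reasons.append(f"{path}: not on the system drive {system_drive}")
        if "\\drivers\\" in low:
            reasons.append(f"{path}: .exe inside a drivers directory (expected .sys files only)")
        if "\\application data\\" in low:
            reasons.append(f"{path}: autostart from a user profile's Application Data")
        if low.count("\\") == 1:
            reasons.append(f"{path}: executable sitting in the root of a drive")
        if name in KNOWN_SYSTEM32 and not low.endswith("\\system32\\" + name):
            reasons.append(f"{path}: well-known system binary name outside \\system32")
    if line.startswith("F2") and "userinit=" in line.lower() and len(paths) > 1:
        reasons.append("UserInit chains an extra executable ahead of userinit.exe")
    if "(file missing)" in line:
        reasons.append("service is registered but its binary is missing")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons; clean lines are left out."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}
```

Calling `triage_log(SAMPLE_LOG)` flags six of the eight entries and leaves the two AVG lines alone.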
Old 01-21-2008, 01:35 AM   #4
Guest
 
Join Date: Jan 2008
Posts: 4
OS:



Well, I tried to launch the tools from safe mode, but the loading of safe mode froze systematically at "loading preferences",
and unfortunately afterwards, loading of Windows in normal mode could no longer pass the "loading preferences" stage either. I really don't understand why, since I had rebooted several times just before without problems, and I had done nothing in between.

Anyway, I had no choice and reinstalled Windows.
I got internet back at last and managed to launch an online scan... it found quite a number of viruses but also toolkits... a few were from the tools I downloaded (ComboFix, etc.) (I suppose that is normal?)
But how can I remove the others?
Thank you
ptpouf is offline  