My AVG gives me an alert about "manager.dll" in "c:\windows\system32" as a "Trojan horse generic4.RNT" that I was not able to get rid of:

AppInit_DLLs: C:\WINDOWS\system32\Manager.dll

Here are my HJT and ComboFix printouts. Your help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:41 AM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
D:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
D:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\TOM\Desktop\USEFULL CHORTCUTS\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe runonce
O4 - HKCU\..\Run: [SkinClock] D:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [XarkaToday] C:\Program Files\Today Application\Today.exe
O4 - HKCU\..\Run: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup
O4 - Startup: CaptureWiz.lnk = D:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
O4 - Startup: MailWasherPro.lnk = D:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?763eb53e35e74837a012bde971f2d744
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?763eb53e35e74837a012bde971f2d744
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165097492687
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is the txt from ComboFix:

"TOM" - 2007-05-30 10:00:28 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\TOM\Desktop\USEFULL CHORTCUTS\911-FORCE\combofix\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))

2007-05-29 14:09 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-29 13:54 <DIR> d-------- C:\VundoFix Backups
2007-05-28 14:55 1,298 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-28 14:28 15,204,352 --a------ C:\Documents and Settings\TOM\ntuser.dat
2007-05-28 14:28 15,204,352 --a------ C:\DOCUME~1\TOM\ntuser.dat
2007-05-26 12:03 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\iolo
2007-05-26 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2007-05-18 19:21 <DIR> d-------- C:\Program Files\Speed Startup
2007-05-12 12:39 20,471 --a------ C:\WINDOWS\hpoins01.dat
2007-05-12 12:39 16,618 --------- C:\WINDOWS\hpomdl01.dat
2007-05-12 12:38 81,920 -ra------ C:\WINDOWS\system32\hpovst08.dll
2007-05-11 09:05 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\Yahoo!
2007-05-09 16:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 20:49 <DIR> d-------- C:\WINDOWS\Paltalk Messenger
2007-05-07 20:49 <DIR> d-------- C:\Program Files\Paltalk Messenger
2007-05-03 19:21 4,733,788 --a------ C:\WINDOWS\system32\dmap_01200015035.exe
2007-05-03 19:21 0 --a------ C:\WINDOWS\sdfsdfjl.dll
2007-05-02 22:12 <DIR> d-------- C:\Program Files\AxBx
2007-05-02 19:39 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\Uniblue
2007-05-02 19:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-02 19:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-02 19:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-02 09:24 <DIR> d-------- C:\WINDOWS\system32\070411
2007-05-01 22:17 0 --a------ C:\WINDOWS\004g.dll
2007-05-01 22:05 0 --a------ C:\WINDOWS\qh3.dll
2007-05-01 21:34 2,358,634 --a------ C:\WINDOWS\system32\UUSEE_konglong_Setup_186.exe
2007-05-01 21:33 146,432 --a------ C:\WINDOWS\regbin.exe
2007-05-01 21:31 0 --a------ C:\WINDOWS\Setup(37).dll
2007-05-01 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YoGen
2007-04-30 11:36 <DIR> d-------- C:\Program Files\Jufsoft
2007-04-29 10:45 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-28 23:38 913,408 --a------ C:\WINDOWS\system32\contfilt.dll
2007-04-28 23:38 90,112 --a------ C:\WINDOWS\inst_tsp.exe
2007-04-28 23:38 9,488 --a------ C:\WINDOWS\sporder.dll
2007-04-28 23:38 7,680 --a------ C:\WINDOWS\sporder.exe
2007-04-28 23:38 335,872 --a------ C:\WINDOWS\system32\mwtsp.dll
2007-04-28 23:38 146,432 --a------ C:\WINDOWS\R.COM
2007-04-28 23:38 135,680 --a------ C:\WINDOWS\system32\T.COM
2007-04-28 23:38 130,560 --a------ C:\WINDOWS\system32\ZIPDLL.DLL
2007-04-28 23:38 125,440 --a------ C:\WINDOWS\system32\UNZDLL.DLL
2007-04-28 23:38 123,878 --a------ C:\WINDOWS\winsbak2.reg
2007-04-28 23:38 12,946 --a------ C:\WINDOWS\winsbak.reg
2007-04-28 23:38 110,592 --a------ C:\WINDOWS\system32\mwnsp.dll
2007-04-28 23:38 <DIR> d-------- C:\WINDOWS\system32\FLCSS.EXE
2007-04-28 23:38 <DIR> d-------- C:\Program Files\Common Files\MicroWorld
2007-04-28 23:38 <DIR> d-------- C:\DOCUME~1\REMOTE~1\Documents
2007-04-28 23:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Documents
2007-04-25 16:22 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-04-21 16:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Eset
2007-04-21 13:36 12,245,711 --------- C:\AVG7QT.DAT
2007-04-21 11:52 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-04-21 11:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-19 20:01 <DIR> d-------- C:\Program Files\SHOUTcast
2007-04-12 20:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-03 21:51 <DIR> d-------- C:\Program Files\GetRight

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 13:34:36 9,857 ----a-w C:\WINDOWS\mozver.dat
2007-05-30 12:42:28 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-30 11:21:58 -------- d-----w C:\DOCUME~1\TOM\APPLIC~1\MailWasherPro
2007-05-28 11:16:03 -------- d-----w C:\Program Files\Trend Micro Cleaner Tool
2007-05-28 00:08:01 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-10 23:02:52 -------- d-----w C:\Program Files\MPEG Audio Collection
2007-05-06 18:05:38 -------- d-----w C:\DOCUME~1\TOM\APPLIC~1\Vso
2007-04-19 18:17:44 -------- d-----w C:\Program Files\Winamp
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 01:42:00 -------- d-----w C:\Program Files\Today Application
2007-04-01 02:14:59 -------- d-----w C:\Program Files\Belarc
2007-03-31 00:42:29 87,608 ----a-w C:\DOCUME~1\TOM\APPLIC~1\ezpinst.exe
2007-03-31 00:42:29 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-03-31 00:42:29 47,360 ----a-w C:\DOCUME~1\TOM\APPLIC~1\pcouffin.sys
2007-03-31 00:42:27 -------- d-----w C:\Program Files\vso
2007-03-31 00:41:09 -------- d-----w C:\Program Files\Common Files\Download Manager
2007-03-22 20:47:35 46,344 ----a-w C:\WINDOWS\NSSetDefaultBrowser.EXE
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 02:07:31 13 ----a-w C:\WINDOWS\ffs.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=D:\Program Files\Companion\Installs\cpn0\yt.dll [2006-10-26 11:28]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2006-06-13 20:36]
{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 13:29]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-10-11 00:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 20:38 C:\WINDOWS\system32\P17.dll]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 16:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="D:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2006-01-16 17:09]
"XarkaToday"="C:\Program Files\Today Application\Today.exe" [2007-04-13 13:33]
"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2007-01-25 13:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"="D:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 16:18]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\Manager.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Contents of the 'Scheduled Tasks' folder
2007-05-30 13:04:01 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
2007-05-12 20:38:23 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1165335067.job
2007-05-30 11:23:48 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-05-30 11:20:45 C:\WINDOWS\tasks\XoftSpySE 2.job
2006-12-08 16:30:42 C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 10:01:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-30 10:02:10
C:\ComboFix-quarantined-files.txt ... 2007-05-30 10:02
--- E O F ---

2004-08-04 03:56 135680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-04 03:56 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
2006-11-07 06:40 112640 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.skn.vir
2007-02-15 11:19 1837 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\vermini_x1.ini.vir
2007-02-15 11:19 2020 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\vermini.ini.vir
2007-02-15 11:19 997 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\vermini_x.ini.vir
2007-03-16 03:08 21616 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\patch_cmd.exe.vir
2007-03-21 15:10 5 --a------ C:\Qoobox\Quarantine\C\WINDOWS\TEMP.EXE.vir
2007-03-25 23:58 595584 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\ARMP.ocx.vir
2007-03-26 00:00 344192 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\in_psp.dll.vir
2007-03-26 00:01 157824 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\MultiVMR9.dll.vir
2007-03-26 00:02 97920 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\out_mmshttp.dll.vir
2007-03-26 00:04 41088 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\updateC2.ocx.vir
2007-03-26 00:05 116352 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.dll.vir
2007-03-26 00:08 272000 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UURecorder.exe.vir
2007-03-26 00:09 485504 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\uusee_video.dll.vir
2007-03-26 00:12 324736 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUSeePlayer.exe.vir
2007-03-26 00:13 313472 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUSEEAudioDec.ax.vir
2007-03-26 00:14 100480 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\u264Dec.ax.vir
2007-03-26 00:16 153728 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UFDeMux.ax.vir
2007-04-05 03:51 38416 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.ocx.vir
2007-05-01 21:24 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\ntters.dll.vir
2007-05-01 21:31 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\179.dll.vir
2007-05-01 21:31 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\ma.dll.vir
2007-05-01 21:34 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\186.dll.vir
2007-05-01 21:34 41570 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\uninst.exe.vir
2007-05-01 21:34 46 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUSee.url.vir
2007-05-02 08:15 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\10.dll.vir
2007-05-06 14:16 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\20297.dll.vir

Folder PATH listing
Volume serial number is 201F-AF7E
C:\QOOBOX
\---Quarantine
    +---C
    |   +---Program Files
    |   |   \---uusee
    |   |           ARMP.ocx.vir
    |   |           in_psp.dll.vir
    |   |           MultiVMR9.dll.vir
    |   |           out_mmshttp.dll.vir
    |   |           patch_cmd.exe.vir
    |   |           u264Dec.ax.vir
    |   |           UFDeMux.ax.vir
    |   |           uninst.exe.vir
    |   |           updateC2.ocx.vir
    |   |           UUPlayer.dll.vir
    |   |           UUPlayer.ocx.vir
    |   |           UUPlayer.skn.vir
    |   |           UURecorder.exe.vir
    |   |           UUSee.url.vir
    |   |           UUSEEAudioDec.ax.vir
    |   |           UUSeePlayer.exe.vir
    |   |           uusee_video.dll.vir
    |   |           vermini.ini.vir
    |   |           vermini_x.ini.vir
    |   |           vermini_x1.ini.vir
    |   |
    |   \---WINDOWS
    |       |   10.dll.vir
    |       |   179.dll.vir
    |       |   186.dll.vir
    |       |   20297.dll.vir
    |       |   ma.dll.vir
    |       |   ntters.dll.vir
    |       |   REGEDIT.COM.vir
    |       |   TEMP.EXE.vir
    |       |
    |       \---system32
    |               TASKMGR.COM.vir
    |
    \---Registry_backups
MasterChu, thank you for your response. That is exactly the way I deleted the entry C:\WINDOWS\system32\Manager.dll, but as you can see in my reports it is not there anymore, and I am trying to delete the corresponding registry entry:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\Manager.dll

I also tried, in the registry, renaming the "windows" key to "windows2", deleting the whole AppInit_DLLs value, and setting the value to "", but it comes back after reboot. I would like someone to look at the HJT report and let me know what to do next. Thanks.
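As an added example (not part of any post in this thread), here is a small parser for the HijackThis log format posted above. It groups entries by section code and flags the load points a reviewer checks first, including the O20 AppInit_DLLs line that this thread is about. The sample lines are constructed in the format of the posted log, and the severity labels and triage rules are my own, not something HijackThis produces.

```python
"""Parse a HijackThis (HJT) 1.99-style log and flag the load points worth a
second look.  Added example: the triage rules below are the editor's own."""
import re
from collections import Counter

# Constructed sample in the format of the log posted above (a subset of its lines).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [XarkaToday] C:\Program Files\Today Application\Today.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
""".strip()

# Every HJT entry has the shape "<code> - <body>", e.g. "O20 - AppInit_DLLs: C:\...".
ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.+)$")
# First Windows path ending in a binary extension; paths may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|com|ocx|ax)\b", re.IGNORECASE)


def parse_hjt(text):
    """Return one {'code', 'body', 'raw'} dict per HJT entry, skipping header
    lines and the running-process list, which do not match the entry shape."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "raw": raw.strip()})
    return entries


def summarize(entries):
    """Count entries per section code, e.g. {'O2': 2, 'O20': 2, ...}."""
    return dict(Counter(e["code"] for e in entries))


def extract_path(body):
    """Pull the referenced file path out of an entry body, or None if there is none."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def review(entries):
    """Flag the load points a reviewer checks first.

    Returns (severity, code, reason, path) tuples; the severities are triage
    choices made for this example, not a HijackThis feature."""
    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        path = extract_path(body)
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # user32.dll loads every DLL named in AppInit_DLLs into each process that
            # links user32, so the entry keeps working as long as the value is set and
            # the file exists; that is why it is the first thing to look at here.
            findings.append(("high", code, "AppInit_DLLs injection into every user32-linked process", path))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(("medium", code, "Winlogon Notify DLL runs inside winlogon.exe", path))
        elif "(no file)" in body:
            findings.append(("low", code, "stale registration, target file is missing", None))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(("medium", code, "service binary carries no publisher information", path))
        elif code == "O10":
            findings.append(("medium", code, "Winsock LSP entry; remove only with an LSP-aware tool", path))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for sev, code, reason, path in review(parsed):
        print(f"[{sev:6}] {code}: {reason} -> {path}")
```

Feed it the full posted log instead of SAMPLE_LOG and the O20 AppInit_DLLs line comes out as the only high-severity finding, with the two "(no file)" BHOs and the "Unknown owner" service listed underneath it as lower-priority items.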
There are still some weird DLLs in your ComboFix log. You could try another round with VundoFix. I am not totally familiar with Ewido antispyware yet. If the guard.exe program is protecting the registry or some files from being changed, you need to disable it right now while you are trying to fix your system.

Hidden files and folders need to be shown temporarily: http://www.bleepingcomputer.com/tutorials/tutorial62.html You can set that back after your computer is fixed.

Please rename HijackThis.exe to nana2.exe (or another name of your choosing). Some malware is programmed to hide from the HijackThis file name.

Please download ATF Cleaner here: http://www.atribune.org/content/view/25/2/ and print the instructions. (Please note the comments about saving cookies when you run it later.)

Please download VundoFix here: http://www.atribune.org/content/view/24/2/ and print the instructions. (Please delete your current version and the c:\vundofix.txt log file and do this step so you will have the most current version.)

Please check Ewido antispyware for updates and update if necessary.

Please run VundoFix according to its instructions. After the last reboot required by VundoFix, please run ATF Cleaner according to its instructions. Please run Ewido/AVG antispyware and save a log. Then run HijackThis and save its log.

Then post the C:\vundofix.txt log, the Ewido/AVG antispyware log, and the HijackThis log.
Thank you very much for your help. Problem solved with an old-fashioned System Restore to a previous date.
Hi, I'm glad you got the system running properly again. I would still have a concern that there are infected files on your system and would still recommend that VundoFix and at least one online scan (AVG or Kaspersky, or both) be run to check your system over. As I said before, there are some odd-looking DLL files in that ComboFix log. Regards. bc