
Trojan horse generic4.RNT in manager.dll

Discussion in 'Windows - Virus and spyware problems' started by nana2, May 30, 2007.

  1. nana2

    nana2 Member

    My AVG gives me an alert about "manager.dll" in "c:\windows\system32"
    as a "Trojan horse generic4.RNT".
    I was not able to get rid of:
    AppInit_DLLs: C:\WINDOWS\system32\Manager.dll

    Here are my HJT and ComboFix printouts.
    Your help is appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:56:41 AM, on 5/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    D:\Program Files\Clock Tray Skins\ClockTraySkins.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    D:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
    D:\Program Files\MailWasher Pro\MailWasher.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\TOM\Desktop\USEFULL CHORTCUTS\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Companion\Installs\cpn0\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunOnce: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe runonce
    O4 - HKCU\..\Run: [SkinClock] D:\Program Files\Clock Tray Skins\ClockTraySkins.exe
    O4 - HKCU\..\Run: [XarkaToday] C:\Program Files\Today Application\Today.exe
    O4 - HKCU\..\Run: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup
    O4 - Startup: CaptureWiz.lnk = D:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
    O4 - Startup: MailWasherPro.lnk = D:\Program Files\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?763eb53e35e74837a012bde971f2d744
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?763eb53e35e74837a012bde971f2d744
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165097492687
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Here is the text from ComboFix:

    "TOM" - 2007-05-30 10:00:28 Service Pack 2
    ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\TOM\Desktop\USEFULL CHORTCUTS\911-FORCE\combofix\"


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))


    2007-05-29 14:09 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-29 13:54 <DIR> d-------- C:\VundoFix Backups
    2007-05-28 14:55 1,298 --a------ C:\WINDOWS\system32\tmp.reg
    2007-05-28 14:28 15,204,352 --a------ C:\Documents and Settings\TOM\ntuser.dat
    2007-05-28 14:28 15,204,352 --a------ C:\DOCUME~1\TOM\ntuser.dat
    2007-05-26 12:03 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\iolo
    2007-05-26 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
    2007-05-18 19:21 <DIR> d-------- C:\Program Files\Speed Startup
    2007-05-12 12:39 20,471 --a------ C:\WINDOWS\hpoins01.dat
    2007-05-12 12:39 16,618 --------- C:\WINDOWS\hpomdl01.dat
    2007-05-12 12:38 81,920 -ra------ C:\WINDOWS\system32\hpovst08.dll
    2007-05-11 09:05 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\Yahoo!
    2007-05-09 16:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-05-07 20:49 <DIR> d-------- C:\WINDOWS\Paltalk Messenger
    2007-05-07 20:49 <DIR> d-------- C:\Program Files\Paltalk Messenger
    2007-05-03 19:21 4,733,788 --a------ C:\WINDOWS\system32\dmap_01200015035.exe
    2007-05-03 19:21 0 --a------ C:\WINDOWS\sdfsdfjl.dll
    2007-05-02 22:12 <DIR> d-------- C:\Program Files\AxBx
    2007-05-02 19:39 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\Uniblue
    2007-05-02 19:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-05-02 19:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-05-02 19:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-05-02 09:24 <DIR> d-------- C:\WINDOWS\system32\070411
    2007-05-01 22:17 0 --a------ C:\WINDOWS\004g.dll
    2007-05-01 22:05 0 --a------ C:\WINDOWS\qh3.dll
    2007-05-01 21:34 2,358,634 --a------ C:\WINDOWS\system32\UUSEE_konglong_Setup_186.exe
    2007-05-01 21:33 146,432 --a------ C:\WINDOWS\regbin.exe
    2007-05-01 21:31 0 --a------ C:\WINDOWS\Setup(37).dll
    2007-05-01 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YoGen
    2007-04-30 11:36 <DIR> d-------- C:\Program Files\Jufsoft
    2007-04-29 10:45 <DIR> d-------- C:\WINDOWS\Prefetch
    2007-04-28 23:38 913,408 --a------ C:\WINDOWS\system32\contfilt.dll
    2007-04-28 23:38 90,112 --a------ C:\WINDOWS\inst_tsp.exe
    2007-04-28 23:38 9,488 --a------ C:\WINDOWS\sporder.dll
    2007-04-28 23:38 7,680 --a------ C:\WINDOWS\sporder.exe
    2007-04-28 23:38 335,872 --a------ C:\WINDOWS\system32\mwtsp.dll
    2007-04-28 23:38 146,432 --a------ C:\WINDOWS\R.COM
    2007-04-28 23:38 135,680 --a------ C:\WINDOWS\system32\T.COM
    2007-04-28 23:38 130,560 --a------ C:\WINDOWS\system32\ZIPDLL.DLL
    2007-04-28 23:38 125,440 --a------ C:\WINDOWS\system32\UNZDLL.DLL
    2007-04-28 23:38 123,878 --a------ C:\WINDOWS\winsbak2.reg
    2007-04-28 23:38 12,946 --a------ C:\WINDOWS\winsbak.reg
    2007-04-28 23:38 110,592 --a------ C:\WINDOWS\system32\mwnsp.dll
    2007-04-28 23:38 <DIR> d-------- C:\WINDOWS\system32\FLCSS.EXE
    2007-04-28 23:38 <DIR> d-------- C:\Program Files\Common Files\MicroWorld
    2007-04-28 23:38 <DIR> d-------- C:\DOCUME~1\REMOTE~1\Documents
    2007-04-28 23:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Documents
    2007-04-25 16:22 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-04-21 16:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Eset
    2007-04-21 13:36 12,245,711 --------- C:\AVG7QT.DAT
    2007-04-21 11:52 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
    2007-04-21 11:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-19 20:01 <DIR> d-------- C:\Program Files\SHOUTcast
    2007-04-12 20:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-04-03 21:51 <DIR> d-------- C:\Program Files\GetRight


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-30 13:34:36 9,857 ----a-w C:\WINDOWS\mozver.dat
    2007-05-30 12:42:28 -------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-05-30 11:21:58 -------- d-----w C:\DOCUME~1\TOM\APPLIC~1\MailWasherPro
    2007-05-28 11:16:03 -------- d-----w C:\Program Files\Trend Micro Cleaner Tool
    2007-05-28 00:08:01 -------- d-----w C:\Program Files\SpywareBlaster
    2007-05-10 23:02:52 -------- d-----w C:\Program Files\MPEG Audio Collection
    2007-05-06 18:05:38 -------- d-----w C:\DOCUME~1\TOM\APPLIC~1\Vso
    2007-04-19 18:17:44 -------- d-----w C:\Program Files\Winamp
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-18 01:42:00 -------- d-----w C:\Program Files\Today Application
    2007-04-01 02:14:59 -------- d-----w C:\Program Files\Belarc
    2007-03-31 00:42:29 87,608 ----a-w C:\DOCUME~1\TOM\APPLIC~1\ezpinst.exe
    2007-03-31 00:42:29 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
    2007-03-31 00:42:29 47,360 ----a-w C:\DOCUME~1\TOM\APPLIC~1\pcouffin.sys
    2007-03-31 00:42:27 -------- d-----w C:\Program Files\vso
    2007-03-31 00:41:09 -------- d-----w C:\Program Files\Common Files\Download Manager
    2007-03-22 20:47:35 46,344 ----a-w C:\WINDOWS\NSSetDefaultBrowser.EXE
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-16 02:07:31 13 ----a-w C:\WINDOWS\ffs.dat
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=D:\Program Files\Companion\Installs\cpn0\yt.dll [2006-10-26 11:28]
    {31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2006-06-13 20:36]
    {53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 13:29]
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-10-11 00:26]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "P17Helper"="P17.dll" [2005-05-03 20:38 C:\WINDOWS\system32\P17.dll]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 16:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkinClock"="D:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2006-01-16 17:09]
    "XarkaToday"="C:\Program Files\Today Application\Today.exe" [2007-04-13 13:33]
    "SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2007-01-25 13:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousUserGroupPolicy"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="D:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 16:18]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\Manager.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
    backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    Contents of the 'Scheduled Tasks' folder
    2007-05-30 13:04:01 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
    2007-05-12 20:38:23 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1165335067.job
    2007-05-30 11:23:48 C:\WINDOWS\tasks\MP Scheduled Scan.job
    2007-05-30 11:20:45 C:\WINDOWS\tasks\XoftSpySE 2.job
    2006-12-08 16:30:42 C:\WINDOWS\tasks\XoftSpySE.job

    ********************************************************************

    catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-30 10:01:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    ********************************************************************

    Completion time: 2007-05-30 10:02:10
    C:\ComboFix-quarantined-files.txt ... 2007-05-30 10:02

    --- E O F ---


    Code:
    2004-08-04 03:56      135680    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
    2004-08-04 03:56      146432    --a------    C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
    2006-11-07 06:40      112640    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.skn.vir
    2007-02-15 11:19      1837    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\vermini_x1.ini.vir
    2007-02-15 11:19      2020    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\vermini.ini.vir
    2007-02-15 11:19      997    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\vermini_x.ini.vir
    2007-03-16 03:08      21616    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\patch_cmd.exe.vir
    2007-03-21 15:10      5    --a------    C:\Qoobox\Quarantine\C\WINDOWS\TEMP.EXE.vir
    2007-03-25 23:58      595584    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\ARMP.ocx.vir
    2007-03-26 00:00      344192    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\in_psp.dll.vir
    2007-03-26 00:01      157824    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\MultiVMR9.dll.vir
    2007-03-26 00:02      97920    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\out_mmshttp.dll.vir
    2007-03-26 00:04      41088    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\updateC2.ocx.vir
    2007-03-26 00:05      116352    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.dll.vir
    2007-03-26 00:08      272000    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UURecorder.exe.vir
    2007-03-26 00:09      485504    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\uusee_video.dll.vir
    2007-03-26 00:12      324736    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UUSeePlayer.exe.vir
    2007-03-26 00:13      313472    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UUSEEAudioDec.ax.vir
    2007-03-26 00:14      100480    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\u264Dec.ax.vir
    2007-03-26 00:16      153728    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UFDeMux.ax.vir
    2007-04-05 03:51      38416    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.ocx.vir
    2007-05-01 21:24      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\ntters.dll.vir
    2007-05-01 21:31      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\179.dll.vir
    2007-05-01 21:31      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\ma.dll.vir
    2007-05-01 21:34      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\186.dll.vir
    2007-05-01 21:34      41570    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\uninst.exe.vir
    2007-05-01 21:34      46    --a------    C:\Qoobox\Quarantine\C\Program Files\uusee\UUSee.url.vir
    2007-05-02 08:15      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\10.dll.vir
    2007-05-06 14:16      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\20297.dll.vir
    
    
    Folder PATH listing
    Volume serial number is 201F-AF7E
    C:\QOOBOX
    \---Quarantine
        +---C
        |   +---Program Files
        |   |   \---uusee
        |   |           ARMP.ocx.vir
        |   |           in_psp.dll.vir
        |   |           MultiVMR9.dll.vir
        |   |           out_mmshttp.dll.vir
        |   |           patch_cmd.exe.vir
        |   |           u264Dec.ax.vir
        |   |           UFDeMux.ax.vir
        |   |           uninst.exe.vir
        |   |           updateC2.ocx.vir
        |   |           UUPlayer.dll.vir
        |   |           UUPlayer.ocx.vir
        |   |           UUPlayer.skn.vir
        |   |           UURecorder.exe.vir
        |   |           UUSee.url.vir
        |   |           UUSEEAudioDec.ax.vir
        |   |           UUSeePlayer.exe.vir
        |   |           uusee_video.dll.vir
        |   |           vermini.ini.vir
        |   |           vermini_x.ini.vir
        |   |           vermini_x1.ini.vir
        |   |           
        |   \---WINDOWS
        |       |   10.dll.vir
        |       |   179.dll.vir
        |       |   186.dll.vir
        |       |   20297.dll.vir
        |       |   ma.dll.vir
        |       |   ntters.dll.vir
        |       |   REGEDIT.COM.vir
        |       |   TEMP.EXE.vir
        |       |   
        |       \---system32
        |               TASKMGR.COM.vir
        |               
        \---Registry_backups
    
     
  2. MasterChu

    MasterChu Guest

    Moving to Langjökull in Iceland - so all the info I posted is moving with me!
     
    Last edited by a moderator: Jun 11, 2007
  3. nana2

    nana2 Member

    MasterChu, thank you for your response.
    That was exactly the way I deleted the entry in
    C:\WINDOWS\system32\Manager.dll

    But as you can see in my reports, it is not there anymore, and I am trying to delete the corresponding registry entry:

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\Manager.dll

    I also tried renaming the "windows" key in the registry to "windows2", and deleting the whole AppInit_Dlls key or setting its value to "", but it comes back after reboot.
    I would like someone to look at the HJT report and let me know what to do next.
    Thanks
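An added triage script, not code from this thread or from HijackThis: it parses lines in the HijackThis log format posted above and pulls out the persistence points a responder checks first (the O20 AppInit_DLLs value that keeps returning, Winlogon Notify packages, orphan BHO registrations, Run entries launched through rundll32, and repeated Winsock LSP lines). The sample log is constructed from lines in the first post; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v1.99 log format, modelled on the log posted
# above (the long list is trimmed to the lines this triage cares about).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
"""

# Every HJT finding line is "<section> - <body>"; sections are R0..R3, F0..F2, O1..O23.
HJT_LINE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
BHO_LINE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_LINE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run(?:Once)?): \[(.*?)\] (.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for each finding line, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Pull out the persistence points a responder checks first in an HJT log."""
    result = {
        "appinit_dlls": [],       # O20: loaded into every process that maps user32.dll
        "winlogon_notify": [],    # O20: DLLs winlogon loads at logon, before the desktop
        "orphan_bhos": [],        # O2 entries whose DLL is gone: leftover registrations
        "rundll32_autoruns": [],  # O4 entries that hide the real payload behind rundll32
        "lsp_files": Counter(),   # O10: one line per LSP chain entry, so repeats are normal
    }
    for section, body in parse_hjt(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Windows splits this value on spaces and commas; each item is a DLL path.
            value = body.split(":", 1)[1].strip()
            result["appinit_dlls"].extend(p for p in re.split(r"[ ,]+", value) if p)
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].strip().partition(" - ")
            result["winlogon_notify"].append((name, path))
        elif section == "O2":
            m = BHO_LINE.match(body)
            if m and m.group(3) == "(no file)":
                result["orphan_bhos"].append(m.group(2))
        elif section == "O4":
            m = RUN_LINE.match(body)
            if m and m.group(3).lower().startswith("rundll32"):
                result["rundll32_autoruns"].append((m.group(2), m.group(3)))
        elif section == "O10":
            path = body.split(":", 1)[1].strip().lower()
            result["lsp_files"][path] += 1
    return result


def findings(text):
    """Human-readable triage notes, highest-impact persistence first."""
    t = triage(text)
    notes = []
    for dll in t["appinit_dlls"]:
        notes.append(f"HIGH: AppInit_DLLs loads {dll} into every GUI process; verify "
                     "the file's publisher and clear the value if it is unknown")
    for name, path in t["winlogon_notify"]:
        notes.append(f"REVIEW: Winlogon Notify package {name} -> {path}")
    for name, cmd in t["rundll32_autoruns"]:
        notes.append(f"REVIEW: Run entry [{name}] launches via rundll32: {cmd}")
    for clsid in t["orphan_bhos"]:
        notes.append(f"LOW: orphan BHO registration {clsid} (DLL missing); safe to remove")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_LOG):
        print(note)
```

A value that reappears after every reboot, as the AppInit_DLLs entry does here, points to a second component (a service, driver, or Run entry) restoring it, which is why the other sections are worth reading alongside the O20 line.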
     
  4. bluecoal

    bluecoal Guest

    There are still some weird dlls in your combofix log. You could try another round with vundofix.


    I am not totally familiar with Ewido antispyware yet. If the guard.exe program is protecting the registry or some files from being changed, you need to disable it right now while you are trying to fix your system.

    Hidden files and folders need to be shown temporarily:
    http://www.bleepingcomputer.com/tutorials/tutorial62.html
    You can set that back after your computer is fixed.

    Please rename HijackThis.exe to nana2.exe (or another name of your choosing). Some malware is programmed to hide from the HijackThis file name.

    Please download atf cleaner here:
    http://www.atribune.org/content/view/25/2/
    and print the instructions. (Please note the comments about saving cookies when you run it later.)

    Please download VundoFix here:
    http://www.atribune.org/content/view/24/2/
    and print the instructions.
    (please delete your current version and the c:\vundofix.txt log file and do this step so you will have the most current version.)

    Please check Ewido antispyware for updates and update if necessary.

    Please run VundoFix according to its instructions.

    After the last reboot required by VundoFix,
    please run ATF Cleaner according to its instructions.
    Please run Ewido/AVG Anti-Spyware and save a log.
    Then run HijackThis and save its log.

    Then post the C:\vundofix.txt log, the Ewido/AVG Anti-Spyware log, and the HijackThis log.
     
  5. nana2

    nana2 Member

    Thank you very much for your help; the problem was solved with an old-fashioned system restore to a previous date.
     
  6. bluecoal

    bluecoal Guest

    Hi,

    I'm glad you got the system running properly again.

    I would still have a concern that there are infected files on your system and would still recommend that VundoFix and at least one online scan (AVG or Kaspersky, or both) be run to check your system over. As I said before, there are some odd-looking dll files in that ComboFix log.

    Regards.
    bc
     
