Trojan horse generic4.RNT in manager.dll
nana2
Newbie
30. May 2007 @ 07:08
My AVG gives me an alert about "manager.dll" in "c:\windows\system32"
as a "Trojan horse generic4.RNT".
I was not able to get rid of:
AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
Here are my HjT and ComboFix printouts.
Your help is appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 9:56:41 AM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
D:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
D:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\TOM\Desktop\USEFULL CHORTCUTS\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe runonce
O4 - HKCU\..\Run: [SkinClock] D:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [XarkaToday] C:\Program Files\Today Application\Today.exe
O4 - HKCU\..\Run: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup
O4 - Startup: CaptureWiz.lnk = D:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
O4 - Startup: MailWasherPro.lnk = D:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?763eb53e35e74837a012bde971f2d744
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?763eb53e35e74837a012bde971f2d744
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1165097492687
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Here is the text from ComboFix:
"TOM" - 2007-05-30 10:00:28 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\TOM\Desktop\USEFULL CHORTCUTS\911-FORCE\combofix\"
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))
2007-05-29 14:09 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-29 13:54 <DIR> d-------- C:\VundoFix Backups
2007-05-28 14:55 1,298 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-28 14:28 15,204,352 --a------ C:\Documents and Settings\TOM\ntuser.dat
2007-05-28 14:28 15,204,352 --a------ C:\DOCUME~1\TOM\ntuser.dat
2007-05-26 12:03 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\iolo
2007-05-26 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2007-05-18 19:21 <DIR> d-------- C:\Program Files\Speed Startup
2007-05-12 12:39 20,471 --a------ C:\WINDOWS\hpoins01.dat
2007-05-12 12:39 16,618 --------- C:\WINDOWS\hpomdl01.dat
2007-05-12 12:38 81,920 -ra------ C:\WINDOWS\system32\hpovst08.dll
2007-05-11 09:05 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\Yahoo!
2007-05-09 16:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 20:49 <DIR> d-------- C:\WINDOWS\Paltalk Messenger
2007-05-07 20:49 <DIR> d-------- C:\Program Files\Paltalk Messenger
2007-05-03 19:21 4,733,788 --a------ C:\WINDOWS\system32\dmap_01200015035.exe
2007-05-03 19:21 0 --a------ C:\WINDOWS\sdfsdfjl.dll
2007-05-02 22:12 <DIR> d-------- C:\Program Files\AxBx
2007-05-02 19:39 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\Uniblue
2007-05-02 19:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-02 19:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-02 19:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-02 09:24 <DIR> d-------- C:\WINDOWS\system32\070411
2007-05-01 22:17 0 --a------ C:\WINDOWS\004g.dll
2007-05-01 22:05 0 --a------ C:\WINDOWS\qh3.dll
2007-05-01 21:34 2,358,634 --a------ C:\WINDOWS\system32\UUSEE_konglong_Setup_186.exe
2007-05-01 21:33 146,432 --a------ C:\WINDOWS\regbin.exe
2007-05-01 21:31 0 --a------ C:\WINDOWS\Setup(37).dll
2007-05-01 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YoGen
2007-04-30 11:36 <DIR> d-------- C:\Program Files\Jufsoft
2007-04-29 10:45 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-28 23:38 913,408 --a------ C:\WINDOWS\system32\contfilt.dll
2007-04-28 23:38 90,112 --a------ C:\WINDOWS\inst_tsp.exe
2007-04-28 23:38 9,488 --a------ C:\WINDOWS\sporder.dll
2007-04-28 23:38 7,680 --a------ C:\WINDOWS\sporder.exe
2007-04-28 23:38 335,872 --a------ C:\WINDOWS\system32\mwtsp.dll
2007-04-28 23:38 146,432 --a------ C:\WINDOWS\R.COM
2007-04-28 23:38 135,680 --a------ C:\WINDOWS\system32\T.COM
2007-04-28 23:38 130,560 --a------ C:\WINDOWS\system32\ZIPDLL.DLL
2007-04-28 23:38 125,440 --a------ C:\WINDOWS\system32\UNZDLL.DLL
2007-04-28 23:38 123,878 --a------ C:\WINDOWS\winsbak2.reg
2007-04-28 23:38 12,946 --a------ C:\WINDOWS\winsbak.reg
2007-04-28 23:38 110,592 --a------ C:\WINDOWS\system32\mwnsp.dll
2007-04-28 23:38 <DIR> d-------- C:\WINDOWS\system32\FLCSS.EXE
2007-04-28 23:38 <DIR> d-------- C:\Program Files\Common Files\MicroWorld
2007-04-28 23:38 <DIR> d-------- C:\DOCUME~1\REMOTE~1\Documents
2007-04-28 23:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Documents
2007-04-25 16:22 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-04-21 16:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Eset
2007-04-21 13:36 12,245,711 --------- C:\AVG7QT.DAT
2007-04-21 11:52 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-04-21 11:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-19 20:01 <DIR> d-------- C:\Program Files\SHOUTcast
2007-04-12 20:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-03 21:51 <DIR> d-------- C:\Program Files\GetRight
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-30 13:34:36 9,857 ----a-w C:\WINDOWS\mozver.dat
2007-05-30 12:42:28 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-30 11:21:58 -------- d-----w C:\DOCUME~1\TOM\APPLIC~1\MailWasherPro
2007-05-28 11:16:03 -------- d-----w C:\Program Files\Trend Micro Cleaner Tool
2007-05-28 00:08:01 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-10 23:02:52 -------- d-----w C:\Program Files\MPEG Audio Collection
2007-05-06 18:05:38 -------- d-----w C:\DOCUME~1\TOM\APPLIC~1\Vso
2007-04-19 18:17:44 -------- d-----w C:\Program Files\Winamp
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 01:42:00 -------- d-----w C:\Program Files\Today Application
2007-04-01 02:14:59 -------- d-----w C:\Program Files\Belarc
2007-03-31 00:42:29 87,608 ----a-w C:\DOCUME~1\TOM\APPLIC~1\ezpinst.exe
2007-03-31 00:42:29 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-03-31 00:42:29 47,360 ----a-w C:\DOCUME~1\TOM\APPLIC~1\pcouffin.sys
2007-03-31 00:42:27 -------- d-----w C:\Program Files\vso
2007-03-31 00:41:09 -------- d-----w C:\Program Files\Common Files\Download Manager
2007-03-22 20:47:35 46,344 ----a-w C:\WINDOWS\NSSetDefaultBrowser.EXE
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 02:07:31 13 ----a-w C:\WINDOWS\ffs.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=D:\Program Files\Companion\Installs\cpn0\yt.dll [2006-10-26 11:28]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2006-06-13 20:36]
{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 13:29]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-10-11 00:26]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 20:38 C:\WINDOWS\system32\P17.dll]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 16:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="D:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2006-01-16 17:09]
"XarkaToday"="C:\Program Files\Today Application\Today.exe" [2007-04-13 13:33]
"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2007-01-25 13:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousUserGroupPolicy"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"="D:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 16:18]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\Manager.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup
~ ~ ~ ~ ~ ~ ~ ~ HijackThis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Contents of the 'Scheduled Tasks' folder
2007-05-30 13:04:01 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
2007-05-12 20:38:23 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1165335067.job
2007-05-30 11:23:48 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-05-30 11:20:45 C:\WINDOWS\tasks\XoftSpySE 2.job
2006-12-08 16:30:42 C:\WINDOWS\tasks\XoftSpySE.job
********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 10:01:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-05-30 10:02:10
C:\ComboFix-quarantined-files.txt ... 2007-05-30 10:02
--- E O F ---
2004-08-04 03:56 135680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-04 03:56 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
2006-11-07 06:40 112640 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.skn.vir
2007-02-15 11:19 1837 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\vermini_x1.ini.vir
2007-02-15 11:19 2020 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\vermini.ini.vir
2007-02-15 11:19 997 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\vermini_x.ini.vir
2007-03-16 03:08 21616 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\patch_cmd.exe.vir
2007-03-21 15:10 5 --a------ C:\Qoobox\Quarantine\C\WINDOWS\TEMP.EXE.vir
2007-03-25 23:58 595584 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\ARMP.ocx.vir
2007-03-26 00:00 344192 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\in_psp.dll.vir
2007-03-26 00:01 157824 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\MultiVMR9.dll.vir
2007-03-26 00:02 97920 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\out_mmshttp.dll.vir
2007-03-26 00:04 41088 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\updateC2.ocx.vir
2007-03-26 00:05 116352 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.dll.vir
2007-03-26 00:08 272000 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UURecorder.exe.vir
2007-03-26 00:09 485504 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\uusee_video.dll.vir
2007-03-26 00:12 324736 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUSeePlayer.exe.vir
2007-03-26 00:13 313472 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUSEEAudioDec.ax.vir
2007-03-26 00:14 100480 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\u264Dec.ax.vir
2007-03-26 00:16 153728 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UFDeMux.ax.vir
2007-04-05 03:51 38416 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUPlayer.ocx.vir
2007-05-01 21:24 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\ntters.dll.vir
2007-05-01 21:31 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\179.dll.vir
2007-05-01 21:31 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\ma.dll.vir
2007-05-01 21:34 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\186.dll.vir
2007-05-01 21:34 41570 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\uninst.exe.vir
2007-05-01 21:34 46 --a------ C:\Qoobox\Quarantine\C\Program Files\uusee\UUSee.url.vir
2007-05-02 08:15 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\10.dll.vir
2007-05-06 14:16 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\20297.dll.vir
Folder PATH listing
Volume serial number is 201F-AF7E
C:\QOOBOX
\---Quarantine
+---C
| +---Program Files
| | \---uusee
| | ARMP.ocx.vir
| | in_psp.dll.vir
| | MultiVMR9.dll.vir
| | out_mmshttp.dll.vir
| | patch_cmd.exe.vir
| | u264Dec.ax.vir
| | UFDeMux.ax.vir
| | uninst.exe.vir
| | updateC2.ocx.vir
| | UUPlayer.dll.vir
| | UUPlayer.ocx.vir
| | UUPlayer.skn.vir
| | UURecorder.exe.vir
| | UUSee.url.vir
| | UUSEEAudioDec.ax.vir
| | UUSeePlayer.exe.vir
| | uusee_video.dll.vir
| | vermini.ini.vir
| | vermini_x.ini.vir
| | vermini_x1.ini.vir
| |
| \---WINDOWS
| | 10.dll.vir
| | 179.dll.vir
| | 186.dll.vir
| | 20297.dll.vir
| | ma.dll.vir
| | ntters.dll.vir
| | REGEDIT.COM.vir
| | TEMP.EXE.vir
| |
| \---system32
| TASKMGR.COM.vir
|
\---Registry_backups
|
MasterChu
Suspended due to non-functional email address
30. May 2007 @ 09:04
Moving to Langjökull in Iceland - so all the info I posted is moving with me!
This message has been edited since posting. Last time this message was edited on 11. June 2007 @ 16:34
nana2
Newbie
30. May 2007 @ 10:25
MasterChu, thank you for your response.
That was exactly the way I deleted the entry in
C:\WINDOWS\system32\Manager.dll
but as you can see in my reports, it is not there anymore, and I am trying to delete the corresponding registry entry:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\Manager.dll
I also tried renaming the "windows" key in the registry to "windows2", and deleting the whole AppInit_DLLs key or setting the value of the key to "", but it comes back after reboot.
I would like someone to look at the HjT report and let me know what to do next.
Thanks
bluecoal
Suspended due to non-functional email address
31. May 2007 @ 20:23
There are still some weird dlls in your combofix log. You could try another round with vundofix.
I am not totally familiar with Ewido antispyware yet. If the guard.exe program is protecting the registry or some files from being changed, you need to disable it right now while you are trying to fix your system.
Hidden files and folders need to be shown temporarily:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
You can set that back after your computer is fixed.
Please rename HijackThis.exe to nana2.exe (or another name of your choosing). Some malware is programmed to hide from the HijackThis file name.
Please download ATF Cleaner here:
http://www.atribune.org/content/view/25/2/
and print the instructions. (Please note the comments about saving cookies when you run it later.)
Please download VundoFix here:
http://www.atribune.org/content/view/24/2/
and print the instructions.
(please delete your current version and the c:\vundofix.txt log file and do this step so you will have the most current version.)
Please check Ewido antispyware for updates and update if necessary.
Please run VundoFix according to its instructions.
After the last reboot required by VundoFix,
please run ATF Cleaner according to its instructions.
Please run Ewido/AVG Anti-Spyware and save a log.
Run HijackThis and save its log.
Then post the C:\vundofix.txt log, the ewido/avg antispyware log, and the HijackThis log.
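A small triage script for the two logs in the opening post and for bluecoal's remark above about odd-looking DLLs in the ComboFix output. This is an added example written for this page, not code from the thread or from the HijackThis/ComboFix authors; the sample lines are constructed from the shape of the logs posted, and the two ComboFix heuristics (zero-byte DLLs, DLLs dropped directly in the Windows root) are assumptions of this example, not a vendor signature.

```python
import re
from dataclasses import dataclass

# Constructed samples, shaped like the HijackThis and ComboFix logs posted above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
"""
COMBOFIX_SAMPLE = r"""
2007-05-12 12:38 81,920 -ra------ C:\WINDOWS\system32\hpovst08.dll
2007-05-03 19:21 0 --a------ C:\WINDOWS\sdfsdfjl.dll
2007-05-02 22:12 <DIR> d-------- C:\Program Files\AxBx
2007-05-01 22:17 0 --a------ C:\WINDOWS\004g.dll
2007-05-01 21:31 0 --a------ C:\WINDOWS\Setup(37).dll
2007-04-28 23:38 9,488 --a------ C:\WINDOWS\sporder.dll
"""

HJT_O20 = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.+?)\s*$")
HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$")
CF_FILE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

@dataclass(frozen=True)
class Finding:
    source: str  # "HJT" or "ComboFix"
    reason: str
    detail: str

def triage_hijackthis(log: str) -> list:
    """Pull out the HijackThis lines a defender checks first."""
    findings = []
    for line in log.splitlines():
        m = HJT_O20.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll, so each
            # entry is a system-wide injection point. The value is comma (or space)
            # delimited; split on commas only, because paths may contain spaces.
            for dll in re.split(r"\s*,\s*", m.group("dlls")):
                if dll:
                    findings.append(Finding("HJT", "AppInit_DLLs load point", dll))
            continue
        m = HJT_O2.match(line)
        if m and m.group("path").lower() == "(no file)":
            # A BHO CLSID with no backing DLL is inert but should still be cleaned up.
            findings.append(Finding("HJT", "orphaned BHO CLSID", m.group("clsid")))
    return findings

def triage_combofix(log: str) -> list:
    """Flag DLLs in ComboFix's 'Files Created' listing with two simple heuristics."""
    findings = []
    for line in log.splitlines():
        m = CF_FILE.match(line)
        if not m or not m.group("size")[0].isdigit():
            continue  # unparsable lines and <DIR> entries
        path = m.group("path")
        parent, _, name = path.rpartition("\\")
        if not name.lower().endswith(".dll"):
            continue
        size = int(m.group("size").replace(",", ""))
        if size == 0:
            # A 0-byte DLL is a dropper placeholder or a half-removed component.
            findings.append(Finding("ComboFix", "zero-byte DLL", path))
        elif parent.lower() == r"c:\windows":
            # Legitimate DLLs rarely land in the Windows root; verify the publisher.
            findings.append(Finding("ComboFix", "DLL in Windows root", path))
    return findings

if __name__ == "__main__":
    for f in triage_hijackthis(HJT_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

Run it against the full logs instead of the samples to get a short list of what to submit to a scanner or remove; a flagged line is a lead to verify, not a verdict.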
nana2
Newbie
2. June 2007 @ 16:33
Thank you very much for your help; problem solved with an old-fashioned System Restore to a previous date.
bluecoal
Suspended due to non-functional email address
2. June 2007 @ 20:40
Hi,
I'm glad you got the system running properly again.
I would still have a concern that there are infected files on your system and would still recommend that vundofix and at least one online scan (AVG or kaspersky - or both) be run to check your system over. As I said before, there are some odd looking dll files in that combofix log.
Regards.
bc