 |  |  |  |  |  |  |  |
How do I get rid of trojan.bookmarker.gen?
 |
Hi,
I have tried Adaware, CWShredder, Spybot and Norton Anti Virus, but I still keep getting "Trojan.Bookmarker.gen removed" notices on my system. I've run Hijak This and thought I'd found it (log below), but it keeps coming back. I've noticed a temp file appears after rebooting, so it must be in my registry somewhere, right? But where?
Any help much appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 18:27:01, on 24/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)[/COLOR]
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by netbreeze
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [BootWarn] D:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\update.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.netbreeze.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093338746131
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...217.3676041667
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E68CAB-933D-48C8-B6EA-67F062BBDCE9}: NameServer = 194.168.4.100 194.168.8.100
I have tried Adaware, CWShredder, Spybot and Norton Anti Virus, but I still keep getting "Trojan.Bookmarker.gen removed" notices on my system. I've run Hijak This and thought I'd found it (log below), but it keeps coming back. I've noticed a temp file appears after rebooting, so it must be in my registry somewhere, right? But where?
Any help much appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 18:27:01, on 24/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)[/COLOR]
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by netbreeze
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [BootWarn] D:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\update.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.netbreeze.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093338746131
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...217.3676041667
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E68CAB-933D-48C8-B6EA-67F062BBDCE9}: NameServer = 194.168.4.100 194.168.8.100
This worked for me with the same problem; first go to:
http://www.resplendence.com/reglite
Download and install Registrar Lite, and then run the program. Copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
and hit the "GO" tab. On the right side panel find the "Appinit_Dlls" value; double-click it (if you don't double-click, it won't work), and then copy and post the information that comes up in the "Value" field here in this thread for instructions on what to do next.
http://www.resplendence.com/reglite
Download and install Registrar Lite, and then run the program. Copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
and hit the "GO" tab. On the right side panel find the "Appinit_Dlls" value; double-click it (if you don't double-click, it won't work), and then copy and post the information that comes up in the "Value" field here in this thread for instructions on what to do next.
•
•
Join Date: Sep 2004
Posts: 2
Reputation: 
Solved Threads: 0
Newbie Poster
•
•
•
•
Originally Posted by dlh6213
This worked for me with the same problem; first go to:
http://www.resplendence.com/reglite
Download and install Registrar Lite, and then run the program. Copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
and hit the "GO" tab. On the right side panel find the "Appinit_Dlls" value; double-click it (if you don't double-click, it won't work), and then copy and post the information that comes up in the "Value" field here in this thread for instructions on what to do next.
Well, I have the same Trojan Bookmark problem. I've followed the instructions above and hwere is the "value" that the program responded with.
C:\WINNT\System32\wdm.dll
What's next please?
•
•
Join Date: Feb 2004
Posts: 10,129
Reputation: 
Solved Threads: 770
-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.
-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.
-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\wdm.dll (random named dll) <- delete this line ,
'Apply' and 'ok' to set.
-Rename the NotWindows folder back to its
original name Windows
-Restart computer
Check in the system32 folder if the culprit dll is visible & delete it.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.
-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.
-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\wdm.dll (random named dll) <- delete this line ,
'Apply' and 'ok' to set.
-Rename the NotWindows folder back to its
original name Windows
-Restart computer
Check in the system32 folder if the culprit dll is visible & delete it.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
•
•
Join Date: Sep 2004
Posts: 2
Reputation:
Solved Threads: 0
Newbie Poster
Hello from the Hollow,
Thanks a LOT. That seems to have done it.
I've fought this beast for months and it's a great relief to be done with it.
Again, many, many thanks.
The Headless Horseman
Thanks a LOT. That seems to have done it.
I've fought this beast for months and it's a great relief to be done with it.
Again, many, many thanks.
The Headless Horseman
. |
Similar Threads
- Help with Trojan.bookmarker.gen (Viruses, Spyware and other Nasties)
- Trojan.bookmarker.gen (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: How to remove prosearch toolbar
- Next Thread: About:blank Trusted start page (tried everything now!!)
Views: 5595 | Replies: 5
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
acrobat adobe adware anti-malware anti-virussitesaccessissue antivirus attack avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial conficker connect control cyber cybercrime ddos e-mafia education email europe exam exploit explorer fake fancheckvirus firefox gaming google gumblar halloween herss.exe hijack hosting ie8 internet kaspersky legal links mail malware mcafee messagelabs microsoft mobile nazi news obama onlinethreats paedophile parents patch pc phishing police policeprovirusmba-mblockedinternetaccess president pro problem redirect reliability report research risk rogueantivirus rootkit samhain sans school search security seopoisoning software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system threat trojan unwanted update usa virus viruses vista volume war warning windows worm yahoo zero-day zeroday
