0

Hi,

I have tried Adaware, CWShredder, Spybot and Norton Anti Virus, but I still keep getting "Trojan.Bookmarker.gen removed" notices on my system. I've run Hijak This and thought I'd found it (log below), but it keeps coming back. I've noticed a temp file appears after rebooting, so it must be in my registry somewhere, right? But where?

Any help much appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 18:27:01, on 24/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by netbreeze
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM..\Run: [BootWarn] D:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM..\Run: [System Process] C:\WINDOWS\csrss.exe /i
O4 - HKLM..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKCU..\Run: [System Update] C:\WINDOWS\System\update.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.netbreeze.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093338746131
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38217.3676041667
O17 - HKLM\System\CCS\Services\Tcpip..{66E68CAB-933D-48C8-B6EA-67F062BBDCE9}: NameServer = 194.168.4.100 194.168.8.100

Edited by Dani: Formatting fixed

4
Contributors
5
Replies
6
Views
13 Years
Discussion Span
Last Post by crunchie
0

This worked for me with the same problem; first go to:
http://www.resplendence.com/reglite
Download and install Registrar Lite, and then run the program. Copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "GO" tab. On the right side panel find the "Appinit_Dlls" value; double-click it (if you don't double-click, it won't work), and then copy and post the information that comes up in the "Value" field here in this thread for instructions on what to do next.

0

This worked for me with the same problem; first go to:
http://www.resplendence.com/reglite
Download and install Registrar Lite, and then run the program. Copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "GO" tab. On the right side panel find the "Appinit_Dlls" value; double-click it (if you don't double-click, it won't work), and then copy and post the information that comes up in the "Value" field here in this thread for instructions on what to do next.

Hello from the Hollow,
Well, I have the same Trojan Bookmark problem. I've followed the instructions above and hwere is the "value" that the program responded with.

C:\WINNT\System32\wdm.dll

What's next please?

0

-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.

-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\wdm.dll (random named dll) <- delete this line ,
'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

Check in the system32 folder if the culprit dll is visible & delete it.

0

Hello from the Hollow,

Thanks a LOT. That seems to have done it.

I've fought this beast for months and it's a great relief to be done with it.

Again, many, many thanks.

The Headless Horseman

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.