[rainking26]

Hi Guys,

It would be greatly appreciated if someone could help me with what I think is the hclean.exe problem. Every time I open IE, I get the Nortons pop-up saying that the Trojan hclean.exe exists, but it can not be removed. It then creates pop-ups to various sites.

Below is a copy of my Hijack This log, and would greatly appreciate your help:

Logfile of HijackThis v1.99.1
Scan saved at 7:26:33 PM, on 1/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\essspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Copernic Summarizer\CSAgent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\CAP4RSK.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\Software Programs\Hi-Jack This\HijackThis.exe
C:\WINDOWS\System32\ctpdesrv.exe

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AppPatch\vgamp3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vxdman] powerdll.exe
O4 - HKLM\..\Run: [bnui] NukeSpan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TrackerNotificationExtensions.exe] "C:\Program Files\Copernic Tracker\TrackerNotificationExtensions.exe" /loadunread /c
O4 - HKCU\..\Run: [CopernicSummarizerWatchdog] "C:\Program Files\Copernic Summarizer\CSAgent.exe" /thisismandatory
O4 - HKCU\..\Run: [jopplerg] prcmon.exe
O4 - HKCU\..\Run: [trycrt] forces_elite.exe
O4 - HKCU\..\Run: [control64] cmon14.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add Feed to Tristana Reader - res://C:\Program Files\Tristana Reader\Reader.exe/AddContent.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Summarize Using Copernic Summarizer - C:\Program Files\Copernic Summarizer\Web\SummarizePage.htm
O8 - Extra context menu item: Track Target Using Copernic Tracker - C:\Program Files\Copernic Tracker\Web\TrackTargetExt.htm
O8 - Extra context menu item: Track Using Copernic Tracker - C:\Program Files\Copernic Tracker\Web\TrackCurrentExt.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Track Page - {0CFE98C9-A0F8-4E6E-94D7-C8F9157B0A43} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: Summarize - {0F2D17A0-E7DF-4847-995B-6F3ABF5BF187} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O9 - Extra button: (no name) - {12200C1F-1E6B-4F57-8222-2811B123688C} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Tracker - {12200C1F-1E6B-4F57-8222-2811B123688C} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: LiveSummarizer - {6170AB22-F1E5-4D4F-8F6C-826C73838581} - C:\Program Files\Copernic Summarizer\CopernicSummarizerApp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B533C4C2-3FE2-4728-8661-AC93DF5D35A2} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Summarize Using Copernic Summarizer - {B533C4C2-3FE2-4728-8661-AC93DF5D35A2} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Protocol: copernictracker - {BACF7D7D-DEB2-4B11-8C6D-1693DC2555B8} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O20 - Winlogon Notify: vgamp3 - C:\WINDOWS\AppPatch\vgamp3.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Advertisements]

Hello RainKing and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have got two of the worst infections known to mankind, namely Vundo and Wareout. We will be conversing frequently to beat these two. I estimate at least 8 posts each. Let’s see what we can do with the first sweep, we’ll go for Vundo first.

BTW, with your luck being this good, don’t bother buying lottery tickets or doing any jay-walking, and carry an umbrella with you wherever you go.

Please download VundoFix.zip to your desktop.

• Double-click VundoFix.zip and extract it to your C:\ directory.
• Copy the instructions below and paste them into Notepad for reference.
  • All other windows need to be closed while doing this fix!
• Navigate to the new folder C:\VundoFix
• Double click on KillVundo.bat
  • When it starts running it will tell you that you need an active internet connection then ask you to press any key once you do.
• Please press any key to continue.
• Wait for HiJackThis to open.
• When HiJackThis opens, click Do a system scan only. Place a checkmark or tick next to the following items, if found:
  
  O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AppPatch\vgamp3.dll
  O4 - HKLM\..\Run: [vxdman] powerdll.exe
  O4 - HKLM\..\Run: [bnui] NukeSpan.exe
  O4 - HKCU\..\Run: [jopplerg] prcmon.exe
  O4 - HKCU\..\Run: [trycrt] forces_elite.exe
  O4 - HKCU\..\Run: [control64] cmon14.exe
  O20 - Winlogon Notify: vgamp3 - C:\WINDOWS\AppPatch\vgamp3.dll
  
• Once they all have a check next to them, click the FIX CHECKED button, then close HiJackThis.

You will once again be prompted to press any key. Upon doing so this time you will receive a "Blue Screen Of Death". Don't worry, this is normal! Let the computer reboot. If it doesn't boot straight to windows, manually turn the computer off and then back on.

Once the computer is rebooted post a new HiJackThis log as well as the contents of vundofix.txt which can be found in this folder: C:\VundoFix

Post back a fresh HijackThis log and I will take another look.

[Crustyoldbloke]

Hello RainKing and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have got two of the worst infections known to mankind, namely Vundo and Wareout. We will be conversing frequently to beat these two. I estimate at least 8 posts each. Let’s see what we can do with the first sweep, we’ll go for Vundo first.

BTW, with your luck being this good, don’t bother buying lottery tickets or doing any jay-walking, and carry an umbrella with you wherever you go.

Please download VundoFix.zip to your desktop.

• Double-click VundoFix.zip and extract it to your C:\ directory.
• Copy the instructions below and paste them into Notepad for reference.
  • All other windows need to be closed while doing this fix!
• Navigate to the new folder C:\VundoFix
• Double click on KillVundo.bat
  • When it starts running it will tell you that you need an active internet connection then ask you to press any key once you do.
• Please press any key to continue.
• Wait for HiJackThis to open.
• When HiJackThis opens, click Do a system scan only. Place a checkmark or tick next to the following items, if found:
  
  O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AppPatch\vgamp3.dll
  O4 - HKLM\..\Run: [vxdman] powerdll.exe
  O4 - HKLM\..\Run: [bnui] NukeSpan.exe
  O4 - HKCU\..\Run: [jopplerg] prcmon.exe
  O4 - HKCU\..\Run: [trycrt] forces_elite.exe
  O4 - HKCU\..\Run: [control64] cmon14.exe
  O20 - Winlogon Notify: vgamp3 - C:\WINDOWS\AppPatch\vgamp3.dll
  
• Once they all have a check next to them, click the FIX CHECKED button, then close HiJackThis.

You will once again be prompted to press any key. Upon doing so this time you will receive a "Blue Screen Of Death". Don't worry, this is normal! Let the computer reboot. If it doesn't boot straight to windows, manually turn the computer off and then back on.

Once the computer is rebooted post a new HiJackThis log as well as the contents of vundofix.txt which can be found in this folder: C:\VundoFix

Post back a fresh HijackThis log and I will take another look.

[rainking26]

Hi Crusty,

Thanks so much for taking the time out to help.

Does not sound good!

I will do the first action and then post back.

Once again thanks for your help.

[rainking26]

Sorry,

We have two identities on this PC but we only ever use 1.

[Crustyoldbloke]

I'm just glad it's not my PC.

I'll check the second ID when this one is clean (brave words).

[rainking26]

Hi Crusty,

You have got me really scared now!

Below is the new HiJack Log and then the Vundofix file.

Logfile of HijackThis v1.99.1
Scan saved at 9:07:41 PM, on 1/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\essspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Copernic Summarizer\CSAgent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\CAP4RSK.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\VundoFix\HijackThis.exe

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AppPatch\vgamp3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TrackerNotificationExtensions.exe] "C:\Program Files\Copernic Tracker\TrackerNotificationExtensions.exe" /loadunread /c
O4 - HKCU\..\Run: [CopernicSummarizerWatchdog] "C:\Program Files\Copernic Summarizer\CSAgent.exe" /thisismandatory
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add Feed to Tristana Reader - res://C:\Program Files\Tristana Reader\Reader.exe/AddContent.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Summarize Using Copernic Summarizer - C:\Program Files\Copernic Summarizer\Web\SummarizePage.htm
O8 - Extra context menu item: Track Target Using Copernic Tracker - C:\Program Files\Copernic Tracker\Web\TrackTargetExt.htm
O8 - Extra context menu item: Track Using Copernic Tracker - C:\Program Files\Copernic Tracker\Web\TrackCurrentExt.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Track Page - {0CFE98C9-A0F8-4E6E-94D7-C8F9157B0A43} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: Summarize - {0F2D17A0-E7DF-4847-995B-6F3ABF5BF187} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O9 - Extra button: (no name) - {12200C1F-1E6B-4F57-8222-2811B123688C} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Tracker - {12200C1F-1E6B-4F57-8222-2811B123688C} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: LiveSummarizer - {6170AB22-F1E5-4D4F-8F6C-826C73838581} - C:\Program Files\Copernic Summarizer\CopernicSummarizerApp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B533C4C2-3FE2-4728-8661-AC93DF5D35A2} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Summarize Using Copernic Summarizer - {B533C4C2-3FE2-4728-8661-AC93DF5D35A2} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Protocol: copernictracker - {BACF7D7D-DEB2-4B11-8C6D-1693DC2555B8} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O20 - Winlogon Notify: vgamp3 - C:\WINDOWS\AppPatch\vgamp3.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Vundofix file:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 556 'smss.exe'
Threads [560][564][568]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1644 'explorer.exe'
Killing PID 676 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 628 'winlogon.exe'
Killing PID 628 'winlogon.exe'
Sucessfully Deleted

[Crustyoldbloke]

This next bit is easy, although I am not sure that Vundo is gone, this should confirm it.

Please use search to find any files with this name with any suffix: 3pmagv

Any that you find, you must delete, but please tell what and where they were.

Edited by Crustyoldbloke, 01 September 2005 - 05:26 AM.

[rainking26]

Hi Crusty,

There were 3 files:

3pmagv.bak1 and that was in c:\windows.AppPatch
3pmagv.bak2 and that was in c:\windows.AppPatch
3pmagv.ini and that was in c:\windows.AppPatch

I deleted all of them.

Not good?

[Crustyoldbloke]

Fantastic.

This next bit is in 4 parts.

FIRST POST

Please RIGHT-CLICK HERE to download Silent Runner's.

• Save it to the desktop.
• Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
• You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
• Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[rainking26]

Hi Crusty,

Downloaded as a .vbs file?

When I click on it a windows pop-up says "Cannot find script engine......

Sorry, I am not sure what this means.

[Crustyoldbloke]

Not sure what you did, but right click, not left

[rainking26]

Hi Crusty,

If you look at the link you put up it goes to a SilentRunner.vbs file.

Is that the correct link?

Because I did right click and selected save link as....

[rainking26]

Hi Crusty,

Is silent runner a application?

Thanks again for you help.

Kind Regards

[Crustyoldbloke]

Yes its a script application Silent Runners.vbs

[rainking26]

Hi Crusty,

Hope you are back and still able to help with this problem.

When I double click on "Silent Runners.vbs" I get the following windows pop-up error:

Windows Script Host
Can't find script engine "VBScript" for script

What do you suggest?