[infaddict]

Hi LostandConfused

Ok, the Vundofix is still not working as expected. I'm going to ask you to use a new tool to try and fix this infection.

REMOVED LINK

Run Killer.exe from your desktop

Tick the Mark All box

In the file path box type "C:\WINDOWS\Web\Wallpaper\baktapi.dll" (not including quotes) and click the Kill button.

At the confirmation prompt, click Yes. The tool will delete the file and in doing so, your desktop may disappear - this is normal. Give the tool 15 seconds or so to be sure that it has finished. Then click the Restart button and then click the second Restart button to restart your PC.

Please reply with a Fresh HijackThis log and let me know how you did with the above instructions. If everthing worked, we have some small tidy ups to do

[Advertisements]

when doing that i get an error message claiming i do not have permission, error 70i don't have permission.

Edited by Lostandconfused, 05 November 2005 - 05:18 PM.

[Lostandconfused]

when doing that i get an error message claiming i do not have permission, error 70i don't have permission.

Edited by Lostandconfused, 05 November 2005 - 05:18 PM.

[Atribune]

Are you logged in as an administator?

[Lostandconfused]

Are you logged in as an administator?

yes both normal and safe mode I get the same error. what is going on I am about to delete the hard drive and start over.

This bugger is persistent

[infaddict]

Hi Lostandconfused

This is very strange. You have used 2 different tools and both are giving errors which leads me to believe you don't have admin priveliges

Can you confirm this is a stand-alone home PC, rather than a PC connected to a network that signs onto a domain?

Whilst I investigate this further, please can you try to add a new user account (using Control Panel -> User Accounts) and ensure the new user account is given Administrator status. Then reboot and sign on to that new account and retry the Killer instructions given in my last post.

Thanks

[Lostandconfused]

As per your request, I created a new admin account named "Test" I gave this full computer administrator capabilities. I at the same time made my personal account "Kyle" a limited access account.

Things I noticed after doing that. I no longer have issues (on the Kyle account) with Ccap not shutting down, but I do have error messages popping up now saying (on top) Rundll then beneath "cannot load C:\Windows\Web\Wallpaper\baktapi.dll"

I will have approximately 6 messages saying the same thing about 2x a day.

When I run Killer on my admin account named "test" i get that same message I was getting before, error 70 permission denied. Why can't I just delete this flipping thing.

[infaddict]

POST

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

• Click the Free Trial link under to "SpySweeper" to download the program.
• Install it. Once the program is installed, it will open.
• It will prompt you to update to the latest definitions, click Yes.
• Once the definitions are installed, click Options on the left side.
• Click the Sweep Options tab.
• Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
• Click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply.

[Lostandconfused]

********
2:03 PM: | Start of Session, Sunday, November 13, 2005 |
2:03 PM: Spy Sweeper started
2:03 PM: Sweep initiated using definitions version 572
2:03 PM: Starting Memory Sweep
2:03 PM: Warning: Failed to load image: C:\WINDOWS\Web\Wallpaper\baktapi.dll
2:04 PM: Found Adware: virtumonde
2:04 PM: Detected running threat: C:\WINDOWS\Web\Wallpaper\baktapi.dll (ID = 77)
2:07 PM: Memory Sweep Complete, Elapsed Time: 00:04:19
2:07 PM: Starting Registry Sweep
2:07 PM: Found Trojan Horse: 2nd-thought
2:07 PM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
2:07 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
2:07 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
2:07 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
2:07 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
2:07 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
2:07 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
2:07 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
2:07 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
2:07 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
2:07 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
2:07 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
2:07 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
2:07 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
2:07 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
2:07 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
2:07 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
2:07 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
2:07 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
2:07 PM: HKLM\software\classes\swrt01.rt\ (3 subtraces) (ID = 102002)
2:07 PM: HKCR\swrt01.rt\ (3 subtraces) (ID = 102024)
2:07 PM: Found Adware: addestroyer
2:07 PM: HKCR\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102730)
2:07 PM: HKCR\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102732)
2:07 PM: HKCR\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102733)
2:07 PM: HKCR\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102734)
2:07 PM: HKCR\swlad1.swlad\ (3 subtraces) (ID = 102736)
2:07 PM: HKLM\software\classes\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 102739)
2:07 PM: HKLM\software\classes\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102741)
2:07 PM: HKLM\software\classes\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 102742)
2:07 PM: HKLM\software\classes\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102743)
2:07 PM: HKLM\software\classes\swlad1.swlad\ (3 subtraces) (ID = 102745)
2:07 PM: HKLM\software\classes\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 102746)
2:07 PM: HKLM\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102747)
2:07 PM: HKCR\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 102750)
2:07 PM: HKCR\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102751)
2:07 PM: Found Adware: aksoft
2:07 PM: HKLM\software\aksoft\.support\ (10 subtraces) (ID = 103365)
2:07 PM: HKLM\software\aksoft\.target\ (80 subtraces) (ID = 103366)
2:07 PM: Found Adware: altnet
2:07 PM: HKLM\software\classes\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (23 subtraces) (ID = 103494)
2:07 PM: Found Adware: couponage
2:07 PM: HKLM\software\couponage\ (4243 subtraces) (ID = 112524)
2:08 PM: Found Adware: topsearch
2:08 PM: HKCR\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (23 subtraces) (ID = 143925)
2:08 PM: HKLM\software\classes\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (9 subtraces) (ID = 143928)
2:08 PM: HKCR\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (9 subtraces) (ID = 143930)
2:08 PM: Found Adware: virtualbouncer
2:08 PM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
2:08 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
2:08 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
2:08 PM: Found Adware: websearch toolbar
2:08 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
2:08 PM: Found Adware: winad
2:08 PM: HKLM\software\winad client\ (1 subtraces) (ID = 147237)
2:08 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
2:08 PM: HKLM\software\classes\clsid\{18bbdf4d-611d-41ce-a7e7-b2dd23c250d1}\ (11 subtraces) (ID = 392390)
2:08 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
2:08 PM: HKLM\software\aksoft\ (34385 subtraces) (ID = 639132)
2:08 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
2:08 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
2:08 PM: HKCR\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749140)
2:08 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
2:08 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
2:08 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (ID = 749160)
2:08 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749166)
2:08 PM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\progid\ (1 subtraces) (ID = 749172)
2:08 PM: Registry Sweep Complete, Elapsed Time:00:00:43
2:08 PM: Starting Cookie Sweep
2:08 PM: Found Spy Cookie: adlegend cookie
2:08 PM: user@adlegend[1].txt (ID = 2074)
2:08 PM: Found Spy Cookie: atwola cookie
2:08 PM: [email protected][1].txt (ID = 2256)
2:08 PM: user@atwola[1].txt (ID = 2255)
2:08 PM: Found Spy Cookie: bravenet cookie
2:08 PM: user@bravenet[1].txt (ID = 2322)
2:08 PM: Found Spy Cookie: ic-live cookie
2:08 PM: user@ic-live[1].txt (ID = 2821)
2:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:08 PM: Starting File Sweep
2:09 PM: inneradinstall.log (ID = 49035)
2:32 PM: cacore.dll (ID = 54694)
2:32 PM: 29766496-d637-47d9-81f0-79c28d (ID = 49675)
2:32 PM: carules.dll (ID = 54699)
2:34 PM: casync.dll (ID = 54700)
2:38 PM: Warning: Unhandled Archive Type
2:38 PM: Warning: Unhandled Archive Type
2:40 PM: Warning: Invalid Stream
2:40 PM: File Sweep Complete, Elapsed Time: 00:32:19
2:40 PM: Full Sweep has completed. Elapsed time 00:37:22
2:40 PM: Traces Found: 39218
2:43 PM: Removal process initiated
2:43 PM: Quarantining All Traces: 2nd-thought
2:43 PM: Quarantining All Traces: virtumonde
2:43 PM: virtumonde is in use. It will be removed on reboot.
2:43 PM: C:\WINDOWS\Web\Wallpaper\baktapi.dll is in use. It will be removed on reboot.
2:43 PM: Quarantining All Traces: websearch toolbar
2:43 PM: Quarantining All Traces: addestroyer
2:43 PM: Quarantining All Traces: aksoft
2:44 PM: Quarantining All Traces: altnet
2:44 PM: Quarantining All Traces: couponage
2:45 PM: Quarantining All Traces: topsearch
2:45 PM: Quarantining All Traces: virtualbouncer
2:45 PM: Quarantining All Traces: winad
2:45 PM: Quarantining All Traces: adlegend cookie
2:45 PM: Quarantining All Traces: atwola cookie
2:45 PM: Quarantining All Traces: bravenet cookie
2:45 PM: Quarantining All Traces: ic-live cookie
2:46 PM: Preparing to restart your computer. Please wait...
2:46 PM: Removal process completed. Elapsed time 00:02:36
2:51 PM: BHO Shield: found: -- BHO installation denied at user request
2:51 PM: BHO Shield: found: -- BHO installation denied at user request
********
2:00 PM: | Start of Session, Sunday, November 13, 2005 |
2:00 PM: Spy Sweeper started
2:00 PM: Your spyware definitions have been updated.
2:03 PM: | End of Session, Sunday, November 13, 2005 |

[infaddict]

Hi

Please restart you computer and post a fresh HijackThis log... also let me know how your system is now running

[Lostandconfused]

Logfile of HijackThis v1.99.1
Scan saved at 7:03:23 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\Wallpaper\baktapi.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...411/mcfscan.cab
O20 - Winlogon Notify: baktapi - C:\WINDOWS\Web\Wallpaper\baktapi.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



so far so good it hasn't really slowed down. I am going to try and start to back things up but for some reason my Nero burning program won't work now...

The VIRUS IS GONE!!!!!

[infaddict]

Hi Lostandconfused

Great News!!!!

Ok, lets remove the final traces of Vundo from your log...

Please run HijackThis, perform a scan and then place a check next to the following items :

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\Wallpaper\baktapi.dll (file missing)
O20 - Winlogon Notify: baktapi - C:\WINDOWS\Web\Wallpaper\baktapi.dll (file missing)

Then close all other windows or browsers except HijackThis and click Fixed Checked. Close HijackThis.

As a final precaution, please run an online Panda ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Then please reply with the results of the ActiveScan and a fresh HijackThis log. I can then hopefully confirm you are clean

[infaddict]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.