Virus & PF Usage Problem

[Adam007]

Recently I got the Trojan.Vundo.B virus which infected C:/Windows/cursors/infodb.dll. It spread to 5 other files, which Norton was able to quarantine. That one though, Norton can't delete or do anything with (access denied). I tried system restore, which didn't work. It had it's own process for a little bit which slowed the computer. I killed that, but now it's slow again, and Norton is taking like 10-20% of my cpu, and at a huge 220k memory usage. Even worse is that my PF Usage is at a whopping 1.30 GB. The CPU usage seems fine, but I had like really nothing running except firefox and the usual norton yesterday, and windows had to create more virtual memory for me. Seems what I have to do is get rid of the virus, but I have no clue how to, since I couldn't delete it in safe mode, and Norton isn't able to do anything. Help would be VERY MUCH appreciated. :)

 

 

 

(Let me know if you need any other info, such as a hijackthis)

[Hannibal]

I think you're best off posting a hijackthislog here, AND deleting that file. Google seems to never have heard of it, and the cursors directory shouldn't contain dll files anyway.

[Adam007]

I've tried a lot of ways to delete the file, it won't let me (access denied). I'll post a hijackthis log eventually if nobody else knows what I should do.

[zonda]

Can you actually manually find the file? Is it hidden? It it protected?

[Adam007]

It didn't show up in the actual cursors file, but when I searched for the file name inside the cursor file it did. I tried deleting it in safe mode even, but the usual "this is used by another program, so you can't delete it" message came up. And Norton gives me an access denied message. My computer is running extremely slow, so I'd like to get this fixed soon. :?

[Adam007]

Here's my log:

 

 

 

 

 

 

 

Logfile of HijackThis v1.99.1

 

 

 

Scan saved at 1:36:15 PM, on 4/30/2005

 

 

 

Platform: Windows XP SP2 (WinNT 5.01.2600)

 

 

 

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

 

 

 

 

 

 

Running processes:

 

 

 

C:\WINDOWS\System32\smss[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\services[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\lsass[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\svchost[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\svchost[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]

 

 

 

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\drivers\KodakCCS[Caution: ExecutableFile]

 

 

 

C:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\ScsiAccess[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\svchost[Caution: ExecutableFile]

 

 

 

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\Explorer[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\hkcmd[Caution: ExecutableFile]

 

 

 

C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile]

 

 

 

C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09[Caution: ExecutableFile]

 

 

 

C:\Program Files\HP\hpcoretech\hpcmpmgr[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\hphmon05[Caution: ExecutableFile]

 

 

 

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2[Caution: ExecutableFile]

 

 

 

C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\HPZipm12[Caution: ExecutableFile]

 

 

 

C:\Program Files\SpywareGuard\sgmain[Caution: ExecutableFile]

 

 

 

C:\Program Files\SpywareGuard\sgbhp[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\taskmgr[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\notepad[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]

 

 

 

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971[Caution: ExecutableFile]

 

 

 

C:\Program Files\Microsoft Office\Office\WINWORD[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\msagent\AgentSvr[Caution: ExecutableFile]

 

 

 

C:\Program Files\Mozilla Firefox\firefox[Caution: ExecutableFile]

 

 

 

C:\Program Files\Spybot - Search & Destroy\SpybotSD[Caution: ExecutableFile]

 

 

 

C:\DOCUME~1\LIEBER~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis[Caution: ExecutableFile]

 

 

 

 

 

 

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/

 

 

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

 

 

 

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lieberman\Application Data\Mozilla\Profiles\default\iihmt62h.slt\prefs.js)

 

 

 

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

 

 

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

 

 

 

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Cursors\infodb.dll

 

 

 

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

 

 

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

 

 

 

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

 

 

 

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

 

 

 

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

 

 

 

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

 

 

 

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

 

 

 

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime

 

 

 

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon[Caution: ExecutableFile]

 

 

 

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim[Caution: ExecutableFile] -cnetwait.odl

 

 

 

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile]" /background

 

 

 

O4 - Startup: PowerReg SchedulerV2[Caution: ExecutableFile]

 

 

 

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain[Caution: ExecutableFile]

 

 

 

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: ExecutableFile]

 

 

 

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare[Caution: ExecutableFile]

 

 

 

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971[Caution: ExecutableFile]

 

 

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9[Caution: ExecutableFile]

 

 

 

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html

 

 

 

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html

 

 

 

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html

 

 

 

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html

 

 

 

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html

 

 

 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

 

 

 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

 

 

 

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim[Caution: ExecutableFile]

 

 

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]

 

 

 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]

 

 

 

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

 

 

 

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab

 

 

 

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab

 

 

 

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab

 

 

 

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

 

 

 

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

 

 

O20 - Winlogon Notify: admp3 - C:\WINDOWS\

 

 

 

O20 - Winlogon Notify: faxacc - C:\WINDOWS\

 

 

 

O20 - Winlogon Notify: infodb - C:\WINDOWS\Cursors\infodb.dll

 

 

 

O20 - Winlogon Notify: wavekb - C:\WINDOWS\Fonts\wavekb.dll (file missing)

 

 

 

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]

 

 

 

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc[Caution: ExecutableFile]

 

 

 

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS[Caution: ExecutableFile]

 

 

 

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing[Caution: ExecutableFile]

 

 

 

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile]

 

 

 

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12[Caution: ExecutableFile]

 

 

 

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd[Caution: ExecutableFile]" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

 

 

 

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ[Caution: ExecutableFile]

 

 

 

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess[Caution: ExecutableFile]

 

 

 

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: ExecutableFile]

 

 

 

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC[Caution: ExecutableFile]

 

 

 

 

 

 

 

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Cursors\infodb.dll is the problem but it won't remove.

 

 

 

 

 

 

 

O20 - Winlogon Notify: admp3 - C:\WINDOWS\

 

 

 

O20 - Winlogon Notify: faxacc - C:\WINDOWS\

 

 

 

O20 - Winlogon Notify: infodb - C:\WINDOWS\Cursors\infodb.dll

 

 

 

O20 - Winlogon Notify: wavekb - C:\WINDOWS\Fonts\wavekb.dll (file missing)

 

 

 

 

 

 

 

Those don't look good either. Wavekb.dll was once infected with the virus, but I was able to delete that one after renaming it to a .txt file, opening it, and erasing all the f483lksdf type text. Not sure if that did anything, but I was able to kind of delete it. And again, there's the infodb.dll which is the main problem right now. Those couldn't be removed/fixed either.

 

 

 

And also Norton isn't at 200k memory usage anymore, and is now at around 4k with 5-10 cpu.

[Adam007]

NAVAPSVC[Caution: ExecutableFile] is now at 300k (back up again) and the Page File usage is still climbing, now at 1.64 GB. I could really use some help, this computer is getting really slow. :?

 

 

 

 

 

 

 

-(edit)- Ended NAVAPSVC[Caution: ExecutableFile]'s process, restarted norton, now it's back to 576k and the computer's going fine right now with PF usage of 638MB. Just hoping things stay ok for now, even though I have this virus.

[Mercifull]

http://www.pcreview.co.uk/forums/showth ... post244261