steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
Hey folks, new to the forums, so Hi!! Happy New Year. Well, the problem appears to be a downloader trojan, which my NAV is obsessing about. I have done everything recommended on the Symantec security page, but I cannot get rid of the blasted thing. The infected file is called ''deeOg.dll'', and it seems to be impossible to remove, even in safe mode. I have no idea what it is doing, only that NAV warns about it every minute. I hope you guys can see something in this H.T log that I haven't spotted. Here's hoping!!
Logfile of HijackThis v1.99.0 Scan saved at 22:34:15, on 12/01/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\LVComS.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\steve Ault\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file) O1 - Hosts: 64.91.255.87 www.dcsresearch.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\dmi95C0.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE 
C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64" O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? 
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/axload.cab O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/48odhr0b.cab O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c11.cab O16 - DPF: {1B3E3251-658E-4F03-8881-68302FE3CE9E} - http://www.winsey.co.uk/friend/Winsey-light.xms O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec 
Shared\ccPwdSvc.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
Bump
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11786
Loc: London
Hi Steveo,
Do you have MessengerPlus? If so, and you want to keep it but didn't choose the option to refuse the advertising, then please uninstall the copy you have, then download it again, re-install it at the end of this fix and, when you get to the Sponsor Agreement, select the option which reads 'I Refuse, do not install the sponsor program'.
Download the program Hoster which gives you the ability to restore the default host file back onto your machine. To do so, download the Hoster program and run it. When it opens, click on the Restore Original Hosts button and then exit Hoster.
Open HijackThis, take another scan and tick the check-boxes beside all these entries.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file) O1 - Hosts: 64.91.255.87 www.dcsresearch.com O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\dmi95C0.dll O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat" O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing) O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/axload.cab O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/48odhr0b.cab O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c11.cab
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe" OPTIONAL Updater for the MSN toolbar that can be downloaded onto IE. Calls home every day or so to "update" the toolbar "Fix this entry if you wish."
Close all open Windows except Hijackthis and click on "fix Checked".
Reboot the Computer
Navigate to C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat <<<--- delete this file
Click the "Post Reply" button top right in this post and post a new log in this thread for review and re-evaluation to let us know how the Computer is running.
Joe.
Joe's Website
Understanding Spyware | Spybot Tutorial | Ad-Aware SE Tutorial | TrendMicro Scan | Online Trojan Scan | Kaspersky File Scanner | HijackThis | Windows Updates | AVG7 | Sygate | Spywareblaster
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
Thanks for your reply Joe. I have done everything you suggested. All the items checked seem to have disappeared. However, this has not solved the problem with the original infected file. The file is C:\WINDOWS\System32\DeeOg.dll. Norton is unable to access it, and I cannot move it, delete it, or change its name, even in safe mode and with System Restore turned off. Norton is bugging me every minute to warn me of it. However.......it is only active when I am on the internet!?! Anyway, here is my new HJT log, hope you can see if I'm missing something. Oh, and yes, I am using Spybot etc.
Logfile of HijackThis v1.99.0 Scan saved at 19:17:24, on 15/01/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\LVComS.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\steve Ault\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64" O4 - HKLM\..\Run: [Atari Launcher] C:\Program 
Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? 
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1B3E3251-658E-4F03-8881-68302FE3CE9E} - http://www.winsey.co.uk/friend/Winsey-light.xms O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE O23 - Service: iPod Service - Apple Computer, Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks!!
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
PS!!! Forgot to mention that on startup on desktop, I am getting the following message: ''C:\WINDOWS\SYSTEM32\AUTOEXEC.NT.The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application.'' (or ignore). Not sure if this is anything to do with this particular problem, or if it's just a missing file or something. It doesn't seem to hinder any of the programmes I use.
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
Hey guys, Any chance someone can have a quick peek at my new log? I know you are extremely busy so no panic, I'm just getting a little desperate!! Thanks!!!
Spoticus
new user
Reg'd: Wed
Posts: 1
Hi Steveo,
I have the exact same problem. The latest Norton will not/cannot access or delete the .dll file in my Windows/system32 directory that NAV detects as a downloader trojan. In my case the file is called e14e1.dll (or something like that) and I get warning popups constantly, enough so that I've decided not to use my computer until someone has figured out how to delete this file. I've been scanning other msg boards....here is some info I haven't tried yet but I will cut/paste it here in quotes.....
"Just a quick note on how to get rid of this type of fun stuff. To get rid of this type of persistent file I use a tool called MoveOnBoot which you can find here: http://www.gibinsoft.net/gipoutils/index.htm This will allow you to select the file to move or delete and where to move it to and what to rename it. This will prevent these pesky files from starting up as they will be in a different directory, with maybe a different name or you just deleted it, all before Windows can get its grubby hands on it and make your life hell. BTW, I only mention this as an aside to Kyle's response above, his method will work well on known virii and trojans but for unknown files I have had to use this. Also note this will let you get back to a working state but there will still be registry values and other stuff left over. I would then clean this all up using Ad-aware, Spybot S&D, HijackThis, or even just autoruns.exe from sysinternals.com. Then you should be good to go."
Steveo or ANYONE, please let's try and find a solution to this....I believe it's happening all over the world with no easy solutions. Nothing seems to be able to delete this freggin .dll, in safe mode or not.
Thanks
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
if you had looked around the forum you would have seen that this problem has been well covered HERE.
PLEASE DO NOT PM ME WITH YOUR HIJACK THIS LOG, POST IT ON THE FORUM AVG ANTIVIRUS..SYGATE FIREWALL..ADAWARE SE..SPYWAREBLASTER..HIJACK THIS..WINDOWS UPDATE..CWSHREDDER.EXE. SPYWARE GUARD..WINZIP BARNEYS PLACE
Sic biscuitus disintegratum
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
Close all windows, rerun HJT, put a tick beside these and click FIX CHECKED:
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe O16 - DPF: {1B3E3251-658E-4F03-8881-68302FE3CE9E} - http://www.winsey.co.uk/friend/Winsey-light.xms
nothing too bad in your log.
There is no sign of C:\WINDOWS\System32\DeeOg.dll in your log. You can use THE POCKET KILLBOX to get rid of it. Put the file's address in the address bar and click on the red button with the white cross.
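Both helpers above (Joe_London's fix list and bricat's second one) picked entries out of the log by eye: hosts-file overrides, a URLSearchHook with no file behind it, an unnamed BHO sitting in system32, a RunOnce that fires a batch file out of Temp, and ActiveX downloads from unfamiliar domains. The script below is an added example, not the forum's or HijackThis's own code, that applies those same checks mechanically to HijackThis-style log lines, and adds one check for the look-alike process name bricat warns about later in the thread (WINIOGON.EXE vs WINLOGON.EXE). The trusted-host allow-list, the set of imitated system binaries and the sample log (entries quoted from this thread plus one invented look-alike process) are my assumptions.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Windows core binaries whose names malware likes to imitate (assumed set).
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
}
# Assumed allow-list for O16 (ActiveX download) hosts; tune it for your own estate.
TRUSTED_DPF_SUFFIXES = (".msn.com", ".microsoft.com", ".windowsupdate.com")

# Characters that read alike in a file name: i/l/1/| and o/0.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
PROCESS_RE = re.compile(r"[A-Za-z]:\\.+\.exe", re.IGNORECASE)


def canonical(name: str) -> str:
    """Lower-case a file name and fold look-alike characters together."""
    return name.lower().translate(CONFUSABLE)


SYSTEM_CANON = {canonical(n): n for n in SYSTEM_PROCESS_NAMES}


@dataclass
class Finding:
    kind: str    # "process" or the HijackThis section code (R3, O1, O2, ...)
    reason: str
    line: str


def lookalike_of_system_binary(path: str):
    """Return the system binary a name imitates, or None if it is exact or unrelated."""
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in SYSTEM_PROCESS_NAMES:
        return None
    return SYSTEM_CANON.get(canonical(name))


def host_is_trusted(host: str) -> bool:
    return any(host == s[1:] or host.endswith(s) for s in TRUSTED_DPF_SUFFIXES)


def triage(log_text: str) -> list:
    """Walk the log once and collect the entries a helper would ask to see fixed."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.fullmatch(line):            # "Running processes" section
            target = lookalike_of_system_binary(line)
            if target:
                findings.append(Finding("process", f"name imitates {target}", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        fields = [f.strip() for f in rest.split(" - ")]
        if kind == "O1":                           # hosts-file override
            findings.append(Finding(kind, "hosts file redirection", line))
        elif kind in ("R3", "O2"):                 # URLSearchHook / BHO
            desc = fields[0].split(": ", 1)[-1]
            path = fields[-1]
            if path == "(no file)":
                findings.append(Finding(kind, "registered object has no backing file", line))
            elif desc in ("(no name)", "No description") and "\\system32\\" in path.lower():
                findings.append(Finding(kind, "unnamed object loaded from system32", line))
        elif kind == "O4" and "\\temp\\" in rest.lower():   # autorun out of Temp
            findings.append(Finding(kind, "autorun launches from a Temp directory", line))
        elif kind == "O16":                        # ActiveX download
            host = urlparse(fields[-1]).hostname or ""
            if not host_is_trusted(host):
                findings.append(Finding(kind, f"ActiveX download from untrusted host {host}", line))
    return findings


# Constructed sample: entries quoted in this thread, one per line as HijackThis
# writes them, plus one invented look-alike process name (WINIOGON.EXE).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\WINIOGON.EXE
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\dmi95C0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat"
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/axload.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}: {f.line}")
```

Running it over the sample flags six entries and leaves the Spybot SDHelper BHO, the Symantec autorun and the MSN game control alone. The heuristics are deliberately narrow: they surface what deserves a look, and a human still decides what gets ticked in HijackThis.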
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
Thanks both of you, appreciate the input. Bricat, I have to say that I have done nothing but look around the forums. I wake up screaming at night, and my wife actually said to me yesterday ''who the hell are you and what are you doing in my house?''! Seriously, the 16-bit thing hasn't bothered me, I just wondered if it was contributing to my problems. The virus on the other hand is a serious pain. I downloaded and ran Killbox as you suggested, and it said the file didn't exist!!!!! Well, I can open C:\WINDOWS\system32\ and there it is, bold as brass, deeOg.dll. It is apparently an application extension, but of course in Microsoft's wisdom they don't tell you which application....that would be too bloody easy. I'm not even sure what the blasted thing is doing apart from driving Norton nuts. It is supposedly (according to Symantec) reporting back on my internet activities and can do nasty things. It would be nice if I could at least turn off the NAV infected file alerts, but I can't even do that. Oh well.............guess I'm going to have to live with it. Too much stuff waiting to be burned off my pc to think about a reformat. In the meantime I have emailed Symantec to see if they have any further advice. But thanks again for your help guys. Steve.
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
By the way spoticus, I downloaded ''moveonboot'' and installed it. It informed me that the file in question was an incorrect file name!!! Incredible!! I surrender.
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
Try going to C:\WINDOWS\System32 and right-clicking on DeeOg.dll and renaming it to Deeogold.dll. Reboot into safe mode and then try deleting it.
if that doesn't work try this :-
Download and install APM from here: http://www.diamondcs.com.au/index.php?page=apm and start APM. In the upper window select explorer.exe. In the lower window find and right-click C:\WINDOWS\System32\DeeOg.dll, select Unload DLL, and click OK on the prompts that follow.
let us know how you get on.
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
OK some progress! Unable to rename...already tried that, and moving it, but access denied. Downloaded APM, ran it but deeOg.dll not in explorer. Went through all the other processes and eventually found it hiding away in C:\WINDOWS\system32\winlogon.exe. Since I'm not sure what this is/does, I have left well alone until I can hopefully get some more advice from you. One step further towards a result I pray! Thanks again for your help so far Bricat....much appreciated.
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
try this :-
Hit CTRL ALT DEL to bring up the Task Manager. Find and end process on WINLOGON.EXE, then try deleting deeOg.dll.
Just make sure that it is WINLOGON.EXE and not WINIOGON.EXE (capital "i" instead of L). If it is a capital "I", in safe mode delete "WINIOGON.EXE".
then reboot
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
Yep, tried that, definitely winlogon.exe, but it is a ''critical windows process and task manager cannot stop it''. Having done some research, apparently I am not alone. winlogon.exe in Google throws up a lot of ppl with the same problem. And the crux is that winlogon is not something to bugger about with. Ah well. I will get to the bottom of it. Even though it seems to be a downloader of trojans, as I am getting one new one every couple of days. All easily dealt with by NAV, but a pain nonetheless. At least Symantec know about it, who knows, they may even come up with a solution.
Once again thanks for all your help!!
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
Sorry I couldn't be more help, it is definitely something you can't muck about with. I'm wondering if it could be sorted with a DOS command. Anyway, let us know if you get a fix.
steveo
new user
Reg'd: Wed
Posts: 12
Loc: Essex UK
OK!!!!!!!! SUCCESS!!!!! Although I'm not sure which bit did it. Anyway, one of the suggestions was to use a programme called MoveOnBoot. Running this prog didn't work, as it said the infected file wasn't there. HOWEVER..... I noticed that if I right-clicked the file in system32, a new option of 'remove file on next boot' had appeared. I clicked this option, then scheduled chkdsk for a sweep on reboot. Lo, the offending file has been removed!!! I am now (at least for the moment) virus and trojan free. I can only assume that MoveOnBoot got rid of it, in which case this is a pretty stupendously helpful piece of software to have. Anyway, thanks again for helping me clean out the crap, you guys do a fantastic job helping people out....Muchas Gracias!!!!!
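Why 'remove file on next boot' succeeded where Task Manager, Killbox and renaming failed: the DLL was mapped into winlogon.exe, which cannot be ended, so no running-system tool could take the file. Tools of the MoveOnBoot kind (the one Spoticus quoted and steveo finally used) do not fight for the handle; they call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records a source/destination pair under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations (REG_MULTI_SZ), and Session Manager carries the operation out early in the next boot, before winlogon.exe or anything else can open the file. The code below is an added example, not the thread's or MoveOnBoot's own code; it builds and parses that registry format (pure Python, so it runs anywhere) and wraps the live call, which only works on Windows as an administrator. The DLL path in the sample is the one from this thread; the function names are mine.

```python
r"""Deferred file removal via MoveFileEx / PendingFileRenameOperations (added example)."""
import ctypes
import sys

MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
NT_PREFIX = "\\??\\"          # Windows stores the paths in NT object-namespace form


def pending_rename_pair(source: str, destination=None, replace_existing=False):
    """Build the source/destination pair Windows records for one deferred operation.

    An empty destination means delete; a '!' prefix on the destination means the
    target may be overwritten (what MOVEFILE_REPLACE_EXISTING adds).
    """
    src = source if source.startswith(NT_PREFIX) else NT_PREFIX + source
    if destination is None:
        return [src, ""]
    dst = destination if destination.startswith(NT_PREFIX) else NT_PREFIX + destination
    return [src, ("!" if replace_existing else "") + dst]


def parse_pending_operations(multi_sz):
    """Turn the REG_MULTI_SZ list back into (source, destination-or-None) tuples.

    Defender-side use: a deferred delete or rename that you did not schedule
    yourself is worth investigating before the next reboot carries it out.
    """
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")

    def strip(p):
        return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p

    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            ops.append((strip(src), None))
        else:
            ops.append((strip(src), strip(dst.lstrip("!"))))
    return ops


def schedule_delete_on_reboot(path: str) -> bool:
    """Ask Windows to delete `path` at the next boot.

    Returns False off Windows, or when the call fails (typically because the
    process is not running as an administrator).
    """
    if sys.platform != "win32":
        return False
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    kernel32.MoveFileExW.restype = ctypes.c_int
    return bool(kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


if __name__ == "__main__":
    # Constructed: the pair a deferred delete of the thread's DLL would write.
    pair = pending_rename_pair(r"C:\WINDOWS\system32\deeOg.dll")
    print(pair)
    print(parse_pending_operations(pair))
```

Reading the value back with parse_pending_operations is the useful half for incident response: the same mechanism that lets a cleanup tool remove a DLL held by winlogon.exe lets any administrator-level process schedule file replacements for the next boot, so the value is worth a look during triage of a machine like the one in this thread.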