#1 - 12-01-05, 22:46 - steveo (Join Date: Jan 2005, Location: Essex UK, Posts: 12)
downloader.trojan

Hey folks,
New to the forums, so Hi!! Happy New Year. Well, problems appear to be a downloader trojan, which my NAV is obsessing about. I have done everything recommended on the Symantec security page, but I cannot get rid of the blasted thing. The infected file is called ''deeOg.dll'', and it seems to be impossible to remove, even in safe mode. I have no idea what it is doing, only that NAV warns about it every minute. I hope you guys can see something in this HJT log that I haven't spotted. Here's hoping!!

Logfile of HijackThis v1.99.0
Scan saved at 22:34:15, on 12/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\steve Ault\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.halifax-online.co.uk/_me...ce=halifaxcouk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\dmi95C0.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/axload.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net...b/48odhr0b.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c11.cab
O16 - DPF: {1B3E3251-658E-4F03-8881-68302FE3CE9E} - http://www.winsey.co.uk/friend/Winsey-light.xms
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 - 14-01-05, 22:04 - steveo (Join Date: Jan 2005, Location: Essex UK, Posts: 12)
Re: downloader.trojan

Bump

#3 - 14-01-05, 22:06 - Joe_London, Global Moderator (Join Date: May 2003, Location: London, Posts: 11,753)
Re: downloader.trojan

Hi Steveo,

Do you have MessengerPlus? If so, and you want to keep it but didn't choose the option to refuse the advertising, then please uninstall the copy you have, then download it again, re-install it at the end of this fix and when you get to the Sponsor Agreement select the option which reads 'I Refuse, do not install the sponsor program'.

Download the program Hoster, which gives you the ability to restore the default hosts file back onto your machine. To do so, download the Hoster program and run it. When it opens, click on the Restore Original Hosts button and then exit Hoster.

Open HijackThis, take another scan and tick the check-boxes beside all these entries.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\dmi95C0.dll
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing)
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/axload.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net...b/48odhr0b.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c11.cab

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
OPTIONAL: Updater for the MSN toolbar that can be downloaded onto IE. Calls home every day or so to "update" the toolbar. Fix this entry if you wish.

Close all open windows except HijackThis and click on "Fix Checked".

Reboot the Computer

Navigate to C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat <<<--- delete this file

Click the "Post Reply" button top right in this post and post a new log in this thread for review and re-evaluation to let us know how the Computer is running.

Joe.

#4 - 15-01-05, 19:35 - steveo (Join Date: Jan 2005, Location: Essex UK, Posts: 12)
Re: downloader.trojan

Thanks for your reply Joe. I have done everything you suggested. All the items checked seem to have disappeared. However, this has not solved the problem with the original infected file. The file is C:\WINDOWS\System32\DeeOg.dll. Norton is unable to access it, and I cannot move it, delete it, or change its name, even in safe mode and with system restore turned off. Norton is bugging me every minute to warn me of it. However.......it is only active when I am on the internet!?!
Anyway here is my new HJT log, hope you can see if I'm missing something.
Oh and yes I am using Spybot etc.

Logfile of HijackThis v1.99.0
Scan saved at 19:17:24, on 15/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\steve Ault\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.halifax-online.co.uk/_me...ce=halifaxcouk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1B3E3251-658E-4F03-8881-68302FE3CE9E} - http://www.winsey.co.uk/friend/Winsey-light.xms
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks!!


#5 - 15-01-05, 19:39 - steveo (Join Date: Jan 2005, Location: Essex UK, Posts: 12)
Re: downloader.trojan

PS!!! Forgot to mention that on startup on desktop, I am getting the following message:
"C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." (or Ignore).
Not sure if this is anything to do with this particular problem, or if it's just a missing file or something. It doesn't seem to hinder any of the programmes I use.

#6 - 17-01-05, 12:32 - steveo (Join Date: Jan 2005, Location: Essex UK, Posts: 12)
Re: downloader.trojan

Hey guys, any chance someone can have a quick peek at my new log? I know you are extremely busy so no panic, I'm just getting a little desperate!! Thanks!!!

#7 - 19-01-05, 19:09 - Spoticus (Join Date: Jan 2005, Posts: 1)
Re: downloader.trojan

Hi Steveo,

I have the exact same problem. The latest Norton will not/cannot access or delete the .dll file in my Windows/system32 directory that NAV detects as a downloader trojan. In my case the file is called e14e1.dll (or something like that) and I get warning popups constantly, enough so that I've decided not to use my computer until someone has figured out how to delete this file. I've been scanning other msg boards....here is some info I haven't tried yet but I will cut/paste it here in quotes.....

"Just a quick note on how to get rid of this type of fun stuff. To get rid of this type of persistent file I use a tool called MoveOnBoot which you can find here: http://www.gibinsoft.net/gipoutils/index.htm
This will allow you to select the file to move or delete and where to move it to and what to rename it. This will prevent these pesky files from starting up as they will be in a different directory, with maybe a different name or you just deleted it, all before Windows can get its grubby hands on it and make your life hell. BTW, I only mention this as an aside to Kyle's response above; his method will work well on known virii and trojans but for unknown files I have had to use this. Also note this will let you get back to a working state but there will still be registry values and other stuff left over. I would then clean this all up using Ad-aware, Spybot S&D, HijackThis, or even just autoruns.exe from sysinternals.com. Then you should be good to go."

Steveo or ANYONE please let's try and find a solution to this....I believe it's happening all over the world with no easy solutions. Nothing seems to be able to delete this freggin .dll in safe mode or not.

Thanks


#8 - 19-01-05, 22:14 - bricat, Global Moderator (Join Date: Jun 2003, Location: belfast, Posts: 32,381)
Re: downloader.trojan

If you had looked around the forum you would have seen that this problem has been well covered HERE: http://www.webuser.co.uk/cgi-bin/forums/showflat.pl?Cat=&Board=tips&Number=136162&page=0&view=collapsed&sb=5&o=93&part=

#9 - 19-01-05, 22:25 - bricat, Global Moderator (Join Date: Jun 2003, Location: belfast, Posts: 32,381)
Re: downloader.trojan

Close all windows, rerun HJT, put a tick beside these and click FIX CHECKED

O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O16 - DPF: {1B3E3251-658E-4F03-8881-68302FE3CE9E} - http://www.winsey.co.uk/friend/Winsey-light.xms

Nothing too bad in your log.

There is no sign of C:\WINDOWS\System32\DeeOg.dll in your log. You can use THE POCKET KILLBOX (http://www.bleepingcomputer.com/files/killbox.php) to get rid of it. Put the file's address in the address bar and click on the red button with the white cross.


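The entries Joe (post #3) and bricat (post #9) asked to have fixed follow a few recognisable patterns. As an added example, not part of this thread or of HijackThis itself, the Python script below parses HJT entry lines and flags those patterns: hosts-file redirections (O1), hooks and BHOs that point at a missing file (R3/O2/O9), unnamed BHOs loaded from system32 (O2), autoruns launched out of a Temp directory (O4) and ActiveX downloads (O16) from hosts outside an allow-list. The allow-list and the sample log are constructed for this example, modelled on the logs posted above.

```python
"""Triage a HijackThis (HJT) log with the kind of rules the helpers in this thread applied.

Added example (not part of the thread or of HijackThis). The sample log and the
trusted-host list are constructed for this example, modelled on the logs above.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# HJT entry lines look like "O16 - DPF: {CLSID} (Name) - http://host/file.cab".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# O16 (Downloaded Program Files) hosts treated as expected on this machine.
# Constructed allow-list: the MSN game/chat controls seen in the thread's logs.
TRUSTED_DPF_HOSTS = {"messenger.zone.msn.com", "sc.groups.msn.com", "chat.msn.com"}


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O1"
    reason: str    # why a helper would ask to fix this entry
    line: str      # the original log line


def parse_entries(log_text):
    """Yield (section, body, line) per HJT entry; header and process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def triage(log_text, trusted_dpf_hosts=TRUSTED_DPF_HOSTS):
    """Return the entries a helper would tick for 'Fix checked', with a reason each."""
    findings = []
    for section, body, line in parse_entries(log_text):
        lower = body.lower()
        if section == "O1" and lower.startswith("hosts:"):
            # Any hosts-file override deserves a look; the thread's log pinned a domain to an IP.
            findings.append(Finding(section, "hosts-file redirection", line))
        elif section in ("R3", "O2", "O9") and ("(no file)" in lower or "(file missing)" in lower):
            # Orphaned hook/BHO/button entries: leftovers of something already removed.
            findings.append(Finding(section, "points at a missing file", line))
        elif section == "O2" and "\\system32\\" in lower and (
            lower.startswith("bho: no description") or lower.startswith("bho: (no name)")
        ):
            # A nameless BHO in system32 (dmi95C0.dll in the log) is the classic adware loader.
            # SDHelper.dll is also unnamed but lives under Program Files, so it is not flagged.
            findings.append(Finding(section, "unnamed BHO loaded from system32", line))
        elif section == "O4" and "\\temp\\" in lower:
            # Autoruns that launch something out of a Temp directory should not survive a reboot.
            findings.append(Finding(section, "autorun from a Temp directory", line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            host = urlparse(url).hostname or ""
            if host not in trusted_dpf_hosts:
                findings.append(Finding(section, f"ActiveX download from untrusted host {host}", line))
    return findings


# Constructed sample: a handful of lines modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\dmi95C0.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\STEVEA~1\LOCALS~1\Temp\MsgPlusUninst.bat"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll (file missing)
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/axload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item.section:<4} {item.reason:<48} {item.line}")
```

Run it against a saved HJT log by replacing SAMPLE_LOG with the file's contents; entries the rules do not cover (R0 start page, R1 proxy settings, ordinary O4 autoruns) still need a human eye, as they did in this thread.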
#10 - 19-01-05, 23:27 - steveo (Join Date: Jan 2005, Location: Essex UK, Posts: 12)
Re: downloader.trojan

Thanks both of you, appreciate the input. Bricat I have to say that I have done nothing but look around the forums. I wake up screaming at night, and my wife actually said to me yesterday ''who the hell are you and what are you doing in my house?''!
Seriously the 16-bit thing hasn't bothered me, I just wondered if it was contributing to my problems. The virus on the other hand is a serious pain. I downloaded and ran Killbox as you suggested, and it said the file didn't exist!!!!! Well, I can open C:\WINDOWS\system32\ and there it is, bold as brass, deeOg.dll. It is apparently an application extension, but of course in Microsoft's wisdom they don't tell you which application....that would be too bloody easy.
I'm not even sure what the blasted thing is doing apart from driving Norton nuts. It is supposedly(according to Symantec) reporting back on my internet activities and can do nasty things.
It would be nice if I could at least turn off the NAV infected file alerts but I can't even do that. Oh well.............guess I'm going to have to live with it. Too much stuff waiting to be burned off my pc to think about a reformat.
In the meantime I have emailed Symantec to see if they have any further advice. But thanks again for your help guys.
Steve.

© Copyright IPC Media Limited 2009, All rights reserved