The following virus popped up : MSplg7.dll. Norton identifies it as a Trojan. It is preventing Explorer from opening. Mozilla works just fine. I do not know what other probems it may be causing.

The annoying part is that the virus has parked itself in the system32 folder. Therefore Norton will not fix, delete or quarantine the file. Nor can I delete or move the file - probably for the same reason.

Any advice? I don't mind buying another anti-viral program if it will remove this file.

Second question: How can I remove or delete a file when Windows give the "access denied . . ." message?

Reg

try restarting in safe mode then renaming the file manually.
I don't recommend deleting the file as it may be critical to your systems function.
If you want to be totally thorough restart your computer in safe mode with command prompt. Then use that to rename & replace with a dummy dll file. If you don't know how to do that I have detailed the procedure as follows.

On the command prompt type the following and press enter after each one except the line that reads ctrl+z it should type the character ^Z or something if you do this line correctly.

cd\
cd windows\system32
ren MSplg7.dll MSplg7.bak
copy con MSplg7.dll
#null
//press ctrl+z
exit

Should do the trick. Restart in normal mode to find out if that works.

one quick detail. press the F8 key during bootup(but after the Power On Self Test screen) and select safemode with command prompt.
Hope this helps

I don't recommend deleting the file as it may be critical to your systems function.

That file is dropped/created by the trojan; it should be deleted.

Simply deleting the file will not, however, remove the infection itself. Infections usually drop several different components and make several modifications to your Registry in order to make it more difficult to eradicate them. If you do not fully clean the infection, chances are very good that it will simply "respawn" itself. Additionally, if you've identified one infection on your computer, you probably have other "unwanted guests" as well.

Here are some general virus/spyware/etc. detection and removal steps that you can try:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

DMR,

I could not get any of these:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.phpto work.

Some only supported Explorer which is what the virus seems to be attacking. The problem is worsening. This morning I simply could not open Explorer. This evening when I tried to open it 59 windows opened the screen started blinking.

I did get the ewido to download and it found a hyjacking file but did not find the Trojan. I will reboot and see what happens. If things do not go well then:

I will try to rename. If that does not work I will try to restore. If that doesn't work I will recovery the hard drive. Reformatting is the last choice.

Or just stop using Explorer.

Thanks for all the help.

Reg

DMR,

The ewido did the trick in finding a hijacking program that was not only causing the recent Explorer problem but also cured another I had posted in the "Web Browsers" forum. See : Can not log into yahoo mail using IE 6.0.

Explorer now works again. I am quite impressed. Not a common thing for me.

What is curious is this: If the second problem (this post) did not show up until today when the Trojan appeared yet removing the hijacking file which has been there for some time solved all problems then what caused today's problem. The Trojan or the hijacker? Or both?

Ironic that Spysweeper, which I bought never found it and this free program did.

The Trojan remains and I will work on that problem tomorrow.

Thank you and all for your time and advice. I may end up bringing the total sum to bear on the Trojan virus. If anyone thinks of anything else feel free to add.

Reg

I ran Trendmicro House Call which found the virus WORM_WOOTBOT.GEN and the Trojan worm WORM_SDBOT.BDL It said it deleted them. The original virus-MSplg7.dll which was found by Norton remains in the system32 folder. I went to the Microsoft linked site from the trendmicro to study up on the worm and noted they had patches. However the patches are for systems other than mine. They look like professional software.

Patch availability
Download locations for this patch
Since this bulletin was originally published, Microsoft has made available an re-released patch for SQL 2000 that is packaged with an installer. Details are discussed above in the FAQ.
The re-released SQL 2000 patch is available at the following location:
http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech
The original patches are available at:
• Microsoft SQL Server 7.0: http://support.microsoft.com/default.aspx?scid=kb;en-us;327068&sd=tech
• Microsoft SQL Server 2000: http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech

I have no idea what SQL Server 7.0 or 2000 are.

Trend micro also suggest to scan the Window's System Restore areas however you must disable the resore feature.

Windows states that turning OFF Restore will delete all stored restore points. How can turn OFF restore without losing all past points? I will have nowhere to return if things go badly.
With the MSplg7.dll still on the computer should I continue to try and remove it or is it futile since two viral scan programs and two sweeper programs can not?

Since my original writing of this response more malware programs continue to be found. Is there no end to this?


Reg

1. SQL is a database program; the patches mentioned don't apply to you.


2. You can't selectively delete Restore Points; you either flush them all or you don't. Also, there's nothing to say that files in the Restore Points you choose to keep might not be infected also. A bit more info on that can be found here. However, for just the reason you mention, I'd suggest waiting until your system is clean before deleting your old Restore Points.


3. The infection you have places an entry in the Windows Registry which automatically runs the malicious MSplg7.dll file every time Winodws starts. This is what is making the file difficult to delete.

Please do the following so that I can (hopefully) see exactly where/what that Registry entry is:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

I will do this Wednesday afternoon and post the results. Thank you.

Is there anyway to identify a keystoke logging program? I am restricting my use of sensitive sites -banking etc.


Reg

Also what is the better method/combination/programs for firewall and virus checking and protecting? It appears that running a combination of programs do best, but which do the job? I would rather avoid having to buy and and run an ending flow of programs. I understand that programs do need updating and have a useful life span. And that there is no "cure all".

Again, thanks.

Reg

Is there anyway to identify a keystoke logging program?

There are certainly programs which target trojan keyloggers, and even the usual suspects of SpyBot, Microsoft Antispyware beta, and ewido Security Suite accomplish this to a degree. However, identifying possible components of a keylogger "by eye" isn't something the average user is going to be able to do; after all, one of the main goals of keyloggers is to install themselves in very obscure ways in order to avoid being noticed.

In terms of a "cure all" for all of the threats that exist out there, unfortunately- no such beast exists. You do need a combination of programs, but you don't need to spend hundreds of $$ for those programs, as many free programs exist (some of which often do a better job than "pay for" products). I need to log off shortly, but I'll post some of the recommendations when we take this up tomorrow.

DMR,

Here's the log. I did not read your response carefully. I have had hijack-this on the computer for months. I have run it occasionally but have only fixed what really stood out as odd. My version is 1.97. I went ahead and downloaded the newer version and you see the results below. Hope this helps.


Logfile of HijackThis v1.99.1
Scan saved at 8:33:42 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\BMUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis-1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4E81DE3-29E2-490A-9452-6F195957052A}: NameServer = 207.68.32.39 151.199.0.39
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Something look familiar here?

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll

Sincerely,


Reg

Something look familiar here?

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

Bingo- that's what I was looking for. Let's try this:


1. Download the Killbox utility and save it to your desktop, but don't run it yet.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Run HijackThis and have it fix:
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

- While still in Safe Mode, Run the Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\SYSTEM32\MSplg7.dll

Select the "Replace on reboot", "Use Dummy" options, and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.

- Click YES at the request to reboot and let the computer reboot normally.


3. Run HijackThis and another anti-virus scan; see if any references to MSplg7.dll still exist.

DMR,

I ran HijackThis and Killbox as suggested. After rebooting and running Norton no references to MSplg7.dll existed. Norton did find another Adware threat but did not find any viral ones. I had HijackThis to fix the Adware file, ran Norton again and nothing was found. I also had a ewido security sweep run and according to my daughter nothing was found. I can not however get ewido to open this evening to do a confirmation scan. Timed out?

MSplg7.dll does still exists in the system32 folder. Is it dead or just dormant?

I want to extend my thanks and gratitude for the investment of your and other's efforts in helping me with these problems. Thank you for your time and attention.

With all due sincerity,

Reg Robinson

Only certain features of ewido expire after the trial (automatic updates, real-time protection, etc.), but you should still be able to do manual updates and run scans. More on this tomorrow; it's dinner time for me right now....

ewido will not properly run. It tries to shut itself down at about 27% completion due to "encountering a problem and needing to close".

Actually that dialog box pops up and I can see the scan going on behind it. When calling up task manager it says dialog not responding but shows the program as running. I suppose I could let it run but it should not be doing that.

Explorer used to constantly do it.

P.S. Windows has begun ignoring the restart order about 50% of the time. During these times I have to do a hard boot.

MSplg7.dll does still exists in the system32 folder. Is it dead or just dormant?

Sorry I didn't address that earlier. Can you give us the creation date, modification date, and size of the file please?

As for ewido, try running it in Safe Mode. There may be something else running in normal mode that's conflicting with it.

Can you give us the creation date, modification date, and size of the file please?

The creation and modification date is: Thursday, July 07, 2005, 7:11:58 AM which was when I ran the HijackThis and Killbox. The size is 56 bytes (56 bytes), sized on disk is 4.00 kilobytes (4096 bytes).

For my education why the significant size differences? Compression?

Is it possible to have windows overwrite the system32 folder? There has to be some way to eliminate or modify files even there. Did Microsoft create the Colossus* of computer folders?

* The name of a supercomputer in an old movie that could not be shut down.

I'll let DMR finish this up; I just have a couple of things to throw in here...

There's some info on protecting your computer in this thread:
http://www.daniweb.com/techtalkforums/thread27519.html

And see if this will help with that file you're trying to get rid of:

Download, install, and update CWShredder 2.15 --http://www.intermute.com/products/cwshredder.html. Run it, and press Fix (not scan). Close any open windows, other then CWS, before hitting the Fix button.

Thanks. I will do that tomorrow.

AFP

DMR,

MSplg7.dll does still exists in the system32 folder. Is it dead or just dormant?

Any ideas?

AFP

Open NotePad (or WordPad), copy the contents of the 'Code' below , and paste it into NotePad:

cd System32
attrib -s -r -h MSplg7.dll
del MSplg7.dll

Go to File, Save As and type the filename as Remove.bat, save it to your Desktop, and then close NotePad.

Reboot into Safe Mode.

Scan with Hijackthis and have it fix the following entry:

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

Close any open windows and hit Fix checked.

Double-click on the file Remove.bat, and a DOS-type window should open and close quickly, this is normal. (If the window does not close by itslef, you can close it after few seconds.)

Go to C:\WINDOWS\SYSTEM32 and delete MSplg7.dll.

Do a search for MSplg7.dll and delete any instances found.

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HJT, and post a new log please.

Open NotePad (or WordPad), copy the contents of the 'Code' below , and paste it into NotePad:

cd System32
attrib -s -r -h MSplg7.dll
del MSplg7.dll

Go to File, Save As and type the filename as Remove.bat, save it to your Desktop, and then close NotePad. I did this

Reboot into Safe Mode. Done

Scan with Hijackthis and have it fix the following entry:

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll That file was not there.


Close any open windows and hit Fix checked.

Double-click on the file Remove.bat, and a DOS-type window should open and close quickly, this is normal. (If the window does not close by itslef, you can close it after few seconds.) I did this anyway.

Go to C:\WINDOWS\SYSTEM32 and delete MSplg7.dll. I did this first thing after restarting in Safe Mode before doing anything else.

Do a search for MSplg7.dll and delete any instances found. The search function would not stop in Safe Mode. (Not responding per Task Manager) But after rebooting normally the Search found nothing in system32.

Empty your Recycle Bin and reboot normally. Done
Close any open browser windows, scan with HJT, and post a new log please. Will post tomorrow.

Thanks.

AFP

I went ahead and ran a new scan.


Logfile of HijackThis v1.99.1
Scan saved at 8:38:07 AM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\BMUpdate.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis-1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4E81DE3-29E2-490A-9452-6F195957052A}: NameServer = 207.68.32.39 151.199.0.39
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I don't see anything else in your log, are you still having problems?

No problems thus far. I did a Norton scan today and nothing showed up. The MSplg7.dll file is gone from system32.

I think we can put this one to bed. Again a sincere thank you to all.

AFP

Since your system appears clean now, you might want to flush out your old System Restore points and set a new, clean Restore Point. More information on why you should do this, and instructions on how to do it, can be found here.

DMR,

Already done. Thanks.

AFP

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.