No Reponse Since 7-7 Posting

I know you are all busy but I posted this first a week ago. Here is my original posting. I have redone everything again today and run another log which I am putting at the bottom. Please look to see if there is anything I can do to fix this. I don't know what else to do. Thanks.


July 7th, 2004, 01:51 PM
Val-Dan Val-Dan is online now
Junior Member

Join Date: Jul 2004
Posts: 1
Default Please check Hijack This Log
I have run Adaware, Spybot S&D and CWShredder many times in the last two weeks and this bug just keeps coming back. I had the about:blank web page problem for a long time until someone helped me block that page. Now IE keeps being redirected to MSN upon startup. I have since downloaded Mozilla Firefox and I am using it but the problems still show up in a CWShredder scan. When I run the CWShredder it occasssionally "fixes" cws.searchx but that keeps coming back. My computer is slow, sometimes stopping completely and I keep getting a message that says virtual memory is low. Below is the most recent HijackThis log. Thank you for any help you can give me.

Logfile of HijackThis v1.97.7
Scan saved at 2:38:56 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\PROMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\notepad.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CD Burning\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/springfield
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/securi...b?1065734229765
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce...bles/ie/IDA.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB



Today I turned off system restore, ran CWShredder, Adaware, Spybot S&D, rebooted and turned system restore back on. I then ran Hijack this and posted here.

Logfile of HijackThis v1.97.7
Scan saved at 2:01:15 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\PROMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Downloads-Security\HijackThis7-14.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065734229765
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB



Please tell me if there is something else I can do to get rid of this mess. Thanks.

Valeri

 

Help!!! Now my Norton Utilities is alerting me that I have "Backdoor.Trojan" and it can't be fixed. When I booted up my computer today it took more than 10 minutes due to the virtual memory problem. While working on a newletter in MS Publisher the last couple of days sometimes my computer shuts down in the middle of my project. It also can't find my document when I go to look for it about half the time and when it can find it, it sometimes can only open it in Safe mode. I have no idea what any of this means but my problems are getting worse and worse. Please someone help! I am afraid I am about to loose everything on my computer!

Valeri

 

Hello,

Not much is jumping out at me from your log.

Run this online virus scan and let me know the results:

http://housecall.trendmicro.com/housecall/start_corp.asp
There is an autofix check box to check before you scan.

I would also like to take a look at something that may look funny to you but maybe it will show us a hidden dll:

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.

Double click on Appinit.bat
This will create a file on the desktop named windows.txt, do a search for it if it doesn't show up on your desktop.
Copy and paste that log here.

 

I ran the Virus Scan and nothing showed up. I found a reference to Panda ActiveScan on another Thread yesterday and ran it. It showed I had Exploit/iFrame virus which it couldn't fix and StartPage.FH virus which it could fix.

My Norton is still showing this alert:
Norton AntiVirus has detected a virus on your computer.
C:\WINNT\System32\winp.dll
Virus Name: Backdoor.Trojan
Action Taken: Unable to repair this file.
Action Taken: Access to file was denied.

Everything I click on OK it keeps repeating itself, continuously!

I have done everything else you said and here is the log:

regf





L *"

@ - ·ß 

 *"

- ·ß 

H *"

 0 cß *"

 . ·ß 

+@

þå 3 ·ß 

0 



4æ 3 ·ß 

<




Næ 3 ·ß + °ß 

0@

pæ 3 ·ß 

 



¦æ 3 ·ß >
p M8L"

# *

# - éá 
äå 3 éá 
  
^Gå¸ hbin  °1úw\*úwøÃõwpEúw”(úw¨ÿÿÿnk, º¥ªˆiVÄ
ÿÿÿÿ ÿÿÿÿÿÿÿÿ ð x ÿÿÿÿ 0 6 , \  Windows ÿÿÿskçwx x
Ô
„¸ È   ¤    
  !  €
  !  ? 
    
    ? 

  

  


  

 ¥‹ËƒØÿÿÿvk 6


fùAppInit_DLLsÖæGÀÿÿÿC : \ W I N N T \ S y s t e m 3 2 \ w i n p . d l l { a t  h
Ðÿÿÿvk  

ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  ( ðÿÿÿ9 0  ë=tÀÐÿÿÿvk  €' 
zGDIProcessHandleQuota"þàÿÿÿvk  x

°ºSpooler2ðÿÿÿy e s
Ñ_å h
Ø
( X  àÿÿÿvk  €

5swapdiskÐÿÿÿvk  

. TransmissionRetryTimeoutàÿÿÿh
Ø
( X  À  Ðÿÿÿvk  €' 
a USERProcessHandleQuotac À [ÉQÃU‹ìƒìLE´PÿuÿuèC …Àt;‹EV·uØÀFF;Æ‚š j VÿuÿuÜÿuÿ¬¿v…Àt·EØ@@;ðuNN‹ÆÑè^É U‹ìƒì W3ÿWjEàPWÿuÿH¿v;ÇŒ+ 9}‹EäSV‹5¬¿v‹ØtnWjEøPƒÃSÿuÿÖ…Àtr‹Eø;Ç„ WXjEüPSÿuÿÖ…ÀtS‹Eü;Äð WjLÿuƒÀøPÿuÿÖ…Àt5‹E‹H;Mt‹@‰EüëÒ3À@^[_ÉÂ WjMQƒÀPÿuÿÖ…À…zÿÿÿ3ÀëÝÿÿÿÿ¿v’¿vÿÿÿÿ©¿vº¿vSV‹D$Àu‹L$‹D$3Ò÷ñ‹Ø‹D$÷ñ‹ÓëA‹È‹\$‹T$‹D$ÑéÑÛÑêÑØÉuô÷ó‹ð÷d$‹È‹D$÷æÑr;T$wr$v
N3Ò‹Æ^[ U‹ìƒìSVWUü‹]‹E÷@ uw‰Eø‹E‰EüEø‰Cü‹s‹{ƒþÿtVvƒ| t:VUkÿT]^‹]Àt(x1‹{SèS ƒÄkVSèˆ ƒÄv‹‰CÿT‹{v‹4문 ë¸
ëUkjÿSèS ƒÄ]¸
]_^[‹å]ÃU‹ìSVWUj j h¦¿vÿuè° ]_^[‹å]ËL$÷A ¸
t‹D$‹T$‰¸ ÃSVW‹D$Pjþh®¿vdÿ5 d‰% ‹D$ ‹X‹pƒþÿt ;t$$t4v‹³‰L$‰Hƒ|³ u×ÿT³ëÑd ƒÄ_^[ÃPÿT¿vPÿ\¿v3ÀéêûÿÿSÿ´¿vVÿT¿vPë Sÿ´¿vjÿ\¿véÊûÿÿPëSÿ´¿vVÿT¿vPÿ\¿vé²üÿÿ‹Eì‹ ‹ ‰…¼þÿÿ3À@ËeèÿµÀþÿÿÿ´¿vÿµ¼þÿÿë&‹Eì‹ ‹ ‰…¸þÿÿ3À@ËeèÿµÀþÿÿÿ´¿vÿµ¸þÿÿÿT¿vPÿ\¿vƒMüÿéNüÿÿ‹EélúÿÿPÿT¿vPÿ\¿v3Àé;ýÿÿjÿ\¿véKýÿÿ‹ðé_üÿÿèõ è| éÏùÿÿè" éÅùÿÿU‹ìì
…äþÿÿPÿuè1úÿÿ…ÀtC… ÿÿÿH
Š@„Òuù+ÁP
9U‹Âs‹ESVW‹}‹È‹ÙÁéµ ÿÿÿó¥‹Ëƒá;Âó¤_^[u
HÉÂ SW‹|$Wj ÿ¸¿v‹Ø…Ût:VWSÿt$è|ÿÿÿ‹ð…öt;÷sF
Wÿt$PSj j ÿÀ¿v…Àu3öSÿ´¿v‹Æ^_[Â SW‹|$Wj ÿ¸¿v‹Ø…Ût:VWSÿt$è ùÿÿ‹ð…öt;÷sF
Wÿt$PSj j ÿÀ¿v…Àu3öSÿ´¿v‹Æ^_[Â U‹ìì EPh …ðýÿÿPjÿuÿuÿL¿v…À}PÿT¿vPÿ\¿v3Àë;·•òýÿÿ‹MÉ‹Â;Ès‹ÁSV‹µôýÿÿW‹}‹È‹ÙÁéó¥‹Ëƒá;Âó¤_^[uHHÑèÉ U‹ìSV‹uW6P3ÿWÿ¸¿v‹Ø;ßu3Àë6VSÿuÿuèWÿÿÿ;ƉEs
@WWVÿuPSWWÿ°¿v…Àu‰}Sÿ´¿v‹E_^[] h„ hx9¿vèùÿÿ3ÛSjEÐPSÿuÿH¿v;Ã}PÿT¿vPÿ\¿véï SjEÌP‹EÔƒÀPÿu‹5¬¿vÿÖ…À„Î ‹ẼÀ‰EÈSjMÄQPÿuÿÖ…À„° ‹}Áï‰]À‹EÄ;EÈt]ƒÀøSjLtÿÿÿQPÿuÿÖ…À„„ 9}Às‰]ü‹EŒ‹M‹UÀ‰‘ƒMüÿÿEÀ‹…|ÿÿÿ‰EÄ뺋Eì‹ ‹ ‰…pÿÿÿ3À@Ëeèÿµpÿÿÿë13À@‰Eü‹MÀÁá‹U‰
ƒMüÿë-‹Eì‹ ‹ ‰…lÿÿÿ3À@ËeèÿµlÿÿÿÿT¿vPÿ\¿vƒMüÿ3Àèõøÿÿ U‹ìSV‹u6P3ÛSÿ¸¿v;ÉEu3Àë;WVPÿuÿuèÕøÿÿ‹ø;þsG
SSVÿuPÿuSSÿ°¿v…Àu3ÿÿuÿ´¿v‹Ç_^[] U‹ìƒìLE´Pÿuÿuèåøÿÿ…Àt9‹EV·uàÀFF;Æs‹ðj Vÿuÿuäÿuÿ¬¿v…Àt·Eà@@;ðuNN‹ÆÑè^É U‹ìSV‹u6P3ÛSÿ¸¿v;ÉEu3Àë;WVPÿuÿuè|ÿÿÿ‹ø;þsG
SSVÿuPÿuSSÿ°¿v…Àu3ÿÿuÿ´¿v‹Ç_^[] jdh9¿vèÉöÿÿƒ}s
jzÿ\¿vë^EœP‹uVÿuèøÿÿ…ÀtJ‰u‹E¼‰E”‹E¸‰E˜ƒeü u‹}¥¥¥ƒMüÿ3À@ë'‹Eì‹ ‹ ‰EŒ3À@ËeèÿuŒÿT¿vPÿ\¿vƒMüÿ3ÀèY÷ÿÿ U‹ìƒìDE¼Pÿ¨¿vj j EàPj
ÿuÿH¿v…À|$ƒMèÿƒMìÿj EàPj
ÿuÿDPÿT¿vPÿ\¿v3Àë3À@ÉÂ j ÿt$ÿt$j
j ÿt$ÿL¿v…À}PÿT¿vPÿ\¿v3Àë3À@Â U‹ìQQ3ÀPPÿuMøÿuQPPPÿuÿ@¿vÉÂ U‹ì¸lú è§ SV‹5P¿v3ÛSj,E”PSÿÖ;ÉEüŒA 8AP¿vWt2EÐPh ú …”ÿÿPjÿÖ;ÉEü» Phü:¿vèO AP¿vYY‹}Ø‹Eœ£˜d¿vd¡ ‹@0‰EÀ‹@‹@‰EÌ‹EÀ‹@‹M̃À;È„à Aø‹X‹ p,‹@ h
j ‰M̉EØÿŒ¿vPÿ¿v…À‰Eä„' ·QÿvMøQh
Pÿ$¿v‹Uø‹Mä€$
…À‰Eü„:
Qj ÿŒ¿vPÿ”¿véxÿÿÿ‹5(¿v…”ÿÿ‰EÈEõPSj
j½˜ÿÿ‰]ÔÿÖ…À»
|;Ãu
PhÄ:¿vèd YYEöPj j
jÿÖ…À‰Eü|;Ã…ÿÿÿÿuüh:¿vè: YYéïþÿÿ€=AP¿v „< ‹EÔ‹MÈ;
ƒ. ·GD8Pÿ˜¿v@P j ‰EĉMÜÿŒ¿v‹5¿vPÿÖ…À‰Eä„) ·OL9QPÿœ¿v‹G‹_‰EØ‹E܃ÀPj ÿŒ¿vPÿÖ‹ð…ö„ô ÿuÄF‰F·OL9QMøQÿuÜPÿ,¿vf‹Eø‹MäÇ
ÿEÔf‰¡<P¿v€e÷ ƒeø …Àv+ÇEäèl¿v‰E܉Eø‹Uä;uÆE÷
ƒEä4ÿMÜuì€}÷ …þÿÿkÀ4‰˜èl¿v‰°m¿v‰ˆm¿v‹M؉ˆôl¿v‹50¿vƒeè ‰˜ðl¿vÇ€m¿v
‹Á‹
0P¿vÁàÓèj» 0 SƒÀ‰EàEàPj EèPjÿÿÖ…À‰EüŒ  ¡<P¿v‹MèkÀ4‹0P¿v‰ˆøl¿v‹Màjÿÿ5DP¿v‰ˆ m¿vˆm¿v‰ÿ° m¿vÿ°øl¿vRÿ°ôl¿vÿ°ðl¿v€àl¿vjÿPÿ4¿v…À‰Eü…Ì
8LP¿vtj!EèjSEàPj EèPjÿÿÖ‹ð…öŒ¼


Is there anything else I need to do?

BTW, I am certainly not happy with Norton AV. Is something else better? What about the Micro-Trend you suggested or the Panda AV? I don't want this to come back if I can ever get rid of it!

Valeri

 

Hello,

I found a hidden dll we need to get rid of, which by the way is what Norton is picking up. But first I need some info.

Do you have XP home or pro?

Is your file system NTFS or Fat32? To check this out just go to Start>My Computer and highlight your C: drive and right click on it. Select properties and a box will pop up. That will tell you what file system you have.

As far as your question, this is my opinion only, I like TrendMicro. Most do a pretty good job, just need to keep it updated and do it often.

 

I have XP Home and the file system is NTFS. Is there something I can do about the Backdoor Trojan?

As far as the AV - My Norton is supposed to be doing continuous updates but things are getting in. I am considering Panda or Trend Micro Internet Security. Trend Micro says it will also protect my PDA plus it also has Automatic updates, so that is why I was asking around. A friend is the Webmaster for the local library system and she says that they just went to Trend Micro for their system.

Thanks!

 

Hello,

No matter what AV you have, expect things to get through. None of them are fool proof. In fact, there are things out there that will disable your AV. Just be careful where you go and what you download.

Ok, now we continue. I don't know if you have CWShredder installed but if not, download it from here. You will run it later:
Download CWShredder

Copy the contents in this quote box into NotePad and name it hiving.bat and save it on your desktop.

Code:

@echo off 
Echo Working

Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
If ERRORLEVEL==1 GoTo End  
 GoTo DOIT
:End

 echo >not.vbs MsgBox "No Appinit_Dlls value Present" ^& vbcrlf ^& "Removal Aborted"
Wscript.exe not.vbs
del not.vbs
Exit

:DOIT
If exist backup.hiv del  backup.hiv
If exist f.hiv del f.hiv

reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv
:one

PING 1.1.1.1 -n 2 -w 1000 >NUL
if not exist backup.hiv goto one

Reg Delete  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f


Reg add  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
:Notthere

PING 1.1.1.1 -n 2 -w 1000 >NUL
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
IF ERRORLEVEL ==1 Go to Notthere

reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" backup.hiv

:two

PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls 
IF ERRORLEVEL==1   GOTO two

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls /f
:appy

PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
If Not ERRORLEVEL==1   GOTO appy

Reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" f.hiv
:three

PING 1.1.1.1 -n 4 -w 1000 >NUL
if not exist f.hiv GOTO three

Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /f

Reg Add  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
:four

PING 1.1.1.1 -n 1 -w 1000 >NUL
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
If ERRORLEVEL==1 GOTO  four

:five



PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" f.hiv
Reg Query  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v USERProcessHandleQuota
If ErrorLevel==1  GOTO five

If exist f.hiv ren f.hiv fbackup.hiv

Echo > finished.vbs MsgBox "Done"
Wscript.exe finished.vbs
del finished.vbs

Double click on hiving.bat. Reboot your computer.

You run Home and so you will restart into Safe mode.

Restart into Safe mode and find this file:
C:\WINNT\System32\winp.dll

Use the security tab on winp.dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Example:
log.dll>bleh.txt
bleh.txt > badfile.111

Once you have successfully deleted the file restart into Regular Windows mode.

Extract and Run CWShredder immediately.
Press the fix button to clean, not scan.

Restart and run hijackThis again.

Post your new log here in your next reply.

Also please create a new Windows.txt and attach it so we can doublecheck.

 

Sorry, I am a novice at this. I did everything before this section and found this file - winp.dll. I can do the things after this section but I need more explanation of this part of your directions:

Use the security tab on winp.dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Example:
log.dll>bleh.txt
bleh.txt > badfile.111

Sorry. Thanks for your help.

 

Hello,

No problem. First thing first, you need to boot your computer into Safe Mode or you will not get the security tab on the file.

So boot into safe mode and find that file winp.dll. Right click on the file and choose properties. Now click on the security tab. Next, click on the advanced tab and then the owner tab. Select
you> with Admin rights-> FULL control. Go to the permsissions tab and check that you have full control, if not you can edit that.

Now close the properties box. Right click on the file again and this time choose rename. Rename it something like bleh.txt and then after it is renamed, right click on it again and try to delete it. You may need to do the renaming part again, if so, try another name and extention.

Once you have successfully deleted the file restart into Regular Windows mode.

Extract and Run CWShredder immediately.
Press the fix button to clean, not scan.

Restart and run hijackThis again.

Post your new log here in your next reply.

Also please create a new Windows.txt and attach it so we can doublecheck.

 

Here is the new HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 4:13:35 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\PROMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Downloads-Security\HijackThis7-14.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iconusersgroup.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065734229765
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

From Windows.txt:

regf




l l   s y s t e m  s y s t e m . d r v (  s y s t r a y . e x e c a d (  t 2 e m b e d . d l l c b c (  T A B C T L 3 2 . O C X c o  t a p i . d l l o d  t a p i 3 . d l l  t a p i 3 2 . d l l (  t a p i p e r f . d l l S E (  t a p i s r v . d l l l . d  t a p i u i . d l l ( \u[f hbin  3 3 2 . D L L p o ÿÿÿnk, Ø¥žžqÄ
ÿÿÿÿ ÿÿÿÿÿÿÿÿ À € ÿÿÿÿ 0 6 , \  Windowsows vk ÿÿÿsk € €
Ô
„¸ È   ¤    
  !  €
  !  ? 
    
    ? 

  

  


  

 Ðÿÿÿvk 


ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  p
Ðÿÿÿvk  €' 
zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk  

°ºSpooler2ðÿÿÿy e s
Ñ_åàÿÿÿvk  €

5swapdisk p
¸
ø
( ` Ðÿÿÿvk  è


. TransmissionRetryTimeoutÐÿÿÿvk  €' 
a USERProcessHandleQuotac àÿÿÿp
¸
ø
( `  v s
n f i g . x m l  v s d a t a . d l l (  v s d a t a n t . s y s (  V S F L E X 3 . O C X p s  v s i n i t . d l l (  v s m o n a p i . d l l p s (  V S P R I N T 7 . o c x p s (  v s p u b a p i . d l l p s (  v s r e g e x p . d l l p s (  v s s a d m i n . e x e p s  v s s a p i . d l l  v s s v c . e x e  v s s _ p s . d l l  v s u t i l . d l l  v s x m l . d l l d (  w 3 2 t i m e . d l l H . A  w 3 2 t m . e x e G (  w 3 2 t o p l . d l l v b s (  w 9 5 i n f 1 6 . d l l (  w 9 5 i n f 3 2 . d l l d l (  w a t c h d o g . s y s e s (  w a v e m s p . d l l p s r (  w b c a c h e . d e u f . d (  w b c a c h e . e n u l (  w b c a c h e . e s n (  w b c a c h e . f r a (  w b c a c h e . i t a (  w b c a c h e . n l d q d (  w b c a c h e . s v e d . d (  w b d b a s e . d e u l l L (  w b d b a s e . e n u l i g (  w b d b a s e . e s n (  w b d b a s e . f r a (  w b d b a s e . i t a (  w b d b a s e . n l d (  w b d b a s e . s v e   w b e m l l (  w d i g e s t . d l l  w d l . t r m  w d m a u d . d r v (  w e b c h e c k . d l l (  w e b c l n t . d l l (  w e b f l d r s . m s i (  w e b h i t s . d l l o c x (  W E B P O S T . D L L s i c  w e b v w . d l l t (  w e x t r a c t . e x e e V  w f w n e t . d r v (  w i a a c m g r . e x e Q _ (  w i a d e f u i . d l l Q _  w i a d s s . d l l  w i a s c r . d l l (  w i a s e r v c . d l l  w i a s f . a x r a (  w i a s h e x t . d l l r a (  w i a v i d e o . d l l r a (  w i a v u s d . d l l r a (  w i f e m a n . d l l r a  w i n . c o m  w i n 3 2 k . s y s (  w i n 3 2 s p l . d l l (  w i n 8 7 e m . d l l (  w i n b r a n d . d l l (  w i n c h a t . e x e r a 8 * W i n d o w s L o g o n . m a n i f e s t x  w i n f a x . d l l  W I N G 3 2 . D L L (  w i n h e l p . h l p e . e (  w i n h l p 3 2 . e x e l l (  w i n h t t p . d l l (  W I N I N E T . D L L (  w i n i p s e c . d l l r a (  w i n l o g o n . e x e r a (  w i n m i n e . e x e d y c  w i n m m . d l l c  w i n m s d . e x e  w i n n l s . d l l (  w i n n t b b u . d l l (  w i n o l d a p . m o d  w i n r n r . d l l   w i n s l i (  w i n s c a r d . d l l d . (  w i n s o c k . d l l d l l (  w i n s p o o l . d r v (  w i n s p o o l . e x e  w i n s r v . d l l  w i n s t a . d l l (  w i n s t r m . d l l x e S (  w i n t r u s t . d l l  w i n v e r . e x e


Is this what you need?

The Norton Alert Window is gone and my computer boots up faster and runs smoother than it has in a long time. Thank you, thank you, thank you!

 

Hello,

Glad to hear things are better. It looks like the hidden dll is gone and that is great. Log looks good.

Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
https://www.wilderssecurity.com/showthread.php?t=27971

Happy Surfing!