Viruses, Spyware and...

MSplg7.dll Trojan. How to delete?

Thread Solved

« First

•

Join Date: Apr 2005

Posts: 37

Reputation: afinepoint is an unknown quantity at this point

Solved Threads: 0

afinepoint afinepoint is offline

Offline

Light Poster

Re: MSplg7.dll Trojan. How to delete?

#21

Jul 13th, 2005

•

Originally Posted by afinepoint

DMR,

MSplg7.dll does still exists in the system32 folder. Is it dead or just dormant?

Any ideas?

AFP

•

Join Date: Jul 2004

Posts: 2,964

Reputation: dlh6213 is on a distinguished road

Solved Threads: 210

dlh6213

Offline

Posting Maven

Re: MSplg7.dll Trojan. How to delete?

#22

Jul 13th, 2005

Open NotePad (or WordPad), copy the contents of the 'Code' below , and paste it into NotePad:

cd System32
attrib -s -r -h MSplg7.dll
del MSplg7.dll

Go to File, Save As and type the filename as Remove.bat, save it to your Desktop, and then close NotePad.

Reboot into Safe Mode.

Scan with Hijackthis and have it fix the following entry:

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

Close any open windows and hit Fix checked.

Double-click on the file Remove.bat, and a DOS-type window should open and close quickly, this is normal. (If the window does not close by itslef, you can close it after few seconds.)

Go to C:\WINDOWS\SYSTEM32 and delete MSplg7.dll.

Do a search for MSplg7.dll and delete any instances found.

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HJT, and post a new log please.

•

Join Date: Apr 2005

Posts: 37

Reputation: afinepoint is an unknown quantity at this point

Solved Threads: 0

afinepoint afinepoint is offline

Offline

Light Poster

Re: MSplg7.dll Trojan. How to delete?

#23

Jul 15th, 2005

•

Originally Posted by dlh6213

Open NotePad (or WordPad), copy the contents of the 'Code' below , and paste it into NotePad:

cd System32
attrib -s -r -h MSplg7.dll
del MSplg7.dll

Go to File, Save As and type the filename as Remove.bat, save it to your Desktop, and then close NotePad. I did this

Reboot into Safe Mode. Done

Scan with Hijackthis and have it fix the following entry:

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll That file was not there.

Close any open windows and hit Fix checked.

Double-click on the file Remove.bat, and a DOS-type window should open and close quickly, this is normal. (If the window does not close by itslef, you can close it after few seconds.) I did this anyway.

Go to C:\WINDOWS\SYSTEM32 and delete MSplg7.dll. I did this first thing after restarting in Safe Mode before doing anything else.

Do a search for MSplg7.dll and delete any instances found. The search function would not stop in Safe Mode. (Not responding per Task Manager) But after rebooting normally the Search found nothing in system32.

Empty your Recycle Bin and reboot normally. Done
Close any open browser windows, scan with HJT, and post a new log please. Will post tomorrow.

Thanks.

AFP

•

Join Date: Apr 2005

Posts: 37

Reputation: afinepoint is an unknown quantity at this point

Solved Threads: 0

afinepoint afinepoint is offline

Offline

Light Poster

Re: MSplg7.dll Trojan. How to delete?

#24

Jul 16th, 2005

I went ahead and ran a new scan.

Logfile of HijackThis v1.99.1
Scan saved at 8:38:07 AM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\BMUpdate.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis-1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4E81DE3-29E2-490A-9452-6F195957052A}: NameServer = 207.68.32.39 151.199.0.39
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

•

Join Date: Jul 2004

Posts: 2,964

Reputation: dlh6213 is on a distinguished road

Solved Threads: 210

dlh6213

Offline

Posting Maven

Re: MSplg7.dll Trojan. How to delete?

#25

Jul 17th, 2005

I don't see anything else in your log, are you still having problems?

•

Join Date: Apr 2005

Posts: 37

Reputation: afinepoint is an unknown quantity at this point

Solved Threads: 0

afinepoint afinepoint is offline

Offline

Light Poster

Re: MSplg7.dll Trojan. How to delete?

#26

Jul 17th, 2005

No problems thus far. I did a Norton scan today and nothing showed up. The MSplg7.dll file is gone from system32.

I think we can put this one to bed. Again a sincere thank you to all.

AFP

•

Join Date: Dec 2003

Posts: 6,439

Reputation: DMR will become famous soon enough

Solved Threads: 363

DMR

Offline

Wombat At Large

Re: MSplg7.dll Trojan. How to delete?

#27

Jul 17th, 2005

Since your system appears clean now, you might want to flush out your old System Restore points and set a new, clean Restore Point. More information on why you should do this, and instructions on how to do it, can be found here.

"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.