MSplg7.dll Trojan. How to delete?
Thread Solved |
•
•
Join Date: Apr 2005
Posts: 37
Reputation:
Solved Threads: 0
The following virus popped up : MSplg7.dll. Norton identifies it as a Trojan. It is preventing Explorer from opening. Mozilla works just fine. I do not know what other problems it may be causing.
The annoying part is that the virus has parked itself in the system32 folder. Therefore Norton will not fix, delete or quarantine the file. Nor can I delete or move the file - probably for the same reason.
Any advice? I don't mind buying another anti-viral program if it will remove this file.
Second question: How can I remove or delete a file when Windows gives the "access denied . . ." message?
Reg
•
•
Join Date: Nov 2003
Posts: 76
Reputation:
Solved Threads: 7
Try restarting in safe mode, then renaming the file manually.
I don't recommend deleting the file as it may be critical to your system's function.
If you want to be totally thorough, restart your computer in safe mode with command prompt. Then use that to rename & replace with a dummy dll file. If you don't know how to do that, I have detailed the procedure as follows.
On the command prompt, type the following and press enter after each one, except the line that reads ctrl+z; it should type the character ^Z or something if you do this line correctly.
cd\
cd windows\system32
ren MSplg7.dll MSplg7.bak
copy con MSplg7.dll
#null
//press ctrl+z
exit
Should do the trick. Restart in normal mode to find out if that works.
http://www.itneighbour.com
Free Support Rocks- Doesn't make me much money though. :(
•
•
Join Date: Nov 2003
Posts: 76
Reputation:
Solved Threads: 7
One quick detail: press the F8 key during bootup (but after the Power On Self Test screen) and select safe mode with command prompt.
Hope this helps
•
•
•
•
Originally Posted by sennetor
I don't recommend deleting the file as it may be critical to your system's function.
Simply deleting the file will not, however, remove the infection itself. Infections usually drop several different components and make several modifications to your Registry in order to make it more difficult to eradicate them. If you do not fully clean the infection, chances are very good that it will simply "respawn" itself. Additionally, if you've identified one infection on your computer, you probably have other "unwanted guests" as well.
Here are some general virus/spyware/etc. detection and removal steps that you can try:
1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).
After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:
ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):
Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!
1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files
- Delete the entire content of your C:\Windows\Temp folder.
- Delete the entire content of your C:\Windows\Prefetch folder.
Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.
- Empty your Recycle Bin.
- Reboot normally.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
•
•
Join Date: Apr 2005
Posts: 37
Reputation:
Solved Threads: 0
DMR,
I could not get any of these:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
to work.
Some only supported Explorer which is what the virus seems to be attacking. The problem is worsening. This morning I simply could not open Explorer. This evening when I tried to open it 59 windows opened and the screen started blinking.
I did get the ewido to download and it found a hijacking file but did not find the Trojan. I will reboot and see what happens. If things do not go well then:
I will try to rename. If that does not work I will try to restore. If that doesn't work I will recover the hard drive. Reformatting is the last choice.
Or just stop using Explorer.
Thanks for all the help.
Reg
•
•
Join Date: Apr 2005
Posts: 37
Reputation:
Solved Threads: 0
DMR,
The ewido did the trick in finding a hijacking program that was not only causing the recent Explorer problem but also cured another I had posted in the "Web Browsers" forum. See : Can not log into yahoo mail using IE 6.0.
Explorer now works again. I am quite impressed. Not a common thing for me.
What is curious is this: If the second problem (this post) did not show up until today when the Trojan appeared yet removing the hijacking file which has been there for some time solved all problems then what caused today's problem. The Trojan or the hijacker? Or both?
Ironic that Spysweeper, which I bought never found it and this free program did.
The Trojan remains and I will work on that problem tomorrow.
Thank you and all for your time and advice. I may end up bringing the total sum to bear on the Trojan virus. If anyone thinks of anything else feel free to add.
Reg
Last edited by dlh6213; Jul 9th, 2005 at 12:19 pm. Reason: Tried to add link to other thread but it didn't work :(
•
•
Join Date: Apr 2005
Posts: 37
Reputation:
Solved Threads: 0
I ran Trendmicro House Call which found the virus WORM_WOOTBOT.GEN and the Trojan worm WORM_SDBOT.BDL. It said it deleted them. The original virus - MSplg7.dll, which was found by Norton - remains in the system32 folder. I went to the Microsoft linked site from the trendmicro to study up on the worm and noted they had patches. However the patches are for systems other than mine. They look like professional software.
Patch availability
Download locations for this patch
Since this bulletin was originally published, Microsoft has made available an re-released patch for SQL 2000 that is packaged with an installer. Details are discussed above in the FAQ.
The re-released SQL 2000 patch is available at the following location:
• http://support.microsoft.com/default...316333&sd=tech
The original patches are available at:
• Microsoft SQL Server 7.0: http://support.microsoft.com/default...327068&sd=tech
• Microsoft SQL Server 2000: http://support.microsoft.com/default...316333&sd=tech
I have no idea what SQL Server 7.0 or 2000 are.
Trend micro also suggests scanning the Windows System Restore areas; however, you must disable the restore feature.
Windows states that turning OFF Restore will delete all stored restore points. How can I turn OFF restore without losing all past points? I will have nowhere to return if things go badly.
With the MSplg7.dll still on the computer should I continue to try and remove it or is it futile since two viral scan programs and two sweeper programs can not?
Since my original writing of this response more malware programs continue to be found. Is there no end to this?
Reg
1. SQL is a database program; the patches mentioned don't apply to you.
2. You can't selectively delete Restore Points; you either flush them all or you don't. Also, there's nothing to say that files in the Restore Points you choose to keep might not be infected also. A bit more info on that can be found here. However, for just the reason you mention, I'd suggest waiting until your system is clean before deleting your old Restore Points.
3. The infection you have places an entry in the Windows Registry which automatically runs the malicious MSplg7.dll file every time Windows starts. This is what is making the file difficult to delete.
Please do the following so that I can (hopefully) see exactly where/what that Registry entry is:
Download the (free) HijackThis utility:
http://www.stevewolfonline.com/Downl...HijackThis.exe
Once downloaded, follow these instructions to install and run the program:
Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.
The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
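An added example, not part of any post in this thread and not HijackThis's own code: a Python script for the log review described above, listing which startup load points in a saved HijackThis log reference a suspect file such as MSplg7.dll. The sample log is constructed for illustration (it is not the poster's log), and the helper names are hypothetical.

```python
import re

# Constructed sample in HijackThis's "code - detail" line format.
# It is NOT the poster's log; where MSplg7.dll really hooks in is unknown here.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\MSplg7.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe"
O4 - HKLM\..\Run: [loader] rundll32.exe C:\WINDOWS\System32\MSplg7.dll,Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: example - C:\WINDOWS\System32\example.dll
O23 - Service: Example Service - Unknown owner - C:\WINDOWS\System32\example.exe
"""

# HijackThis item codes that describe ways a file gets loaded at startup.
LOAD_POINTS = {
    "O2": "Browser Helper Object",
    "O4": "Run key / Startup folder autostart",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^([ORFN]\d{1,2}) - (.*)$")
# File names with an executable extension, with or without a leading path.
BASENAME_RE = re.compile(r'[^\s"\\,\[\]]+\.(?:dll|exe|scr|bat|cmd)\b', re.I)


def parse_entries(log_text):
    """Yield (code, detail, [file names]) for each item line in the log."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            code, detail = match.groups()
            yield code, detail, BASENAME_RE.findall(detail)


def find_load_points(log_text, suspect_name):
    """Return (code, load point, detail) for entries that start suspect_name."""
    wanted = suspect_name.lower()  # Windows file names are case-insensitive
    hits = []
    for code, detail, names in parse_entries(log_text):
        if code in LOAD_POINTS and wanted in (n.lower() for n in names):
            hits.append((code, LOAD_POINTS[code], detail))
    return hits


if __name__ == "__main__":
    for code, kind, detail in find_load_points(SAMPLE_LOG, "MSplg7.dll"):
        print(f"{code} ({kind}): {detail}")
```

Lines under "Running processes" are deliberately ignored: a running file is not a load point, and it is the load-point entries that have to be fixed before the file stops being reloaded.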
•
•
Join Date: Apr 2005
Posts: 37
Reputation:
Solved Threads: 0
Also what is the better method/combination/programs for firewall and virus checking and protecting? It appears that running a combination of programs do best, but which do the job? I would rather avoid having to buy and run an ending flow of programs. I understand that programs do need updating and have a useful life span. And that there is no "cure all".
Again, thanks.
Reg