Jul 19th, 2004

Can't remove Trojan horse

I'm fixing a PC with WinXP, and it is infected with a trojan horse I can't remove.
I'm guessing it is Trojan Banker A, but I'm not sure. The reason I believe that it is this trojan is because Ad Aware succeeded in deleting a dmid32.dll file, and every time I start the PC I get an error that the DLL file is missing. So I searched Google and learned that that file is present in the Windows system if the trojan shall run properly. Furthermore, my Norton keeps popping up with an error that there is a trojan on the PC, but it can't remove it, not even in safe mode.

So can anyone help me, please?
Posted by Crispy (Newbie Poster, 12 posts since Jul 2004)
Jul 19th, 2004

Re: Can't remove Trojan horse

Download the full working TrojanHunter trial version and scan your computer.
http://www.misec.net/trojanhunter/
Posted by caperjack (Team Colleague, 12,713 posts since Aug 2003)
Jul 19th, 2004

Re: Can't remove Trojan horse

Quote originally posted by Crispy:
    The reason I believe that it is this trojan is because Ad Aware succeeded in deleting a dmid32.dll file... So I searched Google and learned that that file is present in the Windows system...

Are you sure you spelled the name of the file correctly in your post? I get no results at all when I Google for dmid32.dll.

Quote originally posted by Crispy:
    Furthermore, my Norton keeps popping up with an error that there is a trojan on the PC, but it can't remove it, not even in safe mode.

Does Norton tell you the exact name of the trojan? If so, let us know what it is.

In terms of the error about the dll being missing, that's most likely a result of Ad Aware having deleted the file but there still being a reference to the file in your Registry. In my signature below there is a link to the HijackThis utility. Create a C:\HijackThis folder on your computer, download HJT into this folder, and run the program (close all other programs before doing so).

At this point, have HJT only perform a scan; do not have it fix anything yet! Save the log file it generates in a convenient location, open the log in Windows Notepad, and cut-n-paste the contents of the log here.
Posted by DMR (Team Colleague, 6,439 posts since Dec 2003)
Jul 20th, 2004

Re: Can't remove Trojan horse

Thanks very much, I will try the solutions and get back with results and/or logs :O)

And I made a misspelling; the file name is cmid32.dll.

The virus name is Backdoor.Trojan; when I click on the link, Norton just tells me that it is a standard name for that type of virus....
Posted by Crispy (Newbie Poster, 12 posts since Jul 2004)
Jul 20th, 2004

Re: Can't remove Trojan horse

This is the HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 20:55:17, on 20-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\mstasks2.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rdw.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Hijack this\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: (no name) - {845DB2CF-FCE1-4B00-A8C3-874E88779F79} - C:\WINDOWS\System32\jlepia.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O18 - Filter: text/plain - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
O21 - SSODL: System - {C7916D83-690E-45ED-A129-E5002FF613D0} - C:\WINDOWS\system32\system32.dll (file missing)
Posted by Crispy (Newbie Poster, 12 posts since Jul 2004)
Jul 20th, 2004

Re: Can't remove Trojan horse

Hi, I have posted the log not as a quote but as a reply, and thank you very much for your help so far :O)
Posted by Crispy (Newbie Poster, 12 posts since Jul 2004)
Jul 20th, 2004

Re: Can't remove Trojan horse

OK, you're right: that DLL does seem to be associated with a couple of trojans.

Trend Micro's report on one of those trojan variants indicates that it is often installed by another malicious program, so you should check your system thoroughly, making sure you have the absolute latest virus definition updates installed in your anti-virus program. You should also download and run Ad Aware and SpyBot if you haven't already; links to those utilities are in my sig below. Before running Ad Aware, configure it as follows:

Click the "use custom scanning" options, and then click "Customize".

- In Settings, under 'scanning', have it set to:
  'scan within archives,'
  'scan active processes,'
  'scan registry,'
  'deepscan registry,'
  'scan my IE Favourites for banned URLs,'
  'scan my hosts file.'

- In 'tweaks':

  under 'scanning engine', set it to: 'unload recognized processes during scanning.'
  under 'cleaning engine', set it to: 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

- Select 'activate in-depth scan' before starting the scan.
Posted by DMR (Team Colleague, 6,439 posts since Dec 2003)
Jul 20th, 2004

Re: Can't remove Trojan horse

Looks like we were posting at the same time. Your log does show that you've got "unwanted guests" in your system, so run Ad Aware and SpyBot as I indicated above; let them fix everything they find.

Also, I believe the "Search-For-You" crap is associated with some version of the Cool Web Search trojan. You should download and run CWShredder (again, link is in my sig) to try to remove the stuff.

Once you've run the utilities, delete all of your browser cookies and all Temp/Temporary Internet files (including "offline content"), empty your trash, and reboot.

After you've done the above, post a fresh HJT log and we'll take it from there.
Last edited by DMR; Jul 20th, 2004 at 4:07 pm.
Posted by DMR (Team Colleague, 6,439 posts since Dec 2003)
Jul 21st, 2004

Re: Can't remove Trojan horse

Now I have done all you asked :O) and this is the new log:

Logfile of HijackThis v1.98.0
Scan saved at 10:19:58, on 21-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rdw.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll

Norton didn't find anything new, but all the others did :O)

But I still think that there is something there because:

Every time I start/restart the computer I get the following message when Windows starts:

Winupd.exe - this component was not found
This program could not start because cmid.dll was not found; the problem could perhaps be solved by installing the program again.
(I have translated this message to English, so the error message isn't exact word for word, but the basics of the error should be of use to you)

When Norton starts I get this message:

Norton AntiVirus has detected a virus on your computer:

Object name: C:\windows\system32\\log.dll
Virus name: Backdoor.Trojan
Action taken: Unable to repair this file

Then I press the OK button, and immediately the same window pops up, but in action taken it writes: Access to the file was denied.
And I can press the OK button, and these two windows take turns popping up.

Furthermore, I have a process in my task manager called mstasks2.exe that occupies 99% of the CPU, so I have to end that process if I want to do anything on the machine.

Hope the information can be useful.

And thanks again
Posted by Crispy (Newbie Poster, 12 posts since Jul 2004)
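Both HijackThis logs in this thread are read by eye: DMR looks for IE search settings pointing at res:// DLLs or raw IP addresses, unnamed BHOs, Run entries under names nobody recognises or svchost lookalikes outside System32, O18 MIME filters, the O20 AppInit_DLLs entry and the O21 entry whose file is missing, and the second log is then compared against the first to see what the cleanup left behind. The script below is an added example, not HijackThis code or any poster's tooling: it parses HJT entry lines, applies those reading heuristics, and diffs the two logs into removed, persisting and newly appeared entries. The Run-name allowlist and the expected IE hosts are assumptions chosen for the example; the embedded log excerpts are lines copied from the two logs posted above.

```python
"""Triage and diff HijackThis (HJT) logs: added example for this thread, not
HijackThis code or any poster's tooling. Allowlists are assumptions; the log
excerpts are copied from the two logs posted above."""
import re
from collections import namedtuple

HjtEntry = namedtuple("HjtEntry", "section detail")

# Entry lines look like "O4 - HKLM\..\Run: [name] command" or "R1 - key = url".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<detail>.*)$")
RUN_RE = re.compile(r"hk(?:lm|cu)\\\.\.\\run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)", re.I)
SYSTEM_LOOKALIKE = re.compile(r"sv[cs]hos[dt]\.exe", re.I)  # svchost and its typosquats

# Assumed for the example: Run names the owner accounts for, and hosts IE may point at.
KNOWN_RUN_NAMES = {"nvcpldaemon", "nwiz", "soundman", "nerocheck", "ccapp",
                   "ccregvfy", "msmsgs", "nvmediacenter", "nview"}
EXPECTED_IE_HOSTS = ("microsoft.com", "msn.com", "about:blank")


def parse_hjt(text):
    """Return the R*/O* entries of a log as HjtEntry tuples, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("detail")))
    return entries


def flag_entry(entry):
    """Reason the entry deserves a second look, or None. Reading heuristics, not HJT verdicts."""
    d, low = entry.detail, entry.detail.lower()
    if entry.section in ("R0", "R1"):
        if "res://" in low or re.search(r"https?://\d+\.\d+\.\d+\.\d+", low):
            return "IE setting points at a local DLL resource or a raw IP address"
        if "http://" in low and not any(h in low for h in EXPECTED_IE_HOSTS):
            return "IE search/start page set to an unfamiliar host"
        return None
    if entry.section == "O2":
        return "unnamed browser helper object" if low.startswith("bho: (no name)") else None
    if entry.section == "O4":
        m = RUN_RE.match(d)
        if not m:
            return None
        name, cmd = m.group("name").lower(), m.group("cmd")
        look = SYSTEM_LOOKALIKE.search(cmd)
        if look and (look.group(0).lower() != "svchost.exe" or "\\system32\\" not in cmd.lower()):
            return "svchost.exe lookalike, or svchost.exe started from outside System32"
        return None if name in KNOWN_RUN_NAMES else "autostart entry not on the owner's known list"
    if entry.section == "O18":
        return "MIME filter intercepting browser content"
    if entry.section == "O20":
        return "AppInit_DLLs: loaded into every process that maps user32.dll, so always in use"
    if entry.section == "O21":
        return "ShellServiceObjectDelayLoad entry" + (" (file missing)" if "(file missing)" in low else "")
    return None


def triage(text):
    """Return [(section, detail, reason)] for every flagged entry in one log."""
    flagged = []
    for e in parse_hjt(text):
        reason = flag_entry(e)
        if reason:
            flagged.append((e.section, e.detail, reason))
    return flagged


def diff_logs(before, after):
    """Flagged (section, detail) pairs the cleanup removed, left in place, or newly introduced."""
    b = {(s, d) for s, d, _ in triage(before)}
    a = {(s, d) for s, d, _ in triage(after)}
    return sorted(b - a), sorted(b & a), sorted(a - b)


# Excerpts copied from the first (pre-cleanup) and second (post-cleanup) logs in the thread.
LOG_BEFORE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
O2 - BHO: (no name) - {845DB2CF-FCE1-4B00-A8C3-874E88779F79} - C:\WINDOWS\System32\jlepia.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O18 - Filter: text/html - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
O21 - SSODL: System - {C7916D83-690E-45ED-A129-E5002FF613D0} - C:\WINDOWS\system32\system32.dll (file missing)"""

LOG_AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll"""

if __name__ == "__main__":
    for label, group in zip(("removed", "persisting", "added"), diff_logs(LOG_BEFORE, LOG_AFTER)):
        print(label)
        for section, detail in group:
            print("  %s - %s" % (section, detail))
```

Run as a script it prints the three groups. The persisting group is the part worth acting on: the bcwcuj.exe and rdw-style Run entries, the svchost lookalikes and the O20 log.dll survive the Ad Aware/SpyBot/CWShredder pass, and log.dll is exactly the file Norton reports as "access denied": an AppInit_DLLs entry is mapped into every process that loads user32.dll, so the file is always in use while Windows is running and cannot be repaired or deleted from a normal session. The heuristics also show a false positive: Spybot's own SDHelper.dll registers as an unnamed BHO and lands in the "added" group, which is why a flag is a prompt to look, not a verdict.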
Jul 21st, 2004

Re: Can't remove Trojan horse

By the way.

I also ran Ad Aware, Spybot and CWShredder, and they all found and fixed at least 10 files.

I also deleted my temporary internet files and cookies, but I'm not sure that they were deleted properly, because it didn't take very long, and knowing my friend he would never delete those things on his own.
Posted by Crispy (Newbie Poster, 12 posts since Jul 2004)

© 2011 DaniWeb® LLC