0

-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.

-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\ctlek.dll <- delete this line , (the name may have changed since you played with it)
'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

Check in the system32 folder if the culprit dll is visible.

If it is, delete it.

I'm afraid I'm a bit confused. I ran reglite and renamed the folder, but after that it became unclear so I changed the name back until I get some clarification.

Where do I click on "AppInit_DLLs"? In the right hand pane? If so, nothing happens, so there's nothing to delete.

After that part is cleared up, my next question will be, if the dll's name changes, how will I know which one to delete?

0

What is there now? Do you still see C:\WINDOWS\System32\ctlek.dll ?
You need to right click & delete value. Then rename the folder back to Windows. Then go to the system32 folder & delete the ctlek.dll file.
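The question above about how to tell which DLL is registered if its name changes can be answered by reading the value directly. This is an added example, not part of the original thread: a read-only PowerShell audit (assumes PowerShell 3.0 or later; the function name `Get-AppInitEntries` is hypothetical) that lists every DLL named in `AppInit_DLLs` and flags entries that are registered but not visible on disk, the state described in this thread.

```powershell
# Added example: read-only audit of the AppInit_DLLs value discussed in this thread.
# Nothing is modified; the output shows which DLL name is currently registered.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit registry view; only present on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitEntries {
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # AppInit_DLLs holds DLL names separated by spaces or commas.
        $names = @("$($props.AppInit_DLLs)" -split '[\s,]+' | Where-Object { $_ })
        foreach ($name in $names) {
            # Assumption for this report: a bare file name is looked up in System32.
            if (Split-Path -Path $name -IsAbsolute) { $path = $name }
            else { $path = Join-Path $env:SystemRoot "System32\$name" }
            # -Force includes files carrying the Hidden or System attribute.
            $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key         = $key
                Entry       = $name
                Path        = $path
                OnDisk      = [bool]$file
                Attributes  = if ($file) { $file.Attributes } else { $null }
                Signature   = if ($file) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { $null }
                LoadEnabled = $props.LoadAppInit_DLLs   # absent on older Windows versions
            }
        }
    }
}

$entries = @(Get-AppInitEntries)
if ($entries.Count -eq 0) {
    'AppInit_DLLs is empty in every registry view checked.'
} else {
    $entries | Format-List
    # A registered DLL that cannot be seen on disk matches the symptom in this thread.
    $entries | Where-Object { -not $_.OnDisk } |
        ForEach-Object { "Registered but not visible on disk: $($_.Path)" }
}
```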

0

Ok, never mind, I got it. I forgot to double-click it. It's still there, I'll work on it now.

0

Before doing anything else, I went to the system32 folder to try to find it and it wasn't there. That's the same thing that keeps happening with Norton, it says the .dll file is there, but it isn't. The Folder Options are set to Show hidden files and the file extensions (in case you were going to ask).

I went ahead and renamed the folder and deleted that line. Then changed the folder name back to Windows and rebooted. I ran reglite again and the AppInit value was still clear. I went into the system32 folder and, lo and behold, ctlek.dll was there now! I deleted it. Is my problem supposed to be fixed now?

0

Glad that that worked to make the file visible :) . Time will now tell if you are clear. Does Norton still give you the warning?
I would also post another hijackthis log after a reboot in case there are more entries created by the hijacker.

Update hijackthis to version 1.98.1. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. Remove 1.97 from the folder it is in & replace it with 1.98.1.

0

-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.

-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\ctlek.dll <- delete this line , (the name may have changed since you played with it)
'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

Check in the system32 folder if the culprit dll is visible.

If it is, delete it.

I'd like to know how you knew, or even suspected, this might work?

0

I hope you guys solve this because I have a lady's PC here that has almost the identical problem. :sad:

You should probably install (or update) HiJackThis and post your own log in a new thread. I think my problem has been solved so there's hope!

0

Glad that that worked to make the file visible :) . Time will now tell if you are clear. Does Norton still give you the warning?
I would also post another hijackthis log after a reboot in case there are more entries created by the hijacker.

Update hijackthis to version 1.98.1. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. Remove 1.97 from the folder it is in & replace it with 1.98.1.

Well, been using the computer pretty much non-stop all day (all users) and no warnings! I think you finally got it! Thanks!! Here's the new, updated, hjt log:

Logfile of HijackThis v1.98.1
Scan saved at 12:53:04 AM, on 8/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Utilities\hijackthis1981\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Utilities\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

0

That looks good :) . The fix was created a while ago to combat about:blank. Since then there have been updated fixes, FindnFix being one that works (but cannot be used without permission). Thought it was worth giving the old fix a try.
Glad that it worked out for you. So, I can mark this thread as solved, you think?

0

That looks good :) . The fix was created a while ago to combat about:blank. Since then there have been updated fixes, FindnFix being one that works (but cannot be used without permission). Thought it was worth giving the old fix a try.
Glad that it worked out for you. So, I can mark this thread as solved, you think?

Yes, I think you can mark this one as solved! Thank you so much for all your time and effort!

0

Thank you for having the faith to stay & go the distance :) .
Marking this as solved. Anyone else with the same problem, please start your own thread. Thank you.

0

Thank you for having the faith to stay & go the distance :) .
Marking this as solved. Anyone else with the same problem, please start your own thread. Thank you.

I don't think it was as much faith as determination! :) Still clean! Thanks again!

0

Hello...I am what you call a retarded home PC user...
I am also trying to rid my system of this trojan virus...
I was studying the thread and have 2 questions:
1)what is the difference between regedit and reglite?
2)I am running Windows XP, not NT...do I have to do anything differently in the registry?
thanks ahead of time

0

Hi dominomack,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforu...b_faq#faq_rules


Thanks for understanding.

0

I too have this nasty about:blank virus. I have been reading the forums and trying everything that is posted. I have downloaded too many of these programs to list but I do have hijackthis. I have Norton and it deleted this virus before but it's back and it's mad. Norton lists a file known as dlg.dll but it will not delete it and I cannot delete it in safe mode either. I will post my hijackthis log. I have also tried to download cwsshredder but the link said the page had expired. I would appreciate anyone's help on this one. I have assignments due and I can't get to the software I need. Thanks. :-|

Logfile of HijackThis v1.98.2...

0

hercules220tx,

Did you not see my post directly above yours regarding our policy of not posting questions in another member's thread? You need to start your own thread for your question and post your HJT log there.

Thank you.
