# Backdoor Sdbot



## cindyvdg (Dec 28, 2002)

Hello!

My computer has been invaded by the Backdoor Sdbot trojan. Norton Antivirus found the infected files, a setup file for a game. I deleted the files but cannot find the changes in the registry that need to be deleted. I checked out the Symantec website & found none of the files they mentioned in the run folders. The virus scan took 76 hours to complete.

My computer is running so slow that it takes over an hour to boot & I cannot log onto the internet. Loading a webpage takes forever. I'm concerned that information is being accessed while online. Something is working in the background to slow it this much. That problem makes it impossible to download any trojan scanners, etc.

Does anyone have any information as to what else I can look for in the registry & where it may be? I've been fighting with this for a few weeks now. I've searched for all of the files mentioned on the Symantec website with no luck. I'm running Windows ME.

Thanks!


----------



## Rollin' Rog (Dec 9, 2000)

We really would need to look at a post of the registry locations for all startups to have much hope of helping. If you can get the StartupList application from this site, copy the exe to the problem system, then run it and save the txt file it creates to a floppy and copy it back here, we might be able to give some specific advice:

http://www.lurkhere.com/~nicefiles/

Alternately, you can try running *msconfig* and disabling the "Startup group" to see if anything in there is causing the issue. Bear in mind that when entries are disabled there they will not display in the Startuplist, so if you want to show us that, you should run it first.

This MS link on clean booting may also be helpful.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q267288


----------



## TOGG (Apr 2, 2002)

cindyvdg,

If your A drive is OK there is a program called Trojan Remover which can be d/l to two floppies and then installed on the infected machine.

Take a look at this website;http://www.simplysup.com/tremover/

(I assume, since you can post here, that you have access to a working computer)

The program is free for 30 days and as long as it covers your OS it may help you. I have used it with no problems but my machine was OK before it was scanned.

Perhaps the experts here know something about Trojan Remover and will offer you better advice.


----------



## cindyvdg (Dec 28, 2002)

Thanks for the suggestions!

I am sending the startup list from my computer as an attachment. I see the Rundll32.exe file in LoadPowerProfile under the "Run" file & again under "Run Services". Is that the trojan?

When I run "regedit" & look for these things under the "run" folders I cannot find them. In fact, the "run services" file was there one minute & then disappeared from the "regedit" screen after clicking on it.

If this is the trojan, how can I get access to it & delete it if it is not showing in Regedit? This rundll32 file is not a needed Windows ME file?

I have gone to Folder Options in the control panel & enabled "Show all files & folders" and unchecked "hide file extensions for known file types".

If I get this out of my computer will the System Restore put it right back in? Do I need to change that too?

Thanks!


----------



## Rollin' Rog (Dec 9, 2000)

All the rundll32 entries are legit. However you have some very intrusive ad/spy ware entries in

nscheck
ossproxy
hotbar

These can be removed with the program Spybot if you can get it. But for starters I would suggest running *msconfig* and unchecking everything under there except ScanRegistry, System Tray and statemgr. Or you can try just unchecking the entire startup group on the general page. See if this allows you any better web access.

Also you have a mysterious dll in your Winsock LSP entries. Are you familiar with this program:

http://www.freedom.net/support/article.html?article=110

I would uninstall it.

Good instructions for Spybot are here:

http://tomcoyote.com/SPYBOT/

I'm also puzzled by this entry:
ScardSvr = ScarSvr.xxx

supposedly for a smart card, but the extension is not executable.

I would also recommend downloading the lsp-fix application from here and using it after the program has been uninstalled which replaced normal winsock protocols with:

C:\WINDOWS\SYSTEM\ZKLSPR.DLL

the CSLOA protocols were for McAfee Internet Security but the files are "missing". The LSP-FIX should repair that as well:

http://www.cexx.org/lspfix.htm


----------



## cindyvdg (Dec 28, 2002)

I went into msconfig & unchecked all but the three things you suggested. The computer loaded up quickly, desktop came up fine. THEN it slowed again. It booted a lot faster than it has been but was still working for quite a while after everything on the screen was loaded.

I connected the computer to the router & tried getting online to download Spybot. Again the computer's working light was on but the browser would not load. I unplugged it after about 20 minutes, afraid my computer was being invaded. I was unable to access the Spybot software.

How can I get Spybot to download onto two disks? The file is a bit too large for one disk. The computer I can access the internet with only has an "A" drive to copy to.


----------



## TOGG (Apr 2, 2002)

cindyvdg,

If nobody here can advise you about getting Spybot on floppies you could always post a question on the Spybot forum;

http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi

As I said in my earlier post, the Trojan Remover program will d/l to two floppies because that's the way I downloaded it. I also checked back and it does work with ME, the only MS OS it hasn't been tested with is 2000.


----------



## Rollin' Rog (Dec 9, 2000)

Try the File Splitter:

http://www.dekabyte.com/filesplitter/

Also if you are using a Network Interface Card, you may want to remove and reinstall the software for that. Or even remove and reseat the card itself.


----------



## cindyvdg (Dec 28, 2002)

Back again!

I got the computer connected to the internet by clicking on IE while unplugged & waiting for it to come up. Then I plugged the computer in & downloaded both the Trojan Remover & Spybot software.

I ran both & checked for updates. Spybot found many files that were questionable & fixed them all. I then ran the Trojan Remover. That didn't show any problems. I went back to "msconfig" and rechecked a lot but not all of the programs in "start up". Then I ran both programs again. It is still taking about 45 minutes to boot though. Before being infected by this trojan it booted very fast. That makes me think something is still lurking about in there, hidden. The computer is just not working the way it did.

When the antivirus program found the trojan I deleted the infected files but did nothing to repair the registry. Could these things be hiding in there so the programs are missing them? They had to be in there to do their nasty deeds, right? After years of using computers, being online & downloading many things, this is the first virus I have dealt with, so this is all new to me.

The "run services" file just disappeared from "regedit" after I clicked on it to look inside. That was weird!

Cindy


----------



## Rollin' Rog (Dec 9, 2000)

Now that you've run Spybot, can you give us another look at the startuplist? Just copy/paste it to a reply if possible, others are more likely to review it that way as well.

How much faster does it boot with all startups unchecked in msconfig?


----------



## cindyvdg (Dec 28, 2002)

Here is the startup list with most things in msconfig-startup checked. It took exactly one hour for the computer to boot this time.

I right clicked on My Computer - Properties - Performance and found it runs at 84% system resources free.

When I clicked on Internet Explorer it took three minutes to come up. This was without the computer being plugged into the router. It takes much longer to load IE if it is connected. If I bring up the browser first, then plug into the router I can access webpages much faster.

I haven't tried uninstalling the network card software or reseating the card itself yet. I'm not at home & need to check to see if I brought the disk with me.

When I unchecked all but the three items you suggested in msconfig-startup it still took one full hour to boot the computer and had 95% system resources free in System Properties. Internet Explorer loaded up immediately (not connected).

Half of the desktop icons load within a few minutes. The rest of the icons are not fully loaded (no pictures on them). The working/busy light remains on & you cannot click on anything until it is completely booted.

Before being infected the computer fully loaded within a minute or so, at most.

I also ran both Spybot & Trojan Remover with each startup. It found nothing after the first run & fix.

Startup List

StartupList report, 12/29/2002, 5:34:29 PM
StartupList version: 1.50
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder
HPLogiFinder = \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
NPROTECT = C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
SpyBotSnD = "C:\PROGRAM FILES\COMPUTER PROGRAMS\SPYBOT\SPYBOT - SEARCH & DESTROY 1.1\SPYBOTSD.EXE"
TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe
TaskMonitor = C:\WINDOWS\taskmon.exe
MMTray = 
hpsysdrv = c:\windows\system\hpsysdrv.exe
MotiveMonitor = C:\Program Files\Motive\motmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Delay = C:\WINDOWS\delayrun.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~2\ADVTOOLS\ADVCHK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
CSINJECT.EXE = C:\Program Files\Norton CleanSweep\CSINJECT.EXE
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
NPROTECT = C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 14/12/2002, 15:28:56)

[Rename]
C:\PROGRA~1\NORTON~1\CSCORE.DLL=C:\PROGRA~1\NORTON~1\CSC568D.TMP
C:\PROGRA~1\NORTON~1\NCSLIVE.DLL=C:\PROGRA~1\NORTON~1\NCS5690.TMP
C:\WINDOWS\SYSTEM\QDCSPI.DLL=C:\WINDOWS\SYSTEM\QDC5690.TMP
NUL=C:\WINDOWS\REQUIRED.REG
C:\PROGRA~1\NORTON~2\BOOTWARN.EXE=C:\PROGRA~1\NORTON~2\BOOTWARN.EX^
C:\PROGRA~1\NORTON~2\ABOUTPLG.DLL=C:\PROGRA~1\NORTON~2\ABOUTPLG.DL^
C:\PROGRA~1\NORTON~2\APWUTIL.DLL=C:\PROGRA~1\NORTON~2\APWUTIL.DL^
C:\PROGRA~1\NORTON~2\CCIMSCAN.DLL=C:\PROGRA~1\NORTON~2\CCIMSCAN.DL^
C:\PROGRA~1\NORTON~2\CCIMSCAN.EXE=C:\PROGRA~1\NORTON~2\CCIMSCAN.EX^
C:\PROGRA~1\NORTON~2\CFGWIZ.DLL=C:\PROGRA~1\NORTON~2\CFGWIZ.DL^
C:\PROGRA~1\NORTON~2\CFGWIZ.EXE=C:\PROGRA~1\NORTON~2\CFGWIZ.EX^
C:\PROGRA~1\NORTON~2\DEC2.DLL=C:\PROGRA~1\NORTON~2\DEC2.DL^
C:\PROGRA~1\NORTON~2\DEC2AMG.DLL=C:\PROGRA~1\NORTON~2\DEC2AMG.DL^
C:\PROGRA~1\NORTON~2\DEC2ARJ.DLL=C:\PROGRA~1\NORTON~2\DEC2ARJ.DL^
C:\PROGRA~1\NORTON~2\DEC2CAB.DLL=C:\PROGRA~1\NORTON~2\DEC2CAB.DL^
C:\PROGRA~1\NORTON~2\DEC2EXE.DLL=C:\PROGRA~1\NORTON~2\DEC2EXE.DL^
C:\PROGRA~1\NORTON~2\DEC2GZIP.DLL=C:\PROGRA~1\NORTON~2\DEC2GZIP.DL^
C:\PROGRA~1\NORTON~2\DEC2HQX.DLL=C:\PROGRA~1\NORTON~2\DEC2HQX.DL^
C:\PROGRA~1\NORTON~2\DEC2ID.DLL=C:\PROGRA~1\NORTON~2\DEC2ID.DL^
C:\PROGRA~1\NORTON~2\DEC2LHA.DLL=C:\PROGRA~1\NORTON~2\DEC2LHA.DL^
C:\PROGRA~1\NORTON~2\DEC2LZ.DLL=C:\PROGRA~1\NORTON~2\DEC2LZ.DL^
C:\PROGRA~1\NORTON~2\DEC2RTF.DLL=C:\PROGRA~1\NORTON~2\DEC2RTF.DL^
C:\PROGRA~1\NORTON~2\DEC2SS.DLL=C:\PROGRA~1\NORTON~2\DEC2SS.DL^
C:\PROGRA~1\NORTON~2\DEC2TAR.DLL=C:\PROGRA~1\NORTON~2\DEC2TAR.DL^
C:\PROGRA~1\NORTON~2\DEC2TEXT.DLL=C:\PROGRA~1\NORTON~2\DEC2TEXT.DL^
C:\PROGRA~1\NORTON~2\DEC2TNEF.DLL=C:\PROGRA~1\NORTON~2\DEC2TNEF.DL^
C:\PROGRA~1\NORTON~2\DEC2UUE.DLL=C:\PROGRA~1\NORTON~2\DEC2UUE.DL^
C:\PROGRA~1\NORTON~2\DEC2ZIP.DLL=C:\PROGRA~1\NORTON~2\DEC2ZIP.DL^
C:\PROGRA~1\NORTON~2\DECSDK.DLL=C:\PROGRA~1\NORTON~2\DECSDK.DL^
C:\PROGRA~1\NORTON~2\DEFALERT.DLL=C:\PROGRA~1\NORTON~2\DEFALERT.DL^
C:\PROGRA~1\NORTON~2\N32CALL.DLL=C:\PROGRA~1\NORTON~2\N32CALL.DL^
C:\PROGRA~1\NORTON~2\N32EXCLU.DLL=C:\PROGRA~1\NORTON~2\N32EXCLU.DL^
C:\PROGRA~1\NORTON~2\N32VLIST.DLL=C:\PROGRA~1\NORTON~2\N32VLIST.DL^
C:\PROGRA~1\NORTON~2\NAVAP32.DLL=C:\PROGRA~1\NORTON~2\NAVAP32.DL^
C:\PROGRA~1\NORTON~2\NAVAPI.VXD=C:\PROGRA~1\NORTON~2\NAVAPI.VX^
C:\PROGRA~1\NORTON~2\NAVAPI32.DLL=C:\PROGRA~1\NORTON~2\NAVAPI32.DL^
C:\PROGRA~1\NORTON~2\NAVAPSCR.DLL=C:\PROGRA~1\NORTON~2\NAVAPSCR.DL^
C:\PROGRA~1\NORTON~2\NAVCOMUI.DLL=C:\PROGRA~1\NORTON~2\NAVCOMUI.DL^
C:\PROGRA~1\NORTON~2\NAVDEFS.DLL=C:\PROGRA~1\NORTON~2\NAVDEFS.DL^
C:\PROGRA~1\NORTON~2\NAVDX.EXE=C:\PROGRA~1\NORTON~2\NAVDX.EX^
C:\PROGRA~1\NORTON~2\NAVDX.OVL=C:\PROGRA~1\NORTON~2\NAVDX.OV^
C:\PROGRA~1\NORTON~2\NAVEMAIL.DLL=C:\PROGRA~1\NORTON~2\NAVEMAIL.DL^
C:\PROGRA~1\NORTON~2\NAVERROR.DLL=C:\PROGRA~1\NORTON~2\NAVERROR.DL^
C:\PROGRA~1\NORTON~2\NAVEVENT.DLL=C:\PROGRA~1\NORTON~2\NAVEVENT.DL^
C:\PROGRA~1\NORTON~2\NAVINOC.DLL=C:\PROGRA~1\NORTON~2\NAVINOC.DL^
C:\PROGRA~1\NORTON~2\NAVKRNLO.VXD=C:\PROGRA~1\NORTON~2\NAVKRNLO.VX^
C:\PROGRA~1\NORTON~2\NAVLCOM.DLL=C:\PROGRA~1\NORTON~2\NAVLCOM.DL^
C:\PROGRA~1\NORTON~2\NAVLNCH.DLL=C:\PROGRA~1\NORTON~2\NAVLNCH.DL^
C:\PROGRA~1\NORTON~2\NAVLOGV.DLL=C:\PROGRA~1\NORTON~2\NAVLOGV.DL^
C:\PROGRA~1\NORTON~2\NAVLUCBK.DLL=C:\PROGRA~1\NORTON~2\NAVLUCBK.DL^
C:\PROGRA~1\NORTON~2\NAVOPTS.DLL=C:\PROGRA~1\NORTON~2\NAVOPTS.DL^
C:\PROGRA~1\NORTON~2\NAVPROD.DLL=C:\PROGRA~1\NORTON~2\NAVPROD.DL^
C:\PROGRA~1\NORTON~2\NAVSCAN.DLL=C:\PROGRA~1\NORTON~2\NAVSCAN.DL^
C:\PROGRA~1\NORTON~2\NAVSHEXT.DLL=C:\PROGRA~1\NORTON~2\NAVSHEXT.DL^
C:\PROGRA~1\NORTON~2\NAVSTATS.DLL=C:\PROGRA~1\NORTON~2\NAVSTATS.DL^
C:\PROGRA~1\NORTON~2\NAVSTUB.EXE=C:\PROGRA~1\NORTON~2\NAVSTUB.EX^
C:\PROGRA~1\NORTON~2\NAVTASKS.DLL=C:\PROGRA~1\NORTON~2\NAVTASKS.DL^
C:\PROGRA~1\NORTON~2\NAVTSKWZ.DLL=C:\PROGRA~1\NORTON~2\NAVTSKWZ.DL^
C:\PROGRA~1\NORTON~2\NAVUI.DLL=C:\PROGRA~1\NORTON~2\NAVUI.DL^
C:\PROGRA~1\NORTON~2\NAVW32.EXE=C:\PROGRA~1\NORTON~2\NAVW32.EX^
C:\PROGRA~1\NORTON~2\NETBREXT.DLL=C:\PROGRA~1\NORTON~2\NETBREXT.DL^
C:\PROGRA~1\NORTON~2\OEHEUR.DLL=C:\PROGRA~1\NORTON~2\OEHEUR.DL^
C:\PROGRA~1\NORTON~2\OFFICEAV.DLL=C:\PROGRA~1\NORTON~2\OFFICEAV.DL^
C:\PROGRA~1\NORTON~2\PATCH32I.DLL=C:\PROGRA~1\NORTON~2\PATCH32I.DL^
C:\PROGRA~1\NORTON~2\QCONRES.DLL=C:\PROGRA~1\NORTON~2\QCONRES.DL^
C:\PROGRA~1\NORTON~2\QCONSOLE.EXE=C:\PROGRA~1\NORTON~2\QCONSOLE.EX^
C:\PROGRA~1\NORTON~2\QSPAK32.DLL=C:\PROGRA~1\NORTON~2\QSPAK32.DL^
C:\PROGRA~1\NORTON~2\QUAR32.DLL=C:\PROGRA~1\NORTON~2\QUAR32.DL^
C:\PROGRA~1\NORTON~2\S32ALOGO.DLL=C:\PROGRA~1\NORTON~2\S32ALOGO.DL^
C:\PROGRA~1\NORTON~2\S32INTEG.DLL=C:\PROGRA~1\NORTON~2\S32INTEG.DL^
C:\PROGRA~1\NORTON~2\S32NAVO.DLL=C:\PROGRA~1\NORTON~2\S32NAVO.DL^
C:\PROGRA~1\NORTON~2\SAVRT.VXD=C:\PROGRA~1\NORTON~2\SAVRT.VX^
C:\PROGRA~1\NORTON~2\SAVRT32.DLL=C:\PROGRA~1\NORTON~2\SAVRT32.DL^
C:\PROGRA~1\NORTON~2\SAVRTPEL.VXD=C:\PROGRA~1\NORTON~2\SAVRTPEL.VX^
C:\PROGRA~1\NORTON~2\SCANDLVR.DLL=C:\PROGRA~1\NORTON~2\SCANDLVR.DL^
C:\PROGRA~1\NORTON~2\SCANDRES.DLL=C:\PROGRA~1\NORTON~2\SCANDRES.DL^
C:\PROGRA~1\NORTON~2\SCANMGR.DLL=C:\PROGRA~1\NORTON~2\SCANMGR.DL^
C:\PROGRA~1\NORTON~2\SCRIPTUI.DLL=C:\PROGRA~1\NORTON~2\SCRIPTUI.DL^
C:\PROGRA~1\NORTON~2\SDFLT32I.DLL=C:\PROGRA~1\NORTON~2\SDFLT32I.DL^
C:\PROGRA~1\NORTON~2\SDPCK32I.DLL=C:\PROGRA~1\NORTON~2\SDPCK32I.DL^
C:\PROGRA~1\NORTON~2\SDSND32I.DLL=C:\PROGRA~1\NORTON~2\SDSND32I.DL^
C:\PROGRA~1\NORTON~2\SDSOK32I.DLL=C:\PROGRA~1\NORTON~2\SDSOK32I.DL^
C:\PROGRA~1\NORTON~2\SDSTP32I.DLL=C:\PROGRA~1\NORTON~2\SDSTP32I.DL^
C:\PROGRA~1\NORTON~2\SFSTR32I.DLL=C:\PROGRA~1\NORTON~2\SFSTR32I.DL^
C:\PROGRA~1\NORTON~2\SMSTR32I.DLL=C:\PROGRA~1\NORTON~2\SMSTR32I.DL^
C:\PROGRA~1\NORTON~2\SYMNAVO.DLL=C:\PROGRA~1\NORTON~2\SYMNAVO.DL^
C:\PROGRA~1\NORTON~2\TKNV16O.DLL=C:\PROGRA~1\NORTON~2\TKNV16O.DL^
C:\PROGRA~1\NORTON~2\TKNV32O.DLL=C:\PROGRA~1\NORTON~2\TKNV32O.DL^
C:\PROGRA~1\NORTON~2\UNDOBOOT.EXE=C:\PROGRA~1\NORTON~2\UNDOBOOT.EX^
C:\PROGRA~1\NORTON~2\V32SCAN.DLL=C:\PROGRA~1\NORTON~2\V32SCAN.DL^
C:\WINDOWS\SYSTEM\SAVRTGUI.DLL=C:\WINDOWS\SYSTEM\SAVRTGUI.DL^
C:\PROGRA~1\NORTON~2\APWCMD9X.DLL=C:\PROGRA~1\NORTON~2\APWCMD9X.000
C:\PROGRA~1\NORTON~2\NAVAPW32.DLL=C:\PROGRA~1\NORTON~2\NAVAPW32.000
C:\PROGRA~1\COMMON~1\SYMANT~1\CCAPP.EXE=C:\PROGRA~1\COMMON~1\SYMANT~1\CCAPP.EX^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLUI.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLUI.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCERRDSP.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\CCERRDSP.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCEVT.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\CCEVT.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCEVTMGR.EXE=C:\PROGRA~1\COMMON~1\SYMANT~1\CCEVTMGR.EX^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCLGVIEW.EXE=C:\PROGRA~1\COMMON~1\SYMANT~1\CCLGVIEW.EX^
C:\WINDOWS\SYSTEM\CCPASSWD.DLL=C:\WINDOWS\SYSTEM\CCPASSWD.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPWDSVC.EXE=C:\PROGRA~1\COMMON~1\SYMANT~1\CCPWDSVC.EX^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCREGMON.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\CCREGMON.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCREGVFY.EXE=C:\PROGRA~1\COMMON~1\SYMANT~1\CCREGVFY.EX^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCSHTDWN.EXE=C:\PROGRA~1\COMMON~1\SYMANT~1\CCSHTDWN.EX^
C:\WINDOWS\SYSTEM\CCTRUST.DLL=C:\WINDOWS\SYSTEM\CCTRUST.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCWEBWND.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\CCWEBWND.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\SRNEW.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\SRNEW.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\SROLD.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\SROLD.DL^
C:\PROGRA~1\COMMON~1\SYMANT~1\CCAPPHLP.DLL=C:\PROGRA~1\COMMON~1\SYMANT~1\CCAPPHLP.000

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

@C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

@echo off
REM
REM

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

[Persits Software XUpload]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\XUPLOAD.OCX
CODEBASE = http://www.walmartphotocenter.com/photo/upload/XUpload.ocx

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

[{0335A685-ED24-4F7B-A08E-3BD15D84E668}]
CODEBASE = http://www.photoparade.com/autoinstall/phpsetup.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002112801/housecall.antivirus.com/housecall/xscan53.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security1.norton.com/SSC/SharedContent/common/bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\SYSTEM\ZKLSPR.DLL
Protocol #2: C:\WINDOWS\SYSTEM\ZKLSPR.DLL
Protocol #3: C:\WINDOWS\SYSTEM\ZKLSPR.DLL
Protocol #4: C:\WINDOWS\SYSTEM\ZKLSPR.DLL
Protocol #5: C:\WINDOWS\SYSTEM\ZKLSPR.DLL
Protocol #6: C:\WINDOWS\SYSTEM\ZKLSPR.DLL
Protocol #7: CSLOA.DLL (file MISSING)
Protocol #8: CSLOA.DLL (file MISSING)
Protocol #9: CSLOA.DLL (file MISSING)
Protocol #10: CSLOA.DLL (file MISSING)
Protocol #11: CSLOA.DLL (file MISSING)
Protocol #12: CSLOA.DLL (file MISSING)
Protocol #14: CSLOA.DLL (file MISSING)
Protocol #20: C:\WINDOWS\SYSTEM\ZKLSPR.DLL

--------------------------------------------------
End of report, 16,968 bytes
Report generated in 0.416 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## TOGG (Apr 2, 2002)

cindyvdg,

Trojan Remover has IRC\Sdbot listed in its database as a trojan used for denial of service attacks. I wonder if that is what NAV found on your machine? The database was updated again on 28th December.

I know you have scanned with Trojan Remover but was that just the short scan or did you allow it to scan your whole HD? The short scan covers the usual places that trojans are launched from and I have no idea if Sdbot is capable of hiding itself somewhere else. Just a thought.

Rollin' Rog is the expert on startup lists and it will be interesting to see what he makes of yours, particularly whether the loads of Norton entries or missing Winsock files mean anything.


----------



## cindyvdg (Dec 28, 2002)

TOGG

I am running the Trojan Remover program again now. I followed the instructions to the "Options" on the search screen & made sure everything was checked, then ran it again. I've run it quite a few times, after any changes & on startup, but it has only taken a few minutes to run. Now it has taken at least an hour and is still not finished. It gets hung up on some files for a long time. Nothing negative so far though.

I also ran the updates on both Spybot & Trojan Remover & got the newest December 28 update.

NAV found the files that were infected, in the file folder & in C:\Windows\Temp\. I think there were four of them. It did not list any registry entries.

From what I've read about this Trojan, it gives someone control of your computer through an IRC Chat. Access to private information stored on the computer, passwords, account numbers, email programs, etc. That has me very concerned. Symantec listed the files that are added by this Trojan & where to look for them in regedit, but I couldn't find them. I also read that they can disguise themselves as "Default" settings. Scary!

The computer acts as though something is running behind the scenes. If I try to move the mouse at times it freezes & I have to restart the computer. You cannot click on anything until the "working/busy" light goes off. It seems to just use all of the memory for that time. This happened even when not connected to the internet. It was taking very long to open anything, if it would open at all. At least now the programs are working. Slowly & still locking up, but better than before removing those program files.


I was a bit confused by the NAV entries too. Seemed like an awful lot. I really don't know what Winsock files are. I'll have to look that up.


----------



## Rollin' Rog (Dec 9, 2000)

The wininit.bak file represents file changes that were made during an update or uninstall. In this case it looks like you updated NAV on the 14th?

There is nothing suspicious in Startups or Running Processes. The only visible issue I can see are those Winsock protocols. Have you run the LSP-FIX program yet? That should restore the defaults. As I mentioned the "missing" ones are for McAfee's firewall, which evidently has been uninstalled. And the others appear related to a Parental Controls or other program from the freedom.net site.

http://www.cexx.org/lspfix.htm

And I don't think you've answered as to whether you have any knowledge of this program:

http://www.freedom.net/support/article.html?article=110

Is there anything by them in Add/Remove programs?

Does it boot up any faster in Safe Mode? Press and hold the ctrl key starting up until the Startup Menu displays and try Safe Mode from there.

Also, when in Normal mode, if you right click on My Computer and select Properties > Performance, does it say configured for "optimal performance" or "compatibility mode"?


----------



## cindyvdg (Dec 28, 2002)

Rollin Rog

The Trojan Remover is STILL running since last night. I can't access anything else on that computer as a result. It freezes if I click on anything. This is what NAV does too. It took 76 hours to run. Seems a bit much.

I'll check for the system resources as soon as I can to see if it is operating in Optimum or Compatibility mode.

The Freedom software came with the router. It is for the firewall, parental controls, ad control, etc. I'll check that out too along with the Winsock link.

What exactly is Winsock? What does it do?

Thanks!


----------



## Rollin' Rog (Dec 9, 2000)

The Winsock protocols are a part of the tcp/ip interface to the web. That is, they specify settings that are used for connecting to servers on the web. MS installs a default set with Dialup Networking and tcp/ip. However some third party programs insert their own into the "stack" of protocols which are included in the Winsock2.vxd. Often when the programs are removed or corrupt it makes browsing and connecting impossible. Since I can't see anything else in the background there, I have to think this is a problem with either the network adapter itself, or the protocols.

One thing you might try as a test, and of course you will not be able to connect to the net if you are networked or using broadband, is to go to the Device Manager Properties page for your NIC and on the settings page put a check in "disable in this hardware profile" and reboot. If you don't have a bootup problem, then the network adapter is involved somehow. Of course you will need to uncheck that for it to work at all.

You can do a ctrl-alt-del and end task everything there except Explorer to kill the trojan remover and anything else in the background.
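The manual review Rollin' Rog does in this thread (checking what each Run entry really launches, the `ScardSvr = ScarSvr.xxx` extension, the Explorer.exe locations, and the Winsock LSP chain with its missing CSLOA.DLL and third-party ZKLSPR.DLL) can be scripted against a saved StartupList report. The Python below is an added example, not code from this thread or from the StartupList tool. The list of Microsoft-owned LSP DLLs, the `C:\WINDOWS` shell path, and the sample report (entries copied from the list posted above plus one invented stray `System\Explorer.exe` to exercise the impostor check) are assumptions made for the demonstration.

```python
# Triage a StartupList 1.x report for the red flags raised in this thread: Run
# targets with no executable extension, empty entries, stray Explorer.exe copies,
# and Winsock LSP slots that point at missing or third-party DLLs. Added example,
# not code from the thread or from the StartupList tool.
import re
from pathlib import PureWindowsPath

SEPARATOR = re.compile(r"^[-=]{10,}$")
ENTRY = re.compile(r"^\*?(?P<name>[^=]+?)\s*=\s*(?P<cmd>.*)$")
LSP_LINE = re.compile(r"^Protocol #(\d+):\s+(.+?)(\s+\(file MISSING\))?$")
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr"}
LOADERS = {"rundll32.exe", "rundll32", "rundll.exe", "rundll"}
# Assumed set of Microsoft's own Win9x/ME Winsock 2 providers; any other DLL in the chain is third party.
MS_LSP_DLLS = {"msafd.dll", "rsvpsp.dll", "rnr20.dll", "winrnr.dll", "mswsock.dll"}
REAL_SHELL = r"c:\windows\explorer.exe"  # assumes C:\WINDOWS, as in the report above

def split_sections(report):
    sections, heading, body = [], None, []
    for line in (raw.rstrip() for raw in report.splitlines()):
        if SEPARATOR.match(line.strip()):
            sections += [(heading, body)] if heading else []
            heading, body = None, []
        elif heading is None:
            heading = line.strip() or None  # first non-blank line names the section
        else:
            body.append(line)
    return sections + ([(heading, body)] if heading else [])

def launch_target(command):
    # Returns (file that really runs, via_loader): the DLL argument when the first
    # token is rundll32/RunDLL, otherwise the first (possibly quoted) token.
    cmd = command.strip()
    first, _, rest = cmd[1:].partition('"') if cmd.startswith('"') else cmd.partition(" ")
    args = rest.split()
    if PureWindowsPath(first).name.lower() in LOADERS and args:
        return args[0].split(",", 1)[0], True
    return first, False

def check_autoruns(body):
    findings = []
    for m in filter(None, map(ENTRY.match, body)):
        name, command = m["name"].strip(), m["cmd"].strip()
        if not command:
            findings.append(f"{name}: empty value (orphaned entry)")
            continue
        target, via_loader = launch_target(command)
        ext = PureWindowsPath(target).suffix.lower()
        if ext not in EXECUTABLE_EXTS and not (ext == ".dll" and via_loader):
            findings.append(f"{name}: launches '{target}', which has no executable extension")
    return findings

def check_explorer(body):
    # Any Explorer.exe reported PRESENT outside the Windows directory is a shell impostor candidate.
    return [f"extra Explorer.exe copy at {path} (shell impostor candidate)"
            for path, sep, status in (line.rpartition(": ") for line in body)
            if sep and status.startswith("PRESENT") and path.lower() != REAL_SHELL]

def check_lsp(body):
    slots = {}  # (dll path, missing?) -> chain slot numbers
    for m in filter(None, map(LSP_LINE.match, body)):
        slots.setdefault((m[2], bool(m[3])), []).append(int(m[1]))
    findings = []
    for (path, missing), nums in slots.items():
        name, where = PureWindowsPath(path).name.lower(), ", ".join(f"#{n}" for n in nums)
        if missing:
            findings.append(f"LSP {where}: {name} is chained but missing from disk")
        elif name not in MS_LSP_DLLS:
            findings.append(f"LSP {where}: third-party provider {path}")
    return findings

def triage(report):
    findings = []
    for heading, body in split_sections(report):
        if heading.startswith("Autorun entries"):
            key = next((line for line in body if line.startswith(("HKLM", "HKCU"))), heading)
            findings += [f"{key}: {f}" for f in check_autoruns(body)]
        elif heading.startswith("Checking for EXPLORER.EXE"):
            findings += check_explorer(body)
        elif heading.startswith("Enumerating Winsock LSP"):
            findings += check_lsp(body)
    return findings

# Constructed sample in the report's format: entries taken from the thread plus
# one invented System\Explorer.exe copy to exercise the impostor check.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MMTray =
ScardSvr = ScarSvr.xxx
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\WINDOWS\System\Explorer.exe: PRESENT!
--------------------------------------------------
Enumerating Winsock LSP files:
Protocol #1: C:\WINDOWS\SYSTEM\ZKLSPR.DLL
Protocol #7: CSLOA.DLL (file MISSING)
Protocol #9: C:\WINDOWS\SYSTEM\MSAFD.DLL
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REPORT)))
```

To use it on a real report, pass the saved text file's contents to `triage()`. The LSP findings are exactly the condition LSP-Fix repairs: a slot whose DLL is missing breaks every connection attempt that walks the chain, and a slot pointing at a third-party DLL names the product that inserted itself between the application and TCP/IP. Rundll32 entries are only accepted when the DLL they load has a `.dll` extension, which is why the legitimate LoadPowerProfile line passes while `ScarSvr.xxx` is flagged.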


----------



## TOGG (Apr 2, 2002)

cindyvdg,

I understand why you are fed up with waiting so long for scans to complete and, if I were in your shoes, I would probably have given up hours ago!

It would have been nice to know if TR can do what it claims but there is no reason why you should be the long suffering subject of a trial of its abilities.

I'm sure that, with Rog's expert guidance, you will be able to use one of the manual tools to defeat this trojan and I shall keep tracking this thread to see what happens. Good luck!


----------



## TOGG (Apr 2, 2002)

cindyvdg,

In the absence of any new posts I assume you are no further forward with your problem?

At risk of insulting your intelligence can I ask if you read the Trojan Remover Read me file? If you disabled your antivirus and any background programs, like [email protected] or United Devices, then there is no reason why the scan should not have completed (other than whatever it is that is bugging your computer of course!)

TR has been updated again today but that may not make any difference to your problem even if you bothered to get the update.

Have you been able to do any of the things Rog recommended to repair Winsock?


----------



## cindyvdg (Dec 28, 2002)

Hello & Happy New Year!

No, I haven't been able to resolve the computer problems, I just have not had the time to do much with it this week. Everything is time consuming with the very slow boots.

Yes, the programs were disabled before running the Trojan Remover (no insult taken). I am still running it with just three programs in startup. I stopped the scan after a day & a half of it running on a full scan.

I also ran the ISPFIX. It found and corrected seven items. 

I uninstalled the Smart Card reader too, with the ScardSvr = ScarSvr.xxx entry, before running this fix.

I attempted to run the Freedom Diagnostic program, as the Freedom diagnostic center webpage suggested. I got an error message that there was a missing DLL file, LIBEAY32.DLL. I did a search for the file but could not find it on the computer or the software cd. 

I then tried to reinstall the program from the CD. Another error message came up that a file, WINDOWS\TEMP\_is30C5\setup.ini could not be moved to a temporary location.

The Freedom program will not run at all now & won't reinstall or uninstall. I sent a message to Freedom Tech Support. I had written them with a question after installing the software & have not received an answer, so I won't hold my breath on that one.

After trying to remove the Freedom program the second computer would not connect to the internet. I had to unplug the cable modem from the power for a few minutes, then plug it back in. That computer is running okay again now.

I tried to remove the program through the Add/Remove option in the Control Panel. It had the same errors & was terminated before removing it.

I checked the system preferences and the computer is working at "Optimal Performance".

I tested the internet connection by clicking on the browser while the computer was unplugged from the router. The browser was taking a very long time to load up, sometimes an hour or more. Now it is up much quicker. I allowed the browser to load, then plugged into the router & it connected right away. So, it appears that the browser was experiencing the problem. Once the browser loads up & I plug it in it works fine.

I restarted in Safe Mode, to see if it is any faster. I tried that when the computer was at its worst & it did boot much faster in Safe Mode. It is booting a lot faster now, probably about 20-30 minutes. I will try it again now.

Before I realized it was infected & removed the actual files, it would take hours. I could reset it at night & it would still be booting the next morning. Everything I did froze it up.

Now, if I click on anything while the computer is working, the mouse freezes. It is slow, has to be reset often & acts as though it is low on memory. 

Still baffled by this thing but not giving up!


----------



## TOGG (Apr 2, 2002)

cindyvdg,

Hello again and a Happy New Year to you!

I imagine that it is obvious to you by now that I am not an expert in these matters and, hopefully, Rollin Rog will be along soon with some more useful advice.

Looking back over this thread, I have been wondering if there might be some clues in the background to your problem. In your first post you said you had had the problem for a 'few weeks'. How long exactly is it since you were infected? According to the Symantec site their definitions for Sdbot were last updated on 9th December - were you infected before then? If so this might partly explain why the latest removal instructions didn't clear this up (unless it's a Norton false positive). Rog could see traces of an NAV update on 14/12 - does this mean that you were still OK then?

Can you explain briefly what your setup was prior to the infection? You have at least two computers connecting via a router, covered by NAV and this Freedom software which you say you had problems with on installation, suggesting that it was added fairly recently. Rog saw traces of a McAfee firewall; was that also installed at this time? I see from the Freedom website that it acts as AV, anti trojan, anti pop up, firewall and parental control. Did the version you have do all that and was it running at the same time as NAV or McAfee?

I know nothing about routers or networking. Did your security software run on all the computers, on one of them or on the router itself (if that's possible)?

In one of his posts Rog said he couldn't see anything much in your startups except Winsock (which you've now fixed) and the Trojan Remover scan of the places trojans lurk also found nothing.
He also thought that your problem could be with your network adapter or protocols. I wonder if whatever Norton found, or the removal steps you took, aggravated a pre-existing conflict in your setup. I see that you currently cannot uninstall Freedom but, hopefully, Rog will know of a way to do it in Safe Mode so that we can see if that helps.

Finally, you seem to be suggesting that one computer is OK. Is it the one you use to post? Is it 'behind' the infected one on your network and so wasn't infected?

Sorry to go on at such length but, if your computer were a sick human being, we would take a full history, wouldn't we?


----------



## Rollin' Rog (Dec 9, 2000)

Hi Cindy, unfortunately the complexity of your setup makes it a bit difficult for me to take it all in, especially as I, like TOGG, have no personal experience with networking, routers or that type of configuration.

However you say it boots up relatively normally when disconnected from the router. Then once connected, you experience freezes.

I'm wondering if the DSL fix posted by Del in this thread might have relevance to your problem. It really sounds like this is not a problem with IE or Windows particularly, but a configuration issue with the router or networking setup.

http://forums.techguy.org/t100596/s8e099f66468cf63e79622cc58a317f6a.html


----------



## cindyvdg (Dec 28, 2002)

TOGG

There are two computers on the home network. One is a bit older & slower (the one I now use to access the internet & make posts here while the other is sick). The other is not quite two years old. 

I networked them through a router so they could both be used to access the internet. The cable modem only allows one connection. The router connects to the cable modem & allows up to four computers to access the same connection.

The older computer has its own Norton Anti Virus running & Black Ice. The newer one had McAfee online services preinstalled. I had trouble accessing the web services, so I uninstalled that program quite a while ago.

The Freedom software was installed about the third week of November after purchasing the router. The problem I initially had with the program was not knowing how to set it up to keep out intruders. I emailed them with questions & they never responded. I later figured some of it out by playing with the settings. You can control what goes through the router with the Freedom software, both outgoing and incoming. I just don't know what to restrict without causing problems with the computers logging on, receiving email, etc. It was running when I first ran the AV & the trojan was found, but don't know that there were really any blocks being used. Now it is not working at all but I don't have it starting at startup either. I ran the Trojan Remover & Spybot after unchecking it from startup.

The computer was infected around November 10th through a file I downloaded off of an MP3 Download site that I have a membership with. I guess I was a bit too trusting because I had never had a problem before. That is why it went undetected for so long. At first I thought it was a memory problem. I even bought additional RAM & installed it. Of course that made no difference at all. By that time nothing on the computer worked, so I couldn't run a virus scan. As soon as I was able to connect I ran an online scan. That found the trojan first, after more than three days of scanning. It could not remove the files through that online scan for some reason, so I then installed, updated & ran Norton. I do believe I had to manually remove the infected program files. So, the trojan was in the computer for about six weeks before finding & deleting it. Of course I was frantic by then, thinking the computer was plugged into the modem all that time & someone could have had access to who knows what information on my computer. The Black Ice program on the other computer did send alerts that an intrusion was attempted & detected. It looked as though it may have been the other, infected computer. I now unplug one before plugging in the other to be safe.

Things are working much better but still far from normal.

Cindy


----------



## cindyvdg (Dec 28, 2002)

Rollin' Rog,

Thanks for the suggestions!

The computer is still taking an hour to boot when unplugged from the router. The browser is now coming up pretty fast. It was taking hours also. I click on IE while it is not connected to the modem, then I plug it in & it works okay. If I boot the computer while it is plugged into the router/modem it takes longer and the browser doesn't load as fast. The Yahoo Messenger takes longer than it used to, to log in also.

The network & router setup are pretty simple. The internet cable modem plugs into the router, the router plugs into the electrical outlet, both computers plug into the router. All it does is allow both computers to access the internet through one modem. No changes were made to the older computer. It was just a matter of plugging it in. I installed the Freedom software onto the other computer because it is newer and faster. The software is an option. You only need it if you choose to use the fire wall, ad popup control, etc.

I know little about networks & routers myself. I just went into Circuit City & asked how to accomplish what I wanted to do, connect the two computers. That is what they advised. So, this is all new to me too.

Now that I'm thinking about it, I installed the router after the trojan got into the computer. It started getting slow gradually. I think that is why I suspected low memory at first. It didn't get to the 8+ hour boots for a while, days. It may have worsened each time I reset the computer. I rarely shut the computer down before. It was on & connected to the internet 24 hours a day until this trouble started. It still locks up a few times a day but is now useable. At least to check things out & get online to download the programs, fixes, etc., that I need. I installed the Freedom Software on November 21st, about 11 days after the trojan was downloaded. The computer was working well enough to install the program. Hmmm! It didn't seem like that much time elapsed between. I just checked the properties for the program to get the install date. Perhaps the undetected trojan affected the Freedom installation?

I will try uninstalling Freedom in safe mode & see if that works.

Cindy


----------



## Rollin' Rog (Dec 9, 2000)

Well, the slow bootup even in SafeMode is the most puzzling. Two things I would suggest. One try creating a DOS level scanner and running it following the instructions in this post. It's a good alternative to have handy and worth the extra time to create it:

http://forums.techguy.org/showthread.php?postid=406115#post406115

The second thing would be to let us see a post of the "BootLog Analyzer". Now for this to work you have to do a fresh "logged boot". You can do this either by going to the Startup Menu, which gives it as an option along with Safe Mode and the others, or BLA (Boot Log Analyzer) will give you a prompt when you run it.

Once you have run it, click on the "Show Delays" option, then save the file as a text file and upload or post it here.

http://www.vision4.dial.pipex.com/


----------



## TOGG (Apr 2, 2002)

cindyvdg,

Well, I'm completely out of my depth now ( it doesn't take much!)

I do know that some people have had serious problems from running more than one security program on the same computer at the same time but I don't know how that can affect networks.

I wonder if there would be any point in transferring this to the Networking forum in case someone there could help?


----------



## cindyvdg (Dec 28, 2002)

Rollin' Rog,

I will download & run the F-Prot scanner as soon as the computer gets finished booting again.

I tried starting in Safe Mode last night, to uninstall the Freedom program. No luck! It still gave an error message saying a needed dll file was missing. The program is still in there but not working.

The Safe Mode boot took ten minutes. Less time than the hour long boot in Normal Mode, but still way too slow.

I will also do the "Bootlog Analyzer" ASAP. These are all new things to me so may take a little time to do correctly.

This sure has been a learning experience!

Cindy


----------



## Rollin' Rog (Dec 9, 2000)

Just one more thing, have you ever checked to see if Windows is recognizing all your installed ram? You can do this easily enough by looking at the Advanced tab in msconfig. Under the "limit" option, you should see your full amount of ram listed.

Also how much free space is left on the hard drive?
In System Properties > Performance > Virtual Memory, how much is shown there? You should also see amt of recognized memory on the Performance tab.

You can Right Click on My Computer and select Properties to get there.


----------



## cindyvdg (Dec 28, 2002)

Rollin' Rog,

A question! The Bootlog Analyzer download site says it is a Windows 95/98 program. Will it work okay with Windows ME?

Thanks!


----------



## Rollin' Rog (Dec 9, 2000)

Yes, it was written in pre ME days, but it will work.


----------



## cindyvdg (Dec 28, 2002)

Hello again!

Well...the computer is now taking hours to boot. In fact, it hasn't actually booted completely since my last post. The desktop looks ok but the "busy" light never goes off now & if you click on anything it takes forever to even come up.

I downloaded and ran the F-prot program. It ran for a few days before getting hung up on a file for about 12 hours. I had to reset the computer to stop the scan. It had a screen full of "possible corrupt exe files" in Windows that were encrypted & could not be scanned. They were from programs like ACDSee, etc., that have been in the computer for a long time. The file it was stuck on was an incomplete download from an MP3 site. I deleted all of the incomplete files from that folder after resetting the computer. The computer booted OK (still an hour) after trying to run F-prot. It found one infected file, a JS/NoClose in ACDSee. I looked that up and read that it is not an actual virus but a behind the scenes ad banner or something? Sneaky! Wonder why that was not found by NAV?

Then I downloaded & ran the Bootlog Analyzer. The screen came up but was blank. The Busy light was on another day & a half before I decided to reset the computer again. I couldn't use Ctrl+Alt+Delete. It wouldn't come up.

Now the computer doesn't boot completely at all. Yet another problem! Oh well...I'm learning more about these things, that's for sure. 

The full RAM (128 MB) is showing. I took the additional RAM that I installed out until I get this thing running right again. I have 23.8 GB of memory free on the hard drive with 14.2 being used on a 40 GB hard drive.

Any idea what else I can try? Should I try running F-Prot & Bootlog Analyzer again if this computer ever finishes loading? I'd like to know what they find. 

After the desktop icons looked ok I pressed ctrl+alt+delete to see if it would show what was trying to run. There is a new program, Qwdlls along with the systray & explorer. nprotect (NAV) is also in there again. I had it disabled in msconfig & it is now back to loading at startup. I haven't a clue as to what the other program Qwdlls is. I haven't been able to search for it on that computer yet. Could it be the Bootlog Analyzer? They said they did not install on the machine but ran right from exe files. That was the only thing I could think of. It shouldn't take that long though, should it? At the speed this thing has been going it wouldn't surprise me though. Should I just leave it alone for as long as it takes to get done loading? It isn't connected to the router or modem. I did quit the program but it still didn't boot completely. I'm letting it boot with that program now but I'm sure it will take days.

Thanks!
Cindy


----------



## Rollin' Rog (Dec 9, 2000)

Ok, well f-prot runs entirely in memory, having created a "ram drive" to do its work. The fact that it took that long must mean that the disk is seriously corrupt and it was having trouble reading files. I don't think it would have run much at all if the memory was corrupt.

Do you know the hard drive manufacturer? You should visit their site and get a disk diagnostic program that can be run from a floppy.

You could try running scandisk from a DOS prompt, but it would be a real crapshoot as to whether you would be able to boot at all afterwards, unless you ran it as scandisk /checkonly which won't automatically fix errors. And lord knows how long it will take if it completes at all, which I doubt.

I think you should be formatting and starting over, provided that you can verify the disk itself is in good health.

qwdlls: Quicken's quick launch utility which loads Quicken DLLs at startup
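A present-day equivalent of the checks Rog asks for in his last two posts (is Windows seeing all the installed RAM, how much disk is free, and what exactly is set to run at startup, so that an unfamiliar name like qwdlls can be traced to a file and a vendor): an added PowerShell example that is not part of this thread. It is written for Windows PowerShell 5.1 or later and will not run on the Windows ME machine discussed here; the function names are my own.

```powershell
# Added example: triage the questions raised in this thread on a modern Windows host.
# Requires Windows PowerShell 5.1 or later (not Windows ME). Run as the logged-on user;
# an elevated prompt sees more of HKLM and of other users' processes.

function Get-MemorySummary {
    # Compare the RAM Windows actually recognizes with the physical modules present.
    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    $modules = Get-CimInstance -ClassName Win32_PhysicalMemory
    [pscustomobject]@{
        RecognizedMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
        InstalledMB  = [math]::Round(($modules | Measure-Object -Property Capacity -Sum).Sum / 1MB)
        ModuleCount  = @($modules).Count
    }
}

function Get-DiskFreeSummary {
    # Size, used and free space for each local fixed disk (DriveType 3).
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
        ForEach-Object {
            [pscustomobject]@{
                Drive  = $_.DeviceID
                SizeGB = [math]::Round($_.Size / 1GB, 1)
                UsedGB = [math]::Round(($_.Size - $_.FreeSpace) / 1GB, 1)
                FreeGB = [math]::Round($_.FreeSpace / 1GB, 1)
            }
        }
}

function Get-StartupEntries {
    # The Run/RunOnce registry keys plus the Startup folders: the usual places a
    # backdoor's autostart entry lives, and where a name such as qwdlls is resolved
    # to its full command line.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSProvider bookkeeping properties Get-ItemProperty adds.
                if ($p.Name -notlike 'PS*') {
                    [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    # Win32_StartupCommand also covers the per-user and all-users Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand |
        ForEach-Object {
            [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
        }
}

function Get-UnsignedProcesses {
    # Running processes whose image is not Authenticode-signed. This is a triage list,
    # not a verdict: older legitimate tools (a 2003-era Quicken launcher, for instance)
    # are often unsigned, while a signed file is merely less likely to be the problem.
    Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
            if ($null -eq $sig -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name      = $_.ProcessName
                    Path      = $_.Path
                    Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        }
}

Get-MemorySummary     | Format-List
Get-DiskFreeSummary   | Format-Table -AutoSize
Get-StartupEntries    | Format-Table -AutoSize -Wrap
Get-UnsignedProcesses | Format-Table -AutoSize
```

If RecognizedMB is well below InstalledMB, the module or slot is the problem rather than malware, which is the same point Rog makes about the msconfig "limit" option. For any startup entry you do not recognize, the Command column gives the path to look up against the vendor's documentation before deciding whether to disable it.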


----------



## bairdja (Mar 6, 2003)

If you can afford to do this, it may be easier than trying to manually remove your infection.

Install another hard disk in the system. Load it with a fresh copy of your OS. Install your original drive as a slave and move data and other necessary items, i.e. address books, etc. to the new disk. 

Instead of fighting through this problem, just go around it, if you can afford a disk, or possibly borrow one.

You will also be SURE that you have a clean starting point for your OS, i.e. no lurking hidden pieces of trouble.


----------



## bairdja (Mar 6, 2003)

Qwdlls--

Quickens quick launch utility which loads Quicken DLLs at startup so that Quicken can start quicker whenever you invoke it. ...


----------



## cindyvdg (Dec 28, 2002)

Hi!

Thanks for the suggestion about the hard drive. I think I'll just do that instead of messing with this any longer. 

I've been trying to get it to a point where I can at least copy files & programs that I don't have on disk, to CD, to save them. It was booting in Safe Mode & clean boot, but now locks up before fully booting. So...if it does boot it takes hours & freezes if I click on anything. Very frustrating!!! I have very little in the startup at this time. 

After unsuccessfully attempting to uninstall the Freedom software it no longer runs & has totally messed the computer up. The tech support for Zero Knowledge hasn't answered numerous emails I've sent. I hoped they could guide me through manually removing the program completely. I can't get online with that computer now, if it did boot. The program won't uninstall through the uninstall option or the install/uninstall programs in the Control Panel. I get a "missing dll file" error & uninstall stops.

I'll check into getting another hard drive ASAP & transfer all of my data, then start over from scratch. 

Thanks again!
Cindy


----------

