Hi i recently experienced a DOS prompt running at startup named dl.exe. I have searched many sites to help me remove items from registry. These items were not there. There were 2 copies of this dl.exe one in the c:\srcds (halflfe 2 server dir) and one in Documents and settings. I have managed to delete the file in c:\srcds but the one in docs still remians and is appartenly in use?! despite it not running.

The PC has also lost its connection to the internet but i have managed to run hijackthis on it and the log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 2048, on 02/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\LULUBE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\LuluBelle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096392715650
O17 - HKLM\System\CCS\Services\Tcpip\..\{7545EBC0-8531-419D-B672-52A7A7BEA360}: NameServer = 192.168.0.1,192.168.0.2
O23 - Service: NVIDIA Display Driver Service (Omega 1.6177) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe



Thank you in advance. Johnny.

Hello,Bruza & Welcome

First i need you to place HijackThis in a folder in C:\Drive like so C:\HJT

We ask that you please have a look at these 2 links here first

http://www.d-a-l.com/help/showthread.php?t=15083

http://www.d-a-l.com/help/showthread.php?t=605

then once that is done we here will be more then happy to
help with your HijackThis logfile.

HGD

thank you for your response. it seem sthe PC in question has a serious fault. that being that the dreaded "your computer is going to restart in 1min" I am sure it is sue to this virus and therefore I have decided to reformat. If u feel this is not nessesary then please say. Otherwise a fresh install will do her good.

Hi,Bruza

Yes as far as i can see a fresh install just make no sence
from the looks of it you do have a Virus of some type &
some spyware so just have a look at the info i first posted

lit's try to get your PC back in are hands

HGD

Hi,
I also have a similar problem recently. 30 second after startup. a dos prompt running dl.exe appears on my screen. after that I was not able to use the internet, Im using a ADSL/Router. The dl.exe file is located on my desktop and another on the documents folder(cannot be deleted, seems to be in use).
what I did so far was end the process tree for explorer.exe, use cmd locate the file dl.exe and deleted it, turn explorer.exe back on, access my router changed my connection settings from pppoe to bridged, manually connect to my ISP. This allows me to atleast use the internet to post this message. But the connection speed has been reduced 10times when im using IE so it took me a loooong time to switch from page to page. The prompt appeard with a message that im not able to tell you at the moment until it returns. At the moment I need all the help i can get. I do not wish to install a fresh windows. I tried using system restore but the problem remained.

Hello,soongteck & Welcome

First it would be a big help to us if you start your
own Thread & also give me more in like what OS
you are running & so on.

so please start a new Thread of your own
& make sure to place HijackThis in a folder
in C:\Drive like so C:\HJT

then run a scan show us the logfile

http://www.isecurity.org.uk/downloads/hijackthis.exe

instructions for posting a log can be found at
http://www.isecurity.org.uk/misc/hijackthis.html

HGD

Hi,
Regret to say, I woke up this morning, turned on my PC to find a blue screen appear in front of my face. no access to windows and to safe mode... the worst has come. Having no other choice I have to reinstall a fresh windows . Thanks anyway...hope this thing does not happen again.
Rgds,

Hi,soongteck

Sorry to hear this my friend but the good thing is you will
start a new.this gives us the chance for you to come back
here after you install & get all updates.

we have some free software for you to keep this
from happning again so please install Windows get all
updates then get back to us

do not go running all over the net get this done
as soon as you can

HGD

Done installing the fresh windows...updated and problem free. Ran norton antivirus caught 2 fixed them. Some may be still around undetected in my backup drive...but i'll nver know.

Hello, I have the same promlem of dl.exe prompt at Start Up and several times afterwards. Below is my logfile of hijackthis...

Logfile of HijackThis v1.99.1
Scan saved at 07:41:17, on 04.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Dap\DAP.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\xxxx\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tsf.org.tr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\Dap\dapbho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Winoldapp] C:\WINDOWS\system32\Winoldapp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\Dap\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\Dap\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: MynetKing - http://oyunsunucu1.mynet.com/game/WebRoot/King.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

If somebody can help me remove this virus, that'd be great. I really need to use the computer, but have generous problems.

Waiting for some helper's response.

Kind Regards