Backdoor.Trojan message from Norton- como.dll


marc
07-21-2004, 08:46 AM
I am getting a virus warning message from Norton Antivirus 2003 when logging into Windows XP. The dialog window has an OK button, but when pressed, the window re-opens. The message says that the file c:\windows\system32\como.dll is infected with a backdoor.trojan and cannot be repaired.

I cannot see the file to manually delete it, even if I boot XP to DOS.

The message does not appear in safe mode.
The file is not found during a normal Norton Antivirus scan.

I'm not sure if this is due to spyware, or simply a Norton problem, but the system was loaded with spyware (I ran Adaware and Spybot S&D).

Here is my hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 8:21:07 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~2\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mfcfa32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\mssr32.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vfnbq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vfnbq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sureseeker.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6EAC716C-F009-0D6C-7589-B4EF59BABCC7} - C:\WINDOWS\ipxl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [mssr32.exe] C:\WINDOWS\mssr32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [mfcfa32.exe] C:\WINDOWS\system32\mfcfa32.exe
O4 - HKLM\..\RunOnce: [ntzl32.exe] C:\WINDOWS\ntzl32.exe
O4 - HKLM\..\RunOnce: [javatu32.exe] C:\WINDOWS\javatu32.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\ntmw.exe
O4 - HKLM\..\RunOnce: [mfccg32.exe] C:\WINDOWS\mfccg32.exe
O4 - HKLM\..\RunOnce: [addrv32.exe] C:\WINDOWS\addrv32.exe
O4 - HKLM\..\RunOnce: [atlry32.exe] C:\WINDOWS\system32\atlry32.exe
O4 - HKLM\..\RunOnce: [ieyi32.exe] C:\WINDOWS\system32\ieyi32.exe
O4 - HKLM\..\RunOnce: [iekq32.exe] C:\WINDOWS\system32\iekq32.exe
O4 - HKLM\..\RunOnce: [apiwy32.exe] C:\WINDOWS\apiwy32.exe
O4 - HKLM\..\RunOnce: [ntcz.exe] C:\WINDOWS\ntcz.exe
O4 - HKLM\..\RunOnce: [netzo32.exe] C:\WINDOWS\system32\netzo32.exe
O4 - HKLM\..\RunOnce: [msni32.exe] C:\WINDOWS\system32\msni32.exe
O4 - HKLM\..\RunOnce: [sysov.exe] C:\WINDOWS\sysov.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbar.CAB
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} - http://www.care2.com/go/z/3578/C2GTU.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8529f50959d38823f2e7f1480873126d8874013c60dc3076 2e1cf5488609cc34a151472fb4bac17cbe9dd9062b8b50468e 27ec:81cdf9d7d7b5213528f9ada6c0957f1c
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004a_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD753A87-B1A3-41D8-9480-7171EA5900E0}: NameServer = 206.13.28.12,206.13.29.12


Any ideas?

Thanks
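
As an added example, not part of the thread: a small Python script that parses HijackThis-style lines like the ones in the log above and flags the entries a reviewer would check first (R0/R1 search pages pointing at a local res:// DLL, unnamed O2 BHOs loaded from the Windows directory, and O4 Run/RunOnce entries launching generated-looking names from C:\WINDOWS). The sample lines are copied from the posted log; the flagging heuristics are this example's own assumptions, not HijackThis's logic.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why a reviewer should look at this line
    line: str      # the original log line

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vfnbq.dll/sp.html#96676
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {6EAC716C-F009-0D6C-7589-B4EF59BABCC7} - C:\WINDOWS\ipxl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mssr32.exe] C:\WINDOWS\mssr32.exe
O4 - HKLM\..\RunOnce: [mfcfa32.exe] C:\WINDOWS\system32\mfcfa32.exe
O4 - HKLM\..\RunOnce: [ntzl32.exe] C:\WINDOWS\ntzl32.exe
O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbar.CAB
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Launched binary in an O4 entry: text after "] ", optionally in double quotes.
O4_TARGET_RE = re.compile(r"\] \"?(?P<path>[A-Za-z]:\\[^\"]+?\.exe)\"?")
# Heuristic (an assumption, not HijackThis logic): 2-6 letters + two digits, as in ntzl32.exe
GENERATED_NAME_RE = re.compile(r"^[a-z]{2,6}\d{2}\.exe$", re.I)
# Unnamed BHO whose DLL sits directly in C:\WINDOWS rather than under Program Files
WINDOWS_ROOT_DLL_RE = re.compile(r"C:\\WINDOWS\\[^\\]+\.dll$", re.I)

def analyze(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should examine first, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "res://" in body:
            findings.append(Finding(sec, "IE search/start page points at a local DLL resource", line))
        elif sec == "O2" and "(no name)" in body and WINDOWS_ROOT_DLL_RE.search(body):
            findings.append(Finding(sec, "unnamed BHO loaded from a DLL in the Windows directory", line))
        elif sec == "O4":
            t = O4_TARGET_RE.search(body)
            if t and t.group("path").upper().startswith("C:\\WINDOWS\\"):
                name = t.group("path").rsplit("\\", 1)[-1]
                if GENERATED_NAME_RE.match(name):
                    key = "RunOnce" if "RunOnce" in body else "Run"
                    findings.append(Finding(sec, f"{key} entry launches a generated-looking name from the Windows directory", line))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The known-good Symantec entries (ccApp, NavShExt) pass through untouched, so the output is a short review list rather than a verdict.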

Ioman
07-21-2004, 08:52 AM
Delete the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sureseeker.com/

O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbar.CAB

O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} - http://www.care2.com/go/z/3578/C2GTU.cab

As for the como.dll file, it is a hidden file. You will need to go to Tools > Folder Options > View and, under "Hidden files and folders", check "Show hidden files and folders". Then do a search for the file, rename it, and reboot to see if you can boot into Windows with the file renamed. If you can, then delete the file altogether.

marc
07-21-2004, 12:33 PM
Thanks. I will try removing those four items.

I already had the option to view hidden files and folders enabled. It is still not visible. Not found with a search, not visible when booted into DOS. I tried saving another file on top of it with the same name, but it said there is already a file there and it could not be overwritten, so it is definitely there, but I can't find it.

ECA
07-21-2004, 01:57 PM
I HATE WINDOWS...

Also, Spybot is very good, but I have found on one person's machine...
something turned OFF 3 IDs...
I turned them back on, and it worked fine.

marc
07-22-2004, 02:24 PM
I removed those four items and the problem still exists. Any other ideas?

llbbl
07-22-2004, 02:38 PM
This is a virus not spyware.

Reboot in Safe Mode or using a Norton Recovery CD. Do a complete scan, as deep as possible.

If the problem still exists, you're S.O.L.

1) Back up all important documents
2) Fdisk ~ Format
3) Reinstall Windows & Misc. Progs
4) Recover Data

See you in a week. =(