downloader.trojan virus found

Original Message

Name: jeffinsc
Date: May 10, 2004 at 05:50:20 Pacific
Subject: downloader.trojan virus found
OS: xp home
CPU/Ram: 256mb
Comment: I received notice on the downloader.trojan last night from Norton. Got the following...

Date: 5/9/2004, Time: 21:24:30, Owner on XXXX
The file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IV1X3K0O\index4[1].htm is infected with the Downloader.Trojan virus. Unable to repair this file.

Date: 5/9/2004, Time: 21:24:32, Owner on XXXX
The file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IV1X3K0O\index4[1].htm is infected with the Downloader.Trojan virus. Access to the file was denied.

Since it said access was denied, does that mean the virus was not able to do its job? I deleted temp. internet files after I saw that. I then followed instructions from the Symantec website and found no issues. The instruction said to check two registry keys, what am I looking for?
Response Number 1

Reply: OK these instructions are for XP.

1 - Disable system restore by right clicking on My Computer in the start menu and clicking Properties, then click the System Restore tab and turn it off by checking the box. Click Yes on the popup box.
2 - Update your virus definitions.
3 - Start in safe mode by shutting the PC off for 30 seconds (allows it to cool down) and tapping the F8 key (if you do it too soon you may get a keyboard error and need to do it again) and using the arrow keys scroll to safe mode and enter that mode. (Sorry but safe mode won't let you install anything.) You will now need to run NAV again and it should find and delete the files.
4 - The registry keys you should delete are located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete the ones which are used with downloader.trojan.

Hope this helps! ;)
Response Number 2
Name: Tufenuf
Date: May 10, 2004 at 06:06:00 Pacific

Reply: jeffinsc,

According to Symantec's instructions below you would be looking for any entries of the files that Norton detected (index4[1].htm).

5. Editing the registry
----------------------
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to each of these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For each one, in the right pane, delete any values that refer to any files that were detected as Downloader.Trojan.
Exit the Registry Editor.

Downloader.Trojan Removal Instructions

Make sure that you follow all instructions at the link above.

Tufenuf
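
Added example, not part of the original thread or of Symantec's instructions: the Run-key check from Response Number 2, done over text saved from `reg query` instead of by eye in regedit. It goes one step beyond the thread by also listing autorun values that start from a cache or temp folder; the sample output, the `updchk` and `Web Helper` entries and the function names are constructed for illustration.

```python
import re

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Assumes reg.exe's layout: indented "name    TYPE    data", 4-space separators.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
# Added heuristic (not from the thread): autoruns rarely start from cache/temp.
CACHE_HINTS = ("\\temporary internet files\\", "\\temp\\")

# Constructed sample output; "updchk" and "Web Helper" are invented entries.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    updchk    REG_SZ    C:\DOCUME~1\Owner\LOCALS~1\Temp\updchk.exe /s

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Web Helper    REG_SZ    "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IV1X3K0O\index4[1].htm"
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := ENTRY.match(line)):
            yield key, m["name"], m["data"].strip()

def review_run_keys(text, detected_files):
    """List Run values that reference a detected file or start from a cache path."""
    detected = [f.lower() for f in detected_files]
    findings = []
    for key, name, data in parse_reg_query(text):
        if key.lower() not in RUN_KEYS:
            continue  # only the two Run keys named in the instructions
        low = data.lower()
        if any(f in low for f in detected):
            findings.append((key, name, "references detected file"))
        elif any(hint in low for hint in CACHE_HINTS):
            findings.append((key, name, "starts from cache/temp folder"))
    return findings

if __name__ == "__main__":
    for finding in review_run_keys(SAMPLE, ["index4[1].htm"]):
        print(finding)
```

An empty result means no value under the two Run keys refers to the detected file, which is the condition the registry step checks for.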
Response Number 3
Name: jeffinsc
Date: May 10, 2004 at 06:50:06 Pacific

Reply: I did not download an .exe to get this. I got it while opening a web page and I immediately deleted temp internet files. I then followed instructions 1-5. NAV never detected anything after I did that. I was not sure about the registry stuff.

1) Does the NAV notice that "Access to the file was denied" mean that it was not allowed to infect other parts of the PC?
2) I did not see any reference to (index4[1].htm) or downloader.trojan in the registry (right pane) or any of the other names listed from Norton. So does this mean I am good?
3) What about the system restore? Can I turn it back on and not fear this virus?
Response Number 4
Name: murve
Date: May 10, 2004 at 07:05:26 Pacific

Reply: Hi jeffinsc,

By disabling your system restore you are flushing out your system restore folder. That's why Norton can't delete the trojan, 'cause it's in your restore folder and is being used by your OS. You disable your sys restore, update your defs, go to safe mode, clean your registry (if file is there), scan to delete, clean your cache (if file is there), temp folder, cookies, and history, defrag, and scan disk, reboot to regular mode, re-enable your system restore, all because it is a more complete way of doing your housework (keeping your computer clean and safe).

All the best,
murve
Response Number 6
Name: Tufenuf
Date: May 10, 2004 at 08:10:05 Pacific

Reply: jeffinsc,

The cache is another name for your Temporary Internet Files. Open Internet Explorer/Tools/Internet Options/General tab, click the Delete Files button and when the pop-up window appears put a checkmark in front of "delete all offline content" and click OK. This will clean out your cache.

Tufenuf
Response Number 7
Name: jeffinsc
Date: May 10, 2004 at 08:13:20 Pacific

Reply: I did not see any reference to (index4[1].htm) or downloader.trojan in the registry (right pane) or any of the other names listed from Norton. So does this mean I am good?
Response Number 8
Name: Tufenuf
Date: May 10, 2004 at 08:17:39 Pacific

Reply: jeffinsc,

As long as you followed the Removal Instructions, then ran another virus scan, if the scan came up clean you should be OK.

Tufenuf
Response Number 11
Name: Tufenuf
Date: June 7, 2004 at 09:12:46 Pacific

Reply: mjlichatz,

The Removal Procedure would be the same as Windows XP except that Windows 2000 does not have a System Restore feature so you don't have to worry about that. Just follow the instructions at the link I posted in my Response Number 2 in this thread.

Tufenuf