Computing.Net Security and Virus Forum
Download.Trojan Virus
Original Message
Name: NightShade
Date: March 26, 2004 at 10:37:37 Pacific
Subject: Download.Trojan Virus
OS: Windows 2000 Pro
CPU/Ram: 950 Duron / 512 SD Ram
Comment: I have been watching this page for some time and have also been reading through all the messages on the Download.Trojan Virus that I have recently been infected with. I know there is a lot of advice out there on how to resolve this trojan but as of this point I believe I have tried everything that has been suggested in all the past messages.

Symptoms:
* Constant pop-ups caused by Ad-Ware and Spy-Ware programs downloaded by the Download.Trojan virus.
* Continuous detection notices from Norton Antivirus stating that Download.Trojan has been detected in the Content.IE5 folders of my current profile.

What I have done:
* Deleted everything in all Temp and Temporary Internet Files on my computer.
* Ran Norton Virus Scan - results came up with nothing found.
* Downloaded, installed and ran scans from Trojan Remover and CWShredder with nothing found by either program.
* Ran Ad-Aware a couple of times a day but each time it finds new Spyware and Ad-ware programs as a cause of Download.Trojan.
* Installed NOD32 Anti-virus but it does not even show the occasional pop-up with Virus Detection Warning like Norton does.
* Downloaded, installed and ran AVG Anti-Virus. It found two Trojans which it named Download.Dyfica.AJ and Download.Istbar.CW which were either Healed or Wiped from my system. It still pops up with the occasional warning that a virus was detected in the same file that Norton has detected, but under the name of Trojan Horse Dropper.Inor.S instead of Download.Trojan that Norton says it is. But it still shows nothing in complete scans even just after getting the message that it was detected at random.
* On the occasional warning from AVG you have the option to Delete, Heal and Quarantine but when I try to do any of those three I get a message that "Not Available for this object".
* Tried to run Norton in Safe Mode but the program just freezes and does not get to a point where I can even start a scan.
* Ran AVG Anti-Virus in Safe Mode but it came up with nothing found.

As of this point I am out of ideas and have done everything that has been suggested in the past... Does anyone have any other suggestions, please... Thanks
Response Number 1
Name: michael2
Date: March 26, 2004 at 11:10:43 Pacific
Reply: This is an old post of mine...... http://www.computing.net/security/wwwboard/forum/9036.html (Response Number 4). It seems you have covered just about all it offers though. You may have a bug that disables Norton from running properly. You could try F-Prot for DOS, and see if that can sniff out the devil. It works differently to other AV I have tried and can find things that other AVs don't. www.f-prot.com (it's free also). The clue may be Norton freezing in safe mode.
Response Number 3
Name: NightShade
Date: March 26, 2004 at 13:12:42 Pacific
Reply: michael2: I have read that thread you mentioned before, and have noticed that every time someone says Download.Trojan you refer back to that thread, so it was a part of my original troubleshooting. Now I ran F-Prot for DOS and it only scanned 16 files instead of everything on my HD (possibly due to an NTFS drive instead of FAT32). So I downloaded the trial of F-Prot for Windows and it scanned everything but came up with nothing. Crassh: Thanks for the info, I am hoping to not have to reach that point... I really dislike letting a virus win, even though I am getting Windows XP here shortly... I still have stuff that I would much rather not have to delete. Any other suggestions would be helpful, I am out of ideas at this point.
Response Number 4
Name: brokencrow
Date: March 26, 2004 at 13:42:59 Pacific
Reply: Don't format yet. One, go to www.mozilla.org and download a more secure browser. Internet Explorer has become the #1 security risk on Windows machines now. Two, download and install the free version of Zone Alarm. Set the Program Wizard to manually permit internet access. That way you'll see exactly what process on your computer is trying to connect to the net (one of these will be your trojan downloader). Take some notes if need be. Three, download HijackThis and run it. More than likely, your problem is in the O4s somewhere. Post the log here if need be.
Response Number 5
Name: michael2
Date: March 26, 2004 at 20:19:20 Pacific
Reply: Does Win 2000 have UPNP? http://www.computing.net/security/wwwboard/forum/942.html
Free Trojan scan.... http://www.trojanscan.com/trojanscan
Running out of ideas....
Response Number 6
Name: michael2
Date: March 26, 2004 at 20:26:47 Pacific
Reply: N-CASE (ncase) also brings on targeted pop-ups. It contains a file (msbb.exe) that calls out to the Internet to fetch adverts related to the site you have visited. It is found and deleted by Spybot if run in safe mode. Download.Trojan goes hand in hand with this file.
Response Number 7
Name: wahro02
Date: March 29, 2004 at 13:53:51 Pacific
Reply: I had a user today that was experiencing symptoms similar to those from "download.trojan". She had Symantec anti-virus, which detected it, but could not remove it. I had her try ZoneAlarm and told her to send me a HijackThis log. ZoneAlarm immediately found C:\WINDOWS\System32\wintsvsu.exe trying to make an outbound connection. HijackThis also showed this suspicious entry:
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsvsu.exe
which was in this Registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Usually I find a lot of viruses/worms hiding in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] but the Run key in HKEY_CURRENT_USER was new to me. The user deleted the entry from her Registry, went into TaskManager->Processes and killed the wintsvsu.exe entry, and was then able to delete the file from System32. There isn't a lot of info about wintsvsu.exe through Google, but the 1 or 2 references to it do mention spyware. Good luck
Response Number 8
Name: mzkhrissy
Date: March 29, 2004 at 19:00:13 Pacific
Reply: Hi All! I also have been infected with this friggin monster of a trojan. I'd say I've tried everything also to rid this from my machine. I have Pest Patrol, Spysweeper, HijackThis, Trojan Remover, Norton AV 04, Spybot S&D and I have ZoneAlarm Pro installed. The Zone Alarm still has a lot of blocked exe programs that try to start going out to the internet once my computer starts up. I have run all these programs and come clean but I'm not sure if I have rid it from my pc or not yet. Obviously I deleted all temp IE files, then what I did was run Norton Antivirus 2004 in safe mode until I could delete all traces of this threat. Then there was one exe named 00008917.exe or similar to that which could not be deleted. I then ran safe mode with command prompt and went to the location where Norton said the file was, c:\recycler\nprotect, and deleted everything out of the nprotect folder. Booted back up and it still has some strange activity like mouse flickering and some exe processes trying to access IE -- I swear I'm not sure if I rid the sucker, and btw I just formatted like not even (3) wks ago and picked this up right after format!!!! What a cruel world.

Anyways my dears here is my hijack log --- PLEASE ADVISE ME I'M SO SCREWED. And I have Windows 2000 so no system restore worry.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINNT\system32\btiein.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B1EB61F8-B721-34B4-3EAF-1E38A84BF8E1} - (no file)
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINNT\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Administrator\dp-b23011805.exe
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [mpnotqify.exe] C:\WINNT\system32\mpnotqify.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [3g48fjt1.exe] C:\WINNT\3g48fjt1.exe /dk
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintsv.exe
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - HKCU\..\Run: [mpnotqify.exe] C:\WINNT\system32\mpnotqify.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [3g48fjt1.exe] C:\WINNT\3g48fjt1.exe /dk
O4 - Startup: 3g48fjt1.lnk = C:\WINNT\3g48fjt1.exe
O4 - Global Startup: 3g48fjt1.lnk = C:\WINNT\3g48fjt1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.9556597222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
Response Number 9
Name: NightShade
Date: April 1, 2004 at 10:04:55 Pacific
Reply: Ok... first of all:
* mzkhrissy, you would get a better response if you took your entry and created a thread of your own.
* michael2: Win 2000 Pro does not have UPNP, and the GFI Trojan Scan came up with nothing as well. Spybot did not detect anything by the name of n-case but it did detect all the same ad-ware that Ad-Aware did.
* wahro02: I checked those sections of my registry and found nothing under the names you had suggested, but I also downloaded and ran HijackThis.

Here are my logs if anyone can help me understand if there is something there that should not be.

Logfile of HijackThis v1.97.7
Scan saved at 10:55:13 AM, on 4/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINNT\akxnZ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Download\Inet\HijackThis.exe

R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\system32\toolbar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\system32\toolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EEEED638-3B9A-4616-9A13-B3F7DE2B3B85} - C:\WINNT\z9p97X.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [jvOk3l] C:\WINNT\akxnZ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\toolbar.dll/SEARCH.HTML
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2484009c2b5379d5ab06/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37827.4313541667
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
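A first triage pass over HijackThis entries like the ones in the two logs above, as an added example that is not part of this thread and not HijackThis's own code: it flags the patterns the replies look for by hand (O4 autostarts launched from the Windows root or a user profile, HKCU Run entries pointing into System32 as wahro02 describes, random-looking names, BHO/search-hook DLLs outside Program Files, and unknown Winsock LSP files). The directory lists and the name rule are my assumptions and will produce false positives; the sample lines are copied from the posted logs and only rank entries for a human to review.

```python
"""Triage a HijackThis log with the heuristics the replies above apply by hand. Added
example, not HijackThis's or the thread's code; its rules are assumptions with false positives."""
import re

PROGRAM_DIRS = ("\\program files\\", "\\progra~1\\")
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")
PROFILE_DIRS = ("\\documents and settings\\", "\\recycler\\", "\\temp\\")

# Constructed sample: entries copied from the two logs posted in this thread, plus
# known-good lines (ccApp, Steam, NAV Helper) for contrast.
SAMPLE_LOG = r'''O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [jvOk3l] C:\WINNT\akxnZ.exe
O4 - HKLM\..\Run: [3g48fjt1.exe] C:\WINNT\3g48fjt1.exe /dk
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintsv.exe
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Administrator\dp-b23011805.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EEEED638-3B9A-4616-9A13-B3F7DE2B3B85} - C:\WINNT\z9p97X.dll
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\system32\toolbar.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll'''

def looks_random(name):
    """Digits interleaved with letters, as in jvOk3l or 3g48fjt1 (heuristic)."""
    stem = re.sub(r"\.[a-z]{3}$", "", name, flags=re.I)
    return re.search(r"[a-z]\d+[a-z]|\d[a-z]+\d", stem, re.I) is not None

def target_path(cmd):
    """The file an O4 command launches: a quoted path, or text up to its extension."""
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|dll|cpl|scr|com))(?:\s|$)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else (cmd.split() or [""])[0]

def triage_line(line):
    """Reasons an entry deserves a look; an empty list means no heuristic matched."""
    reasons, low = [], line.lower()
    m = re.match(r"O4 - (HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)", line)
    if m:
        hive, name, path = m.group(1), m.group(2), target_path(m.group(3)).lower()
        in_root = path.startswith(("c:\\winnt\\", "c:\\windows\\")) and path.count("\\") == 2
        if in_root or any(d in path for d in PROFILE_DIRS):
            reasons.append("autostart launched from Windows root, profile or temp dir")
        if hive == "HKCU" and any(d in path for d in SYSTEM_DIRS):
            reasons.append("per-user Run entry pointing into a system directory")
        if looks_random(name) or looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking autostart name")
    elif low.startswith(("o2 - bho:", "r3 - urlsearchhook:")):
        dll = low.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        if dll.endswith(".dll") and not any(d in dll for d in PROGRAM_DIRS):
            reasons.append("browser extension DLL outside Program Files")
    elif low.startswith("o10 - unknown file in winsock lsp"):
        reasons.append("unknown Winsock LSP (repair the LSP chain, do not just delete the DLL)")
    return reasons

def triage(log_text):
    # Map each flagged entry to its reasons, keeping the log's order.
    return {e: r for e in log_text.splitlines() if (r := triage_line(e))}
```

Running `triage(SAMPLE_LOG)` flags seven of the ten sample entries and leaves the Symantec, Steam and NAV Helper lines alone.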
Response Number 10
Name: lieven
Date: April 2, 2004 at 08:08:23 Pacific
Reply: I have XP and Norton Antivirus. I also have been infected with this friggin monster of a trojan. But now: it's gone. I simply went to the DOS prompt, typed c:\windows, erase wast.exe. Then I did a scan with NA and there was no infection. That's it.
Response Number 12
Name: NightShade
Date: April 5, 2004 at 09:35:12 Pacific
Reply: Please, if anyone has any other ideas or can decipher that HijackThis log, please let me know... *snakedog I posted the log from HijackThis... please let me know if you can find anything... these pop-ups are driving me crazy. Thanks.