
Download.trojan, where is it??


Name: farang
Date: January 26, 2004 at 16:05:06 Pacific
OS: xp
CPU/Ram: athlon amd 2000+
Comment:

I keep getting messages from Norton saying I have a download.trojan in my content.IE5 folder. The file has a different name every time. When searching for it I cannot find it. To make sure, I deleted everything in Content.IE5, but I have a feeling these files make themselves invisible (my settings are set to see invisible files and folders).
I tried CWShredder but it came out clean.
Adware found 4 data miners which I deleted.
When I run Norton it says my drive is clean, so why does it give me pop ups while surfing telling me I have the download.trojan?
TrojanHunter found a file called Q3567836.exe/BKDSG.exe in my content.IE5 which cannot be found, so also not deleted. The second part of the filename, BKDSG.exe, is different every time I scan, but the Q3567836.exe is a constant. TrojanHunter says it might be a possible trojan.
I also get some warnings about unpacked UPX-packed files in my system volume info.

I also have a HijackThis logfile; can anyone help me with that also?

All help appreciated. Thanks!




Response Number 1
Name: Imp
Date: January 26, 2004 at 17:59:47 Pacific
Reply:

Hello Farang,
You have just realized how a trojan can be a betrayal: some of them are able to destroy or neutralize antivirus programs already installed when you have been corrupted, in order to protect the worm.
To get rid of this situation, I suggest you now download Trojan Remover 6.15, install the program and quickly perform a scan to check your memory (RAM). Do that without any attempt to connect to the internet, then use the second scan to hunt, detect and eradicate the worm hidden somewhere on your hard drive.
Trojan Remover is freeware for one month, but fully updated for this trial period. Read the "helpme" file well to use it.


0

Response Number 2
Name: blender
Date: January 26, 2004 at 18:05:53 Pacific
Reply:

farang

If what Imp suggests does not work..

The IE5 folder is your temporary internet files.
Close all your browser windows
Disconnect from internet
Double click "internet options" in control panel.
Under "General tab" click delete cookies (you will need to sign back in here because the cookie that remembers you here will get deleted)
Click "yes" to confirm
Click "delete files", also check "delete all offline content" when that window pops up.
Click yes to confirm. (This may take a few minutes.)

The System Volume Info is your system restore.
Windows locks that file from anything modifying it including antivirus.
To clear out any threats in there you need to turn off system restore, reboot, then turn it back on again.
To turn off system restore..
Right click "my computer"
Click properties
Click the restore tab
Check turn off system restore on all drives
Click apply
Click ok
Reboot the computer...that will remove all your restore points and any virus in there.
Rescan with Norton to ensure you are clean.
Turn on system restore
Right click "my computer"> Properties> restore tab> uncheck "turn off system restore on all drives"> apply> ok
I would quit going to the site that is constantly infecting you, or at least put it in your restricted zone. Here is more info to help prevent reinfection.

http://boards.cexx.org/viewtopic.php?t=957

If you still have the problem....go ahead and post your hijack log. We will sort it out.


0

Response Number 3
Name: farang
Date: January 28, 2004 at 09:28:42 Pacific
Reply:

Hi
Thanks for the info so far, I'm gonna try it all right away.
In the meanwhile, here is my hijack log.

Logfile of HijackThis v1.97.7
Scan saved at 12:40:55 AM, on 1/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Documents and Settings\Farang\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.448587963
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6124324-0A45-4BCE-9A6F-74A647D37012}: NameServer = 195.238.2.21 195.238.2.22


0

Response Number 4
Name: farang
Date: January 28, 2004 at 10:08:47 Pacific
Reply:

Did the system restore thing and the scan with Trojan Remover.
Trojan Remover came up with nothing, but then I checked and the reference database doesn't mention download.trojan so I guess it can't find it then?
Is there a chance that my drive is clean after all and that Norton just gave me the pop ups at the moment when I got in contact with it on a website but that Norton made it disappear after all, although it tells me it couldn't access the file?
I got the pop ups on 3 different occasions, mostly when I'm browsing the net for merchandise for my business and when I click on a link promising to take me to, for example, a manufacturer of shoes, but in reality it takes me to this download.trojan.
I just hate the idea knowing I have no privacy on my computer because this trojan is providing possible access to hackers and viruses.



0

Response Number 5
Name: blender
Date: January 28, 2004 at 19:08:33 Pacific
Reply:

Hi

I don't see anything in your log that indicates infection...Does a Norton scan come up clean?
When you emptied the temporary files you also deleted the download.trojan (Norton calls many threats download.trojan)
Most likely one of the websites you visit has content on it which contains this threat. Although Norton was unable to delete the file...it was stopped.

Can you provide a link to one of these sites creating this warning from Norton? (I use a different antivirus and may be able to get more info on the specific threat you are receiving alerts on.)

Many of these threats are prevented with some of the updates from the Microsoft site.
Your Windows seriously needs updating, as well as your Internet Explorer.

I will check back in a bit...



0
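A first-pass read of a HijackThis log like the one in Response Number 3, as an added example that is not part of the original thread and not HijackThis's own logic. The function names and the directory list in `RISKY_DIRS` are assumptions made for this sketch; the sample is abridged from the posted log.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
# Assumption for this example: resident code in these directories merits review.
RISKY_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\content.ie5\\")

# Sample input: abridged from the log posted in Response Number 3.
SAMPLE = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Farang\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - Startup: PowerReg Scheduler.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6124324-0A45-4BCE-9A6F-74A647D37012}: NameServer = 195.238.2.21 195.238.2.22
"""

def parse(log):
    """Split a log into the running-process list and entries keyed by section."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY.match(line)):
            entries[m.group(1)].append(m.group(2))
    return processes, entries

def risky(text):
    return any(d in text.lower() for d in RISKY_DIRS)

def review(log):
    """Return (reason, item) pairs worth a closer look; empty means nothing stood out."""
    processes, entries = parse(log)
    found = [("process runs from temp/cache dir", p) for p in processes if risky(p)]
    # O4 = autostart entries (Run keys, Startup folders); O17 = DNS server settings.
    found += [("autostart from temp/cache dir", e) for e in entries["O4"] if risky(e)]
    found += [("confirm these DNS servers are expected", e) for e in entries["O17"]]
    return found

if __name__ == "__main__":
    for reason, item in review(SAMPLE):
        print(f"{reason}: {item}")
```

On the sample, the only process flagged is HijackThis.exe itself, which was started from the temporary extraction directory of hijackthis.zip; the NameServer entry is listed so the addresses can be checked against the ISP's.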




Response Number 6
Name: farang
Date: January 29, 2004 at 07:29:03 Pacific
Reply:

Hi Blender

Yes, a Norton virus scan comes up clean. I guess you are right that Norton stopped it from entering my pc, but I was worried since it said in my activity log that it was located in my content.IE5 folder. I deleted my cookies, temp files and history almost every day trying to keep pc clean.

If I ever get the pop up from Norton again when visiting one of these sites I will report it here and alert you. At this time I can't remember at all where it happened last time, cause mostly I go from link to link until it happens and I close all my open windows. Next time I will take note of the url.

I know I need Windows updates but I read so much about people having problems with the service packs. I checked many forums and 50% seem to have more problems after the updates than before.

To all of you who responded: I think it's really great there is a place like this on the web where the less knowledgeable people like me can come and get this advice from people like you who offer help. Thanks and please keep it up!!!


0

Response Number 7
Name: mahmgb
Date: January 31, 2004 at 08:08:33 Pacific
Reply:

If you are still having trouble, you can view the contents of the content.ie5 folder by browsing to it from within MS Word or from within DOS. Just open MS Word and go to open. Browse to the location and you will be able to see and delete files inside the content.ie5 folder from within the OPEN window.

Or boot into DOS with a boot disk and browse to the location.


0
