I have been running and updating Vet daily and have not found a problem. I did a check with Symantec and it said that there was a Trojan found in Windows Downloaded Program Files. I have checked in that folder and it does not show me the file mentioned (even with show hidden files). Vet has checked the folder again and does not come up with a problem - although I can see the file referred to in the Vet programme.
Why would Vet not find the problem, if there is one?
The file apparently was downloaded on 29/3/04 but does not show up when I check for any files downloaded on that date at the appropriate time.
Help on this would be appreciated - thanks
Floss

Floss,
Go to the Downloaded Program Files folder. Right-click on any downloaded program file dated 29/3/04. Select Properties. Select the Version tab. Do you see the Trojan infected file under the Version tab?
Also, disable System Restore in XP and do a Find of the same infected Trojan file to locate other possible file paths.
If your UPDATED antivirus program cannot remove the infected file, you should remove it manually. If you need instructions on removing the Trojan infected file manually, let me know the name of the Trojan and the infected file name and path.
Top Speed

I meant to say, the Version tab should show the company name, and do you see the Trojan infected file under the Dependency tab?

Thanks for the reply.
OK - when I go to the Downloaded Program Files folder under My Computer it does not show the actual file that is supposed to be infected. Show all files is turned on. The same happens under Explorer. The number of files shown is 10 but when I check under properties there are 48 files.
The only way I can actually see the file is to go into Vet and view the folder from there and I can then see 48 files - but of course I can't do anything with the file under Vet.
I happened to be on the Symantec site the other day and it had a section showing "Check your computer for Viruses" so I set it off - and it came up with the note that one Trojan had been found - and named the file - but did not give any other details.
I was loath to disable System Restore as it will remove all previous restores but it looks as though I may have to do that if I can't find the file any other way than through Vet.
I have told Vet to scan that particular file and it says there is not a problem with it.
Change to another antivirus program?
Ideas would be appreciated thanks!
Floss

For a Windows XP system, it's correct to disable System Restore before running antivirus, so the program can identify possible infected EXE and COM backup system files. Be sure to disable System Restore each time you run antivirus.
I used to buy Norton antivirus from Symantec and haven't used it for a long time. I use free antivirus from Trend Micro and also learned a lot about malware removal from Trend Micro. No antivirus can provide automatic removal 100% of the time, so you will have to remove the malware manually, and Trend Micro offers manual fixes in their virus encyclopedia, which I like a lot. It's up to you how involved you want to be in the DIY approach.
Did you write down the Trojan and infected Trojan files identified by Symantec? It's easier for me to assess the situation if I know the Trojan name and file paths.
Top Speed

Top Speed
OK, have disabled System Restore, run Vet, it scanned 80545 files and still no virus found. Then went to Trend Micro and ran the checker - that came up with 48202 files - but no virus. Went back to Symantec - it found 50714 files - and a virus. The Status shows - 1 file infected on your disk - no viruses were detected in memory. The virus listed is Download.Trojan. The infected file is in C:\Windows\Downloaded Program Files
I have checked the C drive for the named file and it will not find it - I still cannot see that file in the folder specified apart from in Vet. There are still only 10 files that I can see in the specified folder although Vet can see 48.
Next move please!
Thanks a million
Floss

Understood. Are you saying that the Symantec antivirus only identified the virus as Download Trojan without a specific file name with a proper file extension? How do we know it's the same file as the one seen in Vet? What is the file name with the extension seen in Vet? What file name did you search under?
We could remove the virus either automatically or manually as long as it is on your OS, but we should identify and know what specific malware file(s) this Download Trojan is and where it resides to remove it, so I can be sure to direct you to delete the right file in the right directories and know we have removed it completely.
What I was asking for was the name(s) of the Download Trojan file name(s) identified by Symantec if any and seen in Vet. What is the whole file name including the extension, whether it is an EXE, COM, or DLL, etc. For example, C:\Windows\Downloaded Program Files\ filename.xxx
We shouldn't move forward until we get the affected file name for this Download Trojan. If the antivirus didn't provide you a specific Download Trojan file name with an extension, we need to do some digging. Please do the following so we are on the same page.
RECONFIGURE WINDOWS EXPLORER FROM VIEW MENU:
1. To show all files then do a search or find of the file with the file extension.
In Windows Explorer, do Show All Files by going up to the View menu bar, select "Folder Options," click View tab, under Files and Folders and under Hidden Files folder, select "Show all files."
And "Hide file extensions for known file types" should be unchecked.
[remember to restore the configuration to deselect "Do not show hidden or system files" after the virus removal process is over and done if you want].
DO A SEARCH OR FIND OF THE FILE DETECTED BY SYMANTEC AND VET
1. Usually, we do not need to do this because the antivirus program shows the the directory path for the malware file
2. Let me know the file names and paths with file extensions if any detected by the antivirus programs as they appear from Symantec and Vet.
3. Then, do a Search or Find, select "MY Computer" in "Look in" box. Write down the search result of the folders where the malware is found.
RUN TREND MICRO ANTIVIRUS TO IDENTIFY DOWNLOAD TROJAN
If you don't mind, either tell me which Trend Micro antivirus you ran, or I'd like you to update the free software again after the initial Housecall free scan.
If you already ran the free online Housecall scan, please download and install the free Sysclean Package described below. Both the scan engine and matching virus pattern file (a zip file) have to be updated with each download.
For first time Trend Micro antivirus program user:
Find free online virus scan at http://housecall.trendmicro.com/
For subsequent Trend Micro users, either purchase or download free antivirus software updates:
For free automatic removal of malware after initial free online scan, use Trend Micro System Cleaner (working well for me and recommended if you want automatic removal of the latest malware).
A free update of this automatic removal software is available for both the matching scan engine and virus pattern file; both should be updated at the same time. Make sure you read the readme.txt for specific instructions, but basically the Sysclean program should be installed in the same folder as the latest unzipped virus pattern folder.
For free antivirus update after the initial Housecall antivirus scan, download and run
Free Sysclean Package: http://www.trendmicro.com/download/dcs.asp
Free Matching update of latest virus pattern file: http://www.trendmicro.com/download/pattern.asp
Did Sysclean remove or identify the Download Trojan file(s)?
Top Speed

Hi Top Speed
And the answer is zip, zilch and zero.
OK - steps taken
1)All files under Hidden Files were showing
2)All extensions under Known File Types were showing.
3) All Protected Operating System Files were showing.
4) Ran Search of C Drive under Windows Explorer for specified file (which is called "download.mp3.exe") for any file by the name of download.mp3.exe. No results.
5) Ran another search in C drive for any file with *mp3.exe. No results.
6) Ran another search in C drive for any file with *.exe - 1478 files but none of them were under C:\Windows\Downloaded Program Files and none of them had mp3 or download against them.
7) Did a search of C drive for a file containing the word mp3 - 118 files of which 36 were in C:\Windows but none with Downloaded Program Files.
8) Repeated searches 4, 5 and 6 against My Computer as opposed to C Drive just in case it came up with a difference! It didn't.
9) Ran Symantec Security Check again (actual details at the bottom of this list) - found 1 infected file.
10)Ran the free online Housecall scan last night but ran it again after doing the searches. Found nothing.
11) Downloaded the Free Sysclean Package and the latest virus pattern file - ran this but Sysclean did not find the Download Trojan file.
12) Went into Vet - file is still visible but can only copy, scan, select all or invert selection.
So the only way it is found is either by going into Vet - or believing Symantec that the file is infected.
The actual result from Symantec says -
"59714 files scanned, 1 file(s) infected on your disk drives. No viruses were detected in memory.
Your computer is infected with at least one known virus or Trojan horse.
Search for the name of the virus(s) listed below on the Symantec Security Response site for removal information.
C:\WINDOWS\Downloaded Program Files\dowload.mp3.exe is infected with Download.Trojan"
I can't see that it would be any help but I have AdWare running and Spybot - but they would not really find a virus.
Difficult to remove if I can't find it anywhere else but Vet - and why can't it be seen when doing a search throughout the computer. Am now at a complete loss as Symantec are the only ones that detect it as a virus!!!
Bright ideas please!!! (I hope you regard this as a challenge!!!!)
Floss

Hi Floss,
just one thing in Windows XP,
Search => More advanced options => Search hidden files and folders.
did you use it?
Ad-Am

Floss,
I'm going to ask, if you've tried either Adaware or Spybot S&D (updated of course), to take care of this problem.
If you have, and neither helped, you could use HijackThis to get rid of it. That can be found here, and help for the entries here. Precisely the 016, 016-DPF ones.
The reason I ask, is it's most likely spyware/adware. Just an opinion. Good Luck

Floss,
Thank you very much. The Symantec detection message is exactly what I needed:
C:\WINDOWS\Downloaded Program Files\dowload.mp3.exe is infected with Download.Trojan"
Now that we have the identified malware, we are close to removing it. We have to find it, stop it from running, and then remove the affected files, possibly from the registry.
STEP II: TERMINATE MALWARE FROM MEMORY
You will need the name(s) of the file(s) detected earlier.
In your case, it's (there might be more, but this mp3 file is the starting point):
C:\WINDOWS\Downloaded Program Files\dowload.mp3.exe
Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
Note: Task Manager running on Windows 95/98/ME may not show certain processes. If you are not sure about your task programs, you could use a third party process viewer to identify suspicious or unknown files. I use Process Explorer, a freeware from Sysinternals.com, http://www.sysinternals.com/ntw2k/freeware/procexp.shtml to help me identify unknown processes and company names.
1. Assume with Windows XP, you have no problem identifying processes running with your Task Manager, and with or without the help of Process Explorer, do you see your detected malware file, download.mp3.exe?
2. In addition to the previously detected malware filename, download.mp3.exe, do you see any other unknown or suspicious programs running? If you aren't sure, use Process Explorer I mentioned before to help you identify the processes running.
3. Write down and list any processes with .exe, .dll, extensions running in your Task Manager as well. These are the files you have to track down and remove in Windows system, msconfig Startup, Program Files folders, and the registry depending on the malware files.
4. Select detected malware files one at a time and select "End Task" for Windows 98. It might be End Process for XP.
Let us know what you found and what detected malware files you terminated in Task Manager.

Floss,
In case it was not clear, identify, notate, and terminate MALWARE files only in Task Manager. There are legitimate processes running in Task Manager that should not be terminated.

Hi Top Speed,
We're back to zilch, zip and zero.
I opened Task Manager but there were several processes that I was not sure about so I downloaded Process Explorer and checked on that.
The only one I really wasn't sure of was an nvidia.32 - but that one is fine - it's part of the graphics on the Toshiba.
Apart from that it showed no processes that shouldn't be running. There was nothing with mp3.exe and no suspicious programmes - I double checked most of them under Properties just to be on the safe side.
There appeared to be no malware files at all!
I had already checked with Ad-aware and Spybot and will try HijackThis (see S.T.A.R.) whilst I wait for your next thought.
Floss

Floss,
Appreciate you being thorough when troubleshooting, and it helps. Not finding download.mp3.exe and other malware in Task Manager would make sense since you mentioned that Symantec noted that no virus was detected in memory, but I just wanted to double check. Try hunting for your Download.Trojan in the following three ways:
SEARCH FOR SUSPICIOUS PROGRAM INSTALLATION
1. Click Start>Settings>Control Panel
Double click Add/Remove Programs
Do you see any questionable or suspicious program installed, or names of vendors you are not familiar with?
Do you have either "download.mp3.exe" or “Live On1ine Porta1" on the list?
2. Uninstall the downloaded program of the malware from the system:
Click Start>Settings>Control Panel
Double click Add/Remove Programs
Select the program “Live On1ine Porta1"
Click the Add/Remove… Button
NOTE: Make sure System Restore is disabled to uninstall the program (as when running antivirus).
CHECK MSCONFIG STARTUP TAB FOR MALWARE
Start>Run>type msconfig>click Startup tab
Scroll and review all startup programs
Identify any startup programs from unknown or suspicious vendors and/or relating to download.mp3.exe
CLEAN & SEARCH
1. Delete all *.tmp and *.gid files
Right-click Start>Find
Type in Name box, *.tmp
Look in the hard drive your Windows is installed
Highlight all temp files and delete
Repeat search and delete with gid files, type *.gid
2. Delete all Temporary, Internet Temporary Folder, cookies through Windows Explorer.
To your system folder in Windows Explorer, double-click Internet Temporary folder to open, select all files and delete.
Still in the system folder, double-click to open your Temporary folder, select all and delete.
Report any files or folders not removed.
Note: System is the Windows system folder, which is usually
C:\Windows\System on Windows 95, 98 and ME,
C:\WINNT\System32 on Windows NT and 2000, and
C:\Windows\System32 on Windows XP.
3. Empty Recycle Bin.
4. State the outcome for the following 4 searches for detected malware file in Find: All Files dialog box,
In Named type *.exe
Click the Browse button to display Downloaded Program Files folder in Look In:
Select to "include subfolders"
Find
Repeat the above search in Downloaded Program Files for *.mp3
Repeat the above search in Downloaded Program Files but, type download, in Named.
Search for Download.mp3.exe by using the Date tab and the date range you find most appropriate to include 29/3/04.

Floss,
One thing to consider is that since we already have the detected malware filename, it might be better to remove it manually first and search and edit in the Windows registry if we have to.
The more unnecessary software you download and install (free or not), the more you put your pc at risk to exposure and complications and still with mixed results. You can always install more software later. It's up to you. Just keep me updated what changes you have made and if we should move forward.
I do not know how to use HijackThis. Besides, I wouldn't want to broadcast a log of my computer files on the Internet personally.

Hi Floss,
Seven more ideas for you to find and remove your trojan infected file, Download.mp3.exe. Four finds are maybes from Symantec and three ideas are from me. Although I like my ideas, you may find certain Symantec issues relevant that I wasn't aware of, so see what suits you.
BTW, do you have any idea about how this download.mp3.exe got in your Downloaded Program Files folder, and do you have any other problems with your computer relating to this file? The information might narrow down the identification of the trojan before we edit the registry.
FOUR POSSIBLE RESOLUTIONS FOUND ON SYMANTEC
1. Symantec's technical information on download.trojan. You may want to try updating and rescan in Safe Mode and clear the IE Temporary Folder as instructed (not much different than what we have done but just in case).
http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.html
2. Is Download.mp3.exe already quarantined by antivirus?
http://service1.symantec.com/SUPPORT/nav.nsf/aab56492973adccd8825694500552355/6238f5ff586ac19e88256946006d2cf8?OpenDocument&src=bar_sch_nam
3. Did you get an "Access Denied" message? Issues relating to NAV read/write access, "unable to repair, quarantine or delete . . . access denied" when detecting an infected file, scan in Safe Mode, more issues about deleting infected files in temp and IE temp folders, and deleting infected file from MS-DOS
http://service1.symantec.com/SUPPORT/nav.nsf/396b6ccde72d4a4d882569fc006071d4/b06295358f269d6d88256d27005a8eb4?OpenDocument&src=bar_sch_nam
4. Delete infected file that is compressed.
http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/f85883189f254d10882568f50006815b?OpenDocument&src=bar_sch_nam
A FEW OF MY IDEAS
1. What about sending the Downloaded Program Files folder to Recycle Bin and create a new C:\WINDOWS\Downloaded Program Files folder, and then do a copy-and-paste of only the downloaded programs you need to keep to the new folder (DON'T Drag!)? Then, do another Symantec antivirus scan with System Restore disabled and in Safe Mode of ONLY THE NEW Downloaded Programs folder to see if the infected download.mp3.exe file gets detected. If it's not, then empty your recycle bin.
2. The fastest and most relevant resolution may be to search for Download.mp3.exe in the Registry and locate the keys where it is and consult the Symantec and Trend Micro trojan database to confirm the trojan type to remove it manually from the affected keys. For now, we are just searching for the infected file to see if it exists so you don't need to do a backup of the registry if you are careful not to alter any values or data. To open Registry Editor in Windows 98 for example,
Click Start>Run> type regedit, click Ok.
Select Edit>Find, under Look at, Keys, Values, Data should all be checked off.
In Find What, type your malware filename, download.mp3.exe
Click Find Next
Here are the instructions on how to backup your registry if you need it. http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617
3. If we still can't find download.mp3.exe in the registry, we could still do a print-screen of your registry keys to locate the infected file (more on that later).
What do you think?

Hi Top Speed,
OK - that list of instructions is enough to last a couple of days!
I had the bright idea of downloading Norton Antivirus - the free trial - to see if that would help - it scanned the whole lot and came up with nothing!! I am beginning to believe that there isn't actually a virus in the file and that it's a huge ploy by Symantec to get me to buy their product!!
Anyway - one of the things on your list - checking the Registry Editor. I have checked it as yd and it has found two files -
ab 001 Reg_SZ download.mp3.exe and
ab 002 Reg_SZ download.mp3
As of yet I have not backed up the registry but will go to the site shortly to do that - but I thought this might give you something to work on whilst I go through the other instructions.
Thanks
Floss

Hi Floss,
You asked for bright ideas...just didn't want to disappoint. Besides, I am getting obsessed over not finding this trojan. As they say, "ignorance is bliss." The noose is getting tighter. Good teamwork. When you have time or need bedtime reading, you should read at least items #1 and #3 I found from Symantec. #3 talks about deleting a file from MS-DOS, which we may do (remind me) after removing the malware file from the registry and the system folder for a complete annihilation.
I need the following information from you to identify the type of trojan before we could remove the files from the registry:
1. Let me know the results of your findings after you reviewed the installed programs in Add/Remove, msconfig Startup, and any remaining folders/files left after you emptied the IE Temporary folder and Temporary folder in your Windows system folder in Response #13.
2. Go back to the registry editor, Start>Run>regedit.
Select View from menu bar, select Status Bar to display it.
Now, to find the directories where download.mp3.exe is located:
Select Edit from menu bar>Find>
Under Look at, Keys, Values, Data should all be checked off.
In Find What, type your malware filename, download.mp3.exe
Click Find Next (it's a long search)
Transcribe the first search result as is seen on the Status bar, just above the Start button.
Next, either select Edit>Find Next, or press the F3 key to move on to the next search for Download.mp3.exe and transcribe the result again from the Status Bar until the Find ends with a message, "Finished searching through registry, click OK."
NOTE: Be careful with transcribing the paths correctly in the registry. We need the correct directories to lead us back to locating the malware files to remove them from the registry.

Windows registry information from Symantec should be fine, but make sure you look up relevant information about Windows Registry for XP either directly from www.support.microsoft.com or from Help in the Registry Editor and in Windows for supported backup and restore methods so as not to corrupt the registry.

Hi Top Speed
OK - bit by bit I am going nowhere - I shall report what I have done to date.
1) Add/Remove Programs - no there were no suspicious programs or vendors. Did not have "download.mp3.exe" or "Live Online Portal" on the list.
2) Check msconfig. No startup programs from suspicious vendors.
3) Remove all *.tmp files - report what is left - there are 5 files left which are reported as read only - IEC3, IEC4B, IEC6, SET3E.
4) Remove all *.gid files (what is gid anyway - not one I've come across?) - 2 left - eudora - marked as read only.
5) Delete all Temporary, Internet Temporary Folder cookies/files - done. index.dat files left.
6) Recycle bin emptied.
7) Searches done for Find: All Files "*.exe" including sub folders - no mp3 in sight.
8) Repeated search for *.mp3 - none found
9) Repeated search for "download" - none found.
10) Search for "Download.mp3.exe" with and without date tab - no mp3 found.
11) Searched all files downloaded on that date (29/3/04) no .mp3 files, no .exe files and the last file as being accessed was at 4.09 - the file in question was supposedly downloaded at 4.16
12) Tried sending the Downloaded Program Files to the Recycle Bin - but I can only send the folder as I can't see the actual file - and when the folder is in the recycle bin it can only be restored - not opened.
13) Searched registry and found two - one is in My Computer\HKEY_CURRENT_USER (have written down the details carefully; and the other is in ditto but USERS - with a load of numbers etc etc which I have also checked twice - both have Software\Microsoft\SearchAssistant\ACu\5603 on the end of them.
OK - think I've covered most of the points - I did a back up of the registry but only on to the hard drive at present. I'm not sure if the noose is getting tighter on the file or my neck - do we get gold stars if we find this thing!?
I shall look at the bedtime reading at another time - it's late at night and the brain is getting fuddled!
Over to you!
Floss

Floss,
The .gid files are generated when you search in a help file so like .tmp files, they could be deleted.
Let's hope this Download.Trojan is no more than a downloader of another trojan or backdoor trojan.
What are the directories for the four read-only undeleted temp files, IEC3, IEC4B, IEC6, SET3E? Please list them. Right-click on the files and see what you can find out about them.
Instead of asking you to search for the references to the Trojan in the registry, I am going to ask you to do a few printscreens of your registry keys to save us time, but first repeat:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode (Windows NT).
4. Run a full system scan and delete all the files detected as Download.Trojan.
PRINTSCREENS
If download.mp3.exe is still not removed by your latest anti-trackware and antivirus, then do printscreens (6) of the following registry keys:
Navigate and double-click to open each of these six registry subkeys and do 6 printscreens with all data values on the right panel fully displayed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
(?) And the subkeys you identified where download.mp3.exe were, including the two below:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
For example, once you double-click to open the HKEY_LOCAL_MACHINE\... Run subkey, with the right panel fully in display, press the PrintScreen key
Select Start>Programs>Accessories>Paint, then press Ctrl+V, pressing the Ctrl and V keys at the same time to paste the Printscreen in Paint. In the Paint program, make sure all the values on the right panel are displayed fully before you post or print.
Because Printscreen didn't seem to be able to post a bitmap file on the support forum when I tested it on my end (you could try posting them), you may have to print them out and fax them to me.
If you have to print the registry subkey values out, you could either print in Paint which will print them as a bitmap files so I'll see what you see on your pc, or you could print the values of the registry subkey in Registry Editor as text files. Whatever you do, make sure the subkey values have the correct registry hierarchical paths clearly printed to identify them so there is no question where these subkey values belonged. My incoming fax number is 914-931-1247.
Just one thing to confirm: (1) with the help of Process Explorer, you are confident that all identified processes running in Task Manager are legitimate, and the running list does not have any suspicious looking .exe file or a download.mp3.exe file; (2) that there are no unintended or unidentified programs installed in Add/Remove in the Control Panel.
Once I have all the information I need stated above (including the temp files), I will be able to search the virus encyclopedia to identify the procedures to remove Download.mp3.exe.

Okay, here is the solution to posting the subkey values in the Support Forum.
Open each of the six subkeys requested to display data values.
Export each subkey value to a Temp folder and name the file so you can distinguish the six .reg files and identify each subkey under each registry key later (consult the previously posted link for instructions on creating registry and specific registry subkey backups).
Open each .reg file with a text editor, like Notepad or Word, select to display all files *.* so you can see the .reg file.
Copy and paste the texts in each of the six exported registry file and post them as you would when writing in the Support Forum.
You should be able to post your subkey values this way without having to fax them.
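The post above asks for the Run-family subkeys to be exported with regedit and the .reg text pasted, and the earlier posts ask for every registry hit on download.mp3.exe to be transcribed one at a time from the status bar. The script below is an added example for this thread, not code from the thread or from any vendor: it parses the text regedit's File > Export writes (the "Windows Registry Editor Version 5.00" format, including the backslash-wrapped hex(2) octets that REG_EXPAND_SZ values are exported as), lists every value whose name or data mentions a filename, and labels what kind of key each hit lives in. The sample export is constructed; its key paths are real XP locations but its values are made up. One caveat the labelling encodes: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 is where XP's Search Companion stores the file names a user has typed into Start > Search, so a hit there records a search for the name, not a program configured to run, whereas a hit under a ...\CurrentVersion\Run key is a genuine autostart entry.

```python
# Triage a regedit export (.reg) for references to a suspect filename.
# Added example for this thread; not code from the thread or from any vendor.
import re

# Any ...\CurrentVersion\Run* key (Run, Run-, RunOnce, RunServices, ...) holds
# autostart entries; the XP Search Companion key only records typed searches.
AUTORUN_MARKER = "\\currentversion\\run"
SEARCH_MRU = "\\search assistant\\acmru"
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):
    """Undo the \\" and \\\\ escapes regedit uses inside quoted strings."""
    return re.sub(r'\\(["\\])', r'\1', s)

def _logical_lines(text):
    """Rejoin lines that regedit wrapped with a trailing backslash (long hex data)."""
    pending = None
    for raw in text.splitlines():
        line = raw.strip() if pending is not None else raw.rstrip()
        if pending is not None:
            line, pending = pending + line, None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending is not None:
        yield pending

def _decode(raw):
    """Turn the right-hand side of a value line into (type name, Python value)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw, re.I)
    if m:
        kind = int(m.group(1) or "3", 16)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ exported as UTF-16LE octets
            name = "REG_SZ" if kind == 1 else "REG_EXPAND_SZ"
            return name, data.decode("utf-16-le", "replace").rstrip("\0")
        if kind == 7:  # REG_MULTI_SZ: NUL-separated, double-NUL terminated
            return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le", "replace").split("\0") if s]
        return f"REG_BINARY(hex({kind:x}))", data.hex()
    return ("DELETE" if raw == "-" else "UNKNOWN"), raw

def parse_reg(text):
    """Return [{'key', 'name', 'type', 'data'}] for every value in the export."""
    entries, key = [], None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.lower().startswith(("windows registry editor", "regedit4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            typ, data = _decode(m.group(2))
            entries.append({"key": key, "name": name, "type": typ, "data": data})
    return entries

def classify(key):
    """Label a key: autostart entry, Search Companion history, or other."""
    low = key.lower()
    if SEARCH_MRU in low:
        return "search-history"
    return "autostart" if AUTORUN_MARKER in low else "other"

def find_references(text, needle):
    """Every value whose name or data contains needle (case-insensitive)."""
    needle, hits = needle.lower(), []
    for e in parse_reg(text):
        data = " ".join(e["data"]) if isinstance(e["data"], list) else str(e["data"])
        if needle in (e["name"] + "\0" + data).lower():
            hits.append({**e, "where": classify(e["key"])})
    return hits

def autostart_entries(text):
    """All values under Run-family keys, i.e. what the requested subkeys hold."""
    return [e for e in parse_reg(text) if classify(e["key"]) == "autostart"]

def _hex2(s):
    """Write a string as regedit exports REG_EXPAND_SZ: hex(2) UTF-16LE octets,
    wrapped with ",\\" every 20 octets like a real export."""
    octets = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    chunks = [",".join(octets[i:i + 20]) for i in range(0, len(octets), 20)]
    return "hex(2):" + ",\\\n  ".join(chunks)

# Constructed sample export (key paths are real XP locations; values are made up).
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"',
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Search Assistant\\ACMru\\5603]",
    '"000"="download.mp3.exe"',
    '"001"="download.mp3"',
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"NvCplDaemon"="RUNDLL32.EXE C:\\\\WINDOWS\\\\system32\\\\NvCpl.dll,NvStartup"',
    '"Updater"=' + _hex2("C:\\WINDOWS\\Downloaded Program Files\\download.mp3.exe"),
])

if __name__ == "__main__":
    for h in find_references(SAMPLE_REG, "download.mp3.exe"):
        print(f"[{h['where']}] {h['key']}\n    {h['name']} ({h['type']}) = {h['data']!r}")
```

To run it against a real export, read the file with encoding="utf-16" (Version 5.00 exports are UTF-16 with a byte-order mark; the older REGEDIT4 format is ANSI) and pass the text to find_references. On the sample, the ACMru hit is reported as search-history and only the Run-key hit as autostart, which is the distinction to make before deleting anything.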

Top Speed
Patience might be required here - I think the virus has transferred itself to me through the keyboard.
I will go through this slowly but perhaps not today - which country are you in anyway?
Floss

Agreed. Best to take action when you can focus and concentrate. One thing to consider also...although Symantec classifies Download.Trojan as a low threat, since we haven't found the malware file and haven't defined the type of backdoor trojan downloaded, it may be best to remove it asap.
In case I was too brief when requesting the data values for the six registry subkeys, I didn't want to guess or infer where the dowload.mp3.exe files were when we are working in the registry, so if these malware files were found anywhere else other than the six subkeys I requested, please include and post the data values from any relevant registry subkeys in addition to the six I requested.
I am communicating from the United States, and you?

Floss,
I have a question, if you wouldn't mind. Or maybe a couple :-) Did you get/download the HJT, and use it? You don't have to use it, to fix anything. You could use it, to see, if indeed, the file is where you were told it was. When you use it, start by making a new folder, just for it, and placing it in this folder. That way, if you decide to use it, it will have one central location, and the things you fix, will be backed up there. If, the need to restore, what was fixed, is needed.
As I said in my previous post, look at the
016
016-DPF
Downloaded Program Files
entries.
As you've indicated, that is where it would be listed. That would also give some help as to where this came from. (The HJT log) I'm not asking you to post a copy of your log. To Top Speed, OK :-) Was just giving you an option. Yes, I see you've run the two programs, but was making sure you were running updated ones.
Good Luck,
S.T.A.R.

S.T.A.R.
Good to hear from you again. I didn't really understand the resolutions in your first post, the relationships between ActiveX and Download.Trojan, the significance of 016-DPF Downloaded Program Files entries, or how to fix it other than have HijackThis fix it.
But it must be fate, I happened to read about "expanded security threats outside of commonly known definitions of viruses, worms, and Trojan horses" on the Symantec Security Response website today that referred to unauthorized access caused by programs like Adware (not Lavasoft's Ad-aware), Spyware, and others. These "untraditional" types of access are usually passed on through End-User agreement installation of programs and tools but could be downloaded through stealth. So, what you posted initially is only now beginning to be understood.
The questions that I have asked Floss (unidentified installed programs and unusual computer behaviors or symptoms) seem to have ruled out that this Download.Trojan is anything but a Download.Trojan as defined in the traditional sense and not of one in the Expanded-Threat group. However, with this new found understanding, I will keep these possibilities in mind when I look over the data values of the registry subkeys. Once I have a sample of the data values of selective registry subkeys, hopefully I will be able to ask for the right entries, identify the Trojan, programs, or tools responsible to know how to remove this malware file.
All these expanded threats only confirm my concerns about downloading more software to remove malware files once they are identified and detected.
Floss,
I ran both the free Symantec security scan and the antivirus scan on my computer today, and the results showed all ports protected and no virus found. I am up-to-date with Windows updates from Microsoft, and my IE has the highest encryption or cipher strength of 128-bit.
After you post the registry data values, it wouldn't hurt to run the free Symantec security scan if you haven't done it and check that your IE cipher strength is at 128-bit, to rule out that Download.mp3.exe is most likely a Download.Trojan in the traditional sense. To check the cipher strength, go to IE, select Help from the menu bar, select About IE. If your IE is not, then update your IE and OS with Microsoft asap.
Here is the link to the "Expanded Threats" as defined by Symantec and the types of unauthorized access S.T.A.R spoke of, if you are interested: http://securityresponse.symantec.com/avcenter/expanded_threats/index.html
If we can't identify the type of Trojan infection from the registry data values, then perhaps S.T.A.R can show us how to read or fix it with HiJackThis? I do not know how to read the log, and computing.net has a strict policy about not posting the log unless an expert asks for it.
Top Speed

Searching the Value Names and Value Data from the registry subkeys using Symantec's Virus Encyclopedia Search Engine should be a fairly direct way in leading us to identifying the Trojan or the Adware/spyware related threats to removing the detected Download.mp3.exe file and associated files.
Also, do you have either IE/homepage problems or any computer problems?

BTW, we found Download.mp3.exe in the registry already. Floss, once you post the name and data values, we can work to remove the file and other associated files.
Also, did you install Adware or other anti-trackware than those already disclosed by chance? Please confirm what software you have installed other than the antivirus updates and Ad-aware from Lavasoft you have mentioned because knowing this background information will assist in identifying (or ruling out) possible types of trojan or trackware.

...including opening or responding to unusual unsolicited "official sounding" email attachments.

Hi Top Speed and S.T.A.R.
Sorry have not tried anything from 23 onwards - have not been online much - obviously we have clever computers at the bottom of the world as it seems the Trojan came bearing virus gifts for humans!!
With luck I should be back on form tomorrow and will start on this again.
Thanks to you both from ?sunny Australia.
Floss

Top Speed,
"the significance of 016-DPF Downloaded Program Files entries, or how to fix it other than have HiJackThis fix it."
You've probably had Floss check the "Dependency" of each program file in the "Downloaded Program Files" (folder). I'm too lazy to go back and read everything, sorry ;-) That's right-click one of the program files, and then click "Properties". Then click the "Dependency" (Tab). You will (should) be presented with the files, etc., and their locations, as to what that program file depends on. Do that for each file in the "Downloaded Program Files" (folder). That's a rough description/explanation; yours may differ. After/during that, was the file in question shown? If it was, that's the program file (the one whose dependencies you were checking, and it showed the file in question) that would need to be removed. (Right-click it & click Remove) And, if needed later, it can be downloaded again. I stress, IF NEEDED
:-)
Floss,
Let us know the name of the program file, and its dependencies. The one that has the file in question as a dependency, OK. You're welcome.
Good Luck,
S.T.A.R.

STAR, do you have reasons to believe that the associated files to the infected trojan file are restricted to the downloaded program files? My thoughts are: the trojan may or may not have already been executed, and the linking or loading files could be anything from a .dll, an .exe, or even java scripts and could be found anywhere from the system, temporary, cookies, the registry, and program files folders.
Floss's answers about the file extensions and paths for the four Read-Only temp(?) files and the posting of the data values found in the Search Assistant and other registry subkeys will offer substantial clues to get us started on narrowing down the type of backdoor or downloader trojan, and possibly spyware, to help us remove this "ghost trojan". I am not so concerned about removing the Download.mp3.exe because it could be done in MS-DOS if all else fails. I am more concerned about the possibility of a more sinister download or trojan dropper by the trojan, so we need to identify the exact download trojan by identifying how this trojan or spyware works.
Floss, sorry to be such a bottomless pit... more questions for you to help us identify the trojan. But, these tasks are fast to do. In addition to all the questions and requests posted thus far, could you also answer the following:
1. Did you have any unusual browser problems like, redirected homepage, search page, and web page? Did you get Windows logon error messages? Any web reference to Fastwebfinder.com or specific popup?
Go to Start>Run, type edit c:\windows.ini>OK.
Do you have an entry similar to, run=fntldr.exe
2. Search/Find the following files on your hard drive:
ld.exe
dnse.dll
regsv32.exe
wsock32.exe
netd.exe
zshell.js
run_cd.exe
sys.exe
dia4.exe
load.dll
teen.exe
windows.exe
3. In Task Manager, do you have TWO explorer.exe files and a rundll.exe running?
Your findings on these questions, the read-only files, and the posting of the registry subkey values will point us in the right direction.

btw, there seem to be quite a few known issues with Spybot Search & Destroy, anything from memory leaks, program conflicts, making drives and the system utility msconfig invisible, and shutting down antivirus in mid process.

Top Speed,
Ok, first, no one/nothing is coming up with anything but Symantec. Second, the only thing they CLAIM to be INFECTED is the "download.mp3.exe". Third, it probably was something agreed/not agreed upon to be downloaded to the computer in question. As I said before, "And, if needed later, it can be downloaded again. I stress, IF NEEDED". I still believe it's something from a music site; that's why I said about the HJT. It would give an indication as to where it came from. Symantec says it's infected, but do they mean the file is infected, or do they mean/think the file is the infection?
You have everything under control, was just trying to lend a hand. See you around in the forums.
S.T.A.R.
Floss,
Hope you're feeling better, and stay that way :-) Good Luck, in solving your problem. And send some of that sunny weather my way, please. I can go fishing, out my backdoor :-) That's a good thing, at the place at the river, but not, at home base :-)
Again, Good Luck,
S.T.A.R.

Top Speed
OK – I am going to start at the last response and work backwards - I have copied the instructions and put in the answers.
Did you have any unusual browser problems like, redirected homepage, search page, and web page? Did you get Windows logon error messages? Any web reference to Fastwebfinder.com or specific popup?
Answer – No to all of these
Go to Start>Run, type “edit c:\windows.ini>OK”.
Do you have an entry similar to, run=fntldr.exe
Answer – No – there are no entries at all when I type what is in the inverted commas
2. Search/Find the following files on your hard drive:
ld.exe (if this is a lower-case l as in love) - No such file
dnse.dll No such file
regsv32.exe No such file
wsock32.exe No such file
netd.exe No such file
zshell.js No such file
run_cd.exe No such file
sys.exe No such file
dia4.exe No such file
load.dll 3 files – “psisload.dll”; “Ut_Unload.dll”; “psisload.dll”.
The UT says it is a HP program, the first one is in Windows\I386\DRIVER.CAB and the third is in Windows\Driver Cache\i386\driver.cab
teen.exe No such file
windows.exe No such file
3. In Task Manager, do you have TWO explorer.exe files and a rundll.exe running?
Only 1 explorer file and no rundll.exe
I shall now have a look at the preceding questions.
Cheers
Floss

Top Speed
Re Message 32 - Spybot
I have used this for some time and am not aware of having problems - would it be better to use another agency - is AdAware a superior one or are they all equal?
Floss

S.T.A.R.
Thanks for the help - will send the sun over (although tis winter at present) if you will return the water - we are short!:0)
Have used the HJT and logged the results but not sure if Top Speed needs those yet - am working through this bit by bit.
Floss

Hi Top Speed
OK
Will now go back to Response No 20
QUESTION
What are the directories for the four read-only undeleted temp files, IEC3, IEC4B, IEC6, SET3E? Please list them. Right-click on the files and see what you can find out about them.
ANSWER (there are 5)
IEC3 C:\Documents and Settings\Local Settings\Temp 333 KB Modified 11/4/2001 Although it says it was Created on Friday, 29 August 2003, 9:21:34 PM (the creation date being later than the Modified date). No signature
IEC4B C:\Documents and Settings\Local Settings\Temp 337 KB Modified 5/9/2001 This says it was Created on Monday, 8 September 2003, 8:18:30 PM. No signature.
IEC6 C:\Documents and Settings\Local Settings\Temp 337 KB Modified 1/2/02. This says it was Created on Monday, 16 June 2003, 11:22:13 AM
SET3E C\Windows 14 KB Modified 29/8/02 Digitally signed by Windows Publisher
SET29 C\Windows 1061 KB. Modified 29/8/02 Digitally signed by Windows Publisher
Will try and do the registry keys next.
Floss

Floss,
As I explained/described in Response 30, could you do that, please. And when you find the file in question, list the program file's name, its dependencies, and their locations. Thanks
You say you have a HJT log. Just curious, do me another favor, please. Look at the O16 - DPF entries; does one of those look something like this;
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D}
http://www.lyricsdomain.com/download.mp3.exe
As I said, just curious. I know, curiosity killed the cat, but hey, they have nine lives. Well, eight now ;-)
Oh, and about the water. If I could, I'd be a nice neighbor, and send it by airplane, ship, helicopter, submarine, and anything else I could use, and still have enough left for me
:-)
The fish are even calling their insurance companies, and saying, "Sir, our house was washed away by the water. Do we have water and flood damage coverage?" ;-)
Later,
S.T.A.R.
You're Welcome Floss
p.s. No comment, about the Spybot - Search & Destroy© As it might be biased ;-)

S.T.A.R.
Can't send any rubber dinghies - need them myself as I am already drowning in the sea of unknown.
Just keep paddling for a few minutes whilst I put these registry key details on - I hope they make sense to someone.
With the actual mp3.exe file, by the way, it cannot actually be seen in the files and folders except when I view files in Vet - the only other place an mp3 is noted is the registry files.
Floss

Top Speed
OK - here are registry files - the first one is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name: <NO CLASS>
Last Write Time: 24/05/2004 - 7:08 PM
Value 0
Name: 00THotkey
Type: REG_SZ
Data: C:\WINDOWS\System32\00THotkey.exe
Value 1
Name: 000StTHK
Type: REG_SZ
Data: 000StTHK.exe
Value 2
Name: SynTPLpr
Type: REG_SZ
Data: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Value 3
Name: SynTPEnh
Type: REG_SZ
Data: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Value 4
Name: Tpwrtray
Type: REG_SZ
Data: TPWRTRAY.exe
Value 5
Name: TouchED
Type: REG_SZ
Data: C:\Program Files\TOSHIBA\TouchED\TouchED.exe
Value 6
Name: TFncKy
Type: REG_SZ
Data: TFncKy.exe /Type 28
Value 7
Name: TosHKCW.exe
Type: REG_SZ
Data: "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
Value 8
Name: NDSTray.exe
Type: REG_SZ
Data: "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
Value 9
Name: TMESBS.exe
Type: REG_SZ
Data: C:\Program Files\TOSHIBA\TME3\TMESBS32.exe /Client
Value 10
Name: TFNF5
Type: REG_SZ
Data: TFNF5.exe
Value 11
Name: ezShieldProtector for Px
Type: REG_SZ
Data: C:\WINDOWS\System32\ezSP_Px.exe
Value 12
Name: Drag'n Drop CD
Type: REG_SZ
Data: C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
Value 13
Name: NvCplDaemon
Type: REG_SZ
Data: RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
Value 14
Name: nwiz
Type: REG_SZ
Data: nwiz.exe /installquiet
Value 15
Name: VetTray
Type: REG_SZ
Data: C:\Vet\VetTray.exe
Name: PinnacleDriverCheck
Type: REG_SZ
Data: C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0
Name: Installed
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0
Name: Installed
Type: REG_SZ
Data: 1
Value 1
Name: NoChange
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0
Name: Installed
Type: REG_SZ
Data: 1
The next one is in three parts - 1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0
Name: Installed
Type: REG_SZ
Data: 1
then 2)
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0
Name: Installed
Type: REG_SZ
Data: 1Value 1
Name: NoChange
Type: REG_SZ
Data: 1
then 3)
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0
Name: Installed
Type: REG_SZ
Data: 1
I do not have the following two - the RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
The two where the mp3.exe were found are
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key Name: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
Class Name: <NO CLASS>
Last Write Time: 02/06/2004 - 3:02 PM
Value 0
Name: 000
Type: REG_SZ
Data: *.tmp
Value 1
Name: 001
Type: REG_SZ
Data: windows.exe
Value 2
Name: 002
Type: REG_SZ
Data: teen.exe
Value 3
Name: 003
Type: REG_SZ
Data: load.dll
Value 4
Name: 004
Type: REG_SZ
Data: dia4.exe
Value 5
Name: 005
Type: REG_SZ
Data: sys.exe
Value 6
Name: 006
Type: REG_SZ
Data: run_cd.exe
Value 7
Name: 007
Type: REG_SZ
Data: zshell.js
Value 8
Name: 008
Type: REG_SZ
Data: netd.exe
Value 9
Name: 009
Type: REG_SZ
Data: wsock32.exe
Value 10
Name: 010
Type: REG_SZ
Data: regsv32.exe
Value 11
Name: 011
Type: REG_SZ
Data: dnse.dll
Value 12
Name: 012
Type: REG_SZ
Data: ld.exe
Value 13
Name: 013
Type: REG_SZ
Data: *.gid
Value 14
Name: 014
Type: REG_SZ
Data: *.cpl
Value 15
Name: 015
Type: REG_SZ
Data: download
Value 16
Name: 016
Type: REG_SZ
Data: *.mp3
Value 17
Name: 017
Type: REG_SZ
Data: *.exe
Value 18
Name: 018
Type: REG_SZ
Data: *mp3.exe
Value 19
Name: 019
Type: REG_SZ
Data: download.mp3.exe
Value 20
Name: 020
Type: REG_SZ
Data: download.mp3
Value 21
Name: 021
Type: REG_SZ
Data: mp3.exe
Value 22
Name: 022
Type: REG_SZ
Data: Video
Value 23
Name: 023
Type: REG_SZ
Data: *.wav
Value 24
Name: 024
Type: REG_SZ
Data: *.dot
and 7. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
Key Name: HKEY_USERS\S-1-5-21-2535869258-4062848261-2145253753-1005\Software\Microsoft\Search Assistant\ACMru\5603
Class Name: <NO CLASS>
Last Write Time: 02/06/2004 - 3:02 PM
Value 0
Name: 000
Type: REG_SZ
Data: *.tmp
Value 1
Name: 001
Type: REG_SZ
Data: windows.exe
Value 2
Name: 002
Type: REG_SZ
Data: teen.exe
Value 3
Name: 003
Type: REG_SZ
Data: load.dll
Value 4
Name: 004
Type: REG_SZ
Data: dia4.exe
Value 5
Name: 005
Type: REG_SZ
Data: sys.exe
Value 6
Name: 006
Type: REG_SZ
Data: run_cd.exe
Value 7
Name: 007
Type: REG_SZ
Data: zshell.js
Value 8
Name: 008
Type: REG_SZ
Data: netd.exe
Value 9
Name: 009
Type: REG_SZ
Data: wsock32.exe
Value 10
Name: 010
Type: REG_SZ
Data: regsv32.exe
Value 11
Name: 011
Type: REG_SZ
Data: dnse.dll
Value 12
Name: 012
Type: REG_SZ
Data: ld.exe
Value 13
Name: 013
Type: REG_SZ
Data: *.gid
Value 14
Name: 014
Type: REG_SZ
Data: *.cpl
Value 15
Name: 015
Type: REG_SZ
Data: download
Value 16
Name: 016
Type: REG_SZ
Data: *.mp3
Value 17
Name: 017
Type: REG_SZ
Data: *.exe
Value 18
Name: 018
Type: REG_SZ
Data: *mp3.exe
Value 19
Name: 019
Type: REG_SZ
Data: download.mp3.exe
Value 20
Name: 020
Type: REG_SZ
Data: download.mp3
Value 21
Name: 021
Type: REG_SZ
Data: mp3.exe
Value 22
Name: 022
Type: REG_SZ
Data: Video
Value 23
Name: 023
Type: REG_SZ
Data: *.wav
Value 24
Name: 024
Type: REG_SZ
Data: *.dot
I hope some of this makes sense to you. Apart from whatever it was that S.T.A.R. has asked about (will look at that shortly), have I covered all of your queries yet or have I missed anything?
Over to you
Floss

S.T.A.R
No - they don't look anything like that - they look like this. Which makes as much sense to me as fish phoning their insurance companies - I shouldn't panic - it's probably only a shell company and sounds pretty fishy to me :0)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
Floss
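An O16 - DPF line is HijackThis's rendering of what Internet Explorer recorded when it installed an ActiveX control: the control's CLSID, its friendly name (if registered) and the CODEBASE URL it was fetched from. The URL only tells you where the control came from; the CLSID is the handle for everything else, since the same GUID appears under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units and identifies the control in the Downloaded Program Files folder whose Properties/Dependency view S.T.A.R. describes. The script below is an added example for this thread, not HijackThis's code. It parses the O16 lines Floss posted (copied verbatim as the sample) and queues for review any control whose codebase host is not on an allowlist, whose codebase is a bare .exe rather than a CAB package, or which has no friendly name. TRUSTED_HOSTS is an assumption for the example: the analyst's own list of vendor hosts, not anything HijackThis ships.

```python
"""Triage HijackThis O16 (Downloaded Program Files / ActiveX) lines.

Added example for this thread, not HijackThis's own code. SAMPLE_O16 is copied
from the log posted in the thread; TRUSTED_HOSTS is an assumed analyst allowlist.
"""
import re
from urllib.parse import urlparse

SAMPLE_O16 = """\
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Hosts the analyst has decided to trust as ActiveX codebases (assumption).
TRUSTED_HOSTS = ("office.microsoft.com", "security.symantec.com", "fpdownload.macromedia.com")

O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)


def parse_o16(line):
    """Split one O16 line into CLSID, friendly name (or None) and codebase URL."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    return {"clsid": m["clsid"].upper(), "desc": m["desc"], "url": m["url"]}


def host_trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def triage_o16(text):
    """Return one record per O16 line with a list of reasons it needs review."""
    findings = []
    for line in text.splitlines():
        rec = parse_o16(line)
        if rec is None:
            continue
        host = (urlparse(rec["url"]).hostname or "").lower()
        flags = []
        if not host_trusted(host):
            # A CDN or unknown host does not tell you who published the control.
            flags.append("codebase host not on allowlist: " + host)
        if rec["url"].lower().endswith(".exe"):
            flags.append("codebase is a bare .exe rather than a CAB package")
        if not rec["desc"]:
            flags.append("no friendly name registered for the control")
        rec["host"] = host
        rec["flags"] = flags
        findings.append(rec)
    return findings


def review_queue(text):
    """CLSIDs to look up under Code Store Database\\Distribution Units and in the
    Downloaded Program Files folder (Properties / Dependency view)."""
    return [r["clsid"] for r in triage_o16(text) if r["flags"]]


if __name__ == "__main__":
    for r in triage_o16(SAMPLE_O16):
        print(r["clsid"], r["desc"] or "(no name)", r["host"], "; ".join(r["flags"]) or "ok")
```

Run against the posted log, this puts the FunWebProducts, xblock.com and HouseCall-via-Akamai controls in the review queue and leaves the Office, Symantec and Macromedia ones alone; the Akamai entry is a reminder that a clean vendor name in parentheses is not evidence on its own, because that text is whatever the control registered about itself.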

Floss,
"...With the actual mp3.exe file by the way it cannot actually be seen in the files and folders except when I view files in Vet..."
Understand, what you are saying, but I don't think you are understanding, what I asked you to do. So, I'll repeat it.
Open the "Downloaded Program Files" (folder), and right-click one of the program files. Then click "Properties", and then click the "Dependency" (Tab). You will be shown the files, etc., that the program file depends on, and their locations/address. Do that for each program file that you see in that folder. You are looking for the "download.mp3.exe", listed as one of the dependencies. Give the name of the program file, and all the dependency files, where you find the file in question listed/shown, ok.
Hope that's clear now. I guess, it might just be a rehash, of the response 30. If that's not clear, ask me to explain better, ok.

S.T.A.R.
OK - got that - of the 11 folders I can see in Downloaded Program Files there are no files that are dependent on mp3.exe or download.mp3.exe - there are 13 files that are dependent on Downloaded Program Files but not mp3 etc.
Allowances for age have to be made!
Floss

Floss,
Is the trojan horse still on your pc? There was no reference to the download.trojan in the registry keys I reviewed. Two more rounds of questioning from me, then you might want to utilize Symantec's free online support to see if they can find this "ghost" trojan horse, or post the hijackthis log in a different support forum, unless STAR has some input. I would be interested to know what Symantec has to say if you do get an answer from them before your trial run ends.
But first about the hijackthis log,
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
These two websites, http://fpdownload.macromedia.com and http://www2.incredimail.com, look suspicious to me, but I don't know how to read or interpret the log and can only guess how to get to them in the registry (searching by the ID numbers, for one). STAR, are they of any significance?
In addition, these two cab files may have something to do with either an infected file being compressed and why we can't find Download.mp3.exe, or the Read-Only temp files, which prompts me to ask...
Floss, after NAV detected Download.mp3.exe is infected with download.trojan, what action did you take? Did you get any error messages? Could you have quarantined, repaired, or deleted the malware file?
If Download.mp3.exe is part of a compressed file, then according to Symantec Document ID:2000060418153206, you could determine the name of the infected file by finding the compressed file in the NAV Activity Log and then search to delete the associated files. Check out the log and see if that applies in this case.
Relating to the 5 read-only temporary files:
1. Double-click to open the temp files to see if you recognize the information, if they can be deleted, and if there are any references to the trojan horse or the URLs associated with the two questionable websites from the posted hijackthis log.
2. Follow through with the steps in the Symantec Document "Norton Antivirus displays the message "Unable to repair, quarantine or delete..." when detecting an infected file" to delete the read-only temp files (or save them somewhere else) to remove the compressed malware files.
http://service1.symantec.com/SUPPORT/nav.nsf/396b6ccde72d4a4d882569fc006071d4/b06295358f269d6d88256d27005a8eb4?OpenDocument&src=bar_sch_nam
Make sure you do the last step for XP to terminate the Services to locate download.mp3.exe.
Of the registry subkeys I looked at, there were no references to the trojan, but I need to follow up on a few points:
1. Check and confirm nwiz.exe is from the company nVidia and not from Norton Wizard. The same exe file with Norton Wizard's signature would be a virus.
2. Please post the registry values for 3 new keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
3. I didn't get the loading feature for,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
Do you have two Run folders like I do (Run and Run-)? Please confirm if you don't have a Run- folder. You posted the value for one of the Run keys okay, but I didn't get the value for the second Run key (Run-) if there is one. You seem to have posted the subkey of Run (OptionalComponents and etc.) instead.
You just need to double-click to open the Run- folder on the left panel to display the value for the Run- key (the value for the subkey is always on the right panel); the registry keys work exactly the same way as Windows Explorer. Please then, export, save, and then post .reg file as before.
If there is no value (a blank right panel) when you open the Run- key, confirm to describe that there is no data value, or I can't tell; but if there is anything on the right panel, including the word "{default}", post the data value as it is, or tell me what I should see as you do on the right panel if the exported .reg file looks different. It shouldn't be unless there is no subkey value.
4. I also didn't get the value for, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
You posted the key but not the value for the key. If there is no value (blank right panel), please describe or confirm.
5. Search, locate, and note all registry subkey locations for the malware path and file name detected earlier. Type in the Registry Find dialog box, C:\WINDOWS\Downloaded Program Files\download.mp3.exe. Again, either select the "Find Next" button or press F3 for the next search result until the registry finder notifies you that the search is completed.
Export and post all registry files to show where the malware path and files are in the registry.
Thanks.

Floss,
Although you said you didn't have any browser problems, let's take a look at two other common loading points for viruses/trojans for clues. If, after you have done the steps described in the above response, the download.trojan remains, would you please post the .reg files for two more registry keys in addition to the ones requested above:
HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main
I did a search on Google.com, and according to the responses available for hijackthis logs, Shockwave Flash Object and Shockwave ActiveX Control from http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab are trouble-free. Questions remain unanswered for the downloaded programs from www.xblock.com and www2.incredimail.com, however.
As another option, if the trojan horse is not removed after we have done the steps above and no hijackthis or Symantec expert has responded, then if you post your most updated hijack log after you run another updated Ad-aware and antivirus scan, with your knowledge and experience using the software, I can tell you the identifiable system files, registry entries, and BOH that need to be deleted either from Hijackthis or the registry directly if you can't get anyone to respond to your log. I just can't direct you how to use the Hijackthis software because I haven't used it. We can research any questionable files if need be. Some of the hijackthis support forums however are very user-unfriendly, which is partially the reason why I am still sitting on the sideline on using this software.
Issues relating to Microsoft and antivirus software updates take up enough time.

Hi Top Speed
OK - at great expense to the Management (!) and against my better judgement and principles I downloaded the trial version of Norton - despite the fact that the DSL seemed to be on a slow go.
I have run the Virus Scan - it found one virus (our friend download.mp3.exe) and fixed it. I have checked in the Vet folder and it is there no longer!!
Do you still want me to go ahead and try Response 44 and 45 - if the virus has been fixed do we still need to check the Registries?
My other concern at this stage is why VET did not find it but Norton did - I am loathe to use Norton as I have had major problems with it in the past and would like to remove it from my computer as soon as possible but as it seemingly has found more than VET I am scratching my head as to what to do.
Your expertise would be greatly appreciated.
Floss

Floss,
Great news and congratulations! Finally, I could stop dreaming about download.mp3.exe in my sleep!
Often there are additional required steps to remove the malware manually even when the antivirus removed it automatically depending on the type of security threat. I go by the virus encyclopedia as defined by the antivirus vendor.
The virus pattern file probably made the difference here as far as why Norton picked up the trojan horse while Vet did not. It is a good idea to run at least two different antivirus scans. I bought Symantec Internet Security a few years ago to protect my data and had no clue what to do with the quarantined files and didn't find much help on the Symantec website. Now, I just use free antivirus from TrendMicro and Norton and Ad-aware from Lavasoft and force myself to learn to be more engaged with dealing with computer security threats. Surprisingly, I now find Symantec's Support Search engine and support documents useful. I guess the upside of experiencing computer problems is that one does gain skills and confidence in operating and caring for one's computer. I would be interested to know, of all the antivirus you are using, which ones you prefer and why, and which ones I should not waste my time and money on, when you are ready to make the judgment.
Did the latest Norton scan or log disclose any new information about download.mp3.exe and the associated files?
It's up to you how far you want to take this. But I suppose if the latest Norton scan didn't offer any additional information about the Download.Trojan, we could compare the before (the old hijackthis log before the download.trojan was removed) and after hijackthis logs to see what files have been removed and then search virus encyclopedias to see if there is a description of how this trojan horse worked and why we couldn't locate this infected file. Besides, I might spot something that should be removed on the log for you, but I am not making any guarantees since I have no experience with the software and am just working from my knowledge base and reference materials on the Windows registry and system and startup files.
Where do you go to get expert help on Hijackthis? Do you find the Hijackthis support forums yield sporadic results and are quite time-consuming? Do you find the software useful?
Also, it's good to know that Spybot works well for you. What purpose does Spybot Search and Destroy serve, and how is it different from Ad-aware?
You probably know more about the workings of hijackthis and how to post a fresh hijackthis log than I, but I assume you should update and run ad-aware and antivirus and reboot the computer to get the latest log if you want to post the two logs.

It does bother me a little why we can't locate this detected file. Let's hope it's not Norton's marketing ploy as you suspected to get you to buy their products.

Hi,
I was wondering why, if I may ask? If you knew the name of the Trojan/Virus file, why didn't you just go to your command prompt? Reboot your computer in safe mode and go to DOS; there you would have to navigate to the directory and more than likely would've seen the file. I had the Urbin virus and my McAfee found it but couldn't delete it. I went to the command prompt and found it and tried to delete it but it stated Access Denied. So, I rebooted in safe mode and went back, found it again and then deleted it. Then when I ran McAfee again it found the exe program and another DLL in two different restore points, which I have turned off. By doing that it wiped it out, of course it wiped out my restore points too. I was just wondering. Thanks.
Thanks,
Jim

Thanks, Jim. Appreciate the information, and the steps taken in DOS worked. I chose to remove the infected file in DOS last because I wanted to have a chance to look over the registry keys before I removed the infected file. The reasons are: first, I didn't want to leave any uploading system, program, or DLL files behind if I could avoid it (looks like System Restore and antivirus would have taken care of these issues); and second, because we couldn't get to the infected file that was detected outside of the _Restore folder and there were no apparent error messages, I wanted to look at the registry to see what is causing this file access gap (detected but can't be accessed or seen) before I removed the infected file.
Also, having the System Restore feature seems to be a mixed blessing. Since I couldn't see the _Restore directory, I thought it would be complicated and difficult to determine where this infected file is in relation to the data volume in System Restore in order to direct Floss to remove it. I wanted to avoid trouble-shooting System Restore issues relating to resizing or manually purging the data store remotely. Any tips on how to trouble-shoot and purge the exact restore points remotely in an easy and safe way? Was it fairly transparent? Did you wipe out the restore points in the System Restore tab, and could the infected file in _Restore be removed directly from DOS instead?
Was your Urbin-infected file detected outside of the _Restore folder as well?
Although we don't have a complete picture of what was in the registry, do you have an explanation of why an infected file outside of the _Restore folder couldn't be seen or accessed in Windows yet was detected? Something to do with the shell or Explorer or the type of Trojan horse?

Hi Top Speed,
All that you have said are very good points! Yes, the virus I had was detected first in the "Windows\System32" directory. This at the time was the ONLY file found to be infected. The file was "Msvsres.dll" and the only way I could see it was through MS-DOS. But even then I couldn't delete it because I was denied access to it. So, I decided to reboot in Safe Mode and go through MS-DOS again. It was then that I could delete it. After that, while still in Safe Mode, I ran McAfee again and that's when it came up with the rest of the virus in two different restore points. One was another DLL file and the other was an EXE file. McAfee was able to delete those two files. However, after learning that the A-holes like to store and run their viruses from the restore points, and with the advice of others that have posted here, I have decided to turn off that option, thereby wiping out all restore points. I will no longer have it turned on. The times that I have tried to do a restore, it didn't work and I had to reformat the hard drive anyway. So, for me, I can live without that option. Take care,
Thanks,
Jim

Very interesting. It's very common to have associated malware files, such as .dll, .com, or .exe files, in the system folder. Often they can be identified or released from three places (msconfig Startup, the Task Manager, and the Windows Temp folder) and traced to the System folder and the registry Run or other subkeys. But I thought it was interesting in Floss's case to have a detected malware file that "can't be traced" anywhere (although our search was somewhat incomplete), that can't be located, and that produces no error messages, yet was detected.
I was researching another antivirus issue that made me wonder whether installing antivirus programs in Safe Mode, and in the case of XP/NT/2000 systems after doing a clean boot in general, would be a preferred method of installing and running antivirus programs, and whether it may prevent this discrepancy between detection and access. See the Symantec article below:
http://service1.symantec.com/SUPPORT/nav.nsf/b69c799adfa31ecc85256aa30052f4d0/53839793a3a37c2288256ac600484c28?OpenDocument&src=bar_sch_nam
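The thread's manual-removal routine (list the raw folder contents from a prompt rather than from Explorer, check the Run keys, the Startup folders and the Temp folder, look for files written on the date the scanner reported, then delete from Safe Mode if the delete is refused) can be written down as one script. The block below is an added example, not code posted by anyone in the thread, and it is written for Windows PowerShell on a later Windows rather than for the XP-era DOS prompt the posters used; the folder paths and the date are illustrative assumptions. One detail explains the "detected but not visible" gap: Explorer presents Downloaded Program Files as a shell namespace view of registered ActiveX controls, not as a plain directory listing, so files that sit in that directory on disk but are not registered controls are shown by `dir /a` (or `Get-ChildItem -Force`) and not by Explorer.

```powershell
# Added example (not from the thread): read-only triage of the places the
# posts above name, plus a deletion helper that reports Access Denied instead
# of failing silently. Assumes Windows PowerShell run as an administrator.
# $Day and the Temp/DPF paths are illustrative assumptions, not real findings.

$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders on XP (All Users profile) and on Vista and later (ProgramData).
$StartupFolders = @(
  [Environment]::GetFolderPath('Startup'),
  (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'),
  (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

function Get-RunKeyEntries {
  # Equivalent of the msconfig Startup tab: every value under the Run/RunOnce keys.
  foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
      New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
  }
}

function Get-RawFolderListing {
  param([string]$Path)
  # -Force includes hidden and system files, like "dir /a" at the DOS prompt;
  # this is the on-disk view, not Explorer's namespace view of the folder.
  Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object Name, Length, LastWriteTime, Attributes
}

function Find-FilesWrittenOn {
  param([string]$Path, [datetime]$Day)
  # The scanner gave a download date; look for anything written that day.
  Get-ChildItem -LiteralPath $Path -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime.Date -eq $Day.Date }
}

function Remove-SuspectFile {
  param([string]$Path)
  # Try the delete and say why it failed; an UnauthorizedAccessException is the
  # "Access Denied" the posters hit, which is the cue to retry from Safe Mode.
  try {
    Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
    "Deleted: $Path"
  } catch [System.UnauthorizedAccessException] {
    "Access denied: $Path (file is in use or ACL-protected; reboot to Safe Mode and retry)"
  } catch {
    "Failed: $Path ($($_.Exception.Message))"
  }
}

# --- Triage run -----------------------------------------------------------
$Day = Get-Date '2004-03-29'                      # date reported by the scanner (assumed)
$Dpf = Join-Path $env:WINDIR 'Downloaded Program Files'

"== Run / RunOnce entries =="
Get-RunKeyEntries | Format-Table -AutoSize

"== Startup folder contents =="
foreach ($f in $StartupFolders) { Get-RawFolderListing -Path $f }

"== Raw listing of Downloaded Program Files (what Explorer hides) =="
Get-RawFolderListing -Path $Dpf | Format-Table -AutoSize

"== Files written on $($Day.ToShortDateString()) in DPF, System32 and Temp =="
foreach ($p in @($Dpf, (Join-Path $env:WINDIR 'System32'), $env:TEMP)) {
  Find-FilesWrittenOn -Path $p -Day $Day | Select-Object FullName, LastWriteTime
}

# Deletion is deliberately not run automatically; call it once you have the path:
#   Remove-SuspectFile -Path 'C:\WINDOWS\Downloaded Program Files\suspect.dll'
```

The triage part only reads, so it is safe to run before touching anything; compare the raw listing against what Explorer shows to confirm the namespace-view explanation, and cross-check each Run entry's command path against the dated files before deleting. If `Remove-SuspectFile` reports access denied, that matches the posters' experience: reboot to Safe Mode (so the loading process is not running) and run the same delete again.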
