Trojan Virus

Original Message

Name: Floss
Date: May 18, 2004 at 17:53:45 Pacific
Subject: Trojan Virus
OS: Windows XP Pro 2002
CPU/Ram: 2.8 CPU 256 RAM

Comment: I have been running and updating Vet daily and have not found a problem. I did a check with Symantec and it said that there was a Trojan found in Windows Downloaded Program Files. I have checked in that folder and it does not show me the file mentioned (even with show hidden files). Vet has checked the folder again and does not come up with a problem - although I can see the file referred to in the Vet programme. Why would Vet not find the problem - if there is one? The file apparently was downloaded on 29/3/04 but does not show up when I check for any files downloaded on that date at the appropriate time. Help on this would be appreciated - thanks, Floss

Response Number 1

Name: Top Speed
Date: May 19, 2004 at 02:18:11 Pacific
Subject: Trojan Virus

Reply: Floss, Go to the Downloaded Program Files folder. Right-click on any downloaded program file dated 29/3/04. Select Properties. Select the Version tab. Do you see the Trojan infected file under the Version tab?

Also, disable System Restore in XP and do a Find of the same infected Trojan file to locate other possible file paths. If your UPDATED antivirus program cannot remove the infected file, you should remove it manually. If you need instructions on removing the Trojan infected file manually, let me know the name of the Trojan and the infected file name and path. Top Speed

Response Number 2

Name: Top Speed
Date: May 19, 2004 at 02:31:33 Pacific
Subject: Trojan Virus

Reply: I meant to say, the Version tab should show the company name, and do you see the Trojan infected file under the Dependency tab?

Response Number 3

Name: Floss
Date: May 19, 2004 at 15:25:01 Pacific
Subject: Trojan Virus

Reply: Thanks for the reply. OK - when I go to the Downloaded Program Files folder under My Computer it does not show the actual file that is supposed to be infected. Show all files is turned on. The same happens under Explorer. The number of files shown is 10 but when I check under properties there are 48 files. The only way I can actually see the file is to go into Vet and view the folder from there and I can then see 48 files - but of course I can't do anything with the file under Vet. I happened to be on the Symantec site the other day and it had a section showing "Check your computer for Viruses" so I set it off - and it came up with the note that one Trojan had been found - and named the file - but did not give any other details. I was loath to disable System Restore as it will remove all previous restores but it looks as though I may have to do that if I can't find the file any other way than through Vet. I have told Vet to scan that particular file and it says there is not a problem with it. Change to another antivirus program?? Ideas would be appreciated, thanks! Floss

Response Number 4

Name: Top Speed
Date: May 19, 2004 at 15:54:19 Pacific
Subject: Trojan Virus

Reply: For Windows XP systems, it's correct to disable System Restore before running antivirus, so the program can identify possible infected EXE and COM backup system files. Be sure to disable System Restore each time you run antivirus. I used to buy Norton antivirus from Symantec and haven't used it for a long time. I use free antivirus from Trend Micro and also learned a lot about malware removal from Trend Micro. No antivirus can provide automatic removal 100% of the time, so you will have to remove the malware manually, and Trend Micro offers manual fixes in their virus encyclopedia, which I like a lot. It's up to you how involved you want to be in the DIY approach. Did you write down the Trojan and infected Trojan files identified by Symantec? It's easier for me to assess the situation if I know the Trojan name and file paths. Top Speed

Response Number 5

Name: Floss
Date: May 20, 2004 at 04:41:09 Pacific
Subject: Trojan Virus

Reply: Top Speed, OK, have disabled System Restore, run Vet, it scanned 80545 files and still no virus found. Then went to Trend Micro and ran the checker - that came up with 48202 files - but no virus. Went back to Symantec - it found 50714 files - and a virus. The Status shows - 1 file infected on your disk - no viruses were detected in memory. The virus listed is Download.Trojan. The infected file is in C:\Windows\Downloaded Program Files. I have checked the C drive for the named file and it will not find it - I still cannot see that file in the folder specified apart from in Vet. There are still only 10 files that I can see in the specified folder although Vet can see 48. Next move please! Thanks a million, Floss

Response Number 6

Name: Top Speed
Date: May 20, 2004 at 10:18:37 Pacific
Subject: Trojan Virus

Reply: Understood. Are you saying that the Symantec antivirus only identified the virus as Download Trojan without a specific file name with a proper file extension? How do we know it's the same file as the one seen in Vet? What is the file name with the extension seen in Vet? What file name did you search under? We could remove the virus either automatically or manually as long as it is on your OS, but we should identify and know what specific malware file(s) this Download Trojan is and where it resides to remove it, so I can be sure to direct you to delete the right file in the right directories and know we have removed it completely. What I was asking for was the name(s) of the Download Trojan file name(s) identified by Symantec if any and seen in Vet. What is the whole file name including the extension, whether it is an EXE, COM, or DLL, etc.? For example, C:\Windows\Downloaded Program Files\filename.xxx We shouldn't move forward until we get the affected file name for this Download Trojan. If the antivirus didn't provide you a specific Download Trojan file name with an extension, we need to do some digging. Please do the following so we are on the same page.

RECONFIGURE WINDOWS EXPLORER FROM VIEW MENU:
1. To show all files, then do a search or find of the file with the file extension. In Windows Explorer, do Show All Files by going up to the View menu bar, select "Folder Options," click View tab, under Files and Folders and under Hidden Files folder, select "Show all files." And "Hide file extensions for known file types" should be unchecked. [Remember to restore the configuration to deselect "Do not show hidden or system files" after the virus removal process is over and done if you want.]

DO A SEARCH OR FIND OF THE FILE DETECTED BY SYMANTEC AND VET
1. Usually, we do not need to do this because the antivirus program shows the directory path for the malware file.
2. Let me know the file names and paths with file extensions if any detected by the antivirus programs as they appear from Symantec and Vet.
3. Then, do a Search or Find, select "My Computer" in "Look in" box. Write down the search result of the folders where the malware is found.

RUN TREND MICRO ANTIVIRUS TO IDENTIFY DOWNLOAD TROJAN
If you don't mind, either tell me which Trend Micro antivirus you ran, or I'd like you to update the free software again after the initial Housecall free scan. If you already ran the free online Housecall scan, please download and install the free Sysclean Package described below. Both the scan engine and matching virus pattern file (a zip file) have to be updated with each download.

For first time Trend Micro antivirus program users: Find free online virus scan at http://housecall.trendmicro.com/

For subsequent Trend Micro users, either purchase or download free antivirus software updates: For free automatic removal of malware after initial free online scan, use Trend Micro System Cleaner (working well for me and recommended if you want automatic removal of the latest malware). A free update of this automatic removal software is available for both the matching scan engine and virus pattern file; both should be updated at the same time. Make sure you read the readme.txt for specific instructions, but basically the sysclean program should be installed in the same folder as the latest unzipped virus pattern folder.

For free antivirus update after the initial Housecall antivirus scan, download and run Free Sysclean Package: http://www.trendmicro.com/download/dcs.asp
Free matching update of latest virus pattern file: http://www.trendmicro.com/download/pattern.asp

Did Sysclean remove or identify the Download Trojan file(s)? Top Speed

Response Number 7

Name: Floss
Date: May 20, 2004 at 23:27:00 Pacific
Subject: Trojan Virus

Reply: Hi Top Speed, And the answer is zip, zilch and zero. OK - steps taken:
1) All files under Hidden Files were showing.
2) All extensions under Known File Types were showing.
3) All Protected Operating System Files were showing.
4) Ran Search of C Drive under Windows Explorer for specified file (which is called "download.mp3.exe") for any file by the name of download.mp3.exe. No results.
5) Ran another search in C drive for any file with *mp3.exe. No results.
6) Ran another search in C drive for any file with *.exe - 1478 files but none of them were under C:\Windows\Downloaded Program Files and none of them had mp3 or download against them.
7) Did a search of C drive for a file containing the word mp3 - 118 files of which 36 were in C:\Windows but none with Downloaded Program Files.
8) Repeated searches 4, 5 and 6 against My Computer as opposed to C Drive just in case it came up with a difference! It didn't.
9) Ran Symantec Security Check again (actual details at the bottom of this list) - found 1 infected file.
10) Ran the free online Housecall scan last night but ran it again after doing the searches. Found nothing.
11) Downloaded the Free Sysclean Package and the latest virus pattern file - ran this but Sysclean did not find the Download Trojan file.
12) Went into Vet - file is still visible but can only copy, scan, select all or invert selection.

So the only way it is found is either by going into Vet - or believing Symantec that the file is infected. The actual result from Symantec says - "59714 files scanned, 1 file(s) infected on your disk drives. No viruses were detected in memory. Your computer is infected with at least one known virus or Trojan horse. Search for the name of the virus(s) listed below on the Symantec Security Response site for removal information.
C:\WINDOWS\Downloaded Program Files\dowload.mp3.exe is infected with Download.Trojan"

I can't see that it would be any help but I have AdWare running and Spybot - but they would not really find a virus. Difficult to remove if I can't find it anywhere else but Vet - and why can't it be seen when doing a search throughout the computer? Am now at a complete loss as Symantec are the only ones that detect it as a virus!!! Bright ideas please!!! (I hope you regard this as a challenge!!!!) Floss

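The Explorer setting Top Speed asks Floss to change in Response 6 ("Hide file extensions for known file types" unchecked) is what makes the filename she reports here, download.mp3.exe, readable as an executable at all: with hiding on, Explorer drops the final .exe and shows the file as download.mp3. The script below is an added example, not code from the thread or from any product named in it. It models that display rule and walks a folder tree for executables whose displayed name ends in another type's extension, which is the disguise a double-extension name relies on. The extension sets and the sample folder tree are constructed for illustration (Windows takes the real list of "known" types from the registry), and the script does not look at the Hidden or System attributes that Explorer's other setting controls.

```python
"""Show how "Hide extensions for known file types" disguises a double-
extension executable, and walk a folder tree looking for such names.

Added example, not part of the original forum thread. The extension sets and
the sample files are constructed for illustration; Windows takes the real
list of "known" types from the registry.
"""
import os
import tempfile

# Extensions Explorer typically hides with "Hide extensions for known file
# types" on (assumed subset; the real set is per-machine).
KNOWN_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".dll",
                    ".txt", ".mp3", ".jpg", ".doc", ".zip"}

# Extensions Windows runs directly when the file is double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def explorer_display_name(filename):
    """Name Explorer shows with extension hiding on: the last extension is
    dropped if it is a known type, so 'download.mp3.exe' shows as 'download.mp3'."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in KNOWN_EXTENSIONS and stem:
        return stem
    return filename


def is_deceptive(filename):
    """True when the file is executable but its displayed name ends in a
    non-executable type's extension (e.g. .mp3), inviting a wrong guess."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    inner_ext = os.path.splitext(stem)[1].lower()
    return inner_ext in KNOWN_EXTENSIONS and inner_ext not in EXECUTABLE_EXTENSIONS


def find_deceptive_files(root):
    """Walk root and return (relative_path, displayed_name) for every
    deceptive double-extension executable, sorted for stable output."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_deceptive(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append((rel, explorer_display_name(name)))
    return sorted(found)


def build_sample_tree():
    """Create a constructed folder tree that mimics the layout in the thread.
    File contents are placeholder bytes, not real programs."""
    root = tempfile.mkdtemp(prefix="dpf_demo_")
    dpf = os.path.join(root, "WINDOWS", "Downloaded Program Files")
    music = os.path.join(root, "My Music")
    os.makedirs(dpf)
    os.makedirs(music)
    for path in (
        os.path.join(dpf, "download.mp3.exe"),   # the name Symantec reported
        os.path.join(dpf, "ActiveXControl.dll"),  # ordinary cached control
        os.path.join(music, "song.mp3"),          # a real media file
        os.path.join(root, "readme.txt"),
        os.path.join(root, "photo.jpg.scr"),      # screensaver posing as a photo
    ):
        with open(path, "wb") as f:
            f.write(b"placeholder bytes, not real content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, shown in find_deceptive_files(sample_root):
        print(f"{rel}  (Explorer would show: {shown})")
```

Run against the constructed tree it reports two files: the Downloaded Program Files entry that would display as download.mp3, and photo.jpg.scr, which would display as photo.jpg. A real search should be run with the hiding setting off, as Top Speed advises, or with a tool that reads names straight from the filesystem rather than through the shell view.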
Response Number 8

Name: Ad-Am
Date: May 21, 2004 at 04:22:52 Pacific
Subject: Trojan Virus

Reply: Hi Floss, just one thing: in Windows XP, Search => More advanced options => Search hidden files and folders. Did you use it? Ad-Am

Response Number 9

Name: S.T.A.R.
Date: May 21, 2004 at 06:32:06 Pacific
Subject: Trojan Virus

Reply: Floss, I'm going to ask, if you've tried either Adaware or Spybot S&D (updated of course), to take care of this problem. If you have, and neither helped, you could use HijackThis, to get rid of it. That, can be found here, and help, for the entries here. Precisely the 016, 016-DPF ones. The reason I ask, is it's most likely spyware/adware. Just an opinion. Good Luck

Response Number 10

Name: Top Speed
Date: May 21, 2004 at 11:02:08 Pacific
Subject: Trojan Virus

Reply: Floss, Thank you very much. The Symantec detection message is exactly what I needed: "C:\WINDOWS\Downloaded Program Files\dowload.mp3.exe is infected with Download.Trojan" Now that we have identified the malware, we are close to removing it. We have to find it, stop it from running, and then remove the affected files, possibly from the registry.

STEP II: TERMINATE MALWARE FROM MEMORY
You will need the name(s) of the file(s) detected earlier. In your case, it's (there might be more, but this mp3 file is the starting point): C:\WINDOWS\Downloaded Program Files\dowload.mp3.exe

Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab. Note: Task Manager running on Windows 95/98/ME may not show certain processes. If you are not sure about your task programs, you could use a third party process viewer to identify suspicious or unknown files. I use Process Explorer, a freeware from Sysinternals.com, http://www.sysinternals.com/ntw2k/freeware/procexp.shtml to help me identify unknown processes and company names.
1. Assume with Windows XP, you have no problem identifying processes running with your Task Manager, and with or without the help of Process Explorer, do you see your detected malware file, download.mp3.exe?
2. In addition to the previously detected malware filename, download.mp3.exe, do you see any other unknown or suspicious programs running? If you aren't sure, use Process Explorer I mentioned before to help you identify the processes running.
3. Write down and list any processes with .exe, .dll extensions running in your Task Manager as well. These are the files you have to track down and remove in Windows system, msconfig Startup, Program Files folders, and the registry depending on the malware files.
4. Select detected malware files one at a time and select "End Task" for Windows 98. It might be End Process for XP.

Let us know what you found and what detected malware files you terminated in Task Manager.

Response Number 11

Name: Top Speed
Date: May 21, 2004 at 14:52:05 Pacific
Subject: Trojan Virus

Reply: Floss, In case it was not clear, identify, notate, and terminate MALWARE files only in Task Manager. There are legitimate processes running in Task Manager that should not be terminated.

Response Number 12

Name: Floss
Date: May 21, 2004 at 18:46:39 Pacific
Subject: Trojan Virus

Reply: Hi Top Speed, We're back to zilch, zip and zero. I opened Task Manager but there were several processes that I was not sure about so I downloaded Process Explorer and checked on that. The only one I really wasn't sure of was an nvidia.32 - but that one is fine - it's part of the graphics on the Toshiba. Apart from that it showed no processes that shouldn't be running. There was nothing with mp3.exe and no suspicious programmes - I double checked most of them under Properties just to be on the safe side. There appeared to be no malware files at all! I had already checked with Adware and Spybot and will try HiJack (see S.T.A.R.) whilst I wait for your next thought. Floss

Response Number 13

Name: Top Speed
Date: May 22, 2004 at 09:28:16 Pacific
Subject: Trojan Virus

Reply: Floss, Appreciate you being thorough when troubleshooting, and it helps. Not finding download.mp3.exe and other malware in Task Manager would make sense since you mentioned that Symantec noted that no virus was detected in memory, but I just wanted to double check. Try hunting for your Download.Trojan in the following three ways:

SEARCH FOR SUSPICIOUS PROGRAM INSTALLATION
1. Click Start>Settings>Control Panel. Double click Add/Remove Programs. Do you see any questionable or suspicious program installed, or names of vendors you are not familiar with? Do you have either "download.mp3.exe" or "Live On1ine Porta1" on the list?
2. Uninstall the downloaded program of the malware from the system: Click Start>Settings>Control Panel. Double click Add/Remove Programs. Select the program "Live On1ine Porta1". Click the Add/Remove... button. NOTE: Make sure System Restore is disabled to uninstall the program (as when running antivirus).

CHECK MSCONFIG STARTUP TAB FOR MALWARE
Start>Run>type msconfig>click Startup tab. Scroll and review all startup programs. Identify any startup programs from unknown or suspicious vendors and/or relating to download.mp3.exe.

CLEAN & SEARCH
1. Delete all *.tmp and *.gid files. Right-click Start>Find. Type in Name box, *.tmp. Look in the hard drive your Windows is installed on. Highlight all temp files and delete. Repeat search and delete with gid files, type *.gid.
2. Delete all Temporary, Internet Temporary Folder, cookies through Windows Explorer. Go to your system folder in Windows Explorer, double-click Internet Temporary folder to open, select all files and delete. Still in the system folder, double-click to open your Temporary folder, select all and delete. Report any files or folders not removed. Note: System is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
3. Empty Recycle Bin.
4. State the outcome for the following 4 searches for detected malware file in Find: All Files dialog box. In Named type *.exe. Click the Browse button to display Downloaded Program Files folder in Look In. Select to "include subfolders". Find. Repeat the above search in Downloaded Program Files for *.mp3. Repeat the above search in Downloaded Program Files but type download in Named. Search for Download.mp3.exe by using the Date tab and the date range you find most appropriate to include 29/3/04.

Response Number 14

Name: Top Speed
Date: May 22, 2004 at 12:09:52 Pacific
Subject: Trojan Virus

Reply: Floss, One thing to consider is that since we already have the detected malware filename, it might be better to remove it manually first and search and edit in the Windows registry if we have to. The more unnecessary software you download and install (free or not), the more you put your pc at risk of exposure and complications and still with mixed results. You can always install more software later. It's up to you. Just keep me updated on what changes you have made and if we should move forward. I do not know how to use HijackThis. Besides, I wouldn't want to broadcast a log of my computer files on the Internet personally.

Response Number 15

Name: Top Speed
Date: May 22, 2004 at 17:44:19 Pacific
Subject: Trojan Virus

Reply: Hi Floss,
Seven more ideas for you to find and remove your trojan infected file, Download.mp3.exe. Four finds are maybes from Symantec and three ideas are from me. Although I like my ideas, you may find certain Symantec issues relevant that I wasn't aware of, so see what suits you. BTW, do you have any idea about how this download.mp3.exe got in your Downloaded Program Files folder, and do you have any other problems with your computer relating to this file? The information might narrow down the identification of the trojan before we edit the registry.

FOUR POSSIBLE RESOLUTIONS FOUND ON SYMANTEC
1. Symantec's technical information on download.trojan. You may want to try updating and rescanning in Safe Mode and clearing the IE Temporary Folder as instructed (not much different than what we have done but just in case). http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.html
2. Is Download.mp3.exe already quarantined by antivirus? http://service1.symantec.com/SUPPORT/nav.nsf/aab56492973adccd8825694500552355/6238f5ff586ac19e88256946006d2cf8?OpenDocument&src=bar_sch_nam
3. Did you get an "Access Denied" message? Issues relating to NAV read/write access, "unable to repair, quarantine or delete . . . access denied" when detecting an infected file, scan in Safe Mode, more issues about deleting infected files in temp and IE temp folders, and deleting infected file from MS-DOS: http://service1.symantec.com/SUPPORT/nav.nsf/396b6ccde72d4a4d882569fc006071d4/b06295358f269d6d88256d27005a8eb4?OpenDocument&src=bar_sch_nam
4. Delete infected file that is compressed. http://service1.symantec.com/SUPPORT/nav.nsf/df0a595864594c86852567ac0063608c/f85883189f254d10882568f50006815b?OpenDocument&src=bar_sch_nam

A FEW OF MY IDEAS
1. What about sending the Downloaded Program Files folder to Recycle Bin and creating a new C:\WINDOWS\Downloaded Program Files folder, and then doing a copy-and-paste of only the downloaded programs you need to keep to the new folder (DON'T Drag!)? Then, do another Symantec antivirus scan with System Restore disabled and in Safe Mode of ONLY THE NEW Downloaded Programs folder to see if the infected download.mp3.exe file gets detected. If it's not, then empty your recycle bin.
2. The fastest and most relevant resolution may be to do a search for Download.mp3.exe in the Registry and locate the keys where it is and consult the Symantec and Trend Micro trojan database to confirm the trojan type to remove it manually from the affected keys. For now, we are just searching for the infected file to see if it exists so you don't need to do a backup of the registry if you are careful not to alter any values or data. To open Registry Editor in Windows 98 for example, Click Start>Run> type regedit, click Ok. Select Edit>Find, under Look at, Keys, Values, Data should all be checked off. In Find What, type your malware filename, download.mp3.exe. Click Find Next. Here are the instructions on how to backup your registry if you need it. http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617
3. If we still can't find download.mp3.exe in the registry, we could still do a print-screen of your registry keys to locate the infected file (more on that later).

What do you think?

Response Number 16

Name: Floss
Date: May 23, 2004 at 17:30:53 Pacific
Subject: Trojan Virus

Reply: Hi Top Speed, OK - that list of instructions is enough to last a couple of days! I had the bright idea of downloading Norton Antivirus - the free trial - to see if that would help - it scanned the whole lot and came up with nothing!! I am beginning to believe that there isn't actually a virus in the file and that it's a huge ploy by Symantec to get me to buy their product!! Anyway - one of the things on your list - checking the Registry Editor. I have checked it as yd and it has found two files - ab 001 Reg_SZ download.mp3.exe and ab 002 Reg_SZ download.mp3. As of yet I have not backed up the registry but will go to the site shortly to do that - but I thought this might give you something to work on whilst I go through the other instructions. Thanks Floss

Response Number 17

Name: Top Speed
Date: May 23, 2004 at 20:59:19 Pacific
Subject: Trojan Virus

Reply: Hi Floss, You asked for bright ideas...just didn't want to disappoint. Besides, I am getting obsessed over not finding this trojan. As they say, "ignorance is bliss." The noose is getting tighter. Good teamwork. When you have time or need bedtime reading, you should read at least items #1 and #3 I found from Symantec. #3 talks about deleting a file from MS-DOS, which we may do (remind me) after removing the malware file from the registry and the system folder for a complete annihilation. I need the following information from you to identify the type of trojan before we could remove the files from the registry:
1. Let me know the results of your findings after you reviewed the installed programs in Add/Remove, msconfig Startup, and any remaining folders/files left after you emptied the IE Temporary folder and Temporary folder in your Windows system folder in Response #13.
2. Go back to the registry editor, Start>Run>regedit. Select View from menu bar, select Status Bar to display it. Now, to find the directories where download.mp3.exe is located: Select Edit from menu bar>Find> Under Look at, Keys, Values, Data should all be checked off. In Find What, type your malware filename, download.mp3.exe. Click Find Next (it's a long search). Transcribe the first search result as is seen on the Status bar, just above the Start button. Next, either select Edit>Find Next, or press the F3 key to move on to the next search for Download.mp3.exe and transcribe the result again from the Status Bar until the Find ends with a message, "Finished searching through registry, click OK." NOTE: Be careful with transcribing the paths correctly in the registry. We need the correct directories to lead us back to locating the malware files to remove them from the registry.

Response Number 18

Name: Top Speed
Date: May 23, 2004 at 21:32:03 Pacific
Subject: Trojan Virus

Reply: Windows registry information from Symantec should be fine, but make sure you look up relevant information about Windows Registry for XP either directly from www.support.microsoft.com or from Help in the Registry Editor and in Windows for supported backup and restore methods so as not to corrupt the registry.

Response Number 19

Name: Floss
Date: May 25, 2004 at 07:41:54 Pacific
Subject: Trojan Virus

Reply: Hi Top Speed, OK - bit by bit I am going nowhere - I shall report what I have done to date.
1) Add/Remove Programs - no there were no suspicious programs or vendors. Did not have "download.mp3.exe" or "Live Online Portal" on the list.
2) Check msconfig. No startup programs from suspicious vendors.
3) Remove all *.tmp files - report what is left - there are 5 files left which are reported as read only - IEC3, IEC4B, IEC6, SET3E.
4) Remove all *.gid files (what is gid anyway - not one I've come across?) - 2 left - eudora - marked as read only.
5) Delete all Temporary, Internet Temporary Folder cookies/files - done. index.dat files left.
6) Recycle bin emptied.
7) Searches done for Find: All Files "*.exe" including sub folders - no mp3 in sight.
8) Repeated search for *.mp3 - none found.
9) Repeated search for "download" - none found.
10) Search for "Download.mp3.exe" with and without date tab - no mp3 found.
11) Searched all files downloaded on that date (29/3/04) - no .mp3 files, no .exe files and the last file as being accessed was at 4.09 - the file in question was supposedly downloaded at 4.16.
12) Tried sending the Downloaded Program Files to the Recycle Bin - but I can only send the folder as I can't see the actual file - and when the folder is in the recycle bin it can only be restored - not opened.
13) Searched registry and found two - one is in My Computer\HKEY_CURRENT_USER (have written down the details carefully) and the other is in ditto but USERS - with a load of numbers etc etc which I have also checked twice - both have Software\Microsoft\SearchAssistant\ACu\5603 on the end of them.

OK - think I've covered most of the points - I did a back up of the registry but only on to the hard drive at present. I'm not sure if the noose is getting tighter on the file or my neck - do we get gold stars if we find this thing!? I shall look at the bedtime reading at another time - it's late at night and the brain is getting fuddled! Over to you! Floss

Response Number 20

Name: Top Speed
Date: May 25, 2004 at 17:22:13 Pacific
Subject: Trojan Virus

Reply: Floss, The .gid files are generated when you search in a help file, so like .tmp files, they could be deleted. Let's hope this Download.Trojan is no more than a downloader of another trojan or backdoor trojan. What are the directories for the four read-only undeleted temp files, IEC3, IEC4B, IEC6, SET3E? Please list them. Right-click on the files and see what you can find out about them. Instead of asking you to search for the references to the Trojan in the registry, I am going to ask you to do a few printscreens of your registry keys to save us time, but first repeat:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode (Windows NT).
4. Run a full system scan and delete all the files detected as Download.Trojan.

PRINTSCREENS
If download.mp3.exe is still not removed by your latest anti-trackware and antivirus, then do printscreens (6) of the following two registry keys: Navigate and double-click to open each of these six registry subkeys and do 6 printscreens with all data values on the right panel fully displayed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices- (?)
And the subkeys you identified where download.mp3.exe were, including the two below:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-

For example, once you double-click to open the HKEY_LOCAL_MACHINE\... Run subkey, with the right panel fully in display, press the PrintScreen key. Select Start>Programs>Accessories>Paint, then press Ctrl+V, pressing the Ctrl and V keys at the same time to paste the Printscreen in Paint. In the Paint program, make sure all the values on the right panel are displayed fully before you post or print. Because Printscreen didn't seem to be able to post a bitmap file on the support forum when I tested it on my end (you could try posting them), you may have to print them out and fax them to me. If you have to print the registry subkey values out, you could either print in Paint, which will print them as bitmap files so I'll see what you see on your pc, or you could print the values of the registry subkey in Registry Editor as text files. Whatever you do, make sure the subkey values have the correct registry hierarchical paths clearly printed to identify them so there is no question where these subkey values belong. My incoming fax number is 914-931-1247.

Just one thing to confirm: (1) with the help of Process Explorer, you are confident that all identified processes running in Task Manager are legitimate, and the running list does not have any suspicious looking .exe file or a download.mp3.exe file; (2) that there are no unintended or unidentified programs installed in Add/Remove in the Control Panel. Once I have all the information I need stated above (including the temp files), I will be able to search the virus encyclopedia to identify the procedures to remove Download.mp3.exe.

Response Number 21

Name: Top Speed
Date: May 25, 2004 at 18:30:49 Pacific
Subject: Trojan Virus

Reply: Okay, here is the solution to posting the subkey values in the Support Forum. Open each of the six subkeys requested to display data values. Export each subkey value to a Temp folder and name the file so you can distinguish the six .reg files and identify each subkey under each registry key later (consult the previously posted link for instructions on creating registry and specific registry subkey backups). Open each .reg file with a text editor, like Notepad or Word; select to display all files *.* so you can see the .reg file. Copy and paste the texts in each of the six exported registry files and post them as you would when writing in the Support Forum. You should be able to post your subkey values this way without having to fax them.

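Top Speed's procedure across Responses 15, 17, 20 and 21 is a manual registry hunt: use regedit's Find to locate every reference to the reported filename, then export the Run-type subkeys as .reg files and read them as text. The script below is an added example, not code from the thread or from any product named in it, that does the same reading over exported .reg text: it parses the bracketed key headers and quoted string values, lists every value whose name or data mentions the filename, and marks which hits sit under the autostart subkeys Top Speed listed in Response 20. That distinction matters for the hits Floss reported in Response 19: only a value under a Run-type key starts a program automatically, while a hit under a key that merely records names (Windows XP's Search Assistant keeps recent search terms in the registry) says nothing about whether the file exists. The .reg text, the "Portal" value and the paths are constructed for illustration; load_reg_file is this example's helper for reading a real export, which regedit version 5.00 writes as UTF-16 LE with a byte-order mark.

```python
"""Scan exported Windows .reg text for references to a suspected malware
filename and report which hits sit under autostart (Run-type) keys.

Added example, not code from the original forum thread. SAMPLE_REG is a
constructed export: the value names, paths and the "Portal" entry are made up.
"""
import re

# Autostart subkeys requested in Response 20 (plus RunOnce); matched under any hive.
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run-",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-",
)

# Constructed .reg text in regedit 5.00 syntax. It is a raw string because the
# doubled backslashes and \" are exactly how regedit escapes exported strings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Portal"="C:\\WINDOWS\\Downloaded Program Files\\download.mp3.exe"

[HKEY_CURRENT_USER\Software\Microsoft\SearchAssistant\ACu\5603]
"MRUList"=hex:01,00,00,00
"001"="download.mp3.exe"
"002"="download.mp3"
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def load_reg_file(path):
    """Read a regedit export: version 5.00 files are UTF-16 LE with a BOM,
    older REGEDIT4 files are ANSI text."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def parse_reg(text):
    """Return (key_path, value_name, data) triples from .reg text.

    Quoted REG_SZ data is unescaped; hex:/dword: data is kept as its raw
    token since it cannot carry a readable filename. Continuation lines of
    long hex values match neither pattern and are skipped.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(2)          # group 1 is the "-" deletion marker
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            entries.append((key, name, data))
    return entries


def is_autostart_key(key_path):
    """True if key_path ends in one of the Run-type subkeys, under any hive."""
    upper = key_path.upper()
    return any(upper.endswith(("\\" + k).upper()) for k in AUTOSTART_KEYS)


def find_references(text, filename):
    """List every value whose name or data mentions filename (case-insensitive),
    flagging whether the containing key is an autostart location."""
    needle = filename.lower()
    hits = []
    for key, name, data in parse_reg(text):
        if needle in name.lower() or needle in data.lower():
            hits.append({"key": key, "name": name, "data": data,
                         "autostart": is_autostart_key(key)})
    return hits


def report(text, filename):
    """One readable line per hit, autostart hits first."""
    hits = sorted(find_references(text, filename), key=lambda h: not h["autostart"])
    return [f'{"AUTOSTART" if h["autostart"] else "reference"}: '
            f'[{h["key"]}] "{h["name"]}" = {h["data"]}' for h in hits]


if __name__ == "__main__":
    for line in report(SAMPLE_REG, "download.mp3.exe"):
        print(line)
```

On the constructed export the report flags the HKEY_CURRENT_USER Run value as AUTOSTART and the SearchAssistant value as a plain reference. To run it on a real export, replace SAMPLE_REG with load_reg_file("path\to\export.reg"); the data field of an autostart hit is the command line Windows would run, which is what a removal write-up needs to quote.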
Response Number 22
|
Name: Floss
Date: May 25, 2004 at 19:00:20 Pacific
Subject: Trojan Virus
|
Reply: Top Speed, patience might be required here - I think the virus has transferred itself to me through the keyboard. I will go through this slowly but perhaps not today - which country are you in anyway? Floss
|
|
Response Number 23
|
Name: Top Speed
Date: May 26, 2004 at 09:45:29 Pacific
Subject: Trojan Virus
|
Reply: Agreed. Best to take action when you can focus and concentrate. One thing to consider also... although Symantec classifies Download.Trojan as a low threat, since we haven't found the malware file and haven't defined the type of backdoor trojan downloaded, it may be best to remove it asap. In case I was too brief when requesting the data values for the six registry subkeys, I didn't want to guess or infer where the download.mp3.exe files were when we are working in the registry, so if these malware files were found anywhere else other than the six subkeys I requested, please include and post the data values from any relevant registry subkeys in addition to the six I requested. I am communicating from the United States, and you?
|
|
Response Number 24
|
Name: S.T.A.R.
Date: May 26, 2004 at 14:24:32 Pacific
Subject: Trojan Virus
|
Reply: Floss, I have a question, if you wouldn't mind. Or maybe a couple :-) Did you get/download the HJT, and use it? You don't have to use it, to fix anything. You could use it, to see, if indeed, the file is where you were told it was. When you use it, start by making a new folder, just for it, and placing it in this folder. That way, if you decide to use it, it will have one central location, and the things you fix, will be backed up there. If, the need to restore, what was fixed, is needed. As I said in my previous post, look at the 016-DPF Downloaded Program Files entries. As you've indicated, that, is where it would be listed. That would also, give some help, as to where this came from. (The HJT log) I'm not asking you, to post a copy of your log. To Top Speed, OK :-) Was just giving you an option. Yes, I see you've run the two programs, but was making sure, you were running updated ones. Good Luck, S.T.A.R.
|
|
Response Number 25
|
Name: Top Speed
Date: May 26, 2004 at 17:25:07 Pacific
Subject: Trojan Virus
|
Reply: S.T.A.R. Good to hear from you again. I didn't really understand the resolutions in your first post, the relationships between ActiveX and Download.Trojan, the significance of 016-DPF Downloaded Program Files entries, or how to fix it other than have HiJackThis fix it. But it must be fate, I happened to read about "expanded security threats outside of commonly known definitions of viruses, worms, and Trojan horses" on the Symantec Security Response website today that referred to unauthorized access caused by programs like Adware (not Lavasoft's Ad-aware), Spyware, and others. These "untraditional" types of access are usually passed on through End-User agreement installation of programs and tools but could be downloaded through stealth. So, what you posted initially is only now beginning to be understood. The questions that I have asked Floss (unidentified installed programs and unusual computer behaviors or symptoms) seem to have ruled out that this Download.Trojan is anything but a Download.Trojan as defined in the traditional sense and not one in the Expanded-Threat group. However, with this newfound understanding, I will keep these possibilities in mind when I look over the data values of the registry subkeys. Once I have a sample of the data values of selected registry subkeys, hopefully I will be able to ask for the right entries, identify the Trojan, programs, or tools responsible to know how to remove this malware file. All these expanded threats only confirm my concerns about downloading more software to remove malware files once they are identified and detected. Floss, I ran both the free Symantec security scan and the antivirus scan on my computer today, and the results showed all ports protected and no virus found. I am up-to-date with Windows updates from Microsoft, and my IE has the highest encryption or cipher strength of 128-bit.
After you have posted the registry data values, it wouldn't hurt to run the free Symantec security scan if you haven't done it and check that your IE cipher strength is at 128-bit to rule out that Download.mp3.exe is most likely a Download.Trojan in the traditional sense. To check the cipher strength, go to IE, select Help from the menu bar, select About IE. If your IE is not, then update your IE and OS with Microsoft asap. Here is the link to the "Expanded Threats" as defined by Symantec and the types of unauthorized access S.T.A.R spoke of if you are interested:
http://securityresponse.symantec.com/avcenter/expanded_threats/index.html If we can't identify the type of Trojan infection from the registry data values, then perhaps S.T.A.R can show us how to read or fix it with HiJackThis? I do not know how to read the log, and computing.net has a strict policy about not posting the log unless an expert asks for it. Top Speed
|
|
Response Number 26
|
Name: Top Speed
Date: May 26, 2004 at 23:50:56 Pacific
Subject: Trojan Virus
|
Reply: Searching the Value Names and Value Data from the registry subkeys using Symantec's Virus Encyclopedia Search Engine should be a fairly direct way to lead us to identifying the Trojan or the Adware/spyware-related threats and to removing the detected Download.mp3.exe file and associated files. Also, do you have either IE/homepage problems or any computer problems?
|
|
Response Number 27
|
Name: Top Speed
Date: May 27, 2004 at 11:11:00 Pacific
Subject: Trojan Virus
|
Reply: BTW, we found Download.mp3.exe in the registry already. Floss, once you post the name and data values, we can work to remove the file and other associated files. Also, did you install Adware or other anti-trackware other than those already disclosed by chance? Please confirm what software you have installed other than the antivirus updates and Ad-aware from Lavasoft you have mentioned, because knowing this background information will assist in identifying (or ruling out) possible types of trojan or trackware.
|
|
Response Number 28
|
Name: Top Speed
Date: May 27, 2004 at 11:27:55 Pacific
Subject: Trojan Virus
|
Reply: ...including opening or responding to unusual unsolicited "official sounding" email attachments.
|
|
Response Number 29
|
Name: Floss
Date: May 30, 2004 at 05:30:34 Pacific
Subject: Trojan Virus
|
Reply: Hi Top Speed and S.T.A.R. Sorry, have not tried anything from 23 onwards - have not been online much - obviously we have clever computers at the bottom of the world as it seems the Trojan came bearing virus gifts for humans!! With luck I should be back on form tomorrow and will start on this again. Thanks to you both from ?sunny Australia. Floss
|
|
Response Number 30
|
Name: S.T.A.R.
Date: May 31, 2004 at 04:16:16 Pacific
Subject: Trojan Virus
|
Reply: Top Speed, "the significance of 016-DPF Downloaded Program Files entries, or how to fix it other than have HiJackThis fix it." You've probably had Floss, check the "Dependency", of each program file in the "Downloaded Program Files" (folder). I'm too lazy, to go back and read everything, sorry ;-) That's right-click one of the program files, and then click "Properties". Then click the "Dependency" (Tab). You will (should) be presented, with the files, etc., and their locations, as to what that program file depends on. Do that, for each file in the "Downloaded Program Files" (folder). That's a rough description/explanation, yours may differ. After/during that, was the file in question shown? If it was, that's the program file, (the one, you were checking its dependencies, and it showed the file in question) that would need to be removed. (Right-click it & click Remove) And, if needed later, it can be downloaded again. I stress, IF NEEDED :-) Floss, Let us know, the name of the program file, and its dependencies. The one, that has the file in question, as a dependency, OK. You're welcome. Good Luck, S.T.A.R.
|
|
Response Number 31
|
Name: Top Speed
Date: June 1, 2004 at 11:13:22 Pacific
Subject: Trojan Virus
|
Reply: STAR, do you have reasons to believe that the associated files to the infected trojan file are restricted to the downloaded program files? My thoughts are: the trojan may or may not have already been executed, and the linking or loading files could be anything from a .dll, an .exe, or even java scripts and could be found anywhere from the system, temporary, cookies, the registry, and program files folders. Floss's answers about the file extensions and paths for the four Read-Only temp(?) files and the posting of the data values found in the Search Assistant and other registry subkeys will offer substantial clues to get us started on narrowing down the type of backdoor or downloader trojan, and possibly spyware, to help us remove this "ghost trojan". I am not so concerned about removing the Download.mp3.exe because it could be done in MS-DOS if all else fails. I am more concerned about the possibility of a more sinister download or trojan dropper by the trojan, so we need to identify the exact download trojan by identifying how this trojan or spyware works. Floss, sorry to be such a bottomless pit... more questions for you to help us identify the trojan. But, these tasks are fast to do. In addition to all the questions and requests posted thus far, could you also answer the following:
1. Did you have any unusual browser problems like, redirected homepage, search page, and web page? Did you get Windows logon error messages? Any web reference to Fastwebfinder.com or specific popup? Go to Start>Run, type edit c:\windows.ini>OK. Do you have an entry similar to, run=fntldr.exe
2. Search/Find the following files on your hard drive: ld.exe dnse.dll regsv32.exe wsock32.exe netd.exe zshell.js run_cd.exe sys.exe dia4.exe load.dll teen.exe windows.exe
3. In Task Manager, do you have TWO explorer.exe files and a rundll.exe running?
Your findings to these questions, the read-only files, and the posting of the registry subkey values will direct us in the right direction.
|
|
Response Number 32
|
Name: Top Speed
Date: June 1, 2004 at 12:56:43 Pacific
Subject: Trojan Virus
|
Reply: btw, there seem to be quite a few known issues about Spybot Search & Destroy, anything from memory leaks, program conflicts, making drives and the system utility msconfig invisible, and shutting down antivirus in mid process.
|
|
Response Number 33
|
Name: S.T.A.R.
Date: June 1, 2004 at 14:57:16 Pacific
Subject: Trojan Virus
|
Reply: Top Speed, Ok, first, no one/nothing is coming up with anything, but Symantec. Second, and the only thing they CLAIM, to be INFECTED, is the "download.mp3.exe". Third, it probably was something agreed/not agreed upon, to be downloaded to the computer in question. As I said before, "And, if needed later, it can be downloaded again. I stress, IF NEEDED" I still believe, it's something from a music site, that's why, I said about the HJT. It would give an indication, as to where it came from. Symantec, says it's infected, but, do they mean the file is infected, or do they mean/think the file, is the infection. You have everything under control, was just trying to lend a hand. See you around in the forums. S.T.A.R. Floss, Hope you're feeling better, and stay that way :-) Good Luck, in solving your problem. And send some of that sunny weather my way, please. I can go fishing, out my backdoor :-) That's a good thing, at the place at the river, but not, at home base :-) Again, Good Luck, S.T.A.R.
|
|
Response Number 34
|
Name: Floss
Date: June 1, 2004 at 22:58:39 Pacific
Subject: Trojan Virus
|
Reply: Top Speed OK – I am going to start at the last response and work backwards - I have copied the instructions and put in the answers.
Did you have any unusual browser problems like, redirected homepage, search page, and web page? Did you get Windows logon error messages? Any web reference to Fastwebfinder.com or specific popup?
Answer – No to all of these
Go to Start>Run, type “edit c:\windows.ini>OK”. Do you have an entry similar to, run=fntldr.exe
Answer – No – there are no entries at all when I type what is in the inverted commas
2. Search/Find the following files on your hard drive:
ld.exe - If this is a lower case l as in love - No such file
dnse.dll - No such file
regsv32.exe - No such file
wsock32.exe - No such file
netd.exe - No such file
zshell.js - No such file
run_cd.exe - No such file
sys.exe - No such file
dia4.exe - No such file
load.dll - 3 files – “psisload.dll”; “Ut_Unload.dll”; “psisload.dll”. The UT says it is a HP program, the first one is in Windows\I386\DRIVER.CAB and the third is in Windows\Driver Cache\i386\driver.cab
teen.exe - No such file
windows.exe - No such file
3. In Task Manager, do you have TWO explorer.exe files and a rundll.exe running?
Only 1 explorer file and no rundll.exe
I shall now have a look at the preceding questions. Cheers Floss
|
|
Response Number 35
|
Name: Floss
Date: June 1, 2004 at 23:41:56 Pacific
Subject: Trojan Virus
|
Reply: Top Speed Re Message 32 - Spybot. I have used this for some time and am not aware of having problems - would it be better to use another agency - is AdAware a superior one or are they all equal? Floss
|
|
Response Number 36
|
Name: Floss
Date: June 1, 2004 at 23:45:50 Pacific
Subject: Trojan Virus
|
Reply: S.T.A.R. Thanks for the help - will send the sun over (although 'tis winter at present) if you will return the water - we are short! :0) Have used the HJT and logged the results but not sure if Top Speed needs those yet - am working through this bit by bit. Floss
|
|
Response Number 37
|
Name: Floss
Date: June 2, 2004 at 01:01:48 Pacific
Subject: Trojan Virus
|
Reply: Hi Top Speed OK Will now go back to Response No 20
QUESTION: What are the directories for the four read-only undeleted temp files, IEC3, IEC4B, IEC6, SET3E? Please list them. Right-click on the files and see what you can find out about them.
ANSWER (there are 5):
IEC3 - C:\Documents and Settings\Local Settings\Temp - 333 KB - Modified 11/4/2001, although it says it was Created on Friday, 29 August 2003, 9:21:34 PM (the creation date being later than the Modified date). No signature.
IEC4B - C:\Documents and Settings\Local Settings\Temp - 337 KB - Modified 5/9/2001. This says it was Created on Monday, 8 September 2003, 8:18:30 PM. No signature.
IEC6 - C:\Documents and Settings\Local Settings\Temp - 337 KB - Modified 1/2/02. This says it was Created on Monday, 16 June 2003, 11:22:13 AM.
SET3E - C:\Windows - 14 KB - Modified 29/8/02 - Digitally signed by Windows Publisher
SET29 - C:\Windows - 1061 KB - Modified 29/8/02 - Digitally signed by Windows Publisher
Will try and do the registry keys next. Floss
|
|
Response Number 38
|
Name: S.T.A.R.
Date: June 2, 2004 at 01:14:05 Pacific
Subject: Trojan Virus
|
Reply: Floss, As I explained/described in Response 30. Could you do that, please. And when you find the file in question, list the program file's name, and its dependencies, and their locations. Thanks. You say, you have a HJT log. Just curious, do me another favor, please. Look at the 016 -DPF entries, does one of those look something like this; O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} http://www.lyricsdomain.com/download.mp3.exe As I said, just curious. I know, curiosity killed the cat, but hey, they have nine lives. Well, eight now ;-) Oh, and about the water. If I could, I'd be a nice neighbor, and send it by airplane, ship, helicopter, submarine, and anything else I could use, and still have enough left for me :-) The fish, are even calling their insurance companies, and saying, "Sir, our house was washed away by the water. Do we have water and flood damage coverage?" ;-) Later, S.T.A.R.
You're Welcome Floss p.s. No comment, about the Spybot - Search & Destroy© As it might be biased ;-)
|
|
Response Number 39
|
Name: Floss
Date: June 2, 2004 at 01:38:05 Pacific
Subject: Trojan Virus
|
Reply: S.T.A.R. Can't send any rubber dinghies - need them myself as I am already drowning in the sea of unknown. Just keep paddling for a few minutes whilst I put these registry key details on - I hope they make sense to someone. With the actual mp3.exe file, by the way, it cannot actually be seen in the files and folders except when I view files in Vet - the only other place an mp3 is noted is in the registry files. Floss
|
|
Response Number 40
|
Name: Floss
Date: June 2, 2004 at 01:50:59 Pacific
Subject: Trojan Virus
|
Reply: Top Speed OK - here are registry files - the first one is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name: <NO CLASS>
Last Write Time: 24/05/2004 - 7:08 PM
Value 0 Name: 00THotkey Type: REG_SZ Data: C:\WINDOWS\System32\00THotkey.exe
Value 1 Name: 000StTHK Type: REG_SZ Data: 000StTHK.exe
Value 2 Name: SynTPLpr Type: REG_SZ Data: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Value 3 Name: SynTPEnh Type: REG_SZ Data: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Value 4 Name: Tpwrtray Type: REG_SZ Data: TPWRTRAY.EXE
Value 5 Name: TouchED Type: REG_SZ Data: C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
Value 6 Name: TFncKy Type: REG_SZ Data: TFncKy.exe /Type 28
Value 7 Name: TosHKCW.exe Type: REG_SZ Data: "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
Value 8 Name: NDSTray.exe Type: REG_SZ Data: "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
Value 9 Name: TMESBS.EXE Type: REG_SZ Data: C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
Value 10 Name: TFNF5 Type: REG_SZ Data: TFNF5.exe
Value 11 Name: ezShieldProtector for Px Type: REG_SZ Data: C:\WINDOWS\System32\ezSP_Px.exe
Value 12 Name: Drag'n Drop CD Type: REG_SZ Data: C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
Value 13 Name: NvCplDaemon Type: REG_SZ Data: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Value 14 Name: nwiz Type: REG_SZ Data: nwiz.exe /installquiet
Value 15 Name: VetTray Type: REG_SZ Data: C:\Vet\VetTray.exe
Value 16 Name: PinnacleDriverCheck Type: REG_SZ Data: C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0 Name: Installed Type: REG_SZ Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0 Name: Installed Type: REG_SZ Data: 1
Value 1 Name: NoChange Type: REG_SZ Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0 Name: Installed Type: REG_SZ Data: 1
The next one is in three parts -
1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0 Name: Installed Type: REG_SZ Data: 1
then 2)
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0 Name: Installed Type: REG_SZ Data: 1
Value 1 Name: NoChange Type: REG_SZ Data: 1
then 3)
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Class Name: <NO CLASS>
Last Write Time: 31/05/2003 - 7:35 AM
Value 0 Name: Installed Type: REG_SZ Data: 1
I do not have the following two - the Run Services:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
The two where the mp3.exe were found are:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key Name: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
Class Name: <NO CLASS>
Last Write Time: 02/06/2004 - 3:02 PM
Value 0 Name: 000 Type: REG_SZ Data: *.tmp
Value 1 Name: 001 Type: REG_SZ Data: windows.exe
Value 2 Name: 002 Type: REG_SZ Data: teen.exe
Value 3 Name: 003 Type: REG_SZ Data: load.dll
Value 4 Name: 004 Type: REG_SZ Data: dia4.exe
Value 5 Name: 005 Type: REG_SZ Data: sys.exe
Value 6 Name: 006 Type: REG_SZ Data: run_cd.exe
Value 7 Name: 007 Type: REG_SZ Data: zshell.js
Value 8 Name: 008 Type: REG_SZ Data: netd.exe
Value 9 Name: 009 Type: REG_SZ Data: wsock32.exe
Value 10 Name: 010 Type: REG_SZ Data: regsv32.exe
Value 11 Name: 011 Type: REG_SZ Data: dnse.dll
Value 12 Name: 012 Type: REG_SZ Data: ld.exe
Value 13 Name: 013 Type: REG_SZ Data: *.gid
Value 14 Name: 014 Type: REG_SZ Data: *.cpl
Value 15 Name: 015 Type: REG_SZ Data: download
Value 16 Name: 016 Type: REG_SZ Data: *.mp3
Value 17 Name: 017 Type: REG_SZ Data: *.exe
Value 18 Name: 018 Type: REG_SZ Data: *mp3.exe
Value 19 Name: 019 Type: REG_SZ Data: download.mp3.exe
Value 20 Name: 020 Type: REG_SZ Data: download.mp3
Value 21 Name: 021 Type: REG_SZ Data: mp3.exe
Value 22 Name: 022 Type: REG_SZ Data: Video
Value 23 Name: 023 Type: REG_SZ Data: *.wav
Value 24 Name: 024 Type: REG_SZ Data: *.dot
and
7. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
Key Name: HKEY_USERS\S-1-5-21-2535869258-4062848261-2145253753-1005\Software\Microsoft\Search Assistant\ACMru\5603
Class Name: <NO CLASS>
Last Write Time: 02/06/2004 - 3:02 PM
Value 0 Name: 000 Type: REG_SZ Data: *.tmp
Value 1 Name: 001 Type: REG_SZ Data: windows.exe
Value 2 Name: 002 Type: REG_SZ Data: teen.exe
Value 3 Name: 003 Type: REG_SZ Data: load.dll
Value 4 Name: 004 Type: REG_SZ Data: dia4.exe
Value 5 Name: 005 Type: REG_SZ Data: sys.exe
Value 6 Name: 006 Type: REG_SZ Data: run_cd.exe
Value 7 Name: 007 Type: REG_SZ Data: zshell.js
Value 8 Name: 008 Type: REG_SZ Data: netd.exe
Value 9 Name: 009 Type: REG_SZ Data: wsock32.exe
Value 10 Name: 010 Type: REG_SZ Data: regsv32.exe
Value 11 Name: 011 Type: REG_SZ Data: dnse.dll
Value 12 Name: 012 Type: REG_SZ Data: ld.exe
Value 13 Name: 013 Type: REG_SZ Data: *.gid
Value 14 Name: 014 Type: REG_SZ Data: *.cpl
Value 15 Name: 015 Type: REG_SZ Data: download
Value 16 Name: 016 Type: REG_SZ Data: *.mp3
Value 17 Name: 017 Type: REG_SZ Data: *.exe
Value 18 Name: 018 Type: REG_SZ Data: *mp3.exe
Value 19 Name: 019 Type: REG_SZ Data: download.mp3.exe
Value 20 Name: 020 Type: REG_SZ Data: download.mp3
Value 21 Name: 021 Type: REG_SZ Data: mp3.exe
Value 22 Name: 022 Type: REG_SZ Data: Video
Value 23 Name: 023 Type: REG_SZ Data: *.wav
Value 24 Name: 024 Type: REG_SZ Data: *.dot
I hope some of this makes sense to you. Apart from whatever it was that S.T.A.R. has asked about (will look at that shortly) have I covered all of your queries yet or have I missed anything?
Over to you Floss
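The registry posts above are in the text form Regedit prints (Key Name, Class Name, Last Write Time, then numbered Value records), run together onto one line by the forum. Here, as an added example that is not from this thread or from any of its participants, is a small Python parser for that layout that tags each value with its subkey, separates logon autostart keys from the Search Assistant history key, and lists autostart commands given as bare file names; the function names are my own and the sample text is constructed from a few of the values posted above, not the full dump.

```python
"""Parser for the plain-text registry dump that Regedit prints (the
"Key Name: / Class Name: / Last Write Time: / Value N ..." form pasted
in the posts above), flattened onto one line the way the forum rendered it."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subkey leaf names that Windows launches at logon.  ACMru is not one of
# them: it stores the terms typed into the Search Assistant.
AUTOSTART_LEAVES = {"run", "run-", "runonce", "runservices", "runservicesonce"}


@dataclass
class RegValue:
    key: str   # full path of the subkey that holds the value
    name: str  # value name
    type: str  # REG_SZ, REG_DWORD, ...
    data: str  # data as printed by Regedit


# Regedit writes one "Key Name:" header per subkey, followed by the class
# name, the last-write time and numbered value records.  Because the paste
# lost its newlines, the field labels are the only record delimiters.
KEY_RE = re.compile(r"Key Name:\s*(?P<key>.+?)\s+Class Name:", re.S)
VALUE_RE = re.compile(
    r"Value\s+\d+\s+Name:\s*(?P<name>.+?)\s+Type:\s*(?P<type>REG_\w+)\s+Data:\s*"
    r"(?P<data>.*?)(?=\s+Value\s+\d+\s+Name:|\s*$)",
    re.S,
)


def parse_regedit_text(text: str) -> list[RegValue]:
    """Return every value in the dump, tagged with the subkey it belongs to."""
    entries: list[RegValue] = []
    for chunk in re.split(r"(?=Key Name:)", text):
        head = KEY_RE.match(chunk)
        if head is None:
            continue  # stray text before the first key header
        key = head.group("key").strip()
        for m in VALUE_RE.finditer(chunk, head.end()):
            entries.append(RegValue(key, m.group("name").strip(),
                                    m.group("type"), m.group("data").strip()))
    return entries


def classify_key(key: str) -> str:
    """'autostart' for Run-style keys, 'search-history' for the Search Assistant MRU."""
    leaf = key.rsplit("\\", 1)[-1].lower()
    if leaf in AUTOSTART_LEAVES:
        return "autostart"
    if "\\search assistant\\acmru" in key.lower():
        return "search-history"
    return "other"


def find_references(entries: list[RegValue], needle: str) -> list[RegValue]:
    """Values whose data mentions needle, case-insensitively (a file name, a path)."""
    needle = needle.lower()
    return [e for e in entries if needle in e.data.lower()]


def command_is_bare_name(data: str) -> bool:
    """True when the command names its executable without any directory, so the
    loader resolves it through the search path and the file has to be located on
    disk before its publisher can be checked (the nwiz.exe question above)."""
    data = data.strip()
    if not data:
        return False
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split()[0]
    return "\\" not in exe and ":" not in exe


def unresolved_autostarts(entries: list[RegValue]) -> list[str]:
    """Names of autostart values whose command is a bare file name."""
    return [e.name for e in entries
            if classify_key(e.key) == "autostart" and command_is_bare_name(e.data)]


# Constructed sample: a handful of the values posted above, flattened as the
# forum rendered them.  Not the complete dump.
SAMPLE = (
    r"Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
    r"Class Name: <NO CLASS> Last Write Time: 24/05/2004 - 7:08 PM "
    r"Value 0 Name: 00THotkey Type: REG_SZ Data: C:\WINDOWS\System32\00THotkey.exe "
    r"Value 1 Name: 000StTHK Type: REG_SZ Data: 000StTHK.exe "
    r"Value 2 Name: nwiz Type: REG_SZ Data: nwiz.exe /installquiet "
    r"Value 3 Name: VetTray Type: REG_SZ Data: C:\Vet\VetTray.exe "
    r"Key Name: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 "
    r"Class Name: <NO CLASS> Last Write Time: 02/06/2004 - 3:02 PM "
    r"Value 0 Name: 000 Type: REG_SZ Data: *.tmp "
    r"Value 1 Name: 019 Type: REG_SZ Data: download.mp3.exe "
)

if __name__ == "__main__":
    values = parse_regedit_text(SAMPLE)
    for v in values:
        print(f"[{classify_key(v.key):14}] {v.name!r:12} = {v.data}")
    for v in find_references(values, "mp3.exe"):
        print("reference to mp3.exe under", v.key, "->", classify_key(v.key))
    print("autostart commands to locate on disk:", unresolved_autostarts(values))
```

On the sample, the only hit for mp3.exe sits under the Search Assistant key, which records search terms rather than anything that runs; the bare-name autostarts (000StTHK, nwiz) are the ones whose file still has to be found on disk to check its publisher.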
|
|
Response Number 41
|
Name: Floss
Date: June 2, 2004 at 02:00:19 Pacific
Subject: Trojan Virus
|
Reply: S.T.A.R No - they don't look anything like that - they look like this. Which makes as much sense to me as fish phoning their insurance companies - I shouldn't panic - it's probably only a shell company and sounds pretty fishy to me :0)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
Floss
|
|
Response Number 42
|
Name: S.T.A.R.
Date: June 2, 2004 at 03:30:54 Pacific
Subject: Trojan Virus
|
Reply: Floss, "...With the actual mp3.exe file by the way it cannot actually be seen in the files and folders except when I view files in Vet..." Understand, what you are saying, but I don't think you are understanding, what I asked you to do. So, I'll repeat it. Open the "Downloaded Program Files" (folder), and right-click one of the program files. Then click "Properties", and then click the "Dependency" (Tab). You will be shown, the files, etc., that the program file depends on, and their locations/address. Do that, for each program file, that you see in that folder. You are looking for the "download.mp3.exe", listed as one of the dependencies. Give the name, of the program file, and all the dependency files, where you find the file in question listed/shown, ok. Hope that's clear now. I guess, it might just be a rehash, of the response 30. If that's not clear, ask me to explain better, ok.
|
|
Response Number 43
|
Name: Floss
Date: June 2, 2004 at 05:23:43 Pacific
Subject: Trojan Virus
|
Reply: S.T.A.R. OK - got that - of the 11 folders I can see in Downloaded Program Files there are no files that are dependent on mp3.exe or download.mp3.exe - there are 13 files that are dependent on Downloaded Program Files but not mp3 etc. Allowances for age have to be made! Floss
|
|
Response Number 44
|
Name: Top Speed
Date: June 3, 2004 at 05:14:44 Pacific
Subject: Trojan Virus
|
Reply: Floss, Is the trojan horse still on your pc? There was no reference to the download.trojan in the registry keys I reviewed. Two more rounds of questioning from me, then you might want to utilize Symantec's free online support to see if they can find this "ghost" trojan horse, or post the hijackthis log in a different support forum, unless STAR has some input. I would be interested to know what Symantec has to say if you do get an answer from them before your trial run ends. But first, about the hijackthis log:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
These two websites, http://fpdownload.macromedia.com and http://www2.incredimail.com, look suspicious to me, but I don't know how to read or interpret the log and can only guess on how to get to them in the registry, like search by the ID numbers for one. STAR, are they of any significance? In addition, these two cab files may have something to do with either an infected file being compressed and why we can't find Download.mp3.exe, or the Read-Only temp files, which prompts me to ask... Floss, after NAV detected Download.mp3.exe is infected with download.trojan, what action did you take? Did you get any error messages? Could you have quarantined, repaired, or deleted the malware file? If Download.mp3.exe is part of a compressed file, then according to Symantec Document ID:2000060418153206, you could determine the name of the infected file by finding the compressed file in the NAV Activity Log and then search to delete the associated files. Check out the log and see if that applies in this case. Relating to the 5 read-only temporary files:
1. Double-click to open the temp files to see if you recognize the information, if they can be deleted, and if there were any references to the trojan horse or the URLs associated with the two questionable websites from the posted hijackthis log.
2. Follow through with the steps in the Symantec Document, "Norton Antivirus displays the message "Unable to repair, quarantine or delete..." when detecting an infected file", to delete the read-only temp files (or save them somewhere else) to remove the compressed malware files.
http://service1.symantec.com/SUPPORT/nav.nsf/396b6ccde72d4a4d882569fc006071d4/b06295358f269d6d88256d27005a8eb4?OpenDocument&src=bar_sch_nam
Make sure you do the last step for XP to terminate the Services to locate download.mp3.exe. Of the registry subkeys I looked at, there were no references to the trojan, but I need to follow up on a few points:
1. Check and confirm nwiz.exe is from the company nVidia and not from Norton Wizard. The same exe file with Norton Wizard's signature would be a virus.
2. Please post the registry values for 3 new keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
3. I didn't get the loading feature for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
Do you have two Run folders like I do (Run and Run-)? Please confirm if you don't have a Run- folder. You posted the value for one of the Run keys okay, but I didn't get the value for the second Run key (Run-) if there is one. You seem to have posted the subkeys of Run (OptionalComponents and etc.) instead. You just need to double-click to open the Run- folder on the left panel to display the value for the Run- key (the value for the subkey is always on the right panel); the registry keys work exactly the same way as Windows Explorer. Please then export, save, and then post the .reg file as before. If there is no value (a blank right panel) when you open the Run- key, confirm or describe that there is no data value, or I can't tell; but if there is anything on the right panel, including the word "{default}", post the data value as it is, or tell me what I should see as you do on the right panel if the exported .reg file looks different. It shouldn't be unless there is no subkey value.
4. I also didn't get the value for HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
You posted the key but not the value for the key. If there is no value (blank right panel), please describe or confirm.
5. Search, locate, and notate all registry subkey locations for the malware path and file name detected earlier. Type in the Registry Find dialog box, C:\WINDOWS\Downloaded Program Files\download.mp3.exe.
Again, either select the "Find Next" button or press F3 for the next search result until the registry finder notifies you that the search is completed. Export and post all registry files to show where the malware path and files are in the registry. Thanks.
|
|
Response Number 45
|
Name: Top Speed
Date: June 3, 2004 at 15:34:36 Pacific
Subject: Trojan Virus
|
Reply: Floss, Although you said you didn't have any Browser problems, let's take a look at two other common loading points for viruses/trojans for clues. If after you have done the steps described in the above response the download.trojan remained, would you please post the .reg files for two more registry keys in addition to the ones requested above:
HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main
I did a search on Google.com, and according to the responses available for hijackthis logs, Shockwave Flash Object and Shockwave ActiveX Control from http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab are trouble-free. Questions remain unanswered for the downloaded programs from x.block.com and www2.incredimail.com, however.
As another option to you if the trojan horse is not removed after we have done the steps above and no hijackthis