Wilders Security Forums  

  #1  
Old June 5th, 2004, 04:55 AM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Trojan Downloader

Hello,

My friend has Windows XP Home, which I am not very familiar with.

Every time he connects to IE, an alert box from Norton informs that Trojan Downloader is in his:-

C Windows-Temp Internet Files.

I did an online scan with Trend and it found three infected Temp Int. files but could not clean so I deleted.

I followed all the removal instructions from Symantec,
Updated Norton Anti virus
Ran a full system scan (this came up clean-no infection found)
Followed rest of instructions from Symantec
no reference to Trojan Downloader was found in the registry keys that Symantec advised to check.

However when connection to IE is made, the alert box still appears saying Downloader Trojan is in his Windows Temp Internet files

Norton activity log shows at every IE connection (with time and date)
access denied and removal unsuccessful.

Now, my friend never empties his Temp Internet files.
If I open Norton and do a Web Clean Up should this delete the offending files from his pc or should it be done online through tools>options>delete files??

I just hope that deleting his Temp Internet Files will get rid of the Trojan, as it is no longer being detected in the Norton full system scan.

As it is not my pc, I am reluctant to do anything without first asking your advice and whether to use Norton Web Clean Up or through IE.

Thank you so much for any advice/support.

Rosie
  #2  
Old June 5th, 2004, 05:19 AM
Paul Wilders
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re: Trojan Downloader

Rosie,

Make sure to disable System Restore on the system in question and run a full system scan once more, preferably in the Safe Mode. In case of a clean bill of health, clean out/delete the temp files in question. After doing so, reboot as usual and enable System Restore again.

regards.

paul
  #3  
Old June 5th, 2004, 05:50 AM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Thank you so much,

Is it best to clean out the files through Norton Web Clean Up or through Internet Explorer Tools>Options>Delete Files?

Regards

Rosie
  #4  
Old June 5th, 2004, 05:54 AM
Paul Wilders
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re: Trojan Downloader

My pleasure Rosie.

You can clean up through IE first, and let NWCleaner do its job after that as a double check.

regards.

paul
  #5  
Old June 5th, 2004, 05:57 AM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Thank you,

Will not see him again until Monday, I will let you know how it goes.

Rosie
  #6  
Old June 5th, 2004, 06:14 AM
Paul Wilders
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re: Trojan Downloader

Looking forward to it

regards.

paul
  #7  
Old June 5th, 2004, 06:27 AM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Paul,

I am sorry, one more question.

How can I delete IE temp Internet Files in Safe Mode as I will not be able to get an Internet Connection in Safe Mode?

Sorry to be a pain

Rosie
  #8  
Old June 5th, 2004, 07:27 AM
Paul Wilders
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re: Trojan Downloader

Rosie,

There's no need for an internet connection - perform all off-line.

No need to feel embarrassed.

regards.

paul
  #9  
Old June 5th, 2004, 09:43 AM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Thanks

Rosie
  #10  
Old June 9th, 2004, 10:33 AM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Hello,

Did all of the above and all went well.

Norton full system scan was clear, however when connecting to the internet, a red dialog box still appears stating pc is infected with downloader trojan.

Went back into Norton to review reports and two different files are showing as having the trojan.

First One:-
C:\Documents and Settings\PCUser Name\Local Settings\Temporary Internet Files\Content.IE5\MZ6ZY9YZ\EXPLOITS(1).CHM

Details:- Downloader Trojan

Second One:-
Exactly the same apart from the Number which is \MZ6ZY9YZ\.CHM

Details-Downloader Trojan

Both with same date of login.

Any advice/help would be very much appreciated.

Many thanks

Rosie
  #11  
Old June 11th, 2004, 03:49 PM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Anyone

Rosie
  #12  
Old June 12th, 2004, 05:17 PM
Arin
Frequent Poster
 
Join Date: May 2004
Location: India
Posts: 997
Default Re: Trojan Downloader

dear Rosie, please check your autostart programs and give us the list. also tell us when that red box appears, when he connects to the Net or just surfing the Net. sometimes when we visit a webpage a trojan gets downloaded in our system. the Temporary Internet Files is the folder where it's downloaded. try this link to get an autostart viewer.
  #13  
Old June 12th, 2004, 08:10 PM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Hello amrx

Thank you for replying to my plea.

My friend gets the red warning box, on his 'Home Page', just after he has connected to the net.

I will not be able to get an auto start list now, until I see him again, probably later next week.

I will post the list as soon as I can get one. It is no good contacting him to get the list himself as he nearly passes out if he is asked to do anything like downloading.

Thanks anyway.

Rosie
  #14  
Old June 13th, 2004, 01:43 PM
Arin
Frequent Poster
 
Join Date: May 2004
Location: India
Posts: 997
Default Re: Trojan Downloader

we are here to help and learn. by the way changing his Home Page will do the trick.
  #15  
Old June 14th, 2004, 01:32 PM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

If we change his 'Home Page' I assume that the warning box will re-appear at subsequent visits to that page?

Thanks

Rosie
  #16  
Old June 14th, 2004, 02:58 PM
Arin
Frequent Poster
 
Join Date: May 2004
Location: India
Posts: 997
Default Re: Trojan Downloader

dear Rosie, the answer is yes if the webpage in question is the root of all trouble. why don't you remove this homepage and see for yourself.
  #17  
Old June 14th, 2004, 05:55 PM
Rosie
Infrequent Poster
 
Join Date: May 2003
Location: United Kingdom
Posts: 44
Default Re: Trojan Downloader

Hi,

Thanks, I will do that when I next see him, I will let you know what happens.

Rosie
  #18  
Old June 21st, 2004, 05:53 AM
arch
Infrequent Poster
 
Join Date: Jun 2004
Posts: 1
Default Re: Trojan Downloader

I got the similar problem.
After I change the homepage address, it automatically opens the wrong link again.
I've followed the instructions on Norton website to kill this, however it can't detect the infected file during the scan.
Any suggestions? Thanks!!!!!
  #19  
Old July 16th, 2004, 09:14 AM
cmo
 
Posts: n/a
Default Re: Trojan Downloader

Hello, I have a server and a good number of my clients have the forum from yabbse. Every time someone connects to the forum, the Norton Antivirus will alert virus activity. This is the same for the photo galleries and chat rooms.

We checked the linux server for trojan and nothing was found.

We noticed that the forum has a hidden link to a site in another server that is infected with the virus.

So far, we couldn't find the hidden link.

Anyone with same problem?

Carlos
  #20  
Old July 18th, 2004, 12:33 AM
Kc7LGT
 
Posts: n/a
Default Re: Trojan Downloader

Man, I got the Trojan Exploit-ByteVerify. Whatever you do, keep updating your AV software. It came in thru a number of email attachments from someone I know on Ham radio. He is from England and one day he sent me an attachment, so I emailed back out of courtesy that I thought it was funny (it really wasn't). Anyway, within a week's time he sent about 40 more and I finally got the Trojan, so I emailed back and thanked him for that. As it stands right now, I can't get rid of it and I use this computer for business. I went thru the registry and a bunch of other things with no success. At the time I was using AVG and it was updated, but it didn't catch it. AVG is a good VS and it runs off of F-prot, which is mainly used by a lot of ISPs. Well, being I'm using Win 98 Second Edition, there is not much support out there for the ByteVerify Trojan for 98. I may have to pull all my needed files from the com and do a complete format on the HD.

Joe. Washington State.
  #21  
Old September 7th, 2004, 01:35 AM
kc7lgt
 
Posts: n/a
Default Re: Trojan Downloader

it's a bad trojan
 

All times are GMT -4. The time now is 05:47 PM.