Trojan Downloader

Discussion in 'malware problems & news' started by Rosie, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Hello,

    My friend has Windows XP Home, which I am not very familiar with.

    Every time he connects to IE, an alert box from Norton informs that Trojan Downloader is in his:-

    C Windows-Temp Internet Files.

    I did an online scan with Trend and it found three infected Temp Int. files but could not clean so I deleted.

    I followed all the removal instructions from Symantec,
    Updated Norton Anti virus
    Ran a full system scan (this came up clean-no infection found)
    Followed rest of instructions from Symantec
    no reference to Trojan Downloader was found in the registry keys that Symantec advised to check.

    However when connection to IE is made, the alert box still appears saying Downloader Trojan is in his Windows Temp Internet files

    Norton activity log shows at every IE connection (with time and date)
    access denied and removal unsuccessful.

    Now, my friend never empties his Temp Internet files.
    If I open Norton and do a Web Clean Up should this delete the offending files from his pc or should it be done online through tools>options>delete files??

    I just hope that deleting his Temp Internet Files will get rid of the Trojan, as it is no longer being detected in the Norton full system scan.

    As it is not my pc, I am reluctant to do anything without first asking your advice and whether to use Norton Web Clean Up or through IE.

    Thank you so much for any advice/support.

    Rosie
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Rosie,

    Make sure to disable System Restore on the system in question and run a full system scan once more, preferably in the Safe Mode. In case of a clean bill of health, clean out/delete the temp files in question. After doing so, reboot as usual and enable System Restore again.

    regards.

    paul
     
  3. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Thank you so much,

    Is it best to clean out the files through Norton Web Clean Up or through Internet Explorer Tools>Options>Delete Files.

    Regards

    Rosie
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure Rosie.

    You can clean up through IE first, and let NWCleaner do its job after that as a double check.

    regards.

    paul
     
  5. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Thank you,

    Will not see him again until Monday, I will let you know how it goes.

    Rosie
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Looking forward to it ;)

    regards.

    paul
     
  7. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Paul,

    I am sorry, one more question.

    How can I delete IE temp Internet Files in Safe Mode as I will not be able to get an Internet Connection in Safe Mode?

    Sorry to be a pain

    Rosie
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Rosie,

    There's no need for an internet connection - perform all off-line.

    No need to feel embarrassed ;).

    regards.

    paul
     
  9. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Thanks

    Rosie
     
  10. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Hello,

    Did all of the above and all went well.

    Norton full system scan was clear, however when connecting to the internet, a red dialog box still appears stating pc is infected with downloader trojan.

    Went back into Norton to review reports and two different files are showing as having the trojan.

    First One:-
    C:\Documents and Settings\PCUser Name\Local Settings\Temporary Internet Files\Content.IE5\MZ6ZY9YZ\EXPLOITS(1).CHM

    Details:- Downloader Trojan

    Second One:-
    Exactly the same apart from the Number which is \MZ6ZY9YZ\.CHM

    Details-Downloader Trojan

    Both with same date of login.

    Any advice/help would be very much appreciated.

    Many thanks

    Rosie
     
  11. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Anyone o_O

    Rosie
     
  12. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear Rosie, please check your autostart programs and give us the list. also tell us when that red box appears, when he connects to the Net or just surfing the Net. sometimes when we visit a webpage a trojan gets downloaded in our system. the Temporary Internet Files is the folder where it's downloaded. try this link to get an autostart viewer.
     
  13. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Hello amrx

    Thank you for replying to my plea.

    My friend gets the red warning box, on his 'Home Page', just after he has connected to the net.

    I will not be able to get an auto start list now, until I see him again, probably later next week.

    I will post the list as soon as I can get one. It is no good contacting him to get the list himself as he nearly passes out if he is asked to do anything like downloading.

    Thanks anyway.

    Rosie
     
  14. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    we are here to help and learn. by the way changing his Home Page will do the trick.
     
  15. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    If we change his 'Home Page' I assume that the warning box will re-appear at subsequent visits to that page?

    Thanks

    Rosie
     
  16. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear Rosie, the answer is yes if the webpage in question is the root of all trouble. why don't you remove this homepage and see for yourself.
     
  17. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Hi,

    Thanks, I will do that when I next see him, I will let you know what happens.

    Rosie
     
  18. arch

    arch Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    1
    I got the similar problem.
    After I change homepage address, it automatically opens the wrong link again.
    I've followed the instructions on Norton website to kill this, however it can't detect the infected file during the scan.
    Any suggestions? Thanks!!!!!
     
  19. cmo

    cmo Guest

    Hello, I have a server and a good number of my clients have the forum from yabbse. Every time someone connects to the forum, Norton Antivirus will alert virus activity. This is the same for the photo galleries and chat rooms.

    We checked the linux server for trojan and nothing was found.

    We noticed that the forum has a hidden link to a site in another server that is infected with the virus.

    So far, we couldn't find the hidden link.

    Anyone with same problem?

    Carlos
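
For the situation Carlos describes, one way to hunt for the link is to scan the HTML the forum actually serves for frames and scripts that load from other hosts. This is an added example, not part of the original thread; the host names and sample page are constructed, and it assumes the link is a plain tag in the rendered page rather than something assembled by script at run time.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL the browser fetches on page load, with no click needed.
AUTO_LOAD = {"iframe": "src", "frame": "src", "script": "src",
             "object": "data", "embed": "src"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"[01](px)?")  # width/height of 0 or 1 pixel


class OffsiteLoadFinder(HTMLParser):
    """Collects auto-loading tags that point at hosts outside own_hosts."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, tag, host, looks_hidden)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get(AUTO_LOAD.get(tag, ""), "")
        host = (urlparse(url).hostname or "").lower()
        if not host or host in self.own_hosts:
            return  # relative URL or same site: not what we are hunting
        hidden = bool(HIDDEN_STYLE.search(a.get("style", ""))
                      or TINY.fullmatch(a.get("width", "").strip())
                      or TINY.fullmatch(a.get("height", "").strip()))
        self.findings.append((self.getpos()[0], tag, host, hidden))


def find_offsite_loads(html, own_hosts):
    """Return every off-site frame/script load found in one HTML document."""
    finder = OffsiteLoadFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; every host name here is a placeholder.
SAMPLE_PAGE = """<html><body>
<script src="http://www.forum.example/js/forum.js"></script>
<iframe src="http://files.badhost.example/x.htm" width="0" height="0"></iframe>
<p>Welcome to the forum</p>
<script src="http://stats.partner.example/c.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, hidden in find_offsite_loads(SAMPLE_PAGE, ["www.forum.example"]):
        print(f"line {line}: <{tag}> loads from {host}" + ("  [hidden]" if hidden else ""))
```

Run it over the pages as fetched from the live site as well as over the template files on disk, since a link stored in the database only shows up in the rendered output.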
     
  20. Kc7LGT

    Kc7LGT Guest

    Man, I got the Trojan Exploit-ByteVerify. Whatever you do, keep updating your AV software. It came in thru a number of email attachments from someone I know on Ham radio. He is from England and one day he sent me an attachment, so I emailed back out of courtesy that I thought it was funny (it really wasn't). Anyway, within a week's time he sent about 40 more and I finally got the Trojan, so I emailed back and thanked him for that. As it stands right now, I can't get rid of it and I use this computer for business. I went thru the registry and a bunch of other things with no success. At the time I was using AVG and it was updated, but it didn't catch it. AVG is a good VS and it runs off of F-prot, which is mainly used by a lot of ISPs. Well, being I am using Win 98 Second Edition, there is not much support out there for the ByteVerify Trojan for 98. I may have to pull all my needed files from the com and do a complete format on the HD.

    Joe. Washington State.
     
  21. kc7lgt

    kc7lgt Guest

    its a bad trojan
     