download.trojan


Helen49
9th Jul 2004, 17:33
any advice on how to remove this virus would be appreciated. Norton is unable to remove it?

E-Liam
9th Jul 2004, 17:52
Hi Helen,

Norton should give you the filepath of the virus. If it's in..

C:\_Restore\

or

C:\System Volume Information\

..then you need to disable System Restore, (See here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039) for XP, or here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239) for ME, if you need advice on how to do this) run your updated Norton, then set a new restore point.

If it isn't one of the above filepaths, then please download 'Hijack This!' from here (http://www.thespykiller.co.uk/), unzip, and place it in its own folder, (not in the temp folder, or on the desktop) double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Cheers

Liam

Helen49
9th Jul 2004, 18:52
E-Liam thanks for the offer of help, followed your instructions except how do I paste it in a reply? ......it's quite lengthy

H49

E-Liam
9th Jul 2004, 19:04
Hi Helen,

The log opens in notepad. Start at the top left, and highlight the entire contents by dragging the mouse whilst holding down the left button (Keep dragging until you get to the very end.). Once you've highlighted the whole thing, press Ctrl + C (copy).

Open up a reply here, click the cursor somewhere in the text box and click Ctrl + V (paste). I'll have a look at it. Please disable smiley though.. :)

Cheers

Liam

None of the above
9th Jul 2004, 19:28
I've also had the misfortune to be afflicted by both the Downloader.Trojan and Download.Ject viruses.

The report read as follows:

C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\EB7F1O8C\main[1].htm
is infected with the Download.Ject virus.
Unable to repair this file.

C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\EB7F1O8C\main[1].htm
is infected with the Download.Ject virus.
Access to the file was denied.

C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\MQDW8NNR\shellscript[1].js
is infected with the Downloader.Trojan virus.
Unable to repair this file.

C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\MQDW8NNR\shellscript[1].js
is infected with the Downloader.Trojan virus.
Access to the file was denied.

I have to admit to being somewhat confused.
Norton Anti-Virus is always as up to date as possible and having run subsequent scans neither virus shows up. Incidentally, I was alerted to these nasties by a Norton 'Pop Up' rather than a system scan. Am I correct in surmising that deleting Temporary Internet Files disposed of these malign presences?

Apologies for butting in, but help and advice would be gratefully received.

Helen49
9th Jul 2004, 19:52
E- Liam

Pasted the data into an email to you

H49

E-Liam
9th Jul 2004, 20:00
Hi Helen,

I'm just off out for a drink with the better half. I'll be back later, and I can see the problem you have, so I'll post up the results when I get back.. :ok:

Cheers

Liam

Helen49
9th Jul 2004, 21:11
E-Liam.....enjoy the drink!

Make the instructions simple!!

H49

E-Liam
9th Jul 2004, 22:41
Hi Helen,

It looks like an old variant of CoolWebSearch, going by the msiokn.dll BHO entry.

Please go here (http://www.thepykiller.co.uk) and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.

CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here (http://v4.windowsupdate.microsoft.com/en/default.asp), click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Then please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

O2 - BHO: FFB1 - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msiokn.dll

O4 - HKLM\..\Run: [WinInit] Win86.exe

O4 - HKLM\..\Run: [WinLogin] win32x.exe

O4 - Global Startup: Digimax Viewer 2.1.lnk = ?

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following bolded files...

C:\WINDOWS\msiokn.dll

Win86.exe

win32x.exe

(you will need to search for the bottom two files, by going to Start | Find | Files or Folders)

Then please boot back into normal mode and download AdAware 6 181 from here (http://www.lavasoftusa.com/support/download/).

Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance...

Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan.

Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files

Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..

Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.

and uncheck..

Automatically try to unregister objects prior to deletion.

Then click Proceed, to save your settings.

Now click the Scan button.

When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.


Next, reboot again and download Spybot - Search & Destroy, from here (http://security.kolla.de): if you haven't already got the program.

Click on Settings, and Settings again. Go to the Webupdate section, and check Display also available beta versions.

Now press Online, and search for, and put a check mark next to all updates, and install following the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.

Cheers

Liam

-----------------------------------------------------------------------------------
Hi noneofthe above,

sorry.. I didn't see your post first time around. Please follow the instructions for posting a HJT log, and I'll have a look in the morning. :) 5 pints of real ale (T.E.A. (Traditional English Ale) by the Hogs Back Brewery) and it's now beddy bies... :D:D

Cheers

Liam
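The HJT entries listed in the post above are the kind of thing an analyst reads by eye. As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script that parses lines of that shape, normalises the CLSIDs so entries for the same object group together, and flags the features the post relies on: Run entries that name a file without a path (which is why Win86.exe and win32x.exe have to be searched for), startup shortcuts whose target HJT could not resolve, and O16 ActiveX downloads with their remote host. The sample log is constructed from the lines quoted in the post; the regular expressions are assumptions based on the format of those lines, not a full HJT grammar.

```python
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the HijackThis lines quoted in the post above,
# with "C:\WINDOWS" written out in full.
SAMPLE_LOG = r"""
O2 - BHO: FFB1 - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msiokn.dll
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
"""

# Assumed patterns, derived from the lines above rather than an official HJT spec.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\\S+")
RUN_TARGET_RE = re.compile(r"\]\s*(\S+)")   # the command after "[Name]" in an O4 Run entry


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    url: Optional[str] = None
    path: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into entries and pull out the fields worth checking."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue            # blank lines and anything not of the "Onn - ..." shape are skipped
        e = Entry(section=m.group(1), body=m.group(2))
        if c := CLSID_RE.search(line):
            e.clsid = c.group(0).upper()   # normalise case so one object groups together
        if u := URL_RE.search(line):
            e.url = u.group(0)
        if p := DRIVE_PATH_RE.search(line):
            e.path = p.group(0)
        e.notes = triage(e)
        entries.append(e)
    return entries


def run_target(e: Entry) -> Optional[str]:
    """For an O4 ...\\Run entry, return the command string after the [Name] tag."""
    if e.section != "O4" or "Run:" not in e.body:
        return None
    m = RUN_TARGET_RE.search(e.body)
    return m.group(1) if m else None


def triage(e: Entry) -> List[str]:
    """Defender-side observations about one entry; nothing here modifies the system."""
    notes = []
    target = run_target(e)
    if target and "\\" not in target:
        # Bare file name: the log does not say where it lives, so it must be located by hand.
        notes.append("autorun with no path: locate %s before deleting" % target)
    if e.section == "O4" and e.body.rstrip().endswith("= ?"):
        notes.append("startup shortcut whose target could not be resolved")
    if e.section == "O16" and e.url:
        host = urllib.parse.urlsplit(e.url).hostname
        notes.append("ActiveX component downloaded from %s" % host)
    return notes


def files_to_locate(entries: List[Entry]) -> List[str]:
    """Run-key targets given without a directory, in log order."""
    return [t for e in entries if (t := run_target(e)) and "\\" not in t]


def remote_hosts(entries: List[Entry]) -> List[str]:
    """Hosts that O16 (Downloaded Program Files) entries fetched components from."""
    return sorted({urllib.parse.urlsplit(e.url).hostname
                   for e in entries if e.section == "O16" and e.url})


def clsid_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many log lines share one CLSID: fixing one object may clear several lines."""
    return dict(Counter(e.clsid for e in entries if e.clsid))


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        flags = "; ".join(e.notes) if e.notes else "-"
        print(f"{e.section:4} {e.clsid or '':40} {e.path or e.url or '':45} {flags}")
```

Run it as a script to get one line per entry with its flags; the two O9 lines come out under the same normalised CLSID, which is why a single object removal can clear both.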

None of the above
10th Jul 2004, 06:24
Liam.......

I've had a couple of goes at sending the Logfile via PM, but it doesn't show up in the "Sent Items" folder.
Any luck at your end?

N o t a

E-Liam
10th Jul 2004, 06:58
Hi Nota,

It was good ale.. I never got to the bit about deleting temp files last night. Yep.. that'll do it. I got the HJT log twice, so it's just a problem with your end, and it's squeaky clean.. :ok: :)

Cheers

Liam

Helen49
10th Jul 2004, 07:44
Hi Liam..so far so good, no critical updates to download. Not sure I follow your instructions regarding new HJT scan particularly the bit where you say 'check to fix the following etc'. A little more info required if poss.

many thanks H49

E-Liam
10th Jul 2004, 08:01
Hi Helen,

When you run HJT's scan, you'll see a little check box to the left of each entry.. if you click the box it will put a tick in it.. that's "check to fix."

Cheers

Liam

Helen49
10th Jul 2004, 10:03
Hi Liam....stuck again [I realised the answer to the previous question as soon as I had sent it]. I have got as far as downloading spybot1.3 but the menu choices don't match yours? Any thoughts? I found the menu referring to beta versions eventually but no 'Online' choice evident??

H49

E-Liam
10th Jul 2004, 10:10
Hi Helen,

Just update and run it.. It's just a second check over Adaware.

Cheers

Liam

None of the above
10th Jul 2004, 13:09
Liam.......

Thanks very much for your help with that. I'm very grateful to you.

I'll bow out now.

N o t a

Helen49
10th Jul 2004, 16:16
E-Liam.....did you get the email I sent mid-afternoon?

H49

E-Liam
10th Jul 2004, 17:23
Hi Helen,

Just read it. Clean log.. :ok: :)

If Norton's about to expire, then I'd suggest AVG (http://www.grisoft.com/us/us_dwnl_free.php) as the way to go. It's free and very good. You can set it up to run automatically when you want (mine runs at 4am every morning) as well as it running in the background. When you start the machine it also automatically checks the boot sector, which if infected can cause serious problems.

I'd also suggest a firewall. Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=pdb_za1) is also free and about the best out there, certainly for ease of use. Read the "Read Me" when installing, and also take advantage of the 15 day trials of ZA Pro, given out every time it's updated.

How did I get infected (http://computercops.biz/postt7736.html) is a good read. It's written by Tony Klein, considered one of the world's leading authorities on Internet security. There is a second article on BHOs in the same post. Don't worry about understanding it all.. you don't need to.

Ask if you need any more help. I'm happy to do so. :)

Cheers

Liam
---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals (http://asap.maddoktor2.com/) since 2004.

Helen49
10th Jul 2004, 18:05
E-Liam.........did you get my email mid aft?
H49

ELiam....don't know what has been happening, but I have yours now. Once again thanks for all the excellent help!

H49

E-Liam
10th Jul 2004, 18:27
Hi Helen,

You're very welcome.. :ok:

I received the notification for this afternoon's PM, but my inbox was full.. :(

I've now emptied it.. :)

Cheers

Liam