download.trojan
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Helen,
Norton should give you the filepath of the virus. If it's in..
C:\_Restore\
or
C:\System Volume Information\
..then you need to disable System Restore, (See here for XP, or here for ME, if you need advice on how to do this) run your updated Norton, then set a new restore point.
If it isn't one of the above filepaths, then please download 'Hijack This!' from here, unzip, and place it in its own folder, (not in the temp folder, or on the desktop) double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.
This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.
Cheers
Liam
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Helen,
The log opens in Notepad. Start at the top left, and highlight the entire contents by dragging the mouse whilst holding down the left button (keep dragging until you get to the very end). Once you've highlighted the whole thing, press Ctrl + C (copy).
Open up a reply here, click the cursor somewhere in the text box and click Ctrl + V (paste). I'll have a look at it. Please disable smiley though..
Cheers
Liam

Joined: May 2003
Posts: 307
Likes: 0
From: South East England
I've also had the misfortune to be afflicted by both the Downloader.Trojan and Download.Ject viruses.
The report read as follows:
C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\EB7F1O8C\main[1].htm
is infected with the Download.Ject virus.
Unable to repair this file.
C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\EB7F1O8C\main[1].htm
is infected with the Download.Ject virus.
Access to the file was denied.
C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\MQDW8NNR\shellscript[1].js
is infected with the Downloader.Trojan virus.
Unable to repair this file.
C:\Documents and Settings\*******\Local Settings\Temporary Internet Files\Content.IE5\MQDW8NNR\shellscript[1].js
is infected with the Downloader.Trojan virus.
Access to the file was denied.
I have to admit to being somewhat confused.
Norton Anti-Virus is always as up to date as possible and having run subsequent scans neither virus shows up. Incidentally, I was alerted to these nasties by a Norton 'Pop Up' rather than a system scan. Am I correct in surmising that deleting Temporary Internet Files disposed of these malign presences?
Apologies for butting in, but help and advice would be gratefully received.
Last edited by None of the above; 9th July 2004 at 19:53.
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Helen,
It looks like an old variant of CoolWebSearch, going by the BHO entry msiokn.dll entry.
Please go here and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.
CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
Then please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…
O2 - BHO: FFB1 - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msiokn.dll
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.
Then boot into safe mode, (see here for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following bolded files...
C:\WINDOWS\msiokn.dll
Win86.exe
win32x.exe
(you will need to search for the bottom two files, by going to Start | Find | Files or Folders)
Then please boot back into normal mode and download AdAware 6 181 from here.
Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.
Now to set it up for optimum performance...
Make sure the following settings are configured. Remember that ON=GREEN.
From main window click Start | Activate in-depth scan.
Then click Use custom scanning options | Customize and have these options switched ON...
Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files
Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..
Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.
and uncheck..
Automatically try to unregister objects prior to deletion.
Then click Proceed, to save your settings.
Now click the Scan button.
When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.
Next, reboot again and download Spybot - Search & Destroy, from here: if you haven't already got the program.
Click on Settings, and Settings again. Go to the Webupdate section, and check Display also available beta versions.
Now press Online, and search for, and put a check mark next to all updates, and install following the prompts.
Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
Next reboot and go here, and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.
Cheers
Liam
-----------------------------------------------------------------------------------
Hi None of the above,
sorry.. I didn't see your post first time around. Please follow the instructions for posting a HJT log, and I'll have a look in the morning. :) 5 pints of real ale (T.E.A. (Traditional English Ale) by the Hogs Back Brewery) and it's now beddy bies... :D:D
Cheers
Liam
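The entries Liam picks out above follow a pattern an analyst applies by eye: a BHO DLL sitting directly in C:\WINDOWS, Run values that name an EXE with no path, and an O16 ActiveX download from an unfamiliar host. The script below is an added example written for this page (not the thread's own code and not part of HijackThis) that parses lines in the HijackThis log format and applies those same heuristics. The sample log is the set of lines quoted in the post, reproduced so the script runs offline; the "known CLSID" list holds only the two CLSIDs the post told the poster to fix, and the trusted-host list for O16 entries is an assumption. Treat the flags as a triage aid, not a verdict: as the post itself warns, much of what appears in a log is harmless or required.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed input: the HijackThis entries quoted in the post above,
# reproduced here so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: FFB1 - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msiokn.dll
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
"""

# CLSIDs the helper in this thread told the poster to fix.  A real triage
# list would be far larger; this holds only what the thread supports.
KNOWN_FIX_CLSIDS = {
    "{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1}",
    "{C95FE080-8F5D-11D2-A20B-00AA003C157A}",
}

# Assumed allow-list of hosts from which an O16 (Downloaded Program Files)
# ActiveX control is expected; anything else is flagged for review.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
BARE_EXE_RE = re.compile(r"^[\w.\-]+\.exe$", re.I)


@dataclass
class Entry:
    section: str            # "O2", "O4", ...
    raw: str                # the original log line
    clsid: Optional[str]    # upper-cased CLSID if the line carries one
    target: str             # file, URL or command the entry points at
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section, CLSID and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    cm = CLSID_RE.search(body)
    clsid = cm.group(0).upper() if cm else None
    if section == "O4":
        # Run entries look like "[ValueName] command"; Global Startup
        # entries look like "name.lnk = path".
        rm = re.search(r"\[[^\]]*\]\s*(.+)$", body)
        target = rm.group(1).strip() if rm else body.split("=", 1)[-1].strip()
    else:
        target = body.rsplit(" - ", 1)[-1].strip()
    return Entry(section, line.strip(), clsid, target)


def trusted_host(host: str) -> bool:
    # Exact match or a sub-domain; a plain endswith() would also accept
    # "notmicrosoft.com", so compare on the dot boundary.
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(entry: Entry) -> Entry:
    """Attach heuristic flags; these are assumptions, not HijackThis logic."""
    if entry.clsid in KNOWN_FIX_CLSIDS:
        entry.flags.append("known_clsid")
    if entry.section == "O2" and re.fullmatch(r"C:\\WINDOWS\\[^\\]+\.dll", entry.target, re.I):
        # A BHO DLL dropped straight into %WINDIR% rather than a program
        # folder is the pattern the post used to spot msiokn.dll.
        entry.flags.append("bho_in_windows_root")
    if entry.section == "O4" and BARE_EXE_RE.match(entry.target):
        # A Run value naming an EXE with no path: the file has to be hunted
        # down on disk, as the post says for Win86.exe / win32x.exe.
        entry.flags.append("run_without_path")
    if entry.section == "O16":
        host = (urlparse(entry.target).hostname or "").lower()
        if not trusted_host(host):
            entry.flags.append("dpf_untrusted_host")
    return entry


def analyse(log_text: str) -> List[Entry]:
    """Parse every O-line in a log and run the triage heuristics on each."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return [triage(e) for e in entries]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in analyse(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(", ".join(e.flags).ljust(36), e.raw)
```

Run against the lines from the post it flags the BHO, both Run values, both O9 entries and the O16 download, and leaves the Digimax Viewer startup link alone because its target is the unresolved "?" rather than a bare executable. Extending it to real logs means growing the CLSID list and the O16 allow-list from a maintained source rather than from one thread.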
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Nota,
It was good ale.. I never got to the bit about deleting temp files last night. Yep.. that'll do it. I got the HJT log twice, so it's just a problem with your end, and it's squeaky clean..

Cheers
Liam
Thread Starter

Joined: Apr 2003
Posts: 488
Likes: 9
From: UK
E-Liam
Hi Liam..so far so good, no critical updates to download. Not sure I follow your instructions regarding new HJT scan particularly the bit where you say 'check to fix the following etc'. A little more info required if poss.
many thanks H49
Thread Starter

Joined: Apr 2003
Posts: 488
Likes: 9
From: UK
E-Liam
Hi Liam....stuck again [I realised the answer to the previous question as soon as I had sent it]. I have got as far as downloading spybot1.3 but the menu choices don't match yours? Any thoughts? I found the menu referring to beta versions eventually but no 'Online' choice evident??
H49
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Helen,
Just read it. Clean log..

If Norton's about to expire, then I'd suggest AVG as the way to go. It's free and very good. You can set it up to run automatically when you want (mine runs at 4am every morning) as well as it running in the background. When you start the machine it also automatically checks the boot sector, which if infected can cause serious problems.
I'd also suggest a firewall. Zone Alarm is also free and about the best out there, certainly for ease of use. Read the "Read Me" when installing, and also take advantage of the 15 day trials of ZA Pro, given out every time it's updated.
How did I get infected is a good read. It's written by Tony Klein, considered one of the world's leading authorities on Internet security. There is a second article on BHOs in the same post. Don't worry about understanding it all.. you don't need to.
Ask if you need any more help. I'm happy to do so.
Cheers
Liam
---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals since 2004.