Trojan or not?

Discussion in 'Malware Help (A Specialist Will Reply)' started by N7ckster, Mar 14, 2005.

  1. N7ckster

    N7ckster Private E-2

    Hi everyone,

    As you can tell this is my first post. I'm not gonna make out that I know anything about computers really, because I don't!! :rolleyes:

    Anyway, I've got a pc that I'm running Windows XP on. Not knowing much about them really, I purchased some anti virus software (Norton Anti Virus 2005) from the shop as it was recommended to me by the salesman.

    I always do weekly live updates and scan my pc for viruses. I've never had anything register on it telling me that I've been infected or that there was anything even trying to attach itself to me whilst on the net . . . until last week! :(

    My home page had been hijacked and every time I went on the net I was getting shed loads of pop up windows, redirected to other sites and my anti virus was going crazy giving me loads of alerts.

    Not knowing a lot about removal of spyware and trojans, I was searching the net when I stumbled across your smart site. Reading through some threads etc, I carried out your READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic spyware, trojan and virus removal. I carried it out to the letter and it found shed loads of things. I removed or fixed the problems that were flagged up by the downloads and everything seemed ok.

    I did a system scan with my Norton and it keeps finding a Trojan in my C drive. It says: compressed file ied.exe within C:\ied_s7m.cab is infected with the Download.Trojan virus. But I've run 3 other Trojan search downloads and they have all found nothing.

    So after all that, do you think I've still got a Trojan sitting in my C: drive or is my Norton chatting rubbish??

    Also how would I have got so many spyware issues and trojans as I keep my Norton bang up to date? Shouldn't it have picked them up?

    Any help would be greatly appreciated.

    Cheers
    Nick
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    If you have done everything in the TUTORIAL, then do the following:

    Please try to turn OFF any applications that are not needed. It makes it much easier to look at the HJT log.
    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT

    Good Luck :)
     
  3. N7ckster

    N7ckster Private E-2

    I think I've done this right????
     


  4. TheOldThug

    TheOldThug First Sergeant

    Let's get you started.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    DeskadServ (or something like that)

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    prvdi.exe
    DeskAdServ.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.160.98/affiliates/msits.php?id=acc0000::/acc0000.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\WINDOWS\System32\prvdi.exe
    C:\Program Files\DeskAd Service--->The Folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
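A small triage script for the three HijackThis entry types fixed in the post above (R0 start page, O4 Run autostarts, O16 DPF objects), added here as an illustration; it is not part of the thread and not HijackThis's own code. The sample log lines are reconstructed from the post, while the benign "ExampleUpdater" entry, the expected-home-page list and the HKCU/System32 heuristic are constructed assumptions for the demo.

```python
import re

# Constructed sample HijackThis log: the three entries TheOldThug told the poster to
# fix, plus one benign Run entry invented for contrast (not from the thread).
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\\..\\Run: [DeskAd Service] C:\\Program Files\\DeskAd Service\\DeskAdServ.exe
O4 - HKCU\\..\\Run: [Windows Service] C:\\WINDOWS\\System32\\prvdi.exe
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\\nosuch.mht!http://69.50.160.98/affiliates/msits.php?id=acc0000::/acc0000.exe
"""

EXPECTED_HOME = {"www.majorgeeks.com", "about:blank"}  # home pages the user actually chose (assumed)
KNOWN_BAD = {"prvdi.exe", "deskadserv.exe"}            # file names called out in the thread

RE_START = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_DPF = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} - (?P<url>.*)$")

def flag(line):
    """Return a reason string if one HJT log entry looks suspicious, else None."""
    if m := RE_START.match(line):
        host = re.sub(r"^\w+://", "", m["value"]).split("/")[0].lower()
        return None if host in EXPECTED_HOME else f"start page hijacked to {host}"
    if m := RE_RUN.match(line):
        exe = m["cmd"].strip('"').split("\\")[-1].lower()
        if exe in KNOWN_BAD:
            return f"autostart of known-bad file {exe}"
        # Heuristic (assumed): a per-user Run entry launching something out of
        # System32 under a generic label is a common disguise for adware droppers.
        if m["hive"] == "HKCU" and "\\system32\\" in m["cmd"].lower():
            return f"{m['name']!r} runs {exe} from System32 via HKCU Run"
        return None
    if m := RE_DPF.match(line):
        url = m["url"].lower()
        # DPF objects should be plain http(s) URLs; ms-its:/mhtml: chaining with a
        # bare .exe target is not how a legitimate ActiveX download looks.
        if not url.startswith(("http://", "https://")) or "!http" in url or url.endswith(".exe"):
            return "DPF object loaded via non-HTTP/chained URL pointing at an executable"
    return None

def triage(log_text):
    """Run every non-empty log line through flag(); return [(line, reason)] hits in order."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reason := flag(line)):
            hits.append((line, reason))
    return hits
```

Running `triage(SAMPLE_LOG)` flags the four entries from the post and leaves the constructed benign Run entry alone.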
  5. N7ckster

    N7ckster Private E-2

    I have done all what you instructed and have attached second log file. After I'd done all of that I ran my Norton again and it still flagged up a Trojan, in the same directory as it listed before. It also flagged up saying something about a Trojan called Bloodhound 6. :confused:
     


  6. TheOldThug

    TheOldThug First Sergeant

    Go to this link Bloodhound
    and install the proper patch if you haven't already done it.

    Let me know if it helps and try to give me any info that Norton tells you if it still perceives a problem.
     
  7. N7ckster

    N7ckster Private E-2

    Hello again!

    Ran the patch about Bloodhound trojan. Updated all that it said to do. Ran my Norton and it says problem with file ied.exe, threat name Download.Trojan. And it reads The compressed file ied.exe within C:\ied_s7m.cab is infected with the Download.Trojan virus. :cool:

    Is this any help? :confused:
     
  8. N7ckster

    N7ckster Private E-2

    And again!

    Just ran RAV antivirus and that said I've got 1 infected file.

    File - C:\windows\system32\dload.exe.tcf
    Virus - Trojandownloader:win32/small.MV
     
  9. TheOldThug

    TheOldThug First Sergeant

    Norton recommends that you run your AV in safe mode. Have you done that? If not try that, delete all files it can, restart and scan again.

    Let me know. Here is what it says. Download.trojan
     
  10. TheOldThug

    TheOldThug First Sergeant

  11. N7ckster

    N7ckster Private E-2

    Hiya sarg,

    I've got a couple of points. Firstly, I can't run the Trend scan, as whenever I go onto it and put in the country I'm from then press "go" it just says page cannot be displayed.

    Secondly, in safe mode I cannot run my broadband internet. Whatever I do, it doesn't work.

    Lastly, I've run a scan on Norton and it still only flags up an error in a compressed file ied.exe within C:\ied_s7m.cab. Now, in that link you gave me it says to use internet explorer in safe mode and find the file and delete it. My question is, how do I get into a cab file? I've found the icon and you have to unzip it. But how do I find it from there? I don't want to be messing about with files if I don't know what I'm doing.

    Thanks in advance

    Nick
     
  12. TheOldThug

    TheOldThug First Sergeant

    Do not open the file. We will probably just delete it. I need to do a little more checking. I will let you know today what you should do.
     
  13. TheOldThug

    TheOldThug First Sergeant

    Try and get some info on that file. Right click it, properties, and get version, company etc.
     
  14. N7ckster

    N7ckster Private E-2

    When you right click on the WinZipped ied_s7m.cab icon, my Norton AV goes crazy telling me I'm at high risk. If you then unzip the icon there are 2 parts to it. One icon, when you right click on it, says it's an ied.exe that is an application and the file size is 32,768. The other is start7.inf that's setup information and the file size is 133. All other information in the properties tab are question marks for both files.

    The only other thing is its a hidden file, as when you go into "tools", then "view" then show hidden files it appears. If you uncheck show hidden files, it disappears.

    Do I need to extract something from the ied.exe file? Are these cab files all part of how your pc runs? :confused:
     
  15. TheOldThug

    TheOldThug First Sergeant

    Some cabs are, others are not. I did not tell you to unzip it. You should not do that. I only said to right click and look at properties of the cab. Unzipping it can unleash the problem. Do not do anything else with that file until instructed.
     
  16. TheOldThug

    TheOldThug First Sergeant

    Let's delete that file. Navigate to the file, probably C:\ied_s7m.cab and delete it. Then empty recycle bin. Rerun your Norton scan and see what it says. If you unzipped it somewhere delete those files as well.
     
  17. N7ckster

    N7ckster Private E-2

    Well after many hours on this problem, I think I can whisper that the problems I had have gone after I deleted that file and emptied my recycle bin now!! :D

    I've done full system scans, and everything has come back clear. My next question really is to ask if you can point me in the right direction of links or posts etc on getting better security on my pc. Things like firewalls and stuff? :confused:

    And lastly to say, many many thanks on helping me out on this problem. What a legend. :D

    Adios
     
  18. TheOldThug

    TheOldThug First Sergeant

    You're welcome

    Glad you got it all fixed. You should check this out now: How to Protect yourself from malware!

    If everything seems to be working OK then turn system restore back on.

    Be sure to use Firefox as your browser, Spyware Blaster, and a software firewall. Keep your OS and AV updated.

    Happy and safe surfing. :D
     