filename: C:\dload.exeMachine:CX390325-A This file is infected with Download.Trojan

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

joyoflife

Thread Starter
Joined
Sep 16, 2003
Messages
226
I have Windows ME and apparently I have a Trojan virus on my computer...according to Norton. Below they are telling me to delete this file and replace it if necessary......but I don't know what this file is or how to delete and replace it!!

PLEASE HELP!:confused:

Norton Says:
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: C:\dload.exe
machine: CX390325-A
result: This file is infected with Download.Trojan

Developer notes: C:\dload.exe is non-repairable threat. Please delete this file and replace it if neccessary.

Also, I created my Rescue Disks and when I was told to test them and boot up with the Basic Rescue Boot Floppy Disk the following happened:
I was told that the following files were missing or corrupted:
A:\IFSHLP.SYS
A:\SYSTEM\VM32.VXD
It also said Cannot Find System.INI

I typed in SCANREG\RESTORE and it said:
The following files are missing or corrupted: SCANREG\RESTORE.

I don't know how to boot up in Basic Rescue Boot....I am not that computer savvy....does this mean that I didn't create my Rescue Disks properly or is it because of this Dload.exe that is infected with the download trojan?

What am I supposed to do?

How do I delete and replace dload.exe because I don't know what that file is or what it does. :(

Also My Hijack File:
Logfile of HijackThis v1.97.2
Scan saved at 7:03:37 AM, on 9/19/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\COMPUTER FIXES\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\StopzillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\nsched32.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: Talk City EZTalk 3.0 - http://chat.talkcity.com/java/ezmed/ezmed.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://content.communities.msn.com/cs/MsnPUpld.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/090a6b7469d32fed4620/netzip/RdxIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,9/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37880.268912037
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
 
Joined
Mar 9, 2003
Messages
4,699
Let's start here.

SWAT IT a free trojan program and free updates for life. Checks for bots used in DoS attacks. http://swatit.org/download.html

Click on the Update and download all updates before running.

Let us know what it finds/fixes.

Thanks
 

joyoflife

Thread Starter
Joined
Sep 16, 2003
Messages
226
Okay...I will do that...I have scanned my system with Norton and have tried to quarantine or delete the infected files and it won't let me! I also can't find dload.exe on my computer either. :confused: The other infected files are:
C:\_RESTORE\TEM\A0002110.CPY
C:\_RESTORE\TEM\A0002115.CPY
C:\_RESTORE\TEM\A0002112.CPY
C:\_RESTORE\TEM\A0002165.CPY
C:\_RESTORE\TEM\A0002169.CPY
C:\_RESTORE\TEM\A0002173.CPY

Do you think I got this virus from my Yahoo Email? Because...I have been getting suspicious emails that look like they are from Microsoft but, I am getting several every hour and they are with attachments and are big in size...I haven't opened any of them. I have been deleting them.

I scanned my C:\ with swat it and it took a long time...but it says: found zero infected files!
I also scanned my pc with Panda Active Scan and it said that I have no viruses.
But..Norton says I have 6 infected files (listed above).
What Next?:confused:
 
Joined
Mar 9, 2003
Messages
4,699
Antivirus products can scan the files in System Restore, BUT they can’t clean, disinfect, or delete/quarantine those files.

IF you are running ME or XP, disable SYSTEM RESTORE: How to disable or enable System Restore in Windows ME

Turn off System Restore and scan again.

Remember to turn it back on and create a new restore point when you are finished.
 

joyoflife

Thread Starter
Joined
Sep 16, 2003
Messages
226
I ran Norton Scan on my C:\ after turning off system restore...and it says that I have no viruses.

Problem solved?
 

joyoflife

Thread Starter
Joined
Sep 16, 2003
Messages
226
I just got another virus alert from Norton:

It says this file has a virus and it quarantined it...so do I still have the trojan?

C:\WINDOWS\Temporary Internet Files\Content.IE5\135F80Y6\ActiveData[1].cab
 
Joined
Mar 9, 2003
Messages
4,699
Anything in C:\WINDOWS\Temporary Internet Files and all its subfolders can be safely deleted. It's all garbage.

C:\WINDOWS\Temporary Internet Files and all its subfolders are what I refer to as Windows Landfill.
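
Added example (not part of the thread, and not code from any poster or vendor): a Python triage that sorts antivirus detection paths into the three locations the replies above treat differently, namely the System Restore store, the Internet Explorer cache, and everything else. The bucket names and the functions `classify` and `triage` are assumptions made for this illustration; the paths are taken from the posts, plus one constructed duplicate.

```python
from pathlib import PureWindowsPath

# Detection paths copied from the posts in this thread.
DETECTIONS = [
    r"C:\dload.exe",
    r"C:\_RESTORE\TEM\A0002110.CPY",
    r"C:\_RESTORE\TEM\A0002115.CPY",
    r"c:\_restore\tem\a0002110.cpy",  # constructed: same file, different case
    r"C:\WINDOWS\Temporary Internet Files\Content.IE5\135F80Y6\ActiveData[1].cab",
]

# Next step per bucket, paraphrasing the advice given in the replies.
ADVICE = {
    "system_restore": "turn off System Restore, rescan, then turn it back on "
                      "and create a new restore point",
    "ie_cache": "delete it; everything under Temporary Internet Files is disposable",
    "live": "delete the file with the antivirus product and replace it if necessary",
}


def classify(path: str) -> str:
    """Return the bucket for one detection path (Win9x/ME layout)."""
    parts = [p.lower() for p in PureWindowsPath(path.strip()).parts]
    # parts[0] is the drive root, e.g. "c:\\"; _RESTORE sits directly below it.
    if len(parts) > 2 and parts[1] == "_restore":
        return "system_restore"
    # Match the cache folder only as a directory component, not as a file name.
    if "temporary internet files" in parts[1:-1]:
        return "ie_cache"
    return "live"


def triage(paths):
    """Group paths by bucket, dropping duplicates (Windows paths ignore case)."""
    buckets, seen = {}, set()
    for raw in paths:
        key = str(PureWindowsPath(raw.strip())).lower()
        if key in seen:
            continue
        seen.add(key)
        buckets.setdefault(classify(raw), []).append(raw.strip())
    return buckets


if __name__ == "__main__":
    for bucket, hits in triage(DETECTIONS).items():
        print(f"{bucket}: {len(hits)} file(s) -> {ADVICE[bucket]}")
        for hit in hits:
            print(f"    {hit}")
```
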
 

joyoflife

Thread Starter
Joined
Sep 16, 2003
Messages
226
Thanks so much for your help....I couldn't save my computer without all the help I get from you way cool people!:cool:

-joyoflife
 