
Desperate for answers


13 replies to this topic

#1 margiemorgan

margiemorgan

  • Members
  • 95 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 23 October 2004 - 05:20 PM

I am looking for help with this problem. Here is what I have: Norton tells me I have the download.trojan but can't delete and can't repair. I am denied access.

Here is what I have done: used adware, noadware, cwshredder, hijack this, killbox to try and delete the files with no luck. I tried killbox with automatic file delete and delete on next reboot but neither deleted the file. I have tried to delete the files in safe mode, dos, using a boot disk and deleting in dos. I have tried to rename. I have tried it with norton on and off. I have turned off my system restore. When I use noadware, it also tells me that I also have bridge, ncase and w32.hllw.gaobot every time I run it. It tells me it will delete on next reboot but it is there each time. No other program lists those particular trojans. I have run out of options. I read about BartPE but I am saving that as a last resort. My hijack this log is empty so there is no need in me posting one to the site.

Help - before I lose my mind!

Thanks

Margie


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:08 AM

Posted 23 October 2004 - 09:29 PM

Where is it telling you it is seeing the virus? What directory?

#3 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:02:08 AM

Posted 23 October 2004 - 09:43 PM

noadware is a Rogue/Suspect Anti-Spyware product. You can go to spywarewarrior.com, and check out their list. Scroll down to the first list, and you will find it listed there.

While you're there, check out your "adware" product, and see if it is also on the list.


I suggest you boot to safe mode, and uninstall anything on that list, that you have. Then reboot to normal mode.

Now go and download these programs:
a² free
Ad-Aware
Spybot S&D
SpywareBlaster
SpywareGuard

Update them, and then run them.

Please read this tutorial on Spybot S&D before using it. Spybot can do serious damage if not used properly.

After doing this, if you still have problems, post back here.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

#4 margiemorgan

Posted 24 October 2004 - 09:19 PM

Thanks for the reply. Question 1: The files are residing in the windows/system32 file and they all end with .tlb.

#2. I found different sites that said noadware was and was not part of the problem. I have had it off and on. I also had spyware guard and spyware blaster but they did not fix it either. I have adaware (sorry, I typed the name wrong on the first post) and spybot s&d. Spybot doesn't find anything. Adaware finds stray files but not the download.trojan. At least it does not list that name. Last night I downloaded zone alarm and that is the only way I am able to stay on the internet for any length of time.

I had this download.trojan before I installed noadware. I will go to safe mode and uninstall and download the ad2 free file and install.

I will try the spyware programs again.

It may be a day or 2 but I will get back with you.

Thanks

Margie

#5 Grinler

Posted 24 October 2004 - 09:44 PM

If all else fails, post a hijackthis log and someone will take a look at it for you. If you decide to post a log, post it in the HijackThis logs and Analysis forum.

#6 margiemorgan

Posted 27 October 2004 - 09:10 AM

It will be next week before I can post stuff from my home computer. Bell South came out to fix a phone line problem and disconnected my computer line. They said they will be back sometime on Friday. :thumbsup:

However, I have done all of the stuff on the list including the A-squared program. So far no luck. Could it be that Norton's is confused and these may be rogue files or am I just going to have to live with the darned thing?

I will get back to this site when my line is reconnected.

Margie

#7 Grinler

Posted 27 October 2004 - 10:36 AM

In what location is the file located? It could be in a spot Norton can not clean from, like the System Volume Information directory, or c:\_restore if it's Windows ME.

#8 jgweed

jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:03:08 AM

Posted 27 October 2004 - 04:05 PM

According to Symantec, you need to disable system restore, then boot into safe mode, and have your AV do a complete scan of your hard drive(s).

See:

http://securityresponse.symantec.com/avcen...oad.trojan.html

Many viruses or trojans will hide themselves in Windows system files that are (rightly so) protected; running your AV without system restore turned on, and in safe mode, will open many of these files for removal. Be sure to turn system restore back on and set a manual restore date.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#9 margiemorgan

Posted 27 October 2004 - 09:48 PM

My OS is Windows XP home edition and I do have SP2 installed. I have already turned off my system restore. I have done everything that Norton's web site said to do, but nothing cleans it. From the list above, neither A squared nor Spywareguard deleted it either. I tried in safe mode as well as regular mode. One glitch in safe mode is that not all of my user logins show up. Only 2 out of 4 show up. I cannot figure out how to make them show up. I went to Microsoft but can't seem to find a solution for this. I am wondering if the trojan is hiding under one of the logins that does not show up in safe mode. Could this be possible? If you think it could be, can you tell me how to make the other users show up?

Thanks

Margie

#10 Grinler

Posted 27 October 2004 - 10:52 PM

You still have not told us where and what the file is that Norton is finding. Having that information will help us. Btw, ignore what noadware tells you. It gives many false positives and is not to be trusted.

#11 margiemorgan

Posted 28 October 2004 - 08:32 AM

Thanks for the reply. Norton's says it has found a virus called DOWNLOAD.TROJAN. Then it says 'can't repair', you hit OK then it says 'can't delete' then 'can't quarantine'. There are 4 files i.e. 5r4ffofuarsj.tlb. They all end in .tlb.

No other program finds these files. They reside in the system32 folder. I can see them but I can't delete them either in DOS, with a kill program or in safe mode. It says 'access denied'. I also cannot move or rename the files.

I know I have some type of trojan because when I log onto the internet, my firewall is regularly telling me that a program is trying to access the internet.

Noadware has been deleted on my computer.

Thanks

Margie

#12 Grinler

Posted 28 October 2004 - 02:03 PM

Create a directory on your hard drive, to save HijackThis.exe, called c:\hijackthis. This is a mandatory step, for the backup and restore functions, of HijackThis, to be able to work.

Download the latest version, from here.

Read the pinned post in the HJT forum, here.

Then, run a log, and post it in the HJT forum. Do not fix anything, yet.
A member, of the HJT Team, will help you out.
Please, be patient, these people are volunteers. They will help you out, as soon as possible.

#13 margiemorgan

Posted 28 October 2004 - 07:12 PM

I will do this after my phone line is fixed. I will uninstall my hijack this program and re-install taking care to follow instructions carefully.

I will be sure to be patient. I have been working on this since 7-30 so one or two more weeks to find a solution isn't a problem.

Thanks Grinler.

Margie

#14 Grinler

Posted 28 October 2004 - 07:14 PM

Sounds good...we will be here when you're ready.



