Full Version: Possible Trojan
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Newbie
Hi all,

Almost 30 minutes ago my Norton Anti-Virus informed me I had 2 Trojans on my PC. I checked the log to learn a little more about the Trojans but happened to notice neither were removed. I can't seem to identify the Trojan names, so here's what Norton pointed me to:

http://securityresponse.symantec.com/avcen...oad.trojan.html

http://securityresponse.symantec.com/avcen...oad.trojan.html

I'm a real newbie when it comes to viruses / trojans and am desperate for help. As I type this I'm preparing a System Restore 'restore point' just in case, though I know it's usually a last resort, and have my Norton running a full virus scan and Adaware.

I noticed a process in the Windows task manager which was called cclgview.exe. After punching it into Google, I found out it's a rather unpleasant virus that attempts to delete some Windows files, so I ended the process.

Please any help would be tremendous, I notice in a few posts you ask for a hijackthis log, I will edit my post soon to attach it.

Thank you very much for any and all help, please feel free to inform me of anything I missed, sorry for the long post.

[edit]here is the hijackthis log,

Hijackthis.

I'm not sure if it's necessary but I really don't know what to do. [/edit]

[Edit 2]Norton AV finished and informed me there were no viruses detected. I'm not sure whether or not to believe it; I'd still like a second opinion though, thanks again. [/edit2]
CalamityJane
Hi Newbie and welcome to the forum flowerz.gif

Your link doesn't work for me.

Do a new scan with Hijackthis and wait for it to change to *Save log* (it should then open a text editor when you click on *save log*) and then just copy and paste the text it displays into your reply here.
Newbie
Thanks for replying so fast guys, strange the link didn't work. Anywho, here's the copy/paste from the hijackthis.log:

Logfile of HijackThis v1.97.2
Scan saved at 12:56:58, on 12/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Stephen Powell.POWELL\My Documents\Software\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {38D2A281-0444-433C-9ED6-A2851795F32A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O16 - DPF: {00b71cfb-6864-4346-a978-c0a14556272c} (Checkers Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - ftp://download2.us4.outblaze.com/download...ail_mcea115.cab
O16 - DPF: {2917297f-f02b-4b9d-81df-494b6333150b} (Minesweeper Flags Class) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
O16 - DPF: {74EC7845-3C16-44A0-9CB3-37C593F5A36C} (Button Property Page) -
O16 - DPF: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (MessengerStatsClient Class) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {AE1C01E3-0283-11d3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} (Macromedia Flash Factory Object) -
O16 - DPF: {FA980E7E-9E44-4d2f-B3C2-9A5BE42525F8} (MSN Chat Control 4.5 Settings) -

I haven't got round to visiting the link you posted, but I will take a gander now, and edit this post should I discover something. Again, thanks a lot. lol I'm too scared to reboot my PC. :lol:

[edit]Thanks for the link CalamityJane. Fortunately I think I use all the specific software like Adaware and SpyBot; after just running both, they have apparently wiped all spyware. I can't say I know what programs are OK to remove with HijackThis, so I usually let it sit in its own folder.

The below boxed paragraph is a little odd to me as I followed the directory (which Norton directed me to) to find the apparently infected folders but couldn't find it:

--------

Source: C:\Documents and Settings\Stephen Powell.POWELL\Local Settings\Temporary Internet Files\Content.IE5\4XYJOL6N\download_plugin[1].exe
Click for more information about this virus : Download.Trojan

--------

Strangely, when I run a full scan (currently running it for the 2nd time) it tells me no virus. But the log insists both attempts at removing it failed. I'm so confused, I'm sorry if I'm making us go round in circles.

Also, would it be of any help to post the current programs running on my PC? As I personally wouldn't understand if one or two were malicious.
CalamityJane
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

These are your search/start pages, etc. You can fix them and reset to your preferred pages in Internet Options if you like:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

Most of these are orphaned items....the one in bold is a dialer however
O3 - Toolbar: (no name) - {38D2A281-0444-433C-9ED6-A2851795F32A} - (no file)

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -

O16 - DPF: {74EC7845-3C16-44A0-9CB3-37C593F5A36C} (Button Property Page) -

O16 - DPF: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (MessengerStatsClient Class) -

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab <--Coulomb Dialer Variant


O16 - DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} (Macromedia Flash Factory Object) -

O16 - DPF: {FA980E7E-9E44-4d2f-B3C2-9A5BE42525F8} (MSN Chat Control 4.5 Settings) -
.....................................................
Reboot your PC

Scan once more with HijackThis and post a new log to make sure we got everything.
CalamityJane
oooooooooops! You have a really old version of Hijackthis (Logfile of HijackThis v1.97.2)

Before you run the next scan, please download the latest version of HJT (v. 1.97.7)

http://www.spywareinfo.com/downloads/tools/HijackThis.exe
Newbie
Thank you so much CalamityJane. Just before I close all windows, run HijackThis and reboot, are any of the items you highlighted dangerous? I mean, are they possible Trojans? Or maybe harmless pop-ups?

I edited my last post a couple of times, adding a few notes, just in case it helps. Before I do as you asked, does anything in my last post suggest I do anything else on top of running HijackThis?

i.e. the apparently non-existent trojan folder? Or would me listing my currently running programs help? Sorry for the constant questions, I don't doubt you're right, I'm just making sure I haven't missed anything out.
CalamityJane
Your running processes are listed on the log already :)

The item I highlighted is the one harmful item:

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab <--Coulomb Dialer Variant
Premium-rate dialer, most likely for adult-rated material. If installed, it could dial to an overseas toll number without you knowing and cause large charges on your phone bill.

Checkmarking it with HJT as instructed above, and then a reboot, will remove the program from your Downloaded Programs folder. Make sure you have all browsers and any open programs closed and only HijackThis open.

But please see my notes about downloading the latest version of HijackThis. Do that and then scan again and post a new log please.
CalamityJane
QUOTE (Newbie @ Mar 12 2004, 08:26 AM)
The below boxed paragraph is a little odd to me as I followed the directory (which Norton directed me to) to find the apparently infected folders but couldn't find it:

--------

Source: C:\Documents and Settings\Stephen Powell.POWELL\Local Settings\Temporary Internet Files\Content.IE5\4XYJOL6N\download_plugin[1].exe
Click for more information about this virus : Download.Trojan

--------

I'm not sure what may have already been removed by NAV, Adaware or spybot, but that file is in your Temporary Internet Files Folder. Emptying the contents (clear your cache) will get rid of it, if it still exists.
Newbie
Heres the new log:

Logfile of HijackThis v1.97.7
Scan saved at 14:22:35, on 12/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stephen Powell.POWELL\My Documents\Software\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O16 - DPF: {00b71cfb-6864-4346-a978-c0a14556272c} (Checkers Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - ftp://download2.us4.outblaze.com/download...ail_mcea115.cab
O16 - DPF: {2917297f-f02b-4b9d-81df-494b6333150b} (Minesweeper Flags Class) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
O16 - DPF: {AE1C01E3-0283-11d3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

*Fingers crossed* Hope everything's OK.

Is it OK to delete everything in the "Local Settings > Temporary Internet Files" folder? Just to be sure?
CalamityJane
That looks good, the dialer is gone :thumb:

These are just some more orphans you can fix with HijackThis (they aren't really doing anything, just leftover of removed stuff)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank

O16 - DPF: {00b71cfb-6864-4346-a978-c0a14556272c} (Checkers Class) -

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

O16 - DPF: {2917297f-f02b-4b9d-81df-494b6333150b} (Minesweeper Flags Class) -

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -

O16 - DPF: {AE1C01E3-0283-11d3-9B3F-00C04F8EF466} (HeartbeatCtl Class) -
.........................................
Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore points in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
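The triage CalamityJane does by hand in her two replies on the posted logs (blanked search/start settings get reset, entries with no backing file are orphans, the one O16 control fetched from a dialer host is the harmful item) can be written down as a small log checker. What follows is an added example, not part of this thread and not code from HijackThis itself. It only handles the R0/R1, O3 and O16 sections, and the sample log, the benign-host list and the dialer-host list are constructed for the example: the dialer host is the one called out in this thread, the benign hosts are the vendor controls the thread left alone, and any other host is simply marked for review.

```python
"""Triage of HijackThis R0/R1, O3 and O16 entries (added example, not the tool's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumption for this example: O16 controls from these hosts were left alone in the thread.
BENIGN_DPF_HOSTS = {"security.symantec.com", "download.yahoo.com"}
# Assumption for this example: the one host the thread identified as a dialer loader source.
DIALER_DPF_HOSTS = {"dload.ipbill.com"}

_RE_SEARCH = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^=]+?) = (.*)$")
_RE_TOOLBAR = re.compile(r"^(O3) - Toolbar: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_RE_DPF = re.compile(r"^(O16) - DPF: (\{[0-9A-Fa-f-]+\}|[^{(]+?)(?: \((.*?)\))? -\s*(.*)$")

# Constructed sample log lines in HijackThis v1.97 format (not the poster's log verbatim).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.com/custom/search.html
O3 - Toolbar: (no name) - {38D2A281-0444-433C-9ED6-A2851795F32A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"""


@dataclass
class Finding:
    kind: str     # R0 / R1 / O3 / O16
    line: str     # the original log line, i.e. what you would checkmark in HJT
    verdict: str  # reset, orphan, dialer, benign or review
    note: str


def classify(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for sections this example does not handle."""
    line = line.rstrip()
    m = _RE_SEARCH.match(line)
    if m:
        kind, key, value = m.groups()
        if value.strip().lower() == "about:blank":
            return Finding(kind, line, "reset", f"{key} blanked; fix, then set your preferred page")
        host = urlparse(value.strip()).hostname or ""
        return Finding(kind, line, "review", f"{key} points at {host}; keep only if you set it")
    m = _RE_TOOLBAR.match(line)
    if m:
        kind, name, clsid, path = m.groups()
        if path.strip() == "(no file)":
            return Finding(kind, line, "orphan", f"toolbar {clsid} registered but its file is gone")
        return Finding(kind, line, "review", f"toolbar {name} loads {path}")
    m = _RE_DPF.match(line)
    if m:
        kind, ident, _friendly, src = m.groups()
        src = src.strip()
        if not src:
            return Finding(kind, line, "orphan", f"DPF {ident.strip()} has no source; leftover of a removed control")
        host = (urlparse(src).hostname or "").lower()
        if host in DIALER_DPF_HOSTS:
            return Finding(kind, line, "dialer", f"ActiveX control fetched from {host}: remove it")
        if host in BENIGN_DPF_HOSTS:
            return Finding(kind, line, "benign", f"known vendor control from {host}")
        return Finding(kind, line, "review", f"ActiveX control from {host}; verify before keeping")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log and keep the recognised entries."""
    return [f for f in (classify(raw) for raw in log_text.splitlines()) if f is not None]


def fix_list(findings: List[Finding]) -> List[str]:
    """Lines to checkmark in HijackThis: the harmful entry plus the dead weight."""
    return [f.line for f in findings if f.verdict in ("dialer", "orphan", "reset")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:7} {f.kind:4} {f.note}")
```

Running it over the constructed sample prints one verdict per recognised line; the `fix_list` output is the set you would tick before pressing *fix checked*. Anything marked `review` is deliberately left to a human, which matches the thread: an O16 control is only "harmful" once you know what the host serves.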
Newbie
Great to hear the dialer's gone, thanks a lot! ahah.gif

And thanks for the link too. I decided to browse around the forum a little and found this thread about Trojans, which details trojans and is generous enough to offer some trial / freeware trojan-killer links, which I'm testing now.

ATM I've tested a few, all clear so far, just waiting for The Cleaner to finish its thorough scan; by that I mean it takes a good while to scan your system.

But with the 30-day trial version of Trojan Hunter it seems to freeze about 10 mins in on Full Scan, and before it does it tells me there's a suspicious, possible trojan in:

C:\windows\system32\xmforget.exe

^ which results in virtually nothing on Google, except a foreign site which refuses to translate. :huh:

Sorry to bombard you with questions, but would it be OK to delete any folders in my Temporary Internet Files folder?
CalamityJane
QUOTE (Newbie @ Mar 12 2004, 07:56 AM)
I noticed a process in the Windows task manager which was called cclgview.exe, after punching it into google, I found out its a rather unpleasant virus that attempts to delete some Windows files so I ended the process.

I didn't read real closely your reference to the above, however, it appears you have mistaken Common Client Log Viewer (cclgview.exe) for a trojan or virus, which is not the case. The Sophos link you listed there shows the processes of the WM97/Ortant-A, in which, if you read carefully, it does not create the cclgview.exe file - the virus attempts to delete it to hide itself from your AV. You did not have that virus and cclgview is a legitimate application and part of your Norton Antivirus program.

The downloader trojan could be anything looking at Symantec's vague description. It may well have been part of a spyware program already removed by one of the other programs as well. Since they have detected it, it should have removed all of it since it has had detection for it for a while.

As for what you have found with Trojan Hunter, it says it is only suspicious, meaning you should look at the file carefully. Many times it is saying to you, for instance, only that it is packed with a packer that trojans often use - but so are many legitimate applications. Posting more details of what Trojan Hunter has said might help determine what it is reporting to you. If you are still in doubt as to what it is, it would be best to submit it to Trojan Hunter for analysis (submit the file in a password-protected zip attachment by email):
submit@trojanhunter.com
Newbie
Wow, that pretty much covers everything. :)

Thanks for being so helpful, I haven't had a single NAV warning of a virus/trojan since, and even removed a nasty dialler (eternal gratitude to CalamityJane BTW!). ahah.gif

One last thing though, can I delete the contents of my "...\Temporary Internet Files" folder?

Again, thanks so much! Great forum.
CalamityJane
Ooooh, Yes, sorry - you can clean out your TIF files and your TEMP folder too!

Why not give this little free program a try (written by a GSF member here, WYBaugh) :thumb:

Here is the thread - It's called CleanCache
http://forum.gladiator-antivirus.com/index...showtopic=10565

And here is his site
http://www.buttuglysoftware.com/

Clean Cache 2.0

And download for the software
http://www.majorgeeks.com/download4122.html

Let us know how it works flowerz.gif
Newbie
Great, I'll delete the contents of the TIF folder without fear of something happening. Should I delete the ...\Temporary Internet Files\Content.IE5\*other folders*? Should I delete whatever's in the Content.IE5 folder or just its contents? As I'm using IE6.

As for the CleanCache, believe it or not, I actually stumbled upon it earlier while having a poke round the forum. :lol:

Unfortunately, once I installed it I got this error when I tried to run it:



I wouldn't be surprised if my PC simply has a faulty registry or something, I will probably run RedClean and have another go. Just letting you know.
Hunter
Hi Newbie,

Bill is the author of CleanCache ....so I will help you..

The error you are receiving is due to CleanCache requiring Microsoft's .NET Framework 1.1 to run (it's written in C#.NET).

If you would like to download the framework, please follow this link:

http://msdn.microsoft.com/netframework/tec...et/default.aspx


Thanks for trying out his program! it works great !
Newbie
Hi Hunter,

I d/l'ed and installed the .NET Framework SDK 1.1. Strangely, I had to tweak some options to install it, then reinstall it to select the other options. :huh:

The CleanCache still showed the error message, so I checked back with the SDK 1.1 and it informed me I needed something like Microsoft Visual J# .NET on top of the SDK 1.1.

And unfortunately I still get the error message after d/l'ing the Visual J# software. IIRC that pointed me to somewhere else for some patch or something, but I couldn't find it.

It's more than likely my PC just wants to be awkward. I guess if it's OK to do so, I will just delete the contents of my TIF folder manually, though if you have any more suggestions on how to fix this problem, I'm all ears.

Stupid PC.... :lol:
WYBaugh
Hey Newbie and Hunter,

I think the problem is that you downloaded the Software Development Kit rather than just the framework. You should be able to download the framework through Windows Update. I direct everyone to the Microsoft site so that they can make sure they know how to get the framework, but I can see where it's confusing with so many download links.

Uninstall the SDK then install the framework through Windows Update...this should solve the problem.

Thanks,

Bill
Newbie
Hi WYBaugh,

You hit the nail on the head, I d/l'ed the wrong thing.... though in my defence they do sound ridiculously similar. :lol:

I'm just giving CleanCache a whirl for the 1st time right now, looks very sophisticated stuff IMO, with a welcoming interface.

Thanks everyone at Gladiator Security Forums! :)

Edit: After using 'Run Complete Cleanup', why is it that I now have to select my user account every time I reboot my PC? Before it would always log me on regardless. Still a great piece of software though! ahah.gif
Hunter
Go easy where you put all those checkmarks on each tab... :lol: you will be cleaning that PC in places you never knew existed. Find out what each one does first.

If you default clean you could end up forgetting all those passwords and user names.
Newbie
Point taken, I made sure I never cleaned any cookies, I prefer to do that manually anyway. :)

I don't suppose you know why I have to log in every time I reboot my PC now, do you? Or what I need to do to make the current user account the default, auto-loaded one? I took a look around Control Panel > User Accounts, but couldn't find what I was after.

Edit: Hunter I replied to your PM, but I'm not sure if it got through as my IE went down during the transfer, anyway I removed the avatar.