Norton anti-virus can't remove Download.Trojan

RedFox

I have been running NAV on an installation of
Win2k, now with SP4, for almost two years. I cannot
remember installing WMP and I was not interested
in it. Meantime I ran NAV at least every week on
the drive.

A couple of weeks ago I was surprised to see
Windows Media Player in the C:\program files
folder. I clicked on the folder for some reason
and NAV popped up a message Virus Alert - object
name C:\prog files\Windows Media Player\wmplayer.exe.
Virus name: Download.Trojan. It indicated that the virus
was automatically deleted.

Curiously there was no wmplayer.exe but there was
a mplayer2.exe and 4 other files: 3 dlls and a
logagent.exe. In the past few months there were
several attempts by mplayer2.exe to access the
Internet but Zonealarm blocked it. At that time I
didn't know where this program was. At one time I
noticed it in the control panel and I removed it.
Mplayer2.exe has a file version 6.4.9.1109

Today I clicked on that folder again and the NAV
virus alert popped again with the same message as
before. I then tried to delete the files but
within ten seconds they were back. I renamed a
few but very soon the original files were back.
Now I know that windows 2k has an auto mechanism
that replaces system files if they are deleted, but
these are not system files and I suspect that
there is a virus there.

I used NAV to quarantine the two .exe files but
I doubt that will do any good.

I have been an NAV subscriber for two years and,
the first time I need to contact them, I see that they charge
$30 or $3 a minute. Does the competition have these kinds
of charges? I would think subscribers should at least have
one or two free incidents per year.

I went to the Norton Support - KB and searched. Here's what I got:
-------------------------------------------------
Results for: +download.trojan


No results were found for your search.
Try changing some of the words in your query.

------------------------------------------------
Is this *company* real?

TIA

RF
 
null

I have been running NAV on an installation of
Win2k, now with SP4, for almost two years. I cannot
remember installing WMP and I was not interested
in it. Meantime I ran NAV at least every week on
the drive.

A couple of weeks ago I was surprised to see
Windows Media Player in the C:\program files
folder. I clicked on the folder for some reason
and NAV popped up a message Virus Alert - object
name C:\prog files\Windows Media Player\wmplayer.exe.
Virus name: Download.Trojan. It indicated that the virus
was automatically deleted.

Curiously there was no wmplayer.exe but there was
a mplayer2.exe and 4 other files: 3 dlls and a
logagent.exe. In the past few months there were
several attempts by mplayer2.exe to access the
Internet but Zonealarm blocked it. At that time I
didn't know where this program was. At one time I
noticed it in the control panel and I removed it.
Mplayer2.exe has a file version 6.4.9.1109

Today I clicked on that folder again and the NAV
virus alert popped again with the same message as
before. I then tried to delete the files but
within ten seconds they were back. I renamed a
few but very soon the original files were back.
Now I know that windows 2k has an auto mechanism
that replaces system files if they are deleted, but
these are not system files and I suspect that
there is a virus there.

I used NAV to quarantine the two .exe files but
I doubt that will do any good.

<snip>

The newsgroups and forums seem to be almost flooded recently with
similar reports. I'm certainly not clear on what's going on but it seems
that NAV might be false alarming on some WMP file, for one thing. Some
have reported that updating WMP fixed the problem. However, they
sometimes have found some actual Trojan as well, and had it removed by
some on-line antivirus service (in addition to updating WMP or maybe
dumping it).

You might want to try the Sys-Up download from my web site. Run
Trend's Sysclean in Safe mode.


Art
http://www.epix.net/~artnpeg
 
Randroid Terminator

..
..I went to the Norton Support - KB and searched. Here's what I got:
..-------------------------------------------------
.. Results for: +download.trojan
..
..
..No results were found for your search.
..Try changing some of the words in your query.
..
..------------------------------------------------
..Is this *company* real?

Google brought up the Norton page you're looking for as the very first
hit:
http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.html

--

http://web.newsguy.com/commonsense/intro.html#2cherry-skirvin
"They were playing to an anti-intellectual mob,
and the better educated people online were
usually the ones targeted. Anti-intellectualism
is as much a form of bigotry as is anything else,
and as anybody who has ever had to deal with
bigotry knows firsthand, you can't win with a
bigot. He remembers what he wants to remember,
and is consumed with contemptuous rage when you
remind him of the rest."

--

http://web.newsguy.com/commonsense/cherryintro.html
"In an argument between somebody who is a relative
jerk and somebody who is reasonable, the jerk is
having fun. That's what makes him a jerk."

"The existence of the mail function in Usenet was billed as a
"corrective measure" for this problem. It turned out to be exactly the
opposite. It was a failure, because, like Usenet in general, it was
designed for use by human beings without human nature being taken into
account in its design." (A lot like Marxism, and
Libertarianism...)
 
Randroid Terminator

..I went to the Norton Support - KB and searched. Here's what I got:
..-------------------------------------------------
.. Results for: +download.trojan
..
..
..No results were found for your search.
..Try changing some of the words in your query.
..
..------------------------------------------------
..Is this *company* real?

Yes, it is. Also, I went to Symantec's search page at
http://www.symantec.com/search/
put in 'download.trojan,' and came up with the page you wanted on the
very first hit.

 
Jim Tedder

Hi Mate,
--snip--
Curiously there was no wmplayer.exe but there was
a mplayer2.exe and 4 other files: 3 dlls and a
logagent.exe. In the past few months there were
several attempts by mplayer2.exe to access the
Internet but Zonealarm blocked it. At that time I
didn't know where this program was. At one time I
noticed it in the control panel and I removed it.
Mplayer2.exe has a file version 6.4.9.1109

Today I clicked on that folder again and the NAV
virus alert popped again with the same message as
before. I then tried to delete the files but
within ten seconds they were back. I renamed a
few but very soon the original files were back.
Now I know that windows 2k has an auto mechanism
that replaces system files if they are deleted, but
these are not system files and I suspect that
there is a virus there.

It's possible that the reason they keep coming back is that they are running
in the background all the time and as soon as you delete them they simply
copy themselves back. I have had similar problems with spyware that Ad-aware
gets rid of but if you run it again immediately it finds the same items
again. You need to do a Ctrl/Alt/Delete and check to see if any of the
programs you list are running; if so, close them down and then delete the
files.
Not sure if this is the problem but it is worth a try mate.

--
LLAP Jim

Why not visit us at

http:\www.the-bear-necessities.org.uk
 
RedFox

Thanks RT.

That reminds me of the days when I was learning Windows and spent hours
searching the MS web site, only to fail more often than not. Then I found
Google a far better source.

I followed the Symantec instructions and did the scan in Safe Mode - but
found nothing.

RF
 
RedFox

Jim Tedder said:
Hi Mate,
--snip--
It's possible that the reason they keep coming back is that they are running
in the background all the time and as soon as you delete them they simply
copy themselves back. I have had similar problems with spyware that Ad-aware
gets rid of but if you run it again immediately it finds the same items
again. You need to do a Ctrl/Alt/Delete and check to see if any of the
programs you list are running; if so, close them down and then delete the
files.
Not sure if this is the problem but it is worth a try mate.

Hello Jim and a big thanks for your effort.

I had searched numerous times for suspicious running progs but never found
any.

The "windows media player" folder was written like that which suggests to me
that this folder was not a MS installation - it would have been Windows
Media Player. On a few occasions when I was using Windows Explorer (WE) and
I touched the folder name or one of the files in it with the mouse, the
computer crashed (shut down instantly). I could never remove either the
files or the folder - they came right back. Then I tried the freebie
ExplorerXP and yesterday I managed to delete the folder and all the files.
Then I went into the registry and deleted all the mplayer2 entries - almost
all of them in HKEY_CURRENT_USER - tons of them there.

I rebooted and the folder "windows media player" was back again but empty. I
searched the registry and found that the mplayer2 entries were not there. I
tried to delete the folder with WE and ExplorerXP and neither can delete it.
I get the MS "Cannot delete windows media player: There is a sharing
violation. The source or destination file may be in use." I changed the
permissions on it to give me full control but it didn't help to delete it.

Clearly there is still something wrong.

RF

Art - thanks for your suggestion and the prog. Will try that soon.
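
Added example (not part of any poster's message, and not code from the thread): one way to do the running-program check Jim Tedder describes and the autostart check behind RedFox's registry clean-up, offline from exported listings. It flags processes and Run-key entries whose executable lies under the folder that keeps repopulating; the listings, process names, environment values and function names are constructed or hypothetical.

```python
import csv, io, ntpath, re

SUSPECT_DIR = r"C:\Program Files\Windows Media Player"  # folder from the thread

# Constructed sample exports (assumptions, not data from the thread).
PROCESSES = r"""Name,ProcessId,ExecutablePath
explorer.exe,1204,C:\WINNT\explorer.exe
helper.exe,1688,c:\program files\windows media player\helper.exe
agent.exe,1720,C:\PROGRA~1\SOMEAP~1\agent.exe
"""
RUN_VALUES = {  # Run-key value name -> command line
    "MediaHelper": r'"%ProgramFiles%\Windows Media Player\helper.exe" /background',
    "Tray": r"C:\WINNT\system32\tray.exe -s",
}
ENV = {"programfiles": r"C:\Program Files"}  # assumed environment

def image_path(cmdline, env=ENV):
    """Extract the executable path from a command line, normalized for comparison."""
    text = re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), cmdline).strip()
    if text.startswith('"'):                      # quoted path, arguments follow
        path = text[1:].split('"', 1)[0]
    else:                                         # unquoted: cut after the extension
        m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", text, re.I)
        path = m.group(1) if m else text
    return ntpath.normcase(ntpath.normpath(path))

def under(path, folder):
    """True if a normalized path is the folder itself or lies inside it."""
    folder = ntpath.normcase(ntpath.normpath(folder))
    return path == folder or path.startswith(folder + "\\")

def classify(cmdline, folder=SUSPECT_DIR):
    path = image_path(cmdline)
    if under(path, folder):
        return "match"
    # 8.3 aliases (PROGRA~1) cannot be resolved offline: flag for a manual check.
    return "short-name" if re.search(r"~\d", path) else None

def triage(process_csv=PROCESSES, run_values=RUN_VALUES):
    hits = []
    for row in csv.DictReader(io.StringIO(process_csv)):
        verdict = classify(row["ExecutablePath"])
        if verdict:
            hits.append(("process", row["Name"], verdict))
    hits += [("autostart", n, v) for n, c in run_values.items() if (v := classify(c))]
    return hits
```

The comparison is case-insensitive, so a folder written "windows media player" and one written "Windows Media Player" are treated as the same location.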
 
Randroid Terminator

..
..Thanks RT.
..
..That reminds me of the days when I was learning Windows and spent hours
..searching the MS web site, only to fail more often than not. Then I found
..Google a far better source.

Maybe. But a few minutes later I searched with the Symantec search
engine and found the same link, and also posted that result the same
day.

Sorry about your problems; if you could send me your pc I would fix it
up for you, but I sincerely doubt that will happen.

 
