Can't get rid of "downloader" virus

Lanton

Distinguished
Jul 30, 2006
A couple of days ago NIS (Norton Internet Security - fully updated) warned me that it had detected the infamous "downloader" virus on my pc. It said that it couldn't remove the virus. As soon as the warning popped up, the NIS icons vanished from the windows tray (XP, with all the updates) and I had to manually restart the machine.

When XP loaded, I did an NAV scan (the pc was noticeably slow now), but it didn't find any viruses. So I formatted the primary hard-drive, installed a fresh copy of XP and was in the middle of installing updates for XP and other programs (quicktime, photoshop etc.) when the same bloody message popped up. So, I thought maybe the virus had got onto the secondary hard-drive just after it infected the primary - and so even though I'd formatted the primary HD, the virus (residing on the secondary HD) had infected the primary HD.

So I formatted both HDs and installed XP again - lo and fkn behold, NIS tells me that the virus is still on the primary HD (again, the pc was noticeably slow).

What have I got to do to get rid of this bloody virus (short of nuking the HD)?

Any help/advice'd be much appreciated.
 

PCcashCow

Distinguished
Jun 19, 2002
Have you tried another format utility other than XP's? I can see the virus engineering itself within the hidden (8mb) partition XP creates in order to complete the install. Try to use a zero fill and another format utility and also verify your bios is not dirty.
 

misry

Distinguished
Aug 11, 2006
A couple of days ago NIS (Norton Internet Security - fully updated) warned me that it had detected the infamous "downloader" virus on my pc.

Could you be a bit more specific? Downloaders are an entire class of Trojans.

Lose Norton and scan/clean with the free AntiVir or avast! packages.
 

ZozZoz

Distinguished
Dec 7, 2006
Your computer was connected to the network during the reinstall, wasn't it?
I had some stuff like that infect my PC even before Windows completed installation. )) Do all the installations with the cable unplugged.

Try booting in safe mode (that way most autorun services/apps don't start); chances are the trojan won't start either.
Track down all the files created in that period of time when you think the downloader appeared and that look suspicious, and delete them. They'd be in the \windows\system32\ folder and C:\windows. If they're DLLs and EXEs, right-click 'em to see the version/publisher; if it's not Microsoft, kill them.
Run msconfig to check for weird apps in the startup. Uncheck if needed.

If you're successful, you won't even need Norton's questionable protection tools )).
 

bourgeoisdude

Distinguished
Dec 15, 2005
A couple of days ago NIS (Norton Internet Security - fully updated) warned me that it had detected the infamous "downloader" virus on my pc. It said that it couldn't remove the virus. As soon as the warning popped up, the NIS icons vanished from the windows tray (XP, with all the updates) and I had to manually restart the machine.

When XP loaded, I did an NAV scan (the pc was noticeably slow now), but it didn't find any viruses. So I formatted the primary hard-drive, installed a fresh copy of XP and was in the middle of installing updates for XP and other programs (quicktime, photoshop etc.) when the same bloody message popped up. So, I thought maybe the virus had got onto the secondary hard-drive just after it infected the primary - and so even though i'd formatted the primary HD, the virus (residing on the secondary HD) had infected the primary HD.

So I formatted both HDs and installed XP again - low and fkn behold, NIS tells me that the virus is still on the primary HD (again, the pc was noticeably slow).

What have I got to do to get rid of this bloody virus (short of nuking the HD)?

Any help/advice'd be much appreciated.

Honestly, downloader trojans are quite near impossible to remove. Everyone here may disagree with me, but I have dealt with all types of viruses, and they are 100% different today than they were just two years ago.

First, disconnect your internet, and restart windows in safe mode (restart and tap F8 when it is booting then choose "Safe Mode" from the advanced startup options). Now open My Computer and check your "Folder Options" (from Tools menu in Windows XP) and ensure under the "View" tab that "Show hidden files and folders" is checked, and uncheck "Hide extensions for known file types" and "Hide protected Operating System files (recommended)". Click yes that you are sure about that one--viruses love to hide themselves in every way possible, so we must find every last one of them in addition to the downloader, otherwise one will call upon all the others and you'll have done all of this for nothing.

Next, what you have to do, and be extremely careful when you do this, is determine WHEN you obtained the virus. Now search your windows\system32 folder (or winnt\system32) and find every file that was added/changed within TWO minutes of each other. It helps to arrange items by date so you can easily sort out the baddies. These files would usually have no "version" tab if you checked their properties, or if they did, it would be blank or garbage.

Rename these files and move them to another folder (do not delete them OR put them in recycle bin). Next, check your user temp folder. This should look something like C:\Documents and settings\(username)\Local Settings\Temp. Once there, delete all data from this folder, and remove it from recycle bin as well.

Almost done. Now look in your windows folder (usually C:\Windows or C:\winnt) and look for the "Prefetch" folder. Delete everything in it (this folder is usually fine but can be recreated automatically upon restart, except this time without the viruses possibly sneaking back in).

Finally, go to system properties (from control panel or right click my computer and left click properties) and look at the System Restore tab. Disable system restore completely. After the hourglass goes away, turn it back on. This will make System Restore delete all previous data, but the viruses were in there as well.

Remember, if you miss any one of these steps, it is possible that EVERYTHING will return. These downloader trojans are Bitc^es, so you have to eradicate every last piece of them and their downloaded buddies too. Msconfig is good to use if you are familiar with processes, but not required because it doesn't matter as long as the processes do not exist on your PC. If you don't use msconfig, you may get some errors upon restart. That's fine. Just run a registry cleaner utility and it'll fix it.

Restart your PC WITH YOUR INTERNET STILL UNPLUGGED. Let it boot normally (not safe mode). Run some apps, see how your PC works. If you suspect the virus is still lurking around, then we have the worst kind of virus--the polymorphic kind. Here's how you outsmart it:

1. Restart in safe mode WITH command prompt.
2. When you get the DOS menu, hold ctrl+alt+del once and check task manager's processes tab.

Ensure that show processes from all users is checked, and look for problematic processes. The following processes are the names of valid system file processes: svchost.exe, lsass.exe, smss.exe, csrss.exe, winlogon.exe, System, System Idle Process, cmd.exe/command.com, and taskmgr.exe. If explorer.exe is running (note this only applies to safe mode command prompt), our virus is the most clever type. Any other processes are probably bad. End them and see if they return. If they do, you have a valid system file that is infected. If this is the case or explorer.exe is running, continue on. Otherwise, you should be okay.

Very dangerous stuff here, do not restart your PC until you know the file copied--the one we're fixing to deal with. Alright, in the DOS screen, type cd\windows. Next, type del explorer.exe. If you get an "access denied" message, type attrib -r -s -h explorer.exe, press enter, then retype the del explorer.exe and press enter. Our infected system file is now gone--however, this is a critical system file so we need a clean copy of it back on your C:\Windows again.

Alright, now we need to copy the file back from the C:\Windows\ServicePackFiles\i386 folder. In the DOS prompt, type cd\Windows\Servic~1\i386 and press enter. Now, type copy explorer.exe C:\Windows and press enter. Okay, pull task manager back up (ctrl+alt+del) and end any tasks that are not on that list above. REMEMBER THIS ONLY APPLIES TO SAFE MODE COMMAND PROMPT, other processes are needed within windows in normal mode. Finally, we should be okay. Exit task manager, and in the command prompt type exit and press enter, and/or restart your PC. Now you should be fine.

This is the only method I have used that works 99.9% of the time, all other methods, as well as EVERY SINGLE ANTIVIRUS out there, fail at removing pre-existing downloader trojans. If you fit the (less than) 0.1% category, rootkits are involved. There I have very little advice for you, because the OS itself will hide everything malicious no matter what you do. Try a rootkit remover if you want, but they have the same problems that antiviruses do--reactive updates rather than proactive ones. I'd backup data and format if that happened, though I have yet to see this situation of the hundreds of PCs I've worked on...

Sadly, no antivirus program is able to remove every trace of the virus, they all leave something behind it seems. I use a free antivirus app, but only to alert me if it detects a virus in which case I will remove it myself anyway.
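The file-triage step that ZozZoz and bourgeoisdude describe above (sort system32 by date, look for a batch of files written within two minutes of each other, then check each one's version/publisher info) written out as a small script. This is an added example, not code from anyone in the thread; the directory listing below is constructed, and a real run would pass `scan_directory` a `company_of` reader such as pywin32's `win32api.GetFileVersionInfo`. It also shows the heuristic's blind spot: a file in the same batch with a forged Microsoft CompanyName is not flagged, so the output is a review list, not a delete list.

```python
from __future__ import annotations
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class FileRecord:
    path: str
    mtime: datetime
    company: str | None  # CompanyName from the PE version resource; None if absent or unreadable

def cluster_by_mtime(records, window: timedelta) -> list[list[FileRecord]]:
    """Sort by modification time and chain files whose write times lie within `window` of each other."""
    clusters: list[list[FileRecord]] = []
    for rec in sorted(records, key=lambda r: r.mtime):
        if clusters and rec.mtime - clusters[-1][-1].mtime <= window:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters

def flag_suspicious(records, window: timedelta = timedelta(minutes=2), min_batch: int = 2) -> list[str]:
    """Paths written in a batch of >= min_batch files that carry no Microsoft publisher string.
    A forged 'Microsoft Corporation' CompanyName in the same batch is deliberately not caught."""
    flagged: list[str] = []
    for batch in cluster_by_mtime(records, window):
        if len(batch) < min_batch:
            continue  # a lone write is normal churn (updates, logs), not a drop batch
        for rec in batch:
            if rec.company is None or "microsoft" not in rec.company.lower():
                flagged.append(rec.path)
    return flagged

def scan_directory(directory: str, company_of, exts=(".exe", ".dll")) -> list[FileRecord]:
    """Build records from a real folder; company_of(path) must read the version resource
    (e.g. pywin32's win32api.GetFileVersionInfo on Windows) and return CompanyName or None."""
    out: list[FileRecord] = []
    with os.scandir(directory) as entries:
        for e in entries:
            if e.is_file() and e.name.lower().endswith(exts):
                out.append(FileRecord(e.path, datetime.fromtimestamp(e.stat().st_mtime), company_of(e.path)))
    return out

# Constructed stand-in for a system32 listing (hypothetical file names, not real indicators).
T0 = datetime(2007, 1, 10, 14, 30, 0)
SAMPLE = [
    FileRecord(r"C:\Windows\system32\ntdll.dll", T0 - timedelta(days=40), "Microsoft Corporation"),
    FileRecord(r"C:\Windows\system32\msupd32.exe", T0, None),                          # no version tab
    FileRecord(r"C:\Windows\system32\winsys.dll", T0 + timedelta(seconds=45), "xXx"),  # garbage publisher
    FileRecord(r"C:\Windows\system32\svcpatch.dll", T0 + timedelta(seconds=100), "Microsoft Corporation"),
]
```

Calling `flag_suspicious(SAMPLE)` returns the two files with missing or garbage publisher info from the 100-second write batch; the forged-looking `svcpatch.dll` in the same batch passes, which is why the files should be moved aside and checked rather than deleted on sight.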
 

misry

Distinguished
Aug 11, 2006
Honestly, downloader trojans are quite near impossible to remove. Everyone here may disagree with me, but I have dealt with all types of viruses, and they are 100% different today than they were just two years ago.

Dude, I remove rootkits, remotely, daily. If you can't clean it what are you doing in third tier?

I *hate* Regionals and their thing for pron on the laptop.
 

insightdriver

Distinguished
Nov 28, 2006
The OP states he reformatted both his drives. He still gets the pop up. At this point I think the boot sector is where it resides. In this case, since the OP has already wiped things, it would be better to go ahead and delete the partitions on both drives, re-partition, then let Windows format and install. No worm, virus or root-kit I am aware of can survive a partition delete.

Other things that can be overlooked. If you have a USB thumb drive connected to your computer, the virus could be on it and it reinstalls itself as soon as the thumb drive is initialized by the BIOS.

Definitely do your install with no network connected. From long-standing practice, when I get a new motherboard I download all the drivers and utilities for the motherboard onto a CD. I also burn a CD with updates for programs I am going to install, drivers for my hardware and another group of CDs with files I've backed up. I also slip-streamed an XP SP1 OEM disc to make an XP SP2 disc. Also burn the most current virus definitions for your anti-virus software onto CD. With all these tools you can reformat and reinstall everything you want and update it without having any connection to the internet. Only when you are up and running and have your anti-virus working is it safe enough to then connect to the internet again.

I haven't looked at the numbers in a while, but I recall that last time I looked 90% of the time it was something a user installed/downloaded that infected the machine. Internet snooping bots can't infect a machine without some kind of user intervention if you are running a firewall and anti-virus. Think about this: the reason we also need anti-adware is due to our surfing habits. Be careful when you are on the internet. What has saved my bacon more than once is allowing Windows Restore to use ten percent of my drive space for restore points. I did get a persistent root-kit type of virus a while ago. I restored to a day before I accidentally clicked OK on a dialog box when I should simply have closed it. Months later, with a new anti-virus and firewall suite I'm convinced restore saved my bacon.
 

Lanton

Distinguished
Jul 30, 2006
The OP states he reformatted both his drives. He still gets the pop up. At this point I think the boot sector is where it resides. In this case, since the OP has already wiped things, it would be better to go ahead and delete the partitions on both drives, re-partition, then let Windows format and install. No worm, virus or root-kit I am aware of can survive a partition delete.

I've done that too - deleted the partitions on both HDs, formatted both HDs and installed a fresh copy of XP on the primary HD.
 
as said above....make sure you erase that drive good....use fdisk to blow that sucker away....

and make sure your software is all legit....more and more cracked stuff is coming with bad stuff (Photoshop is a big one).....

better off buying it than putting up with the viruses....not saying yours is not legit....just making sure...
 

insightdriver

Distinguished
Nov 28, 2006
I've done that too - deleted the partitions on both HDs, formatted both HDs and installed a fresh copy of XP on the primary HD.

What method did you use to reformat your discs? Did you use your XP disc and run diskpart.exe? When you delete all partitions on a hard disc using a boot disc (either a CD/floppy or bootable flash disc) you are eradicating even the boot sector of the disc. No virus can survive that.

If you still get it then one of the media you use to install things has the virus on it.
 

sandmanwn

Distinguished
Dec 1, 2006
Possible, but most false positives are identified as Bloodhound under Norton's, so I would agree with Nukemaster. Cracked software of some kind or another machine is infected on his network and is infecting his machine before he can get his antivirus installed and up to date.

Disconnect network cable.
Delete Partition
Low Level Format
Install OS
Install Antivirus.
You can predownload virus updates for Norton's at www.sarc.com and install them before you reconnect to your local network.
 

jnv11

Distinguished
Jul 19, 2005
Actually, low level formats should only be done at the hard disk factory because bad low level formats will destroy a disk's performance. Instead, to make sure that you blow away the virus, destroy the partition, and then create a new partition, and then format it. If the hard disk had an overlay due to an old BIOS not understanding geometry translation, LBA translation, and/or 48-bit LBA, get a BIOS upgrade to make the overlay unnecessary and then use the hard disk manufacturer's formatter to format the disk to remove the overlay. If you know what file is infected, please send it to Symantec, so that the rest of us will get protected from it. You probably will need to know the address of your outgoing email (SMTP) server to do so because Symantec's Scan and Deliver uses email to send suspected viruses to Symantec. Also, scan your backup files for viruses before restoring them.

I am speaking from experience here because I once dealt with trying to reinstall an OS on a disk with an overlay and because I once had a Trojan dropper that Symantec did not know about. I submitted it to Symantec, and it had so much previously unknown malware in it that Symantec took a couple of weeks to respond to my submission with an email that stated that it had developed definitions for all of the malware contained in it. I also got reinfected by one piece of malware that had accidentally been backed up while preparing to reformat my disk due to the Trojan dropper, and then my antivirus software had to get rid of it after I restored the backup.