Solved

Trojan.download detected but can't be removed

Posted on 2003-11-20
Last Modified: 2013-11-16
I have Norton system works with the latest virus list available (11/19/03)
Lately I have been getting an error message from Norton telling me it has found a trojan.download virus.

So far it has given me two different paths:
c:\windows\system\sleep.exe       and
c:\documents & settings\jms\local settings\...\apdl[1].exe

When I follow Norton's recommended solution to removing the virus it does not find anything. I have turned off system restore and started up in Safe mode -- I have even scanned the exact files -- but it does not find anything.
I have also downloaded trojan remover and hijack this -- neither of these programs finds anything.

Could someone please shed some light on this -- as I know I must have something (not to mention all the popups that appear when starting the internet).
0
Comment
Question by:jsnyn
13 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9789504
0
 

Author Comment

by:jsnyn
ID: 9789841
yes - those are the directions i have followed. problem is norton does not find anything -- even though when i start ie, norton will occasionally give me an error message telling me that i have the trojan.download virus detected but it could not repair the file.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9789910
see if HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32 exists in the registry and delete it if it does
0
 

Author Comment

by:jsnyn
ID: 9789970
thanks for the help chicagoan - but i do not find that file in the registry
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9790052
tried deleting rather than repairing?
0
 

Author Comment

by:jsnyn
ID: 9790178
Well - i thought about deleting the sleep.exe file - but wasn't sure if that was an important file -- do you know?
0

 
LVL 13

Expert Comment

by:WillHudson
ID: 9795620
Sleep.exe allows your PC to go into standby mode. It's not part of Windows, so it's safe to delete it.
Apdl[1].exe looks really suspicious - this is definitely not part of Windows.

After checking, APDL is an Automatic Porn DownLoader program - so I would delete this also.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9796478
If an executable file's been inserted by the malware, you can't repair it.
You can repair data files usually... .doc, .xls, etc.
You can always rename a suspicious file until you've had an opportunity to compare it to a known copy.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 9800916
Consider also scanning registry for those names, but look in the keys for running at startup. Delete any in task manager before HD and rebooting. Worst case, revert to prior registry configuration, or simply reinstall the OS, for that often takes less time than debugging unless you want to get into forensics. Don't forget to grab also a personal firewall like Sygate or ZoneAlarm that can block and quickly identify the activity of these "auto" background wares, which can get you a better idea of where they came from in the first place. I think Sleep pgm is downloadable, if you want to check that.
0
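The startup-key check suggested in the comment above, as an added example that is not part of the original thread: a read-only PowerShell sketch that lists autostart entries referencing the two file names from the question. The function name `Find-StartupReference` is hypothetical; the Run and RunOnce keys are the standard Windows autostart locations, and the search names are taken from the paths Norton reported.

```powershell
# Added example, not from the thread. Read-only: it reports matches and changes nothing.

# Names taken from the two paths Norton reported in the question.
# 'apdl' is used without the '[1]' suffix because brackets are wildcards for -like.
$suspectNames = @('sleep.exe', 'apdl')

# Standard per-machine and per-user autostart keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: returns one object per autostart value whose name or
# data mentions any of the given file names.
function Find-StartupReference {
    param(
        [string[]]$Keys,
        [string[]]$Names
    )
    foreach ($path in $Keys) {
        # A key may not exist on every system; skip it quietly.
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            foreach ($n in $Names) {
                if ($data -like "*$n*" -or $valueName -like "*$n*") {
                    [pscustomobject]@{
                        Key     = $path
                        Value   = $valueName
                        Data    = $data
                        Matched = $n
                    }
                }
            }
        }
    }
}

Find-StartupReference -Keys $runKeys -Names $suspectNames | Format-List
```

An empty result only means neither name is launched from these four keys; it does not rule out other autostart locations.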
 

Expert Comment

by:Zam-Buk
ID: 9829480
Delete the APDL and overwrite the sleep.exe with a fresh copy.
Reinstall your spyware/trojan remover and update them.
You may want to enable OS (eg:XP) firewall too other than external firewall programs.
End some of your suspicious system processes especially if they do not belong to system.

As for pop ups, personally I use pop-up stopper to block it. It's free =)
http://www.panicware.com/process_download.html?prdid=PSFREE
0
 
LVL 6

Expert Comment

by:dorkestra
ID: 9835339
Another thing you might try is booting the pc to dos and manually deleting those files....If you find them there.  If you get an access denied message trying to do that it's likely that the virus files are read only (many viruses are) and you can take care of that using the attrib command ex.

attrib -r apdl[1].exe

then

del apdl[1].exe
0
 

Expert Comment

by:khofer
ID: 9841923
try this software, it's really good.. and free
http://www.safer-networking.org/
0
 

Accepted Solution

by:
cdhill earned 125 total points
ID: 9949965
This may be overly simplistic, but have you looked in your quarantine?  I have found that Symantec AV puts things safely into quarantine but will continue to give you warnings until you deal with the quarantined item.  Searching for the item in the path given is always fruitless, and some have mistaken these warnings for false positives because of it.  Unfortunately the warning doesn't actually say that the item is in the quarantine.  You may have already done this, but if not it might be worth the 20 seconds it takes.
0
