
Have virus ied_s7_c_7.exe Download Trojan PLS HELP

Discussion in 'Virus and Malware Removal' started by tigerlily, Jul 1, 2005.

  1. tigerlily Newcomer, in training

    Hey there

    First time I post on any kind of tech forum on the Net. I am in need of some assistance in the cold North. My Norton AV (downloaded today) tells me I have the virus ied_s7_c_7.exe Download Trojan on my machine. It also says it can't isolate it or delete it... What now?

    I also had problems with a 540 filost opening a site called oldgames and various porn sites without me opening explorer at all. (This was the reason for me downloading and installing NAV anyway. )

    Are the two connected in some way? I have read all I could find about these things, and I am very confused. What should I do?
    How do I get rid of this ****? I am from Norway btw so if my English is bad sometimes, please be patient with me.

    My computer is running Win XP Pro

    Scared and confused
    :confused:
  2. tigerlily Newcomer, in training

    oops sorry

    I am sorry, I was shouting.. Please forgive my manners... Just desperate..
  3. Rickster Newcomer, in training

  4. IronDuke Newcomer, in training Posts: 1,267

    Welcome to Techspot Tigerlily

    Slight mistake there from Rick. He gave the same link twice.

    How to post your HJT log

    If you haven't paid for Norton.

    Get AVG free version from here.
  5. tigerlily Newcomer, in training

    My hjt log in txt format

    Thank you for your welcomes, guys.

    I have run a HJT, and here is my log file - in .txt as requested.
    I would be very happy if you could check it out and see what's wrong. And let me know what to do next.

    :bounce:
  6. RealBlackStuff Newcomer, in training Posts: 8,165

    When you are finished with this, you really should install at least SP1, better would be SP2.
    Get SP2 free from MS on a CD or ask a friend for his/her CD.
    Then do all your Windows updates as well. You will remain vulnerable if you don't!

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    update.exe
    ib.exe or ib.com

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe (FIX only)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [ESS_Audio] c:\ib <<== afterwards delete ib.exe or ib.com ==>>
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
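
Added example, not part of any post in this thread: a small Python parser for the HijackThis entry format quoted in the fix list above. It groups lines by section code and picks out O16 (DPF) entries whose install source is a local file:// path rather than a vendor URL; the sample lines are copied from that post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Section codes seen in the fix list above, with their HijackThis meaning.
SECTIONS = {
    "R0": "Internet Explorer start/search page value",
    "R1": "Internet Explorer setting value",
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "extra IE button or Tools menu item",
    "O16": "ActiveX object in Downloaded Program Files (DPF)",
    "O21": "ShellServiceObjectDelayLoad (SSODL) autorun",
}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S.*)$")

# Sample lines copied from the post above (the poster's annotations removed).
SAMPLE = r"""
...................................................................
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ESS_Audio] c:\ib
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
"""

def parse_log(text):
    """Group HJT entries by section code; lines that are not entries are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            groups[m.group(1)].append(m.group(2).strip())
    return groups

def local_dpf_sources(groups):
    """Return (clsid, source) for O16 entries installed from a file:// path."""
    hits = []
    for body in groups.get("O16", []):
        m = DPF.match(body)
        if m and m.group(3).lower().startswith("file://"):
            hits.append((m.group(1), m.group(3)))
    return hits

if __name__ == "__main__":
    groups = parse_log(SAMPLE)
    for code, bodies in groups.items():
        print(code, SECTIONS.get(code, "unknown section"), len(bodies))
    for clsid, source in local_dpf_sources(groups):
        print("review:", clsid, source)
```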
     
  7. tigerlily Newcomer, in training

    have tried to install sp2 earlier but...

    Hi realblackstuff

    Thank you for your quick answer realblackstuff, I appreciate it. I will now try to do what you tell me in the description. Have printed it out.

    You mention SP1 and SP2.. I thought I had SP1, now I am confused.. And SP2 I have downloaded it and tried to install it, but my computer refuses to take it in. Are there more types of SP1's and SP2's??

    Where is the best place to download updates? This site's updates?

    If I don't ask, no one will know I want to learn. Thanks for your patience.
  8. IronDuke Newcomer, in training Posts: 1,267

    There are only SP1 & SP2 (at present). SP2 covers everything that is in SP1.

    Try installing SP2 again after you have cleaned up.

    Upgrades come from all over the place. They are issued by original producers of whatever you're updating. Motherboard drivers & BIOS updates come from their site, as an example.
  9. tigerlily Newcomer, in training

    SP1 and SP2

    I am sorry but someone has given the impression that there are SP's for Internet explorer AND for Windows XP.. Is this correct?
    How do I know what I have?

    I went ahead and tried analyzing the hijack log, and it also says Nasty on a file called vbsys2.dll. What should I do about that? :eek:
  10. IronDuke Newcomer, in training Posts: 1,267

    Sorry tigerlily, I misread your question. SP stands for Service Pack and Micro$oft issues them for many programs. As you understood, there are both Internet Explorer SP1 and Windows XP SP1, as well as others.

    vbsys2.dll is a nasty and should be fixed and then deleted.
  11. RealBlackStuff Newcomer, in training Posts: 8,165

    SP2 includes updates for both XP and IE.
    The other updates I mentioned, you will get when you click on Start/Windows Update, directly from MS website.
    When you go there, an MS-utility will check your PC and find out what is missing, then prepare a list of 'missing' updates for you to install. Easy-peasy.

    Read my HJT advice again, the last 'bad' line is this vbsys2.dll and is bold, for you to delete after you finish HJT.
  12. tigerlily Newcomer, in training

    Now I have tried but...

    Hi again

    I have done things in the order you put them in the list. Some things did not work out:

    1. none of the processes update.exe or ib.exe/ib.com were running, and therefore I could not shut them down in taskmanager.

    2. When I did a search on the computer, it could find neither ib.exe/ib.com (found attrib) nor the wx.cab files, therefore I could not delete them.

    3. There were only old files and folders in the Temp's. I deleted them.

    I have not turned on the system restore again, because I was not sure what to do. Awaiting your reply.

    Thank you for helping me.
  13. IronDuke Newcomer, in training Posts: 1,267

    Post another log so that we can see how well you've done.
  14. tigerlily Newcomer, in training

    my log file

    Here is my new hijack logfile
  15. IronDuke Newcomer, in training Posts: 1,267

    This one has slipped through.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    Otherwise it looks clean to me, although I'm a bit green at interpreting these logs.

    RBS will be around some time to give you an official all clear.
  16. RealBlackStuff Newcomer, in training Posts: 8,165

    Your log is clean. Now please go do some SP1 or SP2 install and Windows-updating.
    Go to www.getfirefox.com and install and use that from now on. IE is only to be used for Windows updates in future.
  17. tigerlily Newcomer, in training

    A lot of updates

    Hi again

    Been to the microsoft page checking for updates.
    There are a LOT of updates, are they all necessary? Should I just go ahead and download them all? Even the ones from before 2002-2003?

    Have installed sp1 for IE now and with that my explorer got upgraded to 6.0.2800.1106

    I am also wondering why my machine says it has 64 MB RAM when it starts up, I am sure it said 128 MB before. I do not know when that happened.
  18. IronDuke Newcomer, in training Posts: 1,267

    Look for MBSA (Micro$oft Baseline Analyser). Run this and at least start with the critical & recommended updates.

    Download Everest Home; this will give lots of information on your machine, including the amount of memory you have installed.
  19. IronDuke Newcomer, in training Posts: 1,267

    An alternative idea is to use Autopatcher. This is a large download (200+MB), but it will bring you up to May 2005 in one go.
  20. tigerlily Newcomer, in training

    what version

    What version of the MBSA should I choose?

    Normally I would think the newest one, the 2.0, but since I am a newbie, I ask you that know about these things.

    Hope I am not too much of a bother to you. I am learning more when you tech guys out there help me. You are all :angel: and I would be :dead: without you.

    Thanks