Have virus ied_s7_c_7.exe Download Trojan PLS HELP

By tigerlily · 22 replies
Jul 1, 2005
  1. Hey there

    First time I post on any kind of tech forum on the Net. I am in need of some assistance in the cold North. My Norton AV (downloaded today) tells me I have the virus ied_s7_c_7.exe Download Trojan on my machine. It also says it can't isolate it or delete it... What now?

    I also had problems with a 540 filost opening a site called oldgames and various porn sites without me opening explorer at all. (This was the reason for me downloading and installing NAV anyway. )

    Are the two connected in some way? I have read all I could find about these things, and I am very confused. What should I do?
    How do I get rid of this ****? I am from Norway btw so if my English is bad sometimes, please be patient with me.

    My computer is running Win XP Pro

    Scared and confused
  2. tigerlily

    tigerlily TS Rookie Topic Starter

    oops sorry

    I am sorry, I was shouting.. Please forgive my manners... Just desperate..
  3. Rickster

    Rickster TS Rookie

  4. IronDuke

    IronDuke TS Rookie Posts: 856

    Welcome to Techspot Tigerlily

    Slight mistake there from Rick. He gave the same link twice.

    How to post your HJT log

    If you haven't paid for Norton.

    Get AVG free version from here.
  5. tigerlily

    tigerlily TS Rookie Topic Starter

    My hjt log in txt format

    Thank you for your welcomes, guys.

    I have run a HJT, and here is my log file - in .txt as requested.
    I would be very happy if you could check it out and see what's wrong. And let me know what to do next.

  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    When you are finished with this, you really should install at least SP1, better would be SP2.
    Get SP2 free from MS on a CD or ask a friend for his/her CD.
    Then do all your Windows updates as well. You will remain vulnerable if you don't!

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    ib.exe or ib.com

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe (FIX only)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [ESS_Audio] c:\ib <<== afterwards delete ib.exe or ib.com ==>>
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
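
Added example, not part of the original thread or any poster's code: a small Python triage pass over HijackThis log lines like the ones quoted in the post above. The three rules (a `file://` codebase on an O16 entry, an O4 autorun target in a drive root, an O21 name outside an assumed list of stock Windows XP SSODL values) are illustrative heuristics and flag only part of what the post lists; `triage`, `SAMPLE_LOG` and `DEFAULT_SSODL` are hypothetical names.

```python
import re

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ESS_Audio] c:\ib
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")              # "<section code> - <body>"
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(.*?\))? - (.+)$")
RUN = re.compile(r"^\S+: \[(.*?)\] (.+)$")              # "<key>: [name] command"
SSODL = re.compile(r"^SSODL: (.+?) - \{[^}]+\} - (.+)$")
ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")          # file directly under a drive root
# Assumption: value names present under SSODL on a stock Windows XP install.
DEFAULT_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}

def triage(log_text):
    """Return (section, identifier, reason) for entries that match a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # blank line, header, or wrapped text
        code, body = m.groups()
        if code == "O16" and (d := DPF.match(body)):
            # Vendor controls list an http(s) download URL as their codebase.
            if d.group(2).lower().startswith("file://"):
                findings.append((code, d.group(1), "ActiveX control installed from a local CAB"))
        elif code == "O4" and (r := RUN.match(body)):
            if ROOT_FILE.match(r.group(2)):
                findings.append((code, r.group(1), "autorun target sits in a drive root"))
        elif code == "O21" and (s := SSODL.match(body)):
            if s.group(1) not in DEFAULT_SSODL:
                findings.append((code, s.group(1), "non-default SSODL entry: " + s.group(2)))
    return findings

if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {ident:45} {reason}")
```
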
  7. tigerlily

    tigerlily TS Rookie Topic Starter

    have tried to install sp2 earlier but...

    Hi realblackstuff

    Thank you for your quick answer realblackstuff, I appreciate it. I will now try to do what you tell me in the description. Have printed it out.

    You mention SP1 and SP2.. I thought I had SP1, now I am confused.. And SP2 I have downloaded it and tried to install it, but my computer refuses to take it in. Are there more types of SP1's and SP2's??

    Where is the best place to download updates? This site's updates?

    If I don't ask, no one will know I want to learn. Thanks for your patience.
  8. IronDuke

    IronDuke TS Rookie Posts: 856

    There are only SP1 & SP2 (at present). SP2 covers everything that is in SP1.

    Try installing SP2 again after you have cleaned up.

    Upgrades come from all over the place. They are issued by original producers of whatever you're updating. Motherboard drivers & bios updates come from their site as an example.
  9. tigerlily

    tigerlily TS Rookie Topic Starter

    SP1 and SP2

    I am sorry but someone has given the impression that there are SP's for Internet explorer AND for Windows XP.. Is this correct?
    How do I know what I have?

    I went ahead and tried analyzing the hijack log, and it also says Nasty on a file called vbsys2.dll. What should I do about that? :eek:
  10. IronDuke

    IronDuke TS Rookie Posts: 856

    Sorry tigerlily, misread your question. SP stands for Service Pack and Micro$oft issues them for many programs. As you understood, there are both Internet Explorer SP1 and Windows XP SP1, as well as others.

    vbsys2.dll is a nasty and should be fixed and then deleted.
  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    SP2 includes updates for both XP and IE.
    The other updates I mentioned, you will get when you click on Start/Windows Update, directly from MS website.
    When you go there, an MS-utility will check your PC and find out what is missing, then prepare a list of 'missing' updates for you to install. Easy-peasy.

    Read my HJT advice again; the last 'bad' line is this vbsys2.dll and is bold, for you to delete after you finish HJT.
  12. tigerlily

    tigerlily TS Rookie Topic Starter

    Now I have tried but...

    Hi again

    I have done things in the order you put them in the list. Some things did not work out:

    1. None of the processes update.exe or ib.exe/ib.com were running, and therefore I could not shut them down in taskmanager.

    2. When I did a search on the computer, it could find neither ib.exe/ib.com (found attrib) nor the wx.cab files, therefore I could not delete them.

    3. There were only old files and folders in the Temp's. I deleted them.

    I have not turned on the system restore again, because I was not sure what to do. Awaiting your reply.

    Thank you for helping me.
  13. IronDuke

    IronDuke TS Rookie Posts: 856

    Post another log so that we can see how well you've done.
  14. tigerlily

    tigerlily TS Rookie Topic Starter

    my log file

    Here is my new hijack logfile
  15. IronDuke

    IronDuke TS Rookie Posts: 856

    This one has slipped through.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    Otherwise it looks clean to me, although I'm a bit green at interpreting these logs.

    RBS will be around some time to give you an official all clear.
  16. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Your log is clean. Now please go do some SP1 or SP2 install and Windows-updating.
    Go to www.getfirefox.com and install and use that from now on. IE is only to be used for Windows updates in future.
  17. tigerlily

    tigerlily TS Rookie Topic Starter

    A lot of updates

    Hi again

    Been to the microsoft page checking for updates.
    There are a LOT of updates, are they all necessary? Should I just go ahead and download them all? Even the ones from before 2002-2003?

    Have installed sp1 for IE now and with that my explorer got upgraded to 6.0.2800.1106

    I am also wondering why my machine says it has 64 MB RAM when it starts up, I am sure it said 128 MB before. I do not know when that happened.
  18. IronDuke

    IronDuke TS Rookie Posts: 856

    Look for MSBA (Micro$oft Baseline Analyser). Run this and at least start with the critical & recommended updates.

    Download Everest Home; this will give lots of information on your machine, including the amount of memory you have installed.
  19. IronDuke

    IronDuke TS Rookie Posts: 856

    An alternative idea is to use Autopatcher. This is a large download, 200+MB, but it will bring you up to May 2005 in one go.
  20. tigerlily

    tigerlily TS Rookie Topic Starter

    what version

    What version of the MBSA should I choose?

    Normally I would think the newest one, the 2.0, but since I am a newbie, I ask you that know about these things.

    Hope I am not too much of a bother to you. I am learning more when you tech guys out there help me. You are all :angel: and I would be :dead: without you.

  21. IronDuke

    IronDuke TS Rookie Posts: 856

    If you don't go with my second thought of using Autopatcher, then yes, you should use the latest version of MSBA.
  22. tigerlily

    tigerlily TS Rookie Topic Starter

    How does the autopatcher work

    I was thinking, how do I download the autopatcher? I went to the site but when I click on the link, it just opens another page.. Also, should I pick June full 2005 or the May 2005 one?

    Both links just open the same page over and over again. How should I do this?

    Will autopatcher automatically take down the files needed, and install them? If not, how do I know what files/updates to choose?
  23. IronDuke

    IronDuke TS Rookie Posts: 856

    Try this page and choose the full version.
    After you have downloaded it you need to install the program. Then you run it and there are options for how much of it you actually install. I can't go through it as there are a lot of patches and I can't recall the whole list. Make a start on it and get back with any questions after you have seen it.
Topic Status:
Not open for further replies.
