Help with a Trojan detected by Norton AntiVirus

Hi, I hope this is the right forum for this query, else please suggest the appropriate one.

 

My Norton Auto-Protect is continually flashing this message "Auto-Protect blocked security risk Trojan Horse. Your computer is secure" on the bottom right corner of the screen. This has been happening for a day now (after I used an infected pen drive).

 

I've noticed an msn.exe file being placed in all partitions (C:\ and D:\ in my case), which when deleted keeps getting put back. Also, the internet browser is hijacked to http://www.baidu.com/index.php?tn=dsgj_cb

 

Norton View Details:

Risk level 'High', Type 'Virus' and File 'd:\autorun.inf', but I am unable to see/remove the file.

 

Help Questions

 

1. Why isn't Norton able to permanently solve this threat? Blocking isn't working, since when I change the internet default homepage, on the next click the internet browser opens up on the baidu.com link.

 

2. How can I eliminate/clean this Trojan?

 

Many thanks for any help/advice

 

Norton is blocking it so you are safe. Does it give a malware name?

Also, did you try to scan your machine?

Thx Stu

 

Yes, I ran a full system scan but it comes back totally clean. However, the Auto-Protect window with the alert is flashing every other second.

 

Don't think Norton is fully blocking it, since the msn.exe file is put back when deleted, and the web browser is hijacked each time despite manual resets to a blank home page, even after the scan, reboots and manual resets of the web home page.

I Better not step on Guru Stu's toes

 

Quads

 

 

Let's try something else. Please download and install SuperAntiSpyware from www.superantispyware.com. Just download the free version. Update and run a full scan. Let's see if it can find anything.


Quads wrote:

I Better not step on Guru Stu's toes

 

Quads

 

 


Haha, you won't. It is an open forum ;)

Ok 

 

Turn off system restore

 

The autorun.inf on each hard drive is not meant to be there (it copies itself to clean partitions, hard drives, flash drives or floppies). If you cannot open your hard drive in "My Computer" by normal clicking, right-click instead and click "Explore".

 

Then, as it's possibly a hidden file, click "Tools" in the menu, then click "Folder Options", now select "Show hidden files and folders" and also tick "Show protected system files".

 

Now find "autorun.inf"; if you open it in Notepad, you may see something like this.

 

shellexecute=msn.exe
shell\open\Command=msn.exe
shell\explore\Command=msn.exe

 

If so, delete the "autorun.inf" from both drives.

 

Then download and run HijackThis and send me the log by private message.

 

I will say which entries to remove in this thread. Hopefully it will find the BHO (Browser Hijacker).

 

Quads 

Message Edited by Quads on 12-18-2008 06:29 PM
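The autorun.inf shown above redirects the drive's "Open" and "Explore" actions to msn.exe in the drive root. The following script, an added example that is not part of the original thread, parses an autorun.inf in that format and reports which keys would launch a program, so you can check every drive root rather than eyeballing the file in Notepad. The infected and benign sample contents are constructed for the demo; the junk-stripping step assumes droppers that pad the file before the [autorun] header.

```python
"""Parse autorun.inf and report which keys would launch a program.

Added example, not from the original thread.  It checks an autorun.inf of
the kind described above (open/explore actions redirected to msn.exe in the
drive root).  Both sample contents are constructed for this demo.
"""
import configparser
import os
from dataclasses import dataclass, field
from typing import Optional

# autorun.inf keys that make Windows run something when the drive is opened.
DIRECT_LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample modelled on the one posted in the thread.
INFECTED_SAMPLE = """[autorun]
shellexecute=msn.exe
shell\\open\\Command=msn.exe
shell\\explore\\Command=msn.exe
"""

# Constructed benign sample: only sets an icon and a label, launches nothing.
BENIGN_SAMPLE = """[AutoRun]
icon=setup.exe,0
label=Driver CD
"""


@dataclass
class AutorunReport:
    launchers: dict = field(default_factory=dict)  # key -> command
    error: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return bool(self.launchers)


def _strip_leading_junk(text: str) -> str:
    """Assumption: some droppers pad the file with garbage before '[autorun]'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("["):
            return "\n".join(lines[i:]) + "\n"
    return text


def parse_autorun(text: str) -> AutorunReport:
    report = AutorunReport()
    # strict=False tolerates duplicate keys, which droppers sometimes emit.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # Windows treats keys case-insensitively
    try:
        parser.read_string(_strip_leading_junk(text))
    except configparser.Error as exc:
        report.error = str(exc)
        return report
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            # shell\<verb>\command keys override Explorer's right-click verbs,
            # which is how "Open" and "Explore" end up running msn.exe.
            if key in DIRECT_LAUNCH_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                report.launchers[key] = value.strip()
    return report


def scan_roots(roots) -> dict:
    """Return {root: AutorunReport} for every root that has an autorun.inf."""
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            results[root] = parse_autorun(fh.read())
    return results


if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        rep = parse_autorun(sample)
        print(f"{name}: suspicious={rep.suspicious} launchers={rep.launchers}")
    # On Windows, pass the drive roots, e.g. scan_roots(["C:\\", "D:\\"])
```

A benign CD autorun.inf that only sets `icon` and `label` produces no launchers; an `open=` key on a driver CD is reported too, so the report tells you what would run and the analyst decides whether that belongs on the drive.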

Can I ask where "msn.exe" is located?

 

Quads 

thx Quads,

 

msn.exe is directly at c:\ and d:\ 

 

Sending you the HijackThis log ...

Thx Stu,

Downloading SuperAntispyware home edition... will report the scan results shortly...

Hi 

 

Start HijackThis again and tick these entries

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baidu.com/index.php?tn=dsgj_cb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 69.57.152.127 auto.search.msn.com
O1 - Hosts: 69.57.152.127 auto.search.msn.es
O1 - Hosts: 69.57.152.127 pagead2.googlesyndication.com
O4 - HKUS\S-1-5-19\..\RunOnce: []  (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: []  (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
O4 - S-1-5-18 Startup: msn.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: msn.exe (User 'Default user')
O4 - Startup: msn.exe
O4 - Global Startup: Compaq Client Manager.lnk = ?

 

Then click the "Fix Checked" button; once finished, restart the PC.

 

Now I have a small script that will find the "autorun.inf" and "msn.exe" files and delete them, or should.

 

Go here, http://homepages.slingshot.co.nz/~crutches/msnexe/

Download "msnexe.bat" and click it to run.

 

I tried it on my system, but I am not infected with "msn.exe" etc., so it couldn't find anything.

 

Try that 

 

Quads 
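The HijackThis entries listed above fall into three groups: R0/R1 lines where an Internet Explorer start or search page points somewhere other than the Microsoft defaults, O1 lines where the hosts file redirects search and ad domains to one outside IP, and O4 startup lines that launch the dropped msn.exe. The script below is an added example, not part of the original thread and not HijackThis code; it triages log lines of that shape and flags only the entries that match those patterns, which is a narrower set than the one ticked above (the go.microsoft.com defaults are left alone). The sample lines are constructed after the posted ones; the trusted-URL prefixes, the local-IP set and the bad-file list are assumptions the analyst would maintain.

```python
"""Triage HijackThis-style log lines for the hijack pattern in this thread.

Added example; it is not part of the original thread and is not HijackThis
code.  It parses R0/R1 (IE start and search pages), O1 (hosts-file) and O4
(startup) lines and flags the ones that point at an untrusted URL, redirect
a host name to a non-local IP, or launch a file on the analyst's bad list.
The sample lines are constructed after the ones posted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.baidu.com/index.php?tn=dsgj_cb
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 69.57.152.127 auto.search.msn.com
O1 - Hosts: 69.57.152.127 pagead2.googlesyndication.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKUS\\S-1-5-19\\..\\RunOnce: []  (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: msn.exe (User 'SYSTEM')
O4 - Startup: msn.exe
O4 - Global Startup: Compaq Client Manager.lnk = ?
"""

# Assumed allow-list: IE defaults on XP point at go.microsoft.com redirectors.
TRUSTED_URL_PREFIXES = ("http://go.microsoft.com/", "about:blank")
# hosts entries that map a name to the machine itself are normal.
LOCAL_IPS = {"127.0.0.1", "::1", "0.0.0.0"}
# File names already tied to the infection (from the thread); assumed list.
BAD_FILES = {"msn.exe"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str
    line: str
    reason: str


def triage(log: str) -> list:
    """Return the Findings for every log line that matches a hijack pattern."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1"):
            # "<registry key>,<value name> = <url>"
            url = body.partition(" = ")[2].strip()
            if url and not url.lower().startswith(TRUSTED_URL_PREFIXES):
                reason = f"IE page setting points at untrusted URL {url}"
        elif code == "O1":
            # "Hosts: <ip> <hostname>"
            parts = body.split()
            if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] not in LOCAL_IPS:
                reason = f"hosts file redirects {parts[2]} to {parts[1]}"
        elif code == "O4":
            # "<location>: <target> (User '...')" -> take the bare target name
            _, sep, rest = body.partition(":")
            if not sep:
                continue
            target = rest.strip().split(" (")[0].strip()
            if target.lower() in BAD_FILES:
                reason = f"startup entry launches {target}"
        if reason:
            findings.append(Finding(code, raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

The O1 check is the one worth keeping around: a hosts file that sends auto.search.msn.com and pagead2.googlesyndication.com to a single outside address is a search and ad hijack regardless of which browser is in use, and it survives a browser reinstall.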

Quads,

 

Used HijackThis and ticked all the specified entries and hit 'Fix Checked'. There wasn't any visible sign/message of completion, although this utility kept highlighting the before and after URL of the home page each time the trojan was trying to switch it to baidu.com.

 

I tried your batch utility as well.

 

After this, when I tried to reboot the laptop I got the message 'NTLDR is missing - Press Ctrl+Alt+Del to restart'.

 

Despite trying several times, the laptop doesn't seem to get past this message. I want to be sure of the next steps before I try them.

Did we accidentally delete any useful *.ini file?

 

I'm using some other computer to write this message and to understand what the problem could be now, since I've been unable to get past that message and a black screen on my laptop.

 

Thx for any suggestions.

 

 

Stu,

 

SuperAntiSpyware highlighted 6 tracking cookies, which I asked it to fix. But that still did not stop Norton AntiVirus Auto-Protect from detecting the Trojan again (and the msn.exe file and the homepage being hijacked etc.).

 

 

Also, you can read the latest status in my earlier post to Quads; unfortunately, my laptop isn't going beyond a black screen now.

 

Thx for any advice.

 

 

Hi

 

Use the Recovery Console on the XP CD-ROM:

  1. Insert the Windows XP bootable CD into the computer.
  2. When prompted to press any key to boot from the CD, press any key.
  3. Once in the Windows XP setup menu, press the "R" key to repair Windows.
  4. Log into your Windows installation by pressing the "1" key and pressing Enter.
  5. You will then be prompted for your administrator password; enter that password (if any).
  6. Copy the two files below to the root directory of the primary hard disk. In the example below we are copying these files from the CD-ROM drive letter, which in this case is "e". This letter may be different on your computer.

    copy e:\i386\ntldr c:\
    copy e:\i386\ntdetect.com c:\

Notice the "spaces" in the command; also 'e' = CD-ROM drive and 'c' = hard drive. Replace the letters if needed with whatever letter corresponds to your CD-ROM and hard drive.

Once both of these files have been successfully copied, remove the CD from the computer and reboot.
 
Quads 

 

Message Edited by Quads on 12-19-2008 07:41 AM

baidu.com??? It is a very famous site in China and a lot of places... Baidu is more famous than Google in China, and I go there often. Very good place to get songs and stuff, and to surf the web.

Please also try Malwarebytes

http://www.malwarebytes.org/mbam.php

Thanks Quads,

 

I took it to a specialist who did pretty much as you have prescribed and reloaded XP.

 

The problem seems to have gone now, thankfully.