Trojan.Downloader.Istbar.W and...winupdt.A

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Günter

Thread Starter
Joined
Sep 15, 2004
Messages
3
My machine is infected with two "trojans" which I can't delete.
Bitdefender recognizes: Trojan.Downloader.Istbar.W and
Trojan.Downloader.Winupdt.A but cannot manage the problem.
Updated Spybot, AdAware, CWShredder and Bazooka don't even find them.
Trojans are resistant in my temporary internet files (IE5/content) (2.6 MB)!
I can see the content of these files only in my Ghost backup file.

Please help

Logfile of HijackThis v1.98.2
Scan saved at 00:18:43, on 16.09.2004
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Softwin\BitDefender Professional Edition\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Test\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdnagent.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093971277187
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76E1FAE-47B2-40BF-8DB2-E7F65D43186D}: NameServer = 192.92.138.35 193.81.83.2
 
Joined
Jul 29, 2004
Messages
6,650
Hi Günter,

The HijackThis log you posted seems correct.
Do the following operation for each user account on your system, including Administrator:
Clear your Internet cache:
Click Start Button, click Settings, click Control Panel, click Internet Options, click Delete files button, click Delete cookies.
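As an added example (not part of the original thread and not HijackThis's own code): a small Python parser for the log format posted above, splitting it into header fields, running processes and numbered section entries, and listing Run-key (O4) entries that carry no full path. The sample is an excerpt of the log in the first post; the function names `parse_log` and `relative_autoruns` are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread.
SAMPLE = r"""Logfile of HijackThis v1.98.2
Scan saved at 00:18:43, on 16.09.2004
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Test\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76E1FAE-47B2-40BF-8DB2-E7F65D43186D}: NameServer = 192.92.138.35 193.81.83.2
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # e.g. "O4 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")  # hive, key, name, command
ABSOLUTE = re.compile(r'^"?[A-Za-z]:\\')                   # optionally quoted drive path

def parse_log(text):
    log = {"header": {}, "processes": [], "entries": defaultdict(list)}
    in_procs = False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:  # the first numbered entry ends the process list
            in_procs = False
            log["entries"][m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            log["processes"].append(line)
        elif line.startswith("Logfile of HijackThis "):
            log["header"]["version"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Scan saved at "):
            log["header"]["saved"] = line[len("Scan saved at "):]
        elif ": " in line:
            key, _, value = line.partition(": ")
            log["header"][key] = value
    return log

def relative_autoruns(log):
    # Run-key commands without a drive-letter path are resolved through the
    # Windows search path, so a reviewer confirms which file really starts.
    found = (RUN.match(body) for body in log["entries"].get("O4", []))
    return [m.groups() for m in found if m and not ABSOLUTE.match(m.group(4))]
```

On the excerpt, `relative_autoruns(parse_log(SAMPLE))` returns only the `Logitech Utility` entry, whose command is the bare file name `Logi_MwX.Exe`.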
 

Günter

Thread Starter
Joined
Sep 15, 2004
Messages
3
Hallo!
Thx. But still all done with no effect!
Also hidden files are visible, I can't see the files in the folder. And the folder (temporary IEFiles) has about 2.6 MB! As I mentioned above I can look at the files only in my backups in Ghost 2003 (with Ghost Explorer).
 
Joined
Jul 29, 2004
Messages
6,650
Hum!
I have another possible solution:
Log on with administrator account;
Create a new folder something like C:\IeCache;
Go to Internet Options, click the button Settings (or Parameters), click the button Move the folder to get the IE content into C:\IECache (normally, the 2,6 MB file will not follow)
You will be asked to reboot;
Delete manually the file that will stay in the old IE buffer.
 
Joined
Jul 29, 2004
Messages
6,650
Duh! I just realized that Ghost is a recovery tool that allows you to recover data on the hard drive even if they have been deleted. It's possible you copied 2 viruses which were deleted by your anti-virus but physically, they are still present on the hard drive.
It's the explanation of why no anti-virus was able to locate them.
So, I suggest you drop my prior post and defrag your C: drive.
Make another Ghost image. Normally, you should see no more viruses.
 

Günter

Thread Starter
Joined
Sep 15, 2004
Messages
3
Hi!
First advice to move the Cache folder worked!!!!
Beasts are gone, many Thx!!!
Donation on the way ;-)
Usually I was very happy with Symantec's Ghost.
But in all my backups I found the two guys.
Always I backup / restore the whole Partition, though I felt very secure, but I thought when restoring a partition, all former files are deleted. mhh
Anyway: THX a lot
 