Trojan.Downloader.Istbar.W and...winupdt.A

[Günter]

My machine is infected with two "trojans" which I can`t delete.
Bitdefender recognizes: Trojan.Downloader.Istbar.W and
Trojan.Downloader.Winupdt.A but cannot manage the problem.
Updated Spybot, AdAware, CWShredder, Bazooka, even don`t find them.
Trojans are resistant in my temporary internet files (IE5/content) (2.6 MB)!
Can see the content of these files only in my Ghooost backup-file.

Please help

Logfile of HijackThis v1.98.2
Scan saved at 00:18:43, on 16.09.2004
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Softwin\BitDefender Professional Edition\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Test\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdnagent.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093971277187
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76E1FAE-47B2-40BF-8DB2-E7F65D43186D}: NameServer = 192.92.138.35 193.81.83.2

 

[Chicon]

Hi Günter,

The HijackThis log you posted seems correct.
Do the following operation for each user accounts of your system including Administrator :
Clear your Internet cache :
Click Start Button, click Settings, click Control Panel, click Internet Options, click Delete files button, click Delete cookies

 

[Günter]

Hallo!
Thx. But still all done with no efect!
Also hidden files are visible, I can`t see the the files in the folder. And the folder (temporary IEFiles) has about 2.6 MB! As I mentioned above I can look the files only in my backup`s in Ghoost 2003 (with Ghoost Explorer)

 

[Chicon]

Hum !
I have another possible solution :
Log on with administrator account;
Create a new folder something like C:\IeCache;
Go to Internet Options, click the button Settings (or Parameters), clic the button Move the folder to get the IE content into C:\IECache (normally, the 2,6 MB file will not follow)
You will be asked to reboot;
Delete manually the file that will stay in the old IE buffer

 

[Chicon]

Duh ! I just realize that Ghost is a recovery tool that allows you to recover data on the hard drive even if they have been deleted. It's possible you copied 2 viruses which were deleted by your anti-virus but physically, they are still present on the hard drive.
It's the explanation of why no anti-virus was able to locate them
So, I suggest you to drop my prior post and to defrag your C: drive.
Make another Ghost image. Normally, you should see no more viruses.

 

[Günter]

Hi!
First advice to move the Cache folder worked!!!!
Beasts are gone, many Thx!!!
Donation on the way ;-)
Usually I was very happy with Symantec`s Ghoost.
But in all my Backup`s I found the two guys.
Always I backup / restore the whole Partition, though I felt very secure, but I thought when restoring a partition, all former files are deleted. mhh
Anyway: THX a lot