
Trojan.Downloader.Istbar.W and...winupdt.A

Discussion in 'Virus & Other Malware Removal' started by Günter, Sep 16, 2004.

Thread Status:
Not open for further replies.
  1. Günter

    Günter Thread Starter

    Joined:
    Sep 15, 2004
    Messages:
    3
    My machine is infected with two "trojans" which I can't delete.
    BitDefender recognizes Trojan.Downloader.Istbar.W and
    Trojan.Downloader.Winupdt.A but cannot manage the problem.
    Updated Spybot, AdAware, CWShredder and Bazooka don't even find them.
    The trojans are resistant in my Temporary Internet Files (IE5/content) (2.6 MB)!
    I can see the content of these files only in my Ghost backup file.

    Please help

    Logfile of HijackThis v1.98.2
    Scan saved at 00:18:43, on 16.09.2004
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
    C:\Programme\Softwin\BitDefender Professional Edition\vsserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programme\Logitech\iTouch\iTouch.exe
    C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
    C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Test\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BDNewsAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdnagent.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [BDSwitchAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093971277187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B76E1FAE-47B2-40BF-8DB2-E7F65D43186D}: NameServer = 192.92.138.35 193.81.83.2
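    An added example, not part of the thread: a small parser for the HijackThis log format shown above, assuming only the line shapes visible in this log (R0/O2/O4/O17). It pulls out the items a helper would review first: the O4 autorun entries, the O2 Browser Helper Objects (whose DLL path may itself contain " - ", as the Spybot line does), and the O17 DNS servers. The sample log is a constructed excerpt with values copied from the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt of the HijackThis v1.98.2 log posted above (values copied from the page).
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Programme\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B76E1FAE-47B2-40BF-8DB2-E7F65D43186D}: NameServer = 192.92.138.35 193.81.83.2
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


def parse_log(text: str) -> List[Entry]:
    """Keep only the numbered HijackThis entries; header and process list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def autoruns(entries: List[Entry]) -> List[Tuple[str, str, str, str]]:
    """O4 lines as (hive, key, display name, command); surrounding quotes are stripped."""
    found = []
    for e in entries:
        m = RUN_RE.match(e.body) if e.section == "O4" else None
        if m:
            found.append((m["hive"], m["key"], m["name"], m["cmd"].strip('"')))
    return found


def bhos(entries: List[Entry]) -> List[Tuple[str, str]]:
    """O2 Browser Helper Objects as (CLSID, DLL path); splits after the CLSID, not on ' - '."""
    found = []
    for e in entries:
        m = CLSID_RE.search(e.body) if e.section == "O2" else None
        if m:
            found.append((m.group(0), e.body[m.end():].lstrip(" -")))
    return found


def name_servers(entries: List[Entry]) -> List[str]:
    """DNS resolvers from O17 NameServer lines; unexpected resolvers here are a classic hijack sign."""
    ips = []
    for e in entries:
        if e.section == "O17" and "NameServer" in e.body:
            ips.extend(e.body.split("=", 1)[1].split())
    return ips
```

Compare the returned lists against what you expect on the machine (installed software, the ISP's DNS servers) rather than reading the raw log top to bottom.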
     
  2. Chicon

    Chicon

    Joined:
    Jul 29, 2004
    Messages:
    6,650
    Hi Günter,

    The HijackThis log you posted seems correct.
    Do the following operation for each user account on your system, including Administrator:
    Clear your Internet cache:
    Click the Start button, click Settings, click Control Panel, click Internet Options, click the Delete Files button, click Delete Cookies.
     
  3. Günter

    Günter Thread Starter

    Joined:
    Sep 15, 2004
    Messages:
    3
    Hello!
    Thx. But still, all done with no effect!
    Also, hidden files are visible, but I can't see the files in the folder. And the folder (Temporary Internet Files) has about 2.6 MB! As I mentioned above, I can look at the files only in my backups in Ghost 2003 (with Ghost Explorer).
     
  4. Chicon

    Chicon

    Joined:
    Jul 29, 2004
    Messages:
    6,650
    Hum!
    I have another possible solution:
    Log on with the administrator account;
    Create a new folder, something like C:\IeCache;
    Go to Internet Options, click the button Settings (or Parameters), click the button Move Folder to get the IE content into C:\IECache (normally, the 2.6 MB file will not follow);
    You will be asked to reboot;
    Delete manually the file that will stay in the old IE buffer.
     
  5. Chicon

    Chicon

    Joined:
    Jul 29, 2004
    Messages:
    6,650
    Duh! I just realized that Ghost is a recovery tool that allows you to recover data on the hard drive even if it has been deleted. It's possible you copied 2 viruses which were deleted by your anti-virus but, physically, they are still present on the hard drive.
    That's the explanation of why no anti-virus was able to locate them.
    So, I suggest you drop my prior post and defrag your C: drive.
    Make another Ghost image. Normally, you should see no more viruses.
     
  6. Günter

    Günter Thread Starter

    Joined:
    Sep 15, 2004
    Messages:
    3
    Hi!
    The first advice, to move the cache folder, worked!!!!
    Beasts are gone, many thx!!!
    Donation on the way ;-)
    Usually I was very happy with Symantec's Ghost.
    But in all my backups I found the two guys.
    I always back up / restore the whole partition, though I felt very secure, but I thought that when restoring a partition, all former files are deleted. Mhh.
    Anyway: THX a lot
     
Short URL to this thread: https://techguy.org/274590