Wilders Security Forums  

#1
September 14th, 2004, 12:44 AM
ozzi_dingo
Posts: n/a
TrojanDownloader

I can't repair nor delete this Trojan with NOD and/or AVG7.
I'm not too keen on installing Norton 2004 as it slows down my system.
I don't know how to regedit; is that a possibility, and if so can someone walk me through it??

File C:\Documents and Settings\jane doe\Local Settings\Temporary Internet Files\Content.IE5\AH2JIT85\0006_regular[1].cab is infected with trojan Win32/TrojanDownloader.IstBar.NAD. NOD32 cannot clean this infiltration.
#2
September 14th, 2004, 01:04 AM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

Disclaimer: The following procedure is to be used at your own risk!

Wilders Security Forums assumes no responsibility for any problems that may result from your use of the steps or tools described within this procedure. Once a system has been infected, attempts to clean the infection can result in further damage, data loss or additional problems.

BEFORE you start, UNDERSTAND something very clearly;

If the steps below do NOT fix your problem, you will have to post a “Hijack This Log” at one of the forums found at A-SAP.

For the most part what I have suggested fixes the greater majority of problems out there... however, it does NOT fix everything.

Can you do the following AFTER installing and updating the latest Nod32 from here.

Please PRINT out the following Instructions and read them FULLY before proceeding.

After this follow each step in order, and ONE step at a time. Do NOT go onto a further step until you have completed the one you are on.

Also make sure you have the very latest version of each product mentioned and they are fully up-to-date.

Step 1. Download Winsock XP Fix available here. Do NOT run this YET.

Step 2. If you don't have a firewall package, download and install a free one such as Zone Alarm – a firewall with visual outgoing alerts to see what is trying to access the internet, available here. A list of other free firewalls can be found here.

Step 3. Download Stinger (free) – Offline Virus removal tool, available here. Do NOT run this YET.

Step 4. Download one of these Anti-Trojan packages: TDS-3 (eval), TrojanHunter (eval) or Ewido (free/ 'plus' version eval). Install and update it. Do NOT run this YET.

NOTE: do NOT install an additional Anti-Trojan software program if you currently have one, as this may cause further problems.

Step 5. Install, update and run Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor, available here, here or direct download. Install and update it. Do NOT run this YET.

Step 6. Download “Ad-Aware” (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will, and vice versa. Ad-Aware is available here or here. Install and update it. Do NOT run this YET.

Step 7. Download “CWShredder” (free) – Specific Spyware removal tool, available here. Install and update it. Do NOT run this YET.

Step 8. Download “VX2 Cleaner” (free) – Specific Spyware removal tool, available here or here. Do NOT run this YET.

NOTE: Make sure you choose the correct version for your Windows operating system.

Step 9. MAKE SURE NOD32 IS FULLY UP TO DATE with the latest virus signatures.

Step 10. Turn OFF “System Restore”; this process depends on your operating system:

WARNING: Turning OFF System Restore will NOT enable you to ROLL BACK your computer to the current state it is in.

Windows XP Instructions.
1. Right click on the “My Computer” icon on the Windows desktop.
2. Click “Properties”.
3. Click on “System Restore”.
4. Place a tick in “Turn off System Restore on all Drives”.
5. Click OK.
6. Close and restart your system.

OR

Windows ME Instructions.
1. Right click on the “My Computer” icon on the Windows desktop.
2. Click “Properties”.
3. Click on “Performance”.
4. Click “File system”.
5. Click “Troubleshooting”.
6. Check “Disable system restore”.
7. Click on OK.
8. Close and restart your system.

Step 11. Delete your TEMP files by doing the following:
Open up Internet Explorer
Click on Tools
Internet Options
General TAB
Temporary Internet Files
Delete Files
Delete All Offline Content.

Step 12. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up your computer.

Further instructions for placing your system into “SAFE MODE” can be found here, as pressing/tapping the F8 key does not always work with some computers.

Step 13. While in “SAFE MODE” do ALL of the following and REMAIN in SAFE MODE until Step 20:
Click on Start
All Programs.
Eset.
Nod32.

BEFORE YOU START YOUR SCAN WITH NOD32, check the following:

“Actions” TAB
In the panel that says “If a Virus is found”, click on the radio button “CLEAN”.
In the right hand panel that says “Uncleanable Viruses”, click on the radio button “DELETE”.
Make sure QUARANTINE is ticked, both for “If a virus is found” and “Uncleanable viruses”.

“Setup” TAB
Objects to diagnose – place a tick in all boxes.
Diagnostic methods – place a tick in all boxes.
Heuristic sensitivity – click on the “Deep” radio button.
Extensions – place a tick in “Scan all files”.

“Scanning targets” TAB
Double click on ALL of your Hard Drives so there is a RED tick shown.

When you have done the above, click on “CLEAN” to run a SCAN with NOD32.

NOTE: Make sure “QUARANTINE” is ticked with EVERYTHING that is detected BEFORE you DELETE anything that is found.

If you are not sure whether it is safe to delete an infected file, QUARANTINE allows restoration of a file at a later time/date.

If the scan finds a “Probable NewHeur_PE virus found”, please do the following:
1. Place a tick in the Quarantine check-box.
2. Select Delete.
3. Send the Quarantined file to Eset: samples@nod32.com. This file can be found here:
C drive
Program files.
Eset.
Infected.

NOTE: Quarantine ONLY copies the Virus or Trojan found so it can be sent to Eset for further analysis; it does NOT isolate the Virus or Trojan.

Step 14. Run a scan with “Stinger”, the program you downloaded above.

Step 15. Run a scan with the Anti-Trojan program you use or downloaded above.

Step 16. Run a scan with “Spybot Search and Destroy”, the program you downloaded above.

Step 17. Run a scan with “AdAware”, the program you downloaded above.

Step 18. Run a scan with “CWShredder”, the program you downloaded above.

Step 19. Run a scan with “VX2 Cleaner”, the program you downloaded above.

Step 20. Reboot your system into NORMAL MODE.

Step 21. Run the ONLINE virus scan found here, or run one from the list found here.

Step 22. Make sure your Windows is FULLY up-to-date (NO EXCUSES) by doing the following:
While on the Internet, click on Internet Explorer (the Blue “e”).
Click on Tools (on the bar at the top of your screen in Internet Explorer).
Click on Windows Update.
This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “EXPRESS INSTALL”. Install ALL “Critical Updates” and “Service Packs”.

REPEAT STEPS 13 to 21, THREE TIMES, as some Viruses, Trojans and Spyware can be very elusive.

If all the above steps do NOT fix your problem please download and run “Hijack This” found here and post your log at one of the forums found at A-SAP.

Keep in mind the following quote:

Quote:
Originally Posted by LowWaterMark
The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

If after or during the above cleaning process you find that your internet connection has been broken, please run the Winsock XP Fix application that you downloaded in Step 1 at the beginning of this post.

OR

Proceed with the following to delete the corrupted registry keys, and then reinstall the TCP/IP protocol.

Step 1. Delete the corrupted registry keys
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. In Registry Editor, locate the following keys, right-click each key, and then click Delete:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
4. When you are prompted to confirm the deletion, click Yes.

NOTE: Restart the computer after you delete the Winsock keys. Doing so causes the Windows XP operating system to create new shell entries for those two keys. If you do not restart the computer after you delete the Winsock keys, the next step does not work correctly.

Step 2. Install TCP/IP
1. Right-click the network connection, and then click Properties.
2. Click Install.
3. Click Protocol, and then click Add.
4. Click Have Disk.
5. Type C:\Windows\inf, and then click OK.
6. On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.
7. Restart the computer.

Securing your Computer when it is Clean

As you have been brought to this post because of an infected computer, when your system is clean you should take a look here: Why did I get infected in the first place? Also, for further discussions on security and how to make your system that much stronger, see here and here.

After all of the above, please let us know how you go. Sharing your experience and the results you had can help us all to learn…

Cheers

Blackspear.

Many thanks for the wisdom and knowledge of all of those that assisted in developing this thread - the members and moderators of Wilders Security...
__________________
"Illegitimis non carborundum"
translation:
"Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers

Last edited by Blackspear : December 21st, 2004 at 07:53 PM. Reason: Work in Progress
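The Winsock repair at the end of the post above deletes the Winsock and Winsock2 keys outright and then reinstalls TCP/IP. The PowerShell script below is an added example (my code, not Blackspear's, ESET's or the Winsock XP Fix tool's) of the two checks worth running before that step: it exports both keys to .reg files so they can be restored, then lists the Layered Service Provider DLLs registered in the Winsock2 catalog and flags any whose file is missing from disk, which is the usual reason the connection dies after an adware component has been deleted. It assumes PowerShell on Windows XP or later run as Administrator, and it assumes (my reading of the format, not something the post states) that each PackedCatalogItem value starts with the NUL-terminated ANSI path of the provider DLL; $catalog, $backupDir and the two function names are my own.

```powershell
# Added example, not code from the forum post. Assumes PowerShell on
# Windows XP or later, run as Administrator. Nothing here deletes a key.

# Assumption: LSP entries live under Protocol_Catalog9\Catalog_Entries and each
# PackedCatalogItem (REG_BINARY) begins with the provider DLL path as a
# NUL-terminated ANSI string.
$catalog   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$backupDir = Join-Path $env:SystemDrive 'winsock-backup'   # assumed location

function Backup-WinsockKeys {
    # Export both keys named in the post so they can be re-imported
    # (reg import <file>) if the manual repair makes things worse.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    foreach ($k in 'Winsock', 'Winsock2') {
        $out = Join-Path $backupDir "$k.reg"
        Remove-Item -LiteralPath $out -ErrorAction SilentlyContinue
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$k" $out | Out-Null
        if (-not (Test-Path -LiteralPath $out)) { throw "Export of $k failed" }
        Write-Host "Exported $k to $out"
    }
}

function Get-WinsockProviders {
    # One object per catalog entry: the DLL path and whether that file exists.
    Get-ChildItem -Path $catalog | ForEach-Object {
        $packed = (Get-ItemProperty -Path $_.PSPath).PackedCatalogItem
        $end    = [Array]::IndexOf($packed, [byte]0)
        if ($end -lt 0) { $end = $packed.Length }          # no NUL: take it all
        $dll    = [System.Text.Encoding]::ASCII.GetString($packed, 0, $end)
        $path   = [Environment]::ExpandEnvironmentVariables($dll)
        New-Object PSObject -Property @{
            Entry   = $_.PSChildName
            Dll     = $dll
            Present = (Test-Path -LiteralPath $path)
        }
    }
}

Backup-WinsockKeys
$providers = @(Get-WinsockProviders)
$providers | Format-Table Entry, Present, Dll -AutoSize

# A catalog entry whose DLL is gone is the classic post-cleanup breakage:
# Winsock loads the provider chain in order and fails when one link is missing.
$missing = @($providers | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} provider(s) point at files that no longer exist:" -f $missing.Count)
    $missing | ForEach-Object { Write-Warning ("  {0}  ->  {1}" -f $_.Entry, $_.Dll) }
} else {
    Write-Host 'All Winsock providers resolve to files on disk.'
}
```

If the inventory shows a dangling entry, that single entry is the problem rather than the whole stack. On Windows XP SP2 and later, `netsh winsock reset` rebuilds the catalog without the delete-keys-and-reinstall-TCP/IP sequence, so the least destructive order is: export the keys, inventory the providers, try the reset, and only fall back to the manual procedure in the post if the reset does not restore connectivity.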
#3
September 15th, 2004, 07:53 PM
smiddy
Infrequent Poster
Join Date: Sep 2004
Posts: 26
Re: TrojanDownloader

Yeah, these are excellent suggestions. I put them on my friend's site so our forum members can get their hands on them to protect themselves.
#4
September 15th, 2004, 09:50 PM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

Quote:
Originally Posted by smiddy
Yeah, these are excellent suggestions. I put them on my friend's site so our forum members can get their hands on them to protect themselves.
Glad I could be of help... and once a system is clean it is nice to keep it that way

Cheers
#5
September 16th, 2004, 11:24 PM
ozzi_dingo
Posts: n/a
Re: TrojanDownloader

wow fantastic blackspear, real fine m8.
ur the king of v.1.
danx again black spear
#6
September 16th, 2004, 11:44 PM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

Quote:
Originally Posted by ozzi_dingo
wow fantastic blackspear, real fine m8.
ur the king of v.1.
danx again black spear
My pleasure Ozzi_Dingo, are you aware that you are entitled to a FREE upgrade to the latest version 2.12.2? So long as you have a current Nod32 license.

Cheers
#7
September 26th, 2004, 06:14 PM
sagittarius
Regular Poster
Join Date: Apr 2003
Location: Queensland, Australia
Posts: 136
Re: TrojanDownloader

thanks for this comprehensive set of instructions Blackspear (always a painstaking & often thankless job). I appreciate the time & effort you have put into this (and your other replies on this forum).

Have used Stinger (and the Trend Micro) removal tools for a long time, but disappointed to find that Stinger has fallen behind with their updates, the last being 16 August

Is there any possibility of ESET developing a similar tool? They are a great adjunct to troubleshooting, and pointing users to another company's tools isn't great advertising for NOD32 is it?

Quote:
Step 3. Download Ewido – Anti-Trojan Software, Install and update it. do NOT run this YET.
http://www.ewido.net/en/
thanks for the link to this one (haven't used it before) I will be taking it for a spin this morning
#8
September 26th, 2004, 06:35 PM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

Quote:
Originally Posted by sagittarius
thanks for this comprehensive set of instructions Blackspear (always a painstaking & often thankless job). I appreciate the time & effort you have put into this (and your other replies on this forum).
My pleasure, as you are a Reseller, if you send me a PM with your email address, I can forward you a document that we use for sending out Nod32 licenses by email to the client, this may be of help to you…


Quote:
Originally Posted by sagittarius
Have used Stinger (and the Trend Micro) removal tools for a long time, but disappointed to find that Stinger has fallen behind with their updates, the last being 16 August
Yeah, but is a pretty good offline tool


Quote:
Originally Posted by sagittarius
Is there any possibility of ESET developing a similar tool? They are a great adjunct to troubleshooting, and pointing users to another company's tools isn't great advertising for NOD32 is it?
Paolo Monti has a vast range of removal tools, it would be nice to have them all combined, here’s hoping


Quote:
Originally Posted by sagittarius
thanks for the link to this one (haven't used it before) I will be taking it for a spin this morning
It’s free and easy to have someone download and run…

Together the above is fairly comprehensive and cleans the greater majority of what’s out there…

Cheers
#9
September 26th, 2004, 06:48 PM
sagittarius
Regular Poster
Join Date: Apr 2003
Location: Queensland, Australia
Posts: 136
Re: TrojanDownloader

Quote:
Originally Posted by Blackspear
My pleasure, as you are a Reseller, if you send me a PM with your email address, I can forward you a document that we use for sending out Nod32 licenses by email to the client, this may be of help to you…
It's on its way.
Quote:
Originally Posted by Blackspear
Paolo Monti has a vast range of removal tools, it would be nice to have them all combined, here’s hoping
yes, indeed
Quote:
Originally Posted by Blackspear
Together the above is fairly comprehensive and cleans the greater majority of what’s out there…
Looking forward to putting it through its paces.
#10
September 26th, 2004, 10:03 PM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

Quote:
Originally Posted by sagittarius
It's on its way ...
Received and replied.

Cheers
#11
September 30th, 2004, 02:09 PM
calumettt
Posts: n/a
Re: TrojanDownloader

Yes, I can walk you through registry edit. Contact me if you continue to want guidance.

Try this: From the START menu, select RUN. Type regedit in the box that appears. Next, use the pull-down menu EDIT to locate FIND. Next, type in what you want to find: if you have the complete troublesome string, type that in, and regedit will find the string. A folder will appear open to your left. To your right will be the troublesome data.

Right click on the right hand side data and select modify or delete: if you pick delete, the troublesome entry will be deleted, but that can be reloaded again by a troublemaker. I usually select modify, then type in appropriate data that has likely been replaced. Example: Homepages are often changed. Use modify to change it back to something acceptable. Or, if you don't use a homepage (or any other troublesome entry you locate on the right), use delete. Note that the data can come back if the troublemaker targets you again.

My email is calumettt@yahoo.com
#12
September 30th, 2004, 07:25 PM
LowWaterMark
Administrator
Join Date: Aug 2002
Location: New England
Posts: 15,525
Re: TrojanDownloader

Everyone please be careful with just "searching for and editing / deleting" things in the registry. You can very easily corrupt your system into a non-working state.

There are strings you could search for that may well belong to deletable items, however, very often there are variations of similar strings that have nothing at all to do with each other.

I knew a poster who was trying to remove all Zone Alarm entries from their registry, so they searched for the word "Zone" and caused a lot of damage deleting things that had nothing to do with Zone Alarm.

Registry editing is a very dangerous thing if you are not sure what you are doing.
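LowWaterMark's "Zone" example is easy to reproduce without touching anything. The PowerShell script below is an added example (my code, not the post's) of a registry search that behaves like regedit's Find but only reports its hits, grouped by the vendor-level key they sit under, so it is obvious how many belong to the product you meant and how many belong to something else with the same word in its name. With the post's own search term, a machine running Zone Alarm gets hits under the firewall vendor's keys and also under Windows' Internet Settings\Zones key, which holds Internet Explorer's security zones and has nothing to do with the firewall. It assumes PowerShell; the two search roots, the function name and the treatment of the pattern as a regular expression are my choices.

```powershell
# Added example, not from the forum post. Read-only: it never modifies or
# deletes anything. Assumes PowerShell; the search roots are my choice.
# $Pattern is a regular expression, as with -match.
param([string]$Pattern = 'Zone')

function Find-RegistryMatches {
    param(
        [string]$Pattern,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\Software')
    )
    foreach ($root in $Roots) {
        # Keys the current user may not read are skipped silently.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # A hit on the key name itself (e.g. ...\Internet Settings\Zones)
            if ($key.PSChildName -match $Pattern) {
                New-Object PSObject -Property @{
                    Kind = 'Key'; Path = $key.Name; Name = $key.PSChildName; Data = ''
                }
            }
            # Hits on a value name or on its data (e.g. a path containing the word)
            foreach ($v in $key.GetValueNames()) {
                $data = [string]$key.GetValue($v)
                if ($v -match $Pattern -or $data -match $Pattern) {
                    New-Object PSObject -Property @{
                        Kind = 'Value'; Path = $key.Name; Name = $v; Data = $data
                    }
                }
            }
        }
    }
}

$hits = @(Find-RegistryMatches -Pattern $Pattern)
Write-Host ("{0} hit(s) for '{1}'" -f $hits.Count, $Pattern)

# Group by hive\SOFTWARE\<vendor>: unrelated owners of the same word stand out
# before anyone decides what (if anything) is safe to delete.
$hits | Group-Object { ($_.Path -split '\\')[0..2] -join '\' } |
    Sort-Object Count -Descending |
    ForEach-Object { Write-Host ("{0,5}  {1}" -f $_.Count, $_.Name) }

$hits | Format-Table Kind, Path, Name -AutoSize
```

Run it as the ordinary user first; a full recursion of HKLM:\SOFTWARE takes a little while on a busy system. The grouped counts are the useful output: when most hits sit under a vendor key you never installed, the word is shared rather than owned, and the entries should be left alone or handed to a dedicated removal tool as the thread recommends.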
#13
September 30th, 2004, 08:10 PM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

Quote:
Originally Posted by LowWaterMark
Everyone please be careful with just "searching for and editing / deleting" things in the registry. You can very easily corrupt your system into a non-working state...
Very wise Words of Wisdom LWM, many thanks.

Cheers
#14
October 5th, 2004, 06:53 AM
Marja
Honestly, I'm not a bot!!
Join Date: Mar 2004
Location: In the Vast Fields of My Mind
Posts: 4,551
Re: TrojanDownloader

Blackspear,

I add my thanks for your advice too. Having my machine being used as a playground for these "nameless" does not contribute to the kind of computing experience I want!

I did about a quarter of that, until I read your post, now I will do the whole cleanout!

THANKS!! the day is looking brighter already!


Marja
#15
October 5th, 2004, 07:20 AM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

My pleasure Marja, I'm glad I could be of assistance.

All the best.

Cheers
#16
March 7th, 2005, 07:08 PM
couldbe
Infrequent Poster
Join Date: Dec 2003
Posts: 34
Re: TrojanDownloader

Blackspear.....
great post....
"BEFORE you start, UNDERSTAND something very clearly;"
I've been passing the link to others with puter probs probably related to hackers
thanks
couldbe
#17
March 7th, 2005, 07:32 PM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: TrojanDownloader

Quote:
Originally Posted by couldbe
Blackspear.....
great post....
"BEFORE you start, UNDERSTAND something very clearly;"
I've been passing the link to others with puter probs probably related to hackers
thanks
couldbe
My pleasure Couldbe, this is for Nod32 users, or those coming over to using Nod32. The main link for all other Anti-virus users is this one:

http://www.wilderssecurity.com/showthread.php?t=50662

Cheers
#18
April 14th, 2005, 10:10 AM
Security Freak
Regular Poster
Join Date: Apr 2005
Posts: 83
Re: TrojanDownloader

Blackspear for President......
 
