cannot get rid of trojan. plz somone help damsel in distress

Discussion in 'malware problems & news' started by cleopatra, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. cleopatra

    cleopatra Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    5
    have tried all the possible spyware removal tools i have, only AVG (latest version) is perstisting that I have a trojan 'dowmloader.ISTBAR.3AT

    All the other programmes Trojan hunter,BPS spyware remover, spyblaster, spyguard,adaware6., anti-trojan sheild. they all say that my system is clean, AVG will not remove this trojan and i do feel that it is slowing my pc down considerably and lockin up from time to time.

    I have been trying now for 2 day in order to resolve this problem but i'm affraid that i have forgoton how to hyjack this log and how to do it.

    Only had to do this once before and that was in Jan. so i'm fairly rusty and not much good at this sort of thing, unless i'm guided.

    So if there are any willing (more pc aware than me) ppls that can help a damsell in distress before i start getting very stressed,
    I would really appreciate your help.

    Thanks for listening.


    cleo.
     
  2. cleopatra

    cleopatra Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    5
    ok guy's

    Here goe's i have managed how to do it, i did try this afternoon but nothing happened and i did'nt get a save log file up......... but hey here you are can you try and see what you can make of this plz.... :'(

    Logfile of HijackThis v1.97.7
    Scan saved at 19:06:21, on 19/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\WINDOWS\SYSTEM\HPZTSB09.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\WINDOWS\SYSTEM\HPHMON05.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\UNZIPPED\FRAMXPRO\FREERAM XP PRO 1.40.EXE
    C:\WINDOWS\SYSTEM\HPZIPM12.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://uk.yahoo.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ASHAMPOO\ASHAMP~3\POPUP.DLL
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_17_0.DLL
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINDOWS\SYSTEM\TEOMABAD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IdiomaX Office] C:\Program Files\IdiomaX\Office Translator 2.2\IdxOffice.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~2\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~2\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
    O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\UNZIPPED\FRAMXPRO\FREERAM XP PRO 1.40.EXE" -win
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: =>&Italiano - http:\\wordreference.com\it\j\ieit99.htm
    O8 - Extra context menu item: =>&Inglese - http:\\wordreference.com\it\en\j\0300.htm
    O8 - Extra context menu item: Teoma Search - javascript:external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"
    O8 - Extra context menu item: Dictionary Search - javascript:external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"
    O9 - Extra button: Xanadu (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: CoolMP3 (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38010.3626157407
    O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/English to Italian.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab

    Very long i know but don't know why.

    Cheers again.

    Cleo
     
  3. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Cleopatra,

    Welcome to Wilders ! :)

    I am looking at your log. At first glance there is nothing so much alarming in it. It need some minor fixes. But, before i post the solution of your log can you please follow the following steps :

    1) Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Reboot your machine and boot into safe mode by tapping F8 key(8-9 times) at bootup.

    2) Go here and do an online virus scan:

    http://housecall.trendmicro.com/

    Be sure and put a check in the box by Auto Clean before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    Restart your computer.

    Please show us the scan result of trendmicro in your next reply.

    With Thanks !
    Newkid !
     
  4. cleopatra

    cleopatra Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    5
    hi newkid.

    thanks for your advise i have already disabled system restore noe but when i went to reboot in safe mode i could'nt get connected to the internet to run house call.

    and all my icons on the desktop where all over the place!!!!!! lol...

    so with the system restore disabled shud i still do the house call scano_Oo_O?

    Cheers again

    Cleo
     
  5. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hi Cleo..

    Yes, you can do the scan in the safe mode as well. But, anyway.. Try to scan your machine online at normal mode and follow the advise as suggested earlier.

    With Thanks !
    Newkid !
     
  6. cleopatra

    cleopatra Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    5
    hit there done the house call scan with success and there does not appear to be anything there all ok. so what are your suggestions now?

    cheers

    Cleo
     
  7. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Cleopatra,

    That's Great news that TM shows no infections in your machine. Also, your HJT log not showing any thing alarming.

    Now, Please Turn on your system restore and follow the following URL suggestion : http://www.kephyr.com/spywarescanner/library/istbar/index.phtml

    When you've done all that, reboot your machine , rescan your machine with AVG(updated) and if it still detects the same Trojan then post a fresh hijackthis log with the file name where AVG detects the trojan.

    With thanks !
    Newkid !
     
  8. cleopatra

    cleopatra Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    5
    hi again,

    Well i Did al of that, and i found that if i deleted the whole programme 'Downloader Accelorater Plus' did get rid of the 'Downloader. Istbar.3.AT found in RESTORE\TEMP\A0053067.CPY.

    But thanks again for looking at it for me. You have been brilliant help.

    ;) :D :)

    YOU GUYS ARE AWSOME. (soz if i spelt that wrong).

    Cheers :D

    Cleo!!!!!!!! I'm a happy bunny once again.
     
  9. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
Loading...
Thread Status:
Not open for further replies.