TrojanDownloader

Discussion in 'NOD32 version 1 Forum' started by ozzi_dingo, Sep 14, 2004.

Thread Status:
Not open for further replies.
  1. ozzi_dingo

    ozzi_dingo Guest

    i cant repair nor delete this Trojan with nod and or avg7.
    I'm not to keen on installing Norton 2004 as its slows down my sys.
    i dont know how to regidit, is that a posability and if so can someone walk me throught it ??

    File C:\Documents and Settings\jane doe\Local Settings\Temporary Internet Files\Content.IE5\AH2JIT85\0006_regular[1].cab is infected with trojan Win32/TrojanDownloader.IstBar.NAD. NOD32 cannot clean this infiltration.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Disclaimer: The following procedure is to be used at your own risk!

    Wilders Security Forums assumes no responsibility for any problems that may result from your use of the steps or tools described within this procedure. Once a system has been infected, attempts to clean the infection can result in further damage, data loss or additional problems.







    BEFORE you start, UNDERSTAND something very clearly;

    If the steps below do NOT fix your problem

    You will have to post a “Hijack This Log” at one of the forums found at A-SAP

    For the most part what I have suggested fixes the greater majority of problems out there...however, it does NOT fix everything.






    Can you do the following AFTER installing and updating the latest Nod32 from here





    Please PRINT out the following Instructions and read them FULLY before proceeding.


    After this follow each step in order, and ONE step at a time.



    Do NOT go onto a further step until you have completed the one you are on.


    Also make sure you have the very latest version of each product mentioned and they are fully up-to-date.






    Step 1. Download Winsock XP Fix available here. Do NOT run this YET.



    Step 2. If you don't have a firewall package, download and install a free one such as Zone Alarm – a firewall with visual outgoing alerts to see what is trying to access the internet, available here. A list of other free firewalls can be found here.



    Step 3. Download Stinger (free) – Offline Virus removal tool, available here. Do NOT run this YET.



    Step 4. Download one of these Anti-Trojan packages: TDS-3 (eval), TrojanHunter (eval) or Ewido (free/ 'plus' version eval). Install and update it. Do NOT run this YET.

    NOTE: do NOT install an additional Anti-Trojan software program if you currently have one, as this may cause further problems.



    Step 5. Install, update and run Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor, available here, here or direct download. Install and update it. Do NOT run this YET.



    Step 6. Download “Ad-Aware” (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will, and vice versa. Ad-Aware is available here or here. Install and update it. Do NOT run this YET.



    Step 7. Download “CWShredder” (free) – Specific Spyware removal tool, available here. Install and update it. Do NOT run this YET.



    Step 8. Download “VX2 Cleaner” (free) – Specific Spyware removal tool, available here or here. Do NOT run this YET.

    NOTE: Make sure you choose the correct version for your Windows operating system.



    Step 9. MAKE SURE NOD32 IS FULLY UP TO DATE with the latest virus signatures.



    Step 10. Turn OFF “System Restore”, this process depends on your operating system:



    WARNING: Turning OFF System Restore will NOT enable you to ROLL BACK your computer to the current state it is in.



    Windows XP Instructions.

    1. Right click on the “My Computer” icon on the Windows desktop.

    2. Click “Properties”.

    3. Click on the “System Restore”.

    4. Place a tick in “Turn off System Restore on all Drives”.

    5. Click OK.

    6. Close and restart your system.



    OR



    Windows ME Instructions.

    1. Right click on the “My Computer” icon on the Windows desktop.

    2. Click “Properties”.

    3. Click on “Performance”.

    4. Click “File system”.

    5. Click “Troubleshooting”.

    6. Check “Disable system restore”.

    7. Click on OK.

    8. Close and restart your system.



    Step 11. Delete your TEMP files by doing the following:

    Open up Internet Explorer

    Click on Tools

    Internet Options

    General TAB

    Temporary Internet Files

    Delete Files

    Delete All Offline Content.



    Step 12. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up your computer.

    Further instructions of placing your system into “SAFE MODE” can be found here as pressing/tapping the F8 key does not always work with some computers.



    Step 13. While in “SAFE MODE” do ALL of the following and REMAIN in SAFE MODE until Step 20:

    Click on Start

    All Programs.

    Eset.

    Nod32.


    BEFORE YOU START YOUR SCAN WITH NOD32, Check the following:


    Actions” TAB

    In the panel that says “If a Virus is found”

    Click on the radio button “CLEAN”


    In the right hand panel that says “Uncleanable Viruses”

    Click on the radio button “DELETE”



    Make sure QUARANTINE is ticked, both for “If a virus is found” and “Uncleanable viruses”.


    Setup” TAB

    Objects to diagnose – place a tick in all boxes.

    Diagnostic methods – place a tick in all boxes.

    Heuristic sensitivity – click on the “Deep” radio button.

    Extensions – place a tick in “Scan all files”.


    Scanning targets” TAB

    Double click on ALL of your Hard Drives so there is a RED tick shown.



    When you have done the above, click on “CLEAN” to run a SCAN with NOD32.



    NOTE: Make sure “QUARANTINE” is ticked with EVERYTHING that is detected BEFORE you DELETE anything that is found.



    If you are not sure whether it is safe to delete an infected file, QUARANTINE allows restoration of a file at a later time/date.



    If the scan finds a “Probable NewHeur_PE virus found”, please do the following:

    1. Place a tick in the Quarantine check-box.

    2. Select Delete.

    3. Send the Quarantined file to Eset: samples@nod32.com This file can be found here:

    C drive

    Program files.

    Eset.

    Infected.



    NOTE: Quarantine ONLY copies the Virus or Trojan found so it can be sent to Eset for further analysis, it does NOT isolate the Virus or Trojan.



    Step 14. Run a scan with “Stinger” the program you downloaded above.



    Step 15. Run a scan with the Anti-Trojan program you use or downloaded above.



    Step 16. Run a scan with “Spybot Search and Destroy” the program you downloaded above.



    Step 17. Run a scan with “AdAware” the program you downloaded above.



    Step 18. Run a scan with “CWShredder” the program you downloaded above.



    Step 19. Run a scan with “VX2 Cleaner” the program you downloaded above.



    Step 20. Reboot your system into NORMAL MODE.



    Step 21. Run the ONLINE virus scan found here, or run one from the list found here.



    Step 22. Make sure your Windows is FULLY up-to-date (NO EXCUSES) by doing the following:

    While on the Internet, Click on Internet Explorer (the Blue “e”)

    Click on Tools (on the bar at the top of your screen in Internet Explorer)

    Click on Windows Update.

    This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “EXPRESS INSTALL”. Install ALL “Critical Updates” and “Service Packs”.



    REPEAT STEPS 13 to 21, THREE TIMES, as some Viruses, Trojans and Spyware can be very elusive.



    If all the above steps do NOT fix your problem please download and run “Hijack This” found here and post your log at one of the forums found at A-SAP

    Keep in mind the following quote:


    If after or during the above cleaning process you find that your internet connection has been broken, please run the Winsock XP Fix application that you downloaded in Step 1 at the beginning of this post.


    OR


    Proceed with the following to delete the corrupted registry keys, and then reinstall the TCP/IP protocol.


    Step 1. Delete the corrupted registry keys

    1. Click Start, and then click Run.

    2. In the Open box, type regedit, and then click OK.

    3. In Registry Editor, locate the following keys, right-click each key, and then click Delete:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

    4. When you are prompted to confirm the deletion, click Yes.

    NOTE: Restart the computer after you delete the Winsock keys. Doing so causes the Windows XP operating system to create new shell entries for those two keys. If you do not restart the computer after you delete the Winsock keys, the next step does not work correctly.



    Step 2. Install TCP/IP

    1. Right-click the network connection, and then click Properties.

    2. Click Install.

    3. Click Protocol, and then click Add.

    4. Click Have Disk.

    5. Type C:\Windows\inf, and then click OK.

    6. On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.

    7. Restart the computer.



    Securing your Computer when it is Clean​



    As you have been brought to this post because of an infected computer, when your system is clean you should take a look here: Why did I get infected in the first place? Also, for further discussions on security and how to make your system that much stronger, see here and here.



    After all of the above, please let us know how you go. Sharing your experience and the results you had can help us all to learn…

    Cheers :D

    Blackspear.



    Many thanks for the wisdom and knowledge of all of those that assisted in developing this thread - the members and moderators of Wilders Security...
     
    Last edited: Dec 21, 2004
  3. smiddy

    smiddy Registered Member

    Joined:
    Sep 12, 2004
    Posts:
    26
    yeah these are excellent suggestions i put them on my friends site so our Forum members can get there hands on them to protect themselves :cool:
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Glad I could be of help... and once a system is clean it is nice to keep it that way ;)

    Cheers :D
     
  5. ozzi_dingo

    ozzi_dingo Guest

    wow fantastic blackspear, real fine m8.
    ur the king of v.1.
    danx agian black spear :D
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure Ozzi_Dingo, are you aware that you are entitled to a FREE upgrade to the latest version 2.12.2? So long as you have a current Nod32 license.

    Cheers :D
     
  7. sagittarius

    sagittarius Registered Member

    Joined:
    Apr 19, 2003
    Posts:
    136
    Location:
    Queensland, Australia
    thanks for this comprehensive set of instructions Blackspear (always a painstaking & often thankless job). I appreciate the time & effort you have put into this (and your other replies on this forum). :D

    Have used Stinger (and the Trend Micro) removal tools for a long time, but disappointed to find that Stinger has fallen behind with their updates, the last being 16 August :(

    Is there any possibility of ESET developing a similar tool? They are a great adjunct to troubleshooting, and pointing users to another company's tools isn't great advertising for NOD32 is it?

    thanks for the link to this one (haven't used it before) I will be taking it for a spin this morning :D
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure, as you are a Reseller, if you send me a PM with your email address, I can forward you a document that we use for sending out Nod32 licenses by email to the client, this may be of help to you…


    Yeah, but is a pretty good offline tool ;)


    Paolo Monti has a vast range of removal tools, it would be nice to have them all combined, here’s hoping ;) :D


    It’s free and easy to have someone download and run…

    Together the above is fairly comprehensive and cleans the greater majority of what’s out there…

    Cheers :D
     
  9. sagittarius

    sagittarius Registered Member

    Joined:
    Apr 19, 2003
    Posts:
    136
    Location:
    Queensland, Australia
    it's on it's way :)
    yes, indeed :D
    looking forward to putting it through it's paces :D
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Received and replied.

    Cheers :D
     
  11. calumettt

    calumettt Guest

    Yes, I can walk you through registry edit. contact me, if you continue to want guidance. Try this: From START menu, select RUN. Type regedit in the box that appears. Next, use the pull down menu EDIT to locate FIND. Next, type in what you want to find: If you have the complete toublesome string, type that in, and regedit will find the string. A folder will appear open to your left. To your right will be the troublesome data. Right click on the right hand side data and select modify or delete: If you pick delete, the troublesome entry will be deleted, but that can be reloaded again by a troublemaker. I usually select modify, then type in appropriate data that has likely been replaced. Example: Homepages are often changed. Use modify to change it back to something acceptable. Or, if you don't use a homepage (or any other troublesome entry you locate on the right, use delete. Note that the data can come back, if the troublemaker targets you again. My email is calumettt@yahoo.com
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Everyone please be careful with just "searching for and editing / deleting" things in the registry. You can very easily corrupt your system into a non-working state.

    There are strings you could search for that may well belong to deletable items, however, very often there are variations of similar strings that have nothing at all to do with each other.

    I knew a poster who was trying to remove all Zone Alarm entries from their registry, so they searched for the word "Zone" and caused a lot of damage deleting things that had nothing to do with Zone Alarm. :(

    Registry editing is a very dangerous thing if you are not sure what you are doing.
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Very wise Words of Wisdom LWM, many thanks.

    Cheers :D
     
  14. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Blackspear,

    I add my thanks for your advice too. Having my machine being used as a playground for these "nameless", does not contribute to the kind of computing experIence I want!

    I did about a quarter of that, until I read your post, now I will do the whole cleanout!

    THANKS!! the day is looking brighter already!:D


    Marja:cool:
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure Marja, I'm glad I could be of assistance.

    All the best.

    Cheers :D
     
  16. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    Blackspear.....
    great post....
    "BEFORE you start, UNDERSTAND something very clearly;"
    I've been passing the link to others with puter probs probably related to hackers
    thanks
    couldbe
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure Couldbe, this is for Nod32 users, or those coming over to using Nod32. The main link for all other Anti-virus users is this one:

    https://www.wilderssecurity.com/showthread.php?t=50662

    Cheers :D
     
  18. Security Freak

    Security Freak Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    83
    Blackspear for President...... :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.