Author Topic: Trojan Detected by 4.x Home  (Read 8085 times)

mjmoore

  • Guest
Trojan Detected by 4.x Home
« on: April 02, 2005, 12:55:00 AM »
The trojan virus Win32:IstDnldr-U [Trj] was detected by Avast!, but I can't get it cleaned out of my system.

Any help would be most appreciated.

Merle

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Trojan Detected by 4.x Home
« Reply #1 on: April 02, 2005, 03:18:37 AM »
Can you check 'Cleaning' in my signature?
Can you say the path and name of the infected file (if any)?
What is your operating system?
The best things in life are free.

mjmoore

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #2 on: April 02, 2005, 04:11:16 AM »
Yes, I can check on 'Cleaning'.

The only thing I've noticed is when I ran 'Ad Aware SE personal' it found about 115 items that needed to be fixed.

If I go on line I get the virus warning about 5 times then the warnings cease.

I have removed all temp files, temporary files, cookies, internet files, internet history etc.  (Some of them from 'Safe Mode' so I could get rid of the temp files in the WINNT files).   

I've tried to move/rename the file when it was reported.
I've tried to repair the file.
I've tried to delete the file.

Not sure where to go from here.

Thanks for the reply and hope you can shed some light on what I can do next.

Merle

neiby

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #3 on: April 02, 2005, 04:56:57 AM »
I would like to find out more about Win32:IstDnldr but I can't find any information. The virus reference on www.avast.com doesn't seem to have much at all in it, and I can't figure out what this trojan is called by the other AV companies. If I knew what NAV called it then I could check their excellent database for more info.

Anyone know how to find out more about this trojan?

Thanks!

mjmoore

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #4 on: April 02, 2005, 06:58:44 AM »
The Trojan uses:

C:\DOCUME~1\MERLEM~1.NON\LOCALS~1\Temp\qU7y2Q.exe

as one of its many hydra heads.

It now uses C:\RECYCLER\Temp\vlUtw8.exe since I deleted the qU7y2Q.exe file.

These Folders do not exist that one can view.  I do have hidden files made visible.

And, as fast as you delete the files another is generated with a different (randomly generated) name. >:(

Is this an entirely new trojan?

Merle
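
A triage sketch for the pattern described in the post above (executables with random-looking names appearing under Temp and RECYCLER directories), added here as an example and not part of the original thread. The name heuristic, the directory list and the benign sample paths are assumptions; the two flagged paths are the ones quoted in the post.

```python
import re
from pathlib import PureWindowsPath

# Assumed heuristics: directory names where programs rarely keep executables,
# and the file types worth flagging there.
SUSPECT_DIRS = {"temp", "tmp", "recycler"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


def looks_random(stem: str) -> bool:
    """True for short alphanumeric names that switch irregularly between
    lower case, upper case and digits (e.g. qU7y2Q)."""
    if not re.fullmatch(r"[A-Za-z0-9]{5,10}", stem):
        return False
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in stem]
    switches = sum(a != b for a, b in zip(classes, classes[1:]))
    return switches >= 3


def triage(paths):
    """Return the paths that are executables, sit under a suspect directory
    and have a random-looking name. All three conditions must hold."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.suffix.lower() not in EXEC_EXTS:
            continue
        parents = {part.lower() for part in p.parts[:-1]}
        if parents & SUSPECT_DIRS and looks_random(p.stem):
            hits.append(raw)
    return hits


# First two paths are quoted from the post; the rest are constructed benign cases.
SAMPLE_PATHS = [
    r"C:\DOCUME~1\MERLEM~1.NON\LOCALS~1\Temp\qU7y2Q.exe",
    r"C:\RECYCLER\Temp\vlUtw8.exe",
    r"C:\WINNT\system32\notepad.exe",             # executable, normal location
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\setup.exe",  # temp dir, ordinary name
    r"C:\RECYCLER\Temp\notes.txt",                # suspect dir, not executable
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PATHS):
        print("suspicious:", hit)
```

Matches only identify the dropped files; as the post describes, new ones keep appearing until whatever creates them is found and removed.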

mjmoore

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #5 on: April 02, 2005, 07:47:05 AM »
Another smidgen of information, but I doubt it will help:

VPS version: 0513-2, 04/01/2005

Merle

white_mtnd

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #6 on: April 02, 2005, 10:10:53 AM »
I've got the very same problem...
I installed Avast! today, before I got pop-up windows all the time...I think that this trojan does just that.
Ad-aware SE just keeps on finding new items which I delete every time, but they just keep on coming back.

I had a program called Web Shot's installed before.... I got the first pop-ups when I installed this program..

Hope someone can help me/us out!

Erik

P.S. Sorry for my bad English... I'm only a lonely Dutchman 8)

lee16

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #7 on: April 02, 2005, 12:53:24 PM »
Hi all,

Disable System Restore, then reboot (Windows ME/XP only), then delete the trojans again. Also, I suggest you do a boot-time scan with avast, and also delete all temp files.

Let me know if this helps (or does not help)

--lee

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89685
  • No support PMs thanks
Re: Trojan Detected by 4.x Home
« Reply #8 on: April 02, 2005, 02:34:10 PM »
> I would like to find out more about Win32:IstDnldr but I can't find any information. The virus reference on www.avast.com doesn't seem to have much at all in it, and I can't figure out what this trojan is called by the other AV companies. If I knew what NAV called it then I could check their excellent database for more info.
>
> Anyone know how to find out more about this trojan?
>
> Thanks!

Google is your friend.

Also as you are aware not all AV companies use the same virus name so check out this resource - VGREP
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

neiby

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #9 on: April 02, 2005, 04:09:55 PM »
> > I would like to find out more about Win32:IstDnldr but I can't find any information. The virus reference on www.avast.com doesn't seem to have much at all in it, and I can't figure out what this trojan is called by the other AV companies. If I knew what NAV called it then I could check their excellent database for more info.
> >
> > Anyone know how to find out more about this trojan?
> >
> > Thanks!
>
> Google is your friend.
>
> Also as you are aware not all AV companies use the same virus name so check out this resource - VGREP

Yes, I know how to use Google. ;-)  However, it still didn't turn up a lot of useful information. Primarily, I found links to forums with postings from people infected with the same trojan, but that's about it. I was hoping to find a Symantec-style page detailing exactly what the trojan does and how to get rid of it.

whocares

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #10 on: April 02, 2005, 04:39:44 PM »
Hi Neiby,

If you had used David's VGREP link, you'd have gotten e.g. here:
http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=Win32%3AIstDnldr-U&product=0

and from there to Symantec's or others' descriptions:
It's Adware

Bear in mind that there are lots of variants of this malware, so removal instructions might have to be adapted.

 ;)

mjmoore

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #11 on: April 02, 2005, 04:53:07 PM »
Downloaded BitDefender Professional . . . didn't even find a virus, trojan or anything else.   ???

Forgot to mention I'm running WIN2000 PRO.

At least VGREP acknowledges the correct name for the trojan . . . now if someone would just be able to post a FIX for it.   ::)

Merle

whocares

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #12 on: April 02, 2005, 05:03:50 PM »
> The Trojan uses:
>
> C:\DOCUME~1\MERLEM~1.NON\LOCALS~1\Temp\qU7y2Q.exe
>
> It now uses C:\RECYCLER\Temp\vlUtw8.exe since I deleted the qU7y2Q.exe file.

Hi,

Why not just clean out the trashbasket (=RECYCLER)?

Also reread the entire above thread carefully and work through the instructions, e.g. click & FOLLOW Technical's link to "Cleaning".

If you don't succeed, come back here with detailed information (about findings & about what you've done so far) & a Hijackthis-Log.

P.S.: There is no FIX if you mean an automated tool that does all the work & thinking for you; most important is securing your system & browser, or this stuff will always come back  ;)

neiby

  • Guest
Re: Trojan Detected by 4.x Home
« Reply #13 on: April 02, 2005, 05:28:11 PM »
David,

Thanks for the link to VGREP. That's a very helpful tool!

John

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89685
  • No support PMs thanks
Re: Trojan Detected by 4.x Home
« Reply #14 on: April 02, 2005, 05:36:27 PM »
> David,
> Thanks for the link to VGREP. That's a very helpful tool!
> John

Well worth bookmarking for the future, it really is the only way to track down aliases. One thing about the resource is it does take some time for the new viruses/malware to be added, so if the virus is new there may be no record of it on VGREP.