Author Topic: istbar-ac


Morz
istbar-ac
« on: March 02, 2005, 01:15:03 PM »
Hi folks,

In the last two weeks avast found two viruses/worms/malware on my computer and removed the first one; the second one I removed by deleting the files myself (avast couldn't do it, why?). They were located in these files:

virus: Win32:istbar-AC [Trj]  in
C:\DOKUME~1\Honk1\LOKALE~1\Temp\start.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Cache\start.exe

and virus: VBS:Malware [Script] in
C:\Dokumente und Einstellungen\Honk1\Lokale Einstellungen\Temporary Internet Files\Content.IE5\09P37V7M\ied_s7m[1].chm\ied_s7m.htm
C:\Dokumente und Einstellungen\Honk1\Lokale Einstellungen\Temporary Internet Files\Content.IE5\OKC4OD3E\ied_s7m[1].chm\ied_s7m.htm

Everything should be fine now, but every time I browse the web (using DSL) the sites are loading and loading and loading....... and only some will work after a certain time (never loaded completely), most of them won't work at all. So here are my questions:

What do these viruses/trojans do, i.e. what kind of connection exists between my web problems and these viruses? And how can I fix it?

By the way, my PC is running Windows 2000 and I installed at least Service Pack 2, probably 3 as well. Do you need any more information?

Thanx,

Morz

Eddy
Re: istbar-ac
« Reply #1 on: March 02, 2005, 01:19:24 PM »
Quote
avast couldn't do it, why?
Most likely because the files were in use. You need to stop the process/application that is using them before you can remove them.

Quote
What do these viruses/trojans do
They do what all Trojans do.
http://www.webopedia.com/TERM/T/Trojan_horse.html

Latest service pack for Windows 2k is version 4. I strongly suggest you make your system up-to-date.

To make sure your system is clean, click on the link in my signature and follow the instructions in the malware removal section.

Morz
Re: istbar-ac
« Reply #2 on: March 02, 2005, 04:14:57 PM »
Thanks, Eddy, for the fast reply.

In addition to my avast and Ad-Aware check I also did, as you proposed, a Spybot and HijackThis check. Spybot found some minor stuff, but my problem still exists. And with the HijackThis log I need your help again. For some lines I know what these files are doing (like Zone Labs, iTouch and stuff), but not all. What is objectionable to you?

Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 16:01:04, on 02.03.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\htpatch.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\system32\RunDll32.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINNT\system32\internat.exe
C:\WINNT\NCLAUNCH.EXe
C:\WINNT\FSScrCtl.exe
C:\Programme\Winamp\winamp.exe
C:\WG\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINNT\System32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [VersionCheck] "C:\Programme\Onlineeye Pro\vcheck.exe"
O4 - HKLM\..\Run: [EleFunAnimatedWallpaper] "C:\Programme\Bildschirmschoner\EleFun Multimedia\Dragon-Fly Wallpaper\Dragon-Fly.exe" DO_NOT_START
O4 - HKLM\..\Run: [JDChanger] C:\DOKUME~1\Honk1\LOKALE~1\Temp\JDChanger.exe /SCR
O4 - HKLM\..\Run: [CloneCDTray] C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=bd4dc1a030558cb15676455d30dda3c8406bf95e8c476681ff00c94299864d60177f5a4353373436dc4b5159b29815782c46dddff5a7f47569f6dd2cbec2d3:6c5440ccd3b0bd9cb5fcddba6ee2da02
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe



Thanx

Morz

lee16
Re: istbar-ac
« Reply #3 on: March 02, 2005, 04:57:55 PM »
Hi Morz,

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFUL OR A SECURITY RISK
WE STRONGLY RECOMMEND FIXING THEM:
--------------------------------------------------------------------------------
r1 - hklm\software\microsoft\internet explorer\main
o4 - hklm\..\run: [windows syncroad] c:\program files\windows syncroad\syncroad.exe
o4 - startup: powerreg scheduler.exe
o4 - HKLM\..\Run: [VersionCheck] "C:\Programme\Onlineeye Pro\vcheck.exe"
o4 - HKLM\..\Run: [EleFunAnimatedWallpaper] "C:\Programme\Bildschirmschoner\EleFun Multimedia\Dragon-Fly Wallpaper\Dragon-Fly.exe" DO_NOT_START
o4 - HKLM\..\Run: [JDChanger] C:\DOKUME~1\Honk1\LOKALE~1\Temp\JDChanger.exe /SCR
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=bd4dc1a030558cb15676455d30dda3c8406bf95e8c476681ff00c94299864d60177f5a4353373436dc4b5159b29815782c46dddff5a7f47569f6dd2cbec2d3:6c5440ccd3b0bd9cb5fcddba6ee2da02


These entries should also be fixed if this address does not belong to your PC manufacturer or your Internet Service Provider (ISP).

o14 - IERESET.INF: SEARCH_PAGE_URL=
o14 - IERESET.INF: START_PAGE_URL=

Afterwards, delete this folder:

C:\Program Files\Windows SyncroAd

Then delete all the files in your Temp folders; as there are many temp folders, I suggest you do it with a program such as CCleaner (http://www.ccleaner.com/ccdownload2.php) rather than manually.

After this, reboot, then update your IE and Windows at Windows Update (www.windowsupdate.com).

Then redo and repost your HijackThis log so someone can confirm your system is clean.

--lee
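
A worked example, added here and not part of the thread or of HijackThis itself: a small Python 3 script that applies the kind of checks lee16 is making by hand to a HijackThis log (O4 autostarts that point into a Temp directory, bare executables dropped into a Startup folder, O16 ActiveX downloads from hosts outside an allowlist, O23 services marked "(file missing)") and then diffs a before/after log to confirm which entries actually went away. The sample log lines are constructed from the shape of the logs posted above, and the trusted-host list is an assumption. Two caveats the code reflects: a name-based call such as Windows SyncroAd comes from analyst knowledge, not from any rule, so the script leaves that entry alone (the log still needs a human reader); and "(file missing)" is graded "verify" rather than "fix", because the posted log shows avast's Mail and Web Scanner services as running processes while HijackThis 1.99.1 still labels their quoted service paths as missing.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample input, shaped like the logs posted in this thread (not a real scan).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [JDChanger] C:\DOKUME~1\Honk1\LOKALE~1\Temp\JDChanger.exe /SCR
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d (file missing)
"""

# Constructed "after" log: the SyncroAd, JDChanger, PowerReg and O16 entries were fixed.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d (file missing)
"""


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O4", "O16", "O23", ...
    body: str     # everything after "Oxx - "


@dataset := None  # placeholder removed below
```
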

Morz
Re: istbar-ac
« Reply #4 on: March 02, 2005, 07:09:08 PM »
Thanks again,

I did all you told me,
even reinstalled Firefox
........... :-\
Still the same problem, so it's probably not a problem of a current virus,
but of actions taken by these bastards while they were on my system. That's why I asked if somebody knows
what these specific trojans do......... so that I can undo it.
I'd also like to know any other proposals/advice somebody can give me!  ???

By the way, here is the HijackThis log again:

Logfile of HijackThis v1.99.1
Scan saved at 17:52:07, on 02.03.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\htpatch.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINNT\system32\internat.exe
C:\WINNT\NCLAUNCH.EXe
C:\WINNT\FSScrCtl.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WG\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [ECS CLOCK] C:\WINNT\System32\ecsclock.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe



Hope somebody can help me; thanx in advance

Morz

lee16
Re: istbar-ac
« Reply #5 on: March 02, 2005, 07:43:52 PM »
Log seems clean, BUT:

I take it you know what these entries are:

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

These could be bad (as I can't find any exact info on them); however, they could be from your ISP, so it may be worth phoning them to make sure.

Quote
That's why I asked if somebody knows,
what these specific trojans do.........that I can undo it.


Well, ISTbar is an IE search bar that has malware in it; there are many variants of it, all doing different things, but all a pain.
I cannot see any more of it in your log; are you still getting the warnings?
Maybe re-running Ad-Aware, Spybot and an avast boot-time scan will help now.
Also look for ISTbar in Control Panel > Add/Remove Programs (not sure of the exact name in Control Panel on a Windows 2000 OS) and remove any instances of it.
Also, if you have any of the following folders, delete them:

C:\Program Files\ISTsvc
C:\Program Files\ISTbar
C:\Program Files\IST

Or any similar ones.

Quote
I'm also like to know all other proposals/advices somebody can give me!

Well, I can suggest some other programs to help you; I will list them below:

CWShredder: http://cwshredder.net/bin/CWShredder.exe
BHOlist: http://computercops.biz/zx/Merijn/bholist.zip
SpywareBlaster: http://www.javacoolsoftware.com/sbdownload.html


Also, I really, really do suggest updating your Windows and IE at Windows Update (www.windowsupdate.com).

--lee

Morz
Re: istbar-ac
« Reply #6 on: March 02, 2005, 08:09:27 PM »
I removed the last "O14" lines as well,
rebooted,
rechecked my system,
still nothing changed.
I'm sure now that nothing still "lives" on my system any more.

I have no ideas any more.
Thanks for your help.

Morz   ???

lee16
Re: istbar-ac
« Reply #7 on: March 02, 2005, 08:15:50 PM »
Quote
I'm sure now that nothing still "lives" on my system anymore.
I've no ideas any more.
Thanks for your help

Are you saying you're not getting the virus warnings any more, or you are?

--lee

Morz
Re: istbar-ac
« Reply #8 on: March 02, 2005, 08:28:34 PM »
No, you misunderstood me. I removed the viruses some time within the last weeks.
I didn't get any warnings any more afterwards.
I just have problems browsing the web, especially loading sites.........

lee16
Re: istbar-ac
« Reply #9 on: March 02, 2005, 08:35:56 PM »
Ahh, I see, let's see if we can help.

We will need to know:

What websites are you having trouble with?
What browser are you using?
What firewall are you using?
Is the problem solved if you close WebShield and then try the sites?
Any other info you feel is relevant.

--lee

Morz
Re: istbar-ac
« Reply #10 on: March 02, 2005, 08:50:10 PM »
I found out, it's a problem of Zone Alarm. I'll fix it myself now. Thanks a lot for your help.

 ;D

lee16
Re: istbar-ac
« Reply #11 on: March 02, 2005, 08:54:17 PM »
Ahh yes, ZoneAlarm; you probably already read it then, but I'll post the link anyway: http://forum.avast.com/index.php?topic=11486.0


Anyway, glad your PC problems are almost over.

--lee