Win32: Goldun-BZ trojan +Win32: Adware-gen

(My OS is Windows XP.)

I did a thorough scan earlier this morning using Avast.

In the end I found this:

http://img388.imageshack.us/img388/6306/avastpk0.th.png

On impulse I deleted one of the adware infections… I am not sure if it will inevitably come back though. If anyone would know anything 'bout that.

Also, I am curious as to what those system files are and if they pose a threat. They didn’t come up when I scanned them but nevertheless they are in the chest.

So, what should I do to remedy the problem?

There is little point in deleting a file in the chest shortly after sending it there as a) it can do no harm there and b) you might as well have deleted it in the first place and cut out the middle man, the avast chest.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

I really do wish Alwil would get rid of this All Chest Files collation of the three sections.

  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.

  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.

  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).

Ooh, thank you very much. That did help clear things up quite a bit.

Though I just recalled that Win32: Goldun-BZ trojan was detected in a previous scan and promptly deleted but it appears it came back. Does that fact change how I should handle things?

yes it does
first run a scan with malwarebytes Anti-malware free AND with their ROGUE REMOVER
Click Remove- a backup will be made

then rt click the avast ball and update Programs (will also do database)
then rt click again and schedule a boot time scan
reboot
post back logs

we’ll go from there

Alright then. I did everything that you told me to do.

Malwarebytes’ Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

1:10:23 PM 8/23/2008
mbam-log-08-23-2008 (13-10-15).txt

Scan type: Quick Scan
Objects scanned: 41557
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) → No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) → No action taken.
HKEY_CLASSES_ROOT\virtualdns.virtualdnsobj (Adware.WebDir) → No action taken.
HKEY_CLASSES_ROOT\virtualdns.virtualdnsobj.1 (Adware.WebDir) → No action taken.
HKEY_CLASSES_ROOT\Interface{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) → No action taken.
HKEY_CLASSES_ROOT\Interface{1f63b171-e2f3-4362-a484-8563144d62e6} (Adware.WebDir) → No action taken.
HKEY_CLASSES_ROOT\Interface{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\CLSID{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) → No action taken.
HKEY_CLASSES_ROOT\CLSID{86c510e9-97ef-4749-914f-0280247be3a6} (Adware.WebDir) → No action taken.
HKEY_CLASSES_ROOT\CLSID{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Typelib{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) → No action taken.
HKEY_CLASSES_ROOT\Typelib{143414d1-c324-4d6f-9756-5075d9a4a485} (Adware.WebDir) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{86c510e9-97ef-4749-914f-0280247be3a6} (Adware.WebDir) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt&Search\ (Adware.Hotbar) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\HARMONY.BAT (Trojan.Agent) → No action taken.
(I did do a full system scan aside from this short one but nothing turned up.)



Strangely when I went back to Malwarebytes all of my data was erased, like my logs and quarantine list…

Did you click REMOVE? MBAM found a load of AdwareCrapola and there may be something else lurking
since something funny is happening
check Add Remove programs and remove anything which you do not recognize
rerun MBAM full scan with all options selected and CLICK REMOVE
run the Rogue Remover scan
do the boot time avast thing- send any hits to the Chest
I’d also run a Super Anti Spyware scan

anyone know what Harmony.bat might be?
post back

Thankfully all of my records are back suddenly just by exiting and going back to MB.

All of the Adware is still there but the Trojan is gone. I could have sworn I got rid of all of it. Though at least now I won’t have to scan again. deletes all of the adware

Also, in add or remove programs everything is in order except way too many updates from SP2 >P

I will now try scanning with Super Anti Spyware.

Super Anti Spyware

Memory items detected
0

Files detected
375

Registry items
0

Total threats
375

Perhaps DavidR will comment on SuperAntiSPyware since he uses it :slight_smile:
375 total threats- what were they -cookies?

Now back to MBAM
your first log was full of “no action taken”
run a MBAM “quick scan” and click REMOVE
post the log

There are several separate adware infections
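As an added illustration (not part of this thread), a small Python parser for the MBAM 1.25 log layout shown in the first log above: it counts detections per malware family and lists every item still marked “No action taken”, which is the point being made about that first log. The sample log is constructed from a few of the entries quoted above, and the parser accepts both the ASCII "->" arrow MBAM writes and the "→" that appears when a log is pasted into a forum.

```python
import re
from collections import Counter

# Constructed sample in the layout of an MBAM 1.25 log (a subset of the
# entries quoted in the thread; the arrow may be "->" or "→" depending on
# how the log was pasted).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.25
Database version: 1062

Registry Keys Infected:
HKEY_CLASSES_ROOT\\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\\virtualdns.virtualdnsobj (Adware.WebDir) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\MenuExt&Search\\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\HARMONY.BAT (Trojan.Agent) → No action taken.
"""

# One detection line: <item> (<family>) <arrow> <action>.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$"
)

def parse_mbam_log(text):
    """Return a list of (section, item, family, action) tuples."""
    results = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[:-1]        # e.g. "Registry Keys Infected"
            continue
        if section is None or line.startswith("("):
            continue                   # header lines, or "(No malicious items detected)"
        m = DETECTION_RE.match(line)
        if m:
            results.append((section, m["item"], m["family"], m["action"]))
    return results

def summarize(text):
    """Count detections per malware family and list items not yet removed."""
    rows = parse_mbam_log(text)
    families = Counter(family for _, _, family, _ in rows)
    pending = [item for _, item, _, action in rows if action == "No action taken"]
    return families, pending
```

Running summarize() over a real log before posting it shows at a glance whether REMOVE was actually clicked.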

Malwarebytes’ Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2

9:09:37 PM 8/23/2008
mbam-log-08-23-2008 (21-09-37).txt

Scan type: Quick Scan
Objects scanned: 41414
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Yeah, all of the files are cookies but almost all of them are ads.

Did you click REMOVE on a previous MBAM scan- where did all the adware go?
looks like MBAM is clean which is GOOD 10 min scan- not bad
Did you CLEAN or whatever you do with SAS?
looking good
I’d do an online scan with Kaspersky AV
if Kaspersky finds anything it will not fix it on free scan so post back

If kaspersky is clean
run secunia software inspector and update all your apps
run ccleaner
Defrag
set a new restore point

If you now want to talk prevention- post back

I got rid of the adware that showed up in MBAM and SAS.

Well, I thought I was smooth sailing past all your steps until Kaspersky found Trojan-Downloader.Win32.IstBar.ja. Apparently the file name is C:\data. How in the hell that randomly showed up is beyond me. When I was running Kaspersky I had stopped Avast’s on-access protection because it instructed me… Hopefully that didn’t have anything to do with it… sigh

It is easy to speculate but hard to comment with no information on the files detected, their names and locations, and the actions taken, etc.

DavidR- My point exactly

on the kaspersky hit
can you find and upload the hit to VirusTOTAL?

googling around
some discussion here but no fix
www.wilderssecurity.com/archive/index.php/t-82511.html

http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453094274
shows five files
search for them and delete 4 if found
on the one called “data” best to check properties and file location
post back if you cannot id the correct one as the baddie
if it is C:\data just delete it- it is dropped by the trojan into your “root file”

ISTbar ISTbar is a Trojan downloader which will download additional malware components including but not limited to Internet Optimizer and Bargain Buddy. Servers which ISTbar will contact to download malware include: ysbweb.com, sidefind.com, download.bargain-buddy.net, slotch.com and more. In addition to being a Trojan it is also an Internet Explorer BHO installed as a toolbar.

Notice how a Host file would keep this kind of crapola from phoning home

This Trojan arrives as a file that is either dropped or downloaded file by other malware.

Upon execution, it displays a Graphical User Interface (GUI) that prompts an affected user to install an Internet Explorer toolbar on the system. Once the user clicks the I AGREE button in the said GUI, this Trojan downloads and installs several adware toolbars on the affected machine.

perhaps one of the “site advisor” type tools would be helpful

disable System Restore

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>IST

  3. In the right panel, locate and delete the entry:
    exe_start = “dword:00001”

  4. Close Registry Editor.

search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU

AND/ OR
run SDFIX
http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t131299.html
read ALL of the instructions TWICE and print them out
this is a powerful tool so do NOT be impulsive

read the sticky at the top of this forum and post a Hijack this
and any logs
As DavidR hinted - we gotta know exactly what we are dealing with

Notice how getting a second opinion with Kaspersky or other on line scanners is helpful
Kaspersky is usually pretty good at trojans
I am surprised that AVG Anti-Spyware (formerly EWIDO) did not pick up this older, once common, infection,
however these infections are constantly morphing

Okay, from Virus Total I got this result during scanning:
c:\data
Antivirus Version Last Update Result
BitDefender 7.2 2008.08.24 Trojan.Downloader.Istbar.JA
Ewido 4.0 2008.08.24 Downloader.IstBar.ja
F-Secure 7.60.13501.0 2008.08.24 Trojan-Downloader.Win32.IstBar.ja
Fortinet 3.14.0.0 2008.08.24 VBS/Istbar.JG!tr
Ikarus T3.1.1.34.0 2008.08.24 Trojan-Downloader.Win32.IstBar.JA
Kaspersky 7.0.0.125 2008.08.24 Trojan-Downloader.Win32.IstBar.ja
VBA32 3.12.8.4 2008.08.23 Trojan-Downloader.Win32.IstBar.ja



[b]http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453094274
shows five files
search for them and delete 4 if found
*on the one called "data" best to check properties and file location
post back if you cannot id the correct one as the baddie
if it is C:\data just delete it- it is dropped by the trojan into your "root file"[/b]

I am not quite sure how to find the other files to search for using Virus Total. *I did find the file called "data" in c:\. I am a bit confused about what you mean but hopefully the above information will help.

I am glad that I checked several thanks to your help. Though it seems like the checking never ends D:

HKEY_CURRENT_USER>Software>IST

I cannot find the IST part of that

well you had to follow the pestpatrol link

iinstall.exe
crack.exe
data
iinstall.exe
crack.exe

notice that two of the files are found in different locations- the question is where
do a “search” or “find” for these using your os START>FIND (or whatever)

you can then upload to virus total; my use of “search” was inappropriate
virus total will eventually report to Avast to help improve detections

notice how EWIDO shows- you might try the EWIDO online scan
or the Bit-Defender one. Bit Defender will remove
*but watch for False Positives with their advanced heuristics :slight_smile:

I do not know if the IST or possibly 1ST is in the registry- try a search
verify the paths if you find it as these bastards frequently use the same name in a different location as a trap for the overanxious and imprudent

F-Secure also has an on-line scan I think

take your time and track down all the leads no rush now

anything in that C:/data file? just nuke it

Yeah, I searched for them before and nothing turned up aside from the file called “data”. Are iinstall.exe and crack.exe MEANT to exist? When I did my search I selected “search on all files and folders” and filled in the names in both criteria boxes “all or part of the file name” and “a word or phrase in the file” and searched in “My Computer”. Hopefully I did things correctly.

When I searched the registry several times for “IST” I am presented with something different every single time.

Also, I am not sure what is in the C:/data file
Here is a screen shot of the file in question:

http://img404.imageshack.us/img404/4458/dataql6.th.png



search for this and delete if found- be sure to enable show hidden files etc TROJ_ISTBAR.DU (didn't find it and show hidden files is available)

[b]
[i]AND/ OR
run SDFIX
http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t131299.html
read ALL of the instructions TWICE and print them out
this is a powerful tool so do NOT be impulsive

read the stickie at the top of this forum and post a Hijack this
and any logs
As DavidR hinted - we gotta know exactly what we are dealing with[/i][/b]


I have yet to do what is bolded, so y’know. There’s quite a bit right now and I feel like a chicken with its head cut off. :frowning:

I chose to scan with Ewido. Haven’t scanned with F-Secure or Bit-Defender yet because I assume that this will be sufficient enough in providing information.

stay at it
the anti Trojans/malware scanners target different (overlapping) sets than the AV’s
so you need to do some of each
I like to alternate- sorta like peeling an onion

we hope those files are gone since they were baddies; no problem if they are missing - good riddance
besides these baddies change file names so we gotta double check everything

SO EWIDO and Bit Defender are two good choices- one of each type
then post up the HJT; we’ll save the big gun till later

i do not remember and gotta go for awhile- did you do this?

search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU

i do not remember and gotta go for awhile- did you do this?

search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU


Yeah, I searched for it but didn’t find it.

So, I am currently rescanning with Ewido because last night I fell asleep and didn’t get rid of what I found and once I came back my computer restarted :stuck_out_tongue: Interesting, after doing it again it’s found a few different tracking cookies than the last scan. Anyway. After it’s finished (which it is close to) I’ll scan with Bit Defender and then the HJT.