Win32:Istdnldr [Trj]

c:_RESTORE\TEMP\A0000242.CPY
Infection: Win32:Istdnldr [Trj]

This is what Avast found on my computer. But I can’t seem to get rid of it. Any suggestions? I’m totally lost!

mdw

Hi,

please disable System restore, and it will be gone:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
:wink:

Thanks, it's gone. But what is IST svc? And is it safe for me to delete it?

mdw ::slight_smile:

Please explain in more detail (path/filenames …) what you mean?

Hello, after the scan the following message appeared in the report: C:\ProgramFiles\ISTsvc\istsvc.exe[UPX][L] Win32:Istdnldr Trj. During delete, an error appeared: the process can’t reach the file because another process is using it.
What is istsvc? Is it a process normally used by a computer to work well? Is it a virus? Please send information about it.
What is Istdnldr? And lastly, how can I restore or remove it safely? Many thanks in advance for your help (…I really hope!!!). Soni

Hi, Spybot Search and Destroy in safe mode should delete this.

My system restore was already disabled, I can't delete from the recycle bin, I can't download any updates or programs, I can't even install my scanner because of this nasty thing. I noticed that there is a program present called esurveiller installed on my PC (which is a PC monitoring program, I found out) that will not let me uninstall, delete, shoot, maim or even say bad words to it. I get this error: an installation support file (file isrt.dll) could not be installed, access denied. I'm being denied a lot of files lately on my own PC; I'm running Windows ME. Is there anyone who has found a cure? If so, let me know. I have attempted to run Spybot, HJT, avast virus cleaner, nothing will work. Obviously this is a downloading issue, hence the name of the virus Win32:istdnldr (Trj), file name: istsvs.exe[UPX]. My zip files seem to be corrupted as well. I just ran the scan again and it still won't let me touch this file. I come to my PC to relax and take a break from my darling children and they're more fun lately than this thing. I appreciate any info that anyone might offer. Thanks in advance

Dreams

Hi dreams,

did you google for info on how to
remove esurveiller ?

If this won’t work:
formatting & reinstall might be an option

If not for you, then read the link “VirusRemoval” below first…

then boot to safeMode (F8-Boot) and try and run the following tools there

  • Spybot

  • ad-aware
    scan & fix several times, until they don’t find/remove any more stuff

  • scan & repair/clean/move with avast & Escan, too

  • Hijackthis (don’t fix anything yet, just give us the report/log) :wink:

WOW!! Fast response, Who Cares, thanks

I care, btw :slight_smile: lol. OK, here is HJT. And I'm thinking maybe a reformat is not such a bad idea, grrrrrrrrr. I try to about once a year as I am daily running tourneys at a game site. But if you have a magic wand to fix it better and with less hassle, send me please. Thanks so very much for your rapid response.

Logfile of HijackThis v1.97.7
Scan saved at 6:27:48 AM, on 7/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=search&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra ‘Tools’ menuitem: AV &Translate (HKLM)
O9 - Extra ‘Tools’ menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra ‘Tools’ menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra ‘Tools’ menuitem: AV Live (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ Lite (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O15 - Trusted Zone: http://hoylegames.sierra.com
O15 - Trusted Zone: http://www.triscape.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.5524884259
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

Dreams

Hi,

some nasties in the log, but they imho don’t account for your problems…

analysis here:
http://www.hijackthis.de/logfiles/51cfc9234a4a98d4468b7cbf23bf54ca.html

fix everything in RED & YELLOW that you don’t know or need, EXCEPT
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
INFO

Also the O9 - Extra … entries are not necessarily evil…

Also reread my above EDITED post, and do the other stuff

:wink:

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - h**p://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

0006_regular.cab infected by “TrojanDownloader.Win32.IstBar.fa” Virus. :wink:
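One way to triage the O16 (ActiveX download) entries of a HijackThis log mechanically, as an added example that is not code from this thread or from HijackThis: it parses O16 DPF lines and rates each download host against a known-bad set taken from this thread (xxxtoolbar.com) and an assumed allowlist of vendors the poster evidently installed on purpose; the sample log lines are constructed from the log posted above.

```python
import re
from urllib.parse import urlparse
# Constructed sample lines, copied from the format of the HJT log in the thread.
SAMPLE_LOG = """\
O4 - HKLM..\\Run: [ashMaiSv] C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashmaisv.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
"""
# The thread identifies xxxtoolbar.com as the source of the IST downloader cab.
KNOWN_BAD = {"xxxtoolbar.com"}
# Assumed allowlist: vendors the poster evidently installed on purpose.
ALLOWLIST = {"macromedia.com", "microsoft.com", "yahoo.com", "yimg.com"}
# O16 lines look like 'O16 - DPF: <clsid> (<name>) - <url>'; some have no CLSID.
O16_RE = re.compile(r"^O16 - DPF: (?P<desc>.+?) - (?P<url>https?://\S+)$")

def registrable_domain(host):
    """Last two labels of the host; good enough for the hosts in this log."""
    return ".".join(host.lower().split(".")[-2:])

def classify_o16(line):
    """Return (verdict, domain, url) for an O16 line, or None otherwise."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    domain = registrable_domain(urlparse(url).hostname or "")
    if domain in KNOWN_BAD:
        verdict = "known-bad"
    elif domain in ALLOWLIST:
        verdict = "trusted"
    else:
        verdict = "review"  # unknown host: look it up before fixing the entry
    return verdict, domain, url

def triage(log_text):
    """Group every O16 entry in the log by verdict."""
    out = {"known-bad": [], "trusted": [], "review": []}
    for line in log_text.splitlines():
        res = classify_o16(line)
        if res:
            out[res[0]].append((res[1], res[2]))
    return out

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOG).items():
        for domain, url in items:
            print(f"{verdict:10} {domain:20} {url}")
```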

Thank you so much, I will do as you said ASAP. I rebooted in safe mode and was able to delete it and was getting ready to run the scan again, but wanted to read your advice first, so I will do all that before I do. I'm still unable to install anything at all, even after I deleted it. I will get back to you here with a new HJT log as well. Nasties, huh? ewwwwww!!!
Thanks a bunch for sharing your knowledge.

Dreams

OK, I have a really blonde question here, lol. I can't download any type of remover, but got the info on how to manually remove esurveiller. I know what delete means; however, I need to kill processes. What does that mean? And how do I unregister a DLL? Very sorry for this, but I just don't want to make a bigger mess than I need to. Thanks

Dreams

Hi,

@1)
you could download them on a friend's/colleague's PC, copy/burn to floppy or CD, and try and run/install them in SafeMODE (F8-Boot) on your PC

if you have Win ME, you could also try an AV-Boot-scan:

  • with clean, write-Protected WIN-ME startup disk &
    a) DOS-Scanner from www.f-prot.com
    b) CLRAV (link now included in “VirusRemoval”-page)
  • www.centralcommand.com → Download → AV-Boot-Disks/-CD
  • linuxdefender from www.bitdefender.com
    etc etc etc → Board-search/User’s FAQ’s/Google

@2)

  • open Taskmanager by pressing Ctrl + Alt + DEL and change to processes tab → select/highlight process and click “End/Kill process”
    (Not sure if this works as described on Win ME, if not:
  • go get external taskmanagers, e.g. by sysinternals.com or ntutilities
    btw: Hijackthis 1.98 has a processmanager/killer:
    go to Config → misc tools after a scan with it
    Also: Board-search/User’s FAQ’s/Google
    and http://forum.avast.com/index.php?board=1;action=display;threadid=1509

@3) with newer WIN’s it’s
regsvr32 /u <path/folder/dllname>
if this doesn’t work:
Board-search/User’s FAQ’s/Google, e.g.:
Unregister

:wink:

Thanks again for your valuable time and expertise. Does any of the following info mean anything to me? I was able to d/l the current version of HJT, however I cannot unzip it. I deleted WinZip because it was corrupted. MS is requiring a password in order to decompress this file. grrrrrrrr. I want my mommy!!! I don't recall saving this information to my desktop, but it's there.

Dreams

[Installation]
DesktopIcon=NoIcon
QuickLaunch=NoIcon

[Installation\StartmenuItem]
Easy=0
Advanced=0

[Main]
Legals=1
ShowDetails=1
AutoSave=1
CreateBackups=1
CreateTrackBackups=1
CreateSystemBackups=1
IgnoreIncludeFileError=1
Confirmation=1
Compability=1
Priority=Normal
RecoveryAged=1

[Main\WaveAlert]
WaveAlertFile=0

[Automation\ProgramStart]
AutoCheck=0
AutoFix=0
RerunAfterFix=0
AutoImmunize=0
DontAsk=0
WaitStart=0
WaitPrograms=0
WaitMore=0
AutoClose=0

[Automation\SystemStart]
AutoRun=0
RunOnce=0
AutoCheck=0
AutoFix=0
WaitStart=0
WaitPrograms=0
WaitMore=0
AutoClose=0

[Automation\WebUpdate]
AutoCheck=0
AutoDownload=0
RemindUpdate=0
CheckBetas=0
CheckAllLanguages=0
CheckSkins=0
CheckSignatures=0

[Automation\WebUpdate\Proxy]
ProxyAddress=0

[Logfile]
WriteCheckLog=1
WriteFixLog=1
IncludeLogDetails=1
OverwriteLog=0

[Look]
BlindUser=0
Menu=MainMenu
DisplayHeader=1
FloatInfo=1
InfoPanelHighlight=0

[BugReport]
UseDefaultMailer=1
IncludeSysInfo=1
IncludeResults=1
IncludeActiveX=1
IncludeBHO=1
IncludeBrowserPages=1
IncludeProcessList=1
IncludeStartup=1
IncludeWinsockLSPs=1
IncludeClipboardText=0
IncludeClipboardImage=0
IncludeSpyFiles=0
CarbonCopy=1

[Expert]
ShredTracks=1
ShredRecovery=1
ShowResultsButtons=0
ShowRecoveryButtons=0

[Expert\Viewer]
HelperUseFiles=0
HelperUseFolders=0
HelperUseRegistry=0

[Filesets]
Spybot - Search & Destroy=1
Cookies.sbi=1
Dialer.sbi=1
Hijackers.sbi=1
Keyloggers.sbi=1
Malware.sbi=1
Revision.sbi=1
Security.sbi=1
Spybots.sbi=1
Temporary.sbi=1
Trojans.sbi=1
System Internals=0
Usage Tracking=0
Tracks.uti=0

[Durations]
Spybot - Search & Destroy=18
Cookies.sbi=0
Dialer.sbi=102
Hijackers.sbi=98
Keyloggers.sbi=12
Malware.sbi=14
Revision.sbi=1
Security.sbi=0
Spybots.sbi=136
Temporary.sbi=0
Trojans.sbi=8
System Internals=1
Usage Tracking=1
Tracks.uti=1

Hi,

these seem to be the settings of Spybot S&D
Quite a good program, but just the settings won’t help much… ;D ;D

its report/log would be better

even better would be the log from HJT / Hijackthis :wink:

a direct link to the Hijackthis-program without the need to unzip it is here:

http://tomcoyote.org/hjt/HijackThis.exe

OK, I quit. This is the error I am still getting:

Internet Explorer was not able to open this internet site. The requested site is either unavailable or cannot be found. Well, I'm at the site, duh. lol. About ready to head to the loony bin. I really need download ability. Why me? And you are too kind to be so helpful. Can I send you my first born son as a thank you? Juuuuust kidding. Thanks

Dreams

Like I said, download tools on another PC…

e.g.
escan, clrav, AV-Boot-Disks/-CDs

OK, here is the newest HJT log. I was able to get it open in safe mode by copying and pasting it into a new folder. I had it analyzed, but the very last entry is new and there was no comment regarding it. I even pasted it alone and got no results. Any ideas? You seem to be the only one with any answers lately. Thanks again.

dreams

Logfile of HijackThis v1.98.0
Scan saved at 1:48:44 PM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://hoylegames.sierra.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL