WIN32: ISTDNLDR-U (Trj)

I have multiple files that have this virus on my computer. When I open up/restart my computer, the On-Access scanner finds about 2-10 of this virus. I’ve tried putting them in the chest, and deleting them, but they keep coming back.

A Hijackthis! log file is attached…I couldn’t fit it all…in the post itsaid 10,000 max characters.

Thanks. Does anybody how to fix this virus? I’ve searched around in the forums, found a few topics, but none that helped ME. Thanks!

Generally, recurring virus could be deleted by:

  1. Empting all temporary files (Internet cache)
  2. Disable System Restore
  3. Boot time scanning
  4. Enable System Restore

Do you need more help?

Yes.
I’ve tried all of those.

Thank you.

Same problem here, Help!
Robert

Hi Robert,

we need more info to help you;
please work through the link “VirusRemoval” below in my sig, and then come back with more info, e.g.
location of virus &
a hijackthis-Log, and
windows- & avast version &
what you’ve tried so far…

:wink:

This is an on-line analysis of your log file - http://hijackthis.de/logfiles/ae074b7092d5c95025769bf976c1936d.html this should hopefully get you started. You may then be able to post the contents after fixing the harmful ones and checking the unknown (use google) ones.

There are lots of nasties in the analysis and it also doesn’t see a software firewall. Ignore any reference to any avast entries, this is a bug in the latest HJT 1.99.1.

Also see the link whocares referred to in his signature

malware name: Win32:IstDnldr-U(trj) in C:\DOCUME~1\GEBRUI~1\LOCALS~1\Temp|K2cam7.exe
They keep coming back in different names like:BZZrEX.exe, FG9dYA.exe, gshte4.exe etc after deleting or moving to the chest. I have windoiws XP and avast 4.6 home edition. I have done all the steps you have described with no succes and I have tried many different programs…
Here is my hijack log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:16:00 AM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [O3KpDYT1] C:\WINDOWS\jdnhvv.exe
O4 - Startup: EarthView.lnk = C:\Program Files\EarthView\EarthView.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - User Startup: EarthView.lnk = C:\Program Files\EarthView\EarthView.exe
O4 - User Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra ‘Tools’ menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {56E4B9EB-4C79-4568-A19E-72794FA70060} (PatsShellOCX Control) - http://193.178.217.26/Jtrader%20new/SunJVMPatsFiles/pats.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://nl.encarta.msn.com/encnet/external/MSSurVid.cab
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Regards, Robert

I don’t understand if the trojan now appear in Temp folder or not after your cleaning. If yes, you can shred it and restart with all the steps you described first. Then try this… maybe you’ll have some results: go to http://www.avast.com/eng/avast_cleaner.html , download the removal tool, again do all the steps you have described first and run the tool at reboot.

sorry: my english is poor but i hope you understand ::slight_smile:

Note: I know that is a dangerous step “shred” totally a file because there’s the danger of damage some software. Do it ONLY if you are sure of your action!!!
Another thing I want say: my recent experience learn to me how the online check by HijackThis maybe is inaccurate: nothing is better then an expert eye like the eyes of many experienced members of this Forum… and I’m not one of them :slight_smile:

Just managed to solve the problem by running a program called a-squared. It managed to get rid of the trojan!
Robert

Hi Robert,
good to hear;

  • apply ServicePack2 & all other windowsupdates
  • secure your system & browser better; see my link below
    or this stuff will always come back through the browser :wink:

Thank you! Um, give me some time to try all this stuff.
Thanks again!

O.

…I managed to download this program after you posted, and I scanned my computer, and It got rid of the trojan too! Thanks so much!

Also, I tried Avast Cleaner and an online one, but none of them worked.
I also tried deleting stuff from here:
http://hijackthis.de/logfiles/ae074b7092d5c95025769bf976c1936d.html
, but I couldn’t find any of the nasty files!(except 1)

But, anyways, thanks guys for all your help.

Also probs with win32:istdnldr-u

Hijack v.1.98.1 Log:

Logfile of HijackThis v1.98.1
Scan saved at 20:36:19, on 05.04.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sony\vaio media music server\SSSvr.exe
C:\Programme\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\SV_Httpd.exe
C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\UPnPFramework.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\T-ONLINE\BSW4\ToDuCAlC.EXE
C:\Programme\Internet Explorer\iexplore.exe
D:\Anwendungen\hjt\HijackThis.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online.de/service/redir/tosw4_start.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM..\Run: [StorageGuard] “C:\Programme\VERITAS Software\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [sais] c:\programme\180solutions\sais.exe
O4 - HKLM..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM..\Run: [yjsxctal] C:\WINDOWS\yjsxctal.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Programme\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [WashAndGo - Cleanup of old Backupfiles] D:\Programme\Purgatio Pro\checker.exe /check
O4 - HKCU..\Run: [monitor] monitor.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - ftp://ftp.pt.ea.com/QA/pub/easports/patches/fifa2004/pc/DE/patchx2.cab
O17 - HKLM\System\CCS\Services\Tcpip..{E5D6800D-3AA5-44DD-BD5C-79E3BD8FD90D}: NameServer = 217.237.150.97 217.237.149.161

Adaware: no success
Search&Destroy: no success
avast: no success

Did you rum a-squared…it solved my problem?
Robert

  1. you aren’t using the latest version of hijackthis.
    In the meantime fix these:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online.de/service/redir/tosw4_start.htm (unless this is something you did intentionally)
    O4 - HKLM..\Run: [sais] c:\programme\180solutions\sais.exe
    O4 - HKLM..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
    O4 - HKLM..\Run: [yjsxctal] C:\WINDOWS\yjsxctal.exe
    O17 - HKLM\System\CCS\Services\Tcpip..{E5D6800D-3AA5-44DD-BD5C-79E3BD8FD90D}: NameServer = 217.237.150.97 217.237.149.161 (unless this is something you did intentionally or know about, like your ISP’s IP range, etc.)

This is not required at start-up
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE

  1. once you have updated and run a HJT scan - For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php