istbar, mssys, done all things on sticky and more

Here's the chain of events-

I boot up, windows opens.. avg shows a warning that "trojan horse downloader.istbar.ag" is in the temp folder as istbar.dll and there is a folder called ist1. so i run avg. It finds the two locations and puts the files in the vault. I then run the slew of apps the sticky told me to get ( aboutbuster, ad-aware, bazooka, ccleaner, cwshredder, kill2me, spybot s&d, spywareblaster, hijack this, hsremove, stinger). I'll also note that at the time avg finds these files the process "mssys.exe" starts running and hangs at 99% in processes until i end it because my computer is now hanging. I've read on this process but i cant find the registry key i have been directed to.. in the /....currentversion/run ...area.

So at this point i presume everything is gone. I open up old internet explorer. and it's as if pop-ups are popping up but there are none there, i say this because the current app goes inactive. and it does this every 2secs or so. So i get pissed, reboot in safe mode run everything again, except avg (maybe i should try that, i would think one of the other apps would get it just the same though) nothing appears to get deleted.. then reboot normally and there it is again.. avg detects "trojan horse downloader istbar.ag" to summarize.....

-hidden files & folders ARE viewable
-file extensions are NOT hidden
-system restore is turned off
-i've run all apps noted in "the sticky" in regular and safe mode

here is my hijack log (note, this is run just after boot up, i have not run any antivirus or spyware programs yet)


thanks for any given help

 

Hi excellrec,

Your HijackThis is old and you should have read this first:
NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

You log should be saved as a .txt file and posted as an attachment via the Attachment Manager tool.

This is not good. You should check your Trusted Zone for others like it.
O15 - Trusted Zone: *.xxxtoolbar.com

I am not sure what these are:
O4 - HKLM\..\Run: [HDSPTray1] hdsp32.exe
O4 - HKLM\..\Run: [HDSPTray2] hdspmix.exe
DO NOT FIX them until we ID them.

All browser sessions should be closed when you run HJT:
D:\Program Files\Internet Explorer\iexplore.exe

PP

 

ok, sorry about the confusion with the hijack logs. I deleted the server[1] thing, so it's not there anymore. As far as that site saying it's in trusted sites.. i looked there. and it says ther'es none in there.... so...? i posted my latest log with the latest hijackthis, Thanks alot for any help guys/gals

 

nothing stands out.. but you can get rid of these

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

 

ok. So if this is checking out now... where do i go next. I am still getting avg detecting the virus "istbar.ag". The mssys thing isnt happening anymore, and none of the other symptoms seem to be there anymore, it's like i've lopped off everything above the problem... but the root still lies in there somewhere.

Somewhere there is something that get's triggered that starts trying to install all this crap on my computer... but all the anti-virus stuff and anti-spyware stuff is stopping it before it can. Could it be that the file doing this is not identified yet? that's why nothing seems to be finding what is causing all this? What do you guys/gals think?

Thanks, Arit

 

boot to safe mode
Delete all your temp files under Local Settings\temp for all profiles.
go to start.. run .. type REGSVR32 /u trojandownloader.win32.istbar.gen.dll (if you get an error, ignore it. if it's successful then proceed)

look for any of the following files and delete them


systemroot+\temp\bundlersi.exe
trojandownloader.win32.istbar.gen.dll
trojandownloader.win32.istbar.gen_(14).exe

... brain fart.. did you do the tutorial for ALL profiles? if not, you need to do this.

 

thanks for the help kodo... but avg is still detecting the downloader.
i booted into safe mode, adn typed in the run command, got an error. The temp folder is empty. i presume when you said look for those files... that would be only if the run cmd worked? When you say for all profiles... you mean win xp user profiles right? i only have one.... at least i only have one when booting windows normally, but when i boot into safe mode i can login as admin.. which i think i have been doing.. would this make a difference? Any more suggestions? Am i just f'ed? Thanks again all.
Arit

 

virus

trojan horse downloader istbar.4.ag

found in file
D:\documents and settings\emerald\istactivex.dll

of course i will delete this file, but when i re-boot, it comes right back... so ?

 

boot in safe mode. Go to start.. run.. type

REGSVR32 /u D:\documents and settings\emerald\istactivex.dll

say ok to any prompts even if it's an error prompt.

Now find that file and delete it and find any file called istactivex.inf and delete that too. It MAY be in the same location as a hidden file.