MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: removing Trojan Downloader.Holica.B and Istbar 5.l
December 11, 2019, 09:23:50 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
December 11, 2019, 09:23:50 AM

Login with username, password and session length
 Featured Sites:
News
New  We now offer MyTechSupport.ca Merchandise! Every purchase goes towards maintaining our site.
Thank you for supporting MyTechSupport.ca!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: removing Trojan Downloader.Holica.B and Istbar 5.l  (Read 2780 times)
oscarwilde
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 5


Bookmark and Share

View Profile
« on: December 07, 2004, 01:28:40 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows 98
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



My computer s been used by other people and got infected with a lot of viruses and trojans as a result. I managed to delete all but four which are:
Trojan Horse Downloader.Holica.B
Dropper.Inor
VBS/VBSWG
Trojan Horse Downloader Istbar 5.H

I would greatly appreciate your help.

Thanks
My HJT log:
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AQUATICA\AQ3HELPER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\APPLICATION DATA\CWRL.EXE
C:\WINDOWS\SYSTEM\TDE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\AVERTV\AVREMOTE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\BELGELERIM\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba
« Last Edit: December 07, 2004, 01:48:58 AM by oscarwilde » Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #1 on: December 07, 2004, 01:58:18 AM »


First Set Windows to View Hidden Files and Folders


Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

cwrl.exe
tde.exe

Close all other open Windows and have HiJackThis Fix:


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
oscarwilde
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 5


Bookmark and Share

View Profile
« Reply #2 on: December 07, 2004, 02:50:38 AM »

Hi
I ve done all that and here s the new hjt log:
Thank you so much and God bless you!:)

Logfile of HijackThis v1.98.2
Scan saved at 04:48:54, on 07.12.2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AQUATICA\AQ3HELPER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\AVERTV\AVREMOTE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\BELGELERIM\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA\AQ3HELPER.EXE /partner AQ3
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Remote.lnk = C:\AVERTV\AVREMOTE.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: MynetSohbet - http://irc.mynet.com/java/cr.cab
O16 - DPF: ConferenceRoom Java Client - http://irc.kahkaha.com:7050/java/cr.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-tr/tr/games2.cab


Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #3 on: December 07, 2004, 02:55:39 AM »

Logfile looks good oscarwilde ... Grin

How's everything running?

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
oscarwilde
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 5


Bookmark and Share

View Profile
« Reply #4 on: December 07, 2004, 03:05:51 AM »

Everything seemed fine and much faster until I did another virus scan. I ve still got all of them...
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #5 on: December 07, 2004, 03:09:22 AM »

Run HJT again and post another logfile please... Grin

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
oscarwilde
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 5


Bookmark and Share

View Profile
« Reply #6 on: December 07, 2004, 03:12:03 AM »

Here it is:
Logfile of HijackThis v1.98.2
Scan saved at 05:15:47, on 07.12.2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AQUATICA\AQ3HELPER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\AVERTV\AVREMOTE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\BELGELERIM\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA\AQ3HELPER.EXE /partner AQ3
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Remote.lnk = C:\AVERTV\AVREMOTE.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: MynetSohbet - http://irc.mynet.com/java/cr.cab
O16 - DPF: ConferenceRoom Java Client - http://irc.kahkaha.com:7050/java/cr.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-tr/tr/games2.cab


Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #7 on: December 07, 2004, 03:58:54 AM »


Hey oscarwilde ...


Close all other open Windows and have HiJackThis Fix:



O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: MynetSohbet - http://irc.mynet.com/java/cr.cab
O16 - DPF: ConferenceRoom Java Client - http://irc.kahkaha.com:7050/java/cr.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab



Go to Control Panel / Add/Remove Programs and remove the
 following if they are there:


MyNet

Now, empty all your TEMP Folders / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

Double click 'My Computer' > 'C Drive' > 'Windows' > open 'Cookies' > Select all the files and click Delete.  

Now go back to your Windows folder.  Find and open the 'Downloaded Program Files' folder.  Select all programs that you do not use, or programs that don't have valid names.  Click the Delete button or click 'File' > 'Delete'.

Again, go back to your windows folder, find and open the 'Temp' folder.  This folder contains any left over setup files from programs you have installed, but failed to delete.  Select all the files, including hidden ones (to unlock hidden files, click 'Tools' > 'Viewing Options' > make sure 'Show all files' is selected) and delete them.  

Back to the Windows folder again, find and open the 'Temporary Internet Files' folder.  Disk Cleanup does not delete cookies in this folder, so we have to manually delete them.  Select all remaining files and delete them by clicking the Delete button or 'File' > 'Delete'.  

Now open your C Drive again.  Find a folder called Temp.  Open it and delete all the items.  

Again, in your C Drive, if you have WinZip, search for a folder called 'Unzipped'.  Delete all these files or move them to a folder if you wish to keep them.  The contents of the unzipped folder contain items that you unzipped using WinZip.


Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONSand make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.

Now re-run HJT and post a new logfile back here.


Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
oscarwilde
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 5


Bookmark and Share

View Profile
« Reply #8 on: December 07, 2004, 02:25:45 PM »

Hi Cactus,
I ve done all of that but while I was deleting the Windows cookies folder, there were two files that I couldnt delete;
Index (it said cannot delete
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #9 on: December 07, 2004, 04:05:12 PM »


Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

AQ3HELPER.EXE


Close all other open Windows and have HiJackThis Fix:


O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA\AQ3HELPER.EXE /partner AQ3

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=



Go to Control Panel / Add/Remove Programs and remove the
 following if they are there:


AQUATICA

Now delete these Folders or Files that are Highlighted: (You may need enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\PROGRAM FILES\AQUATICA\AQ3HELPER.EXE

Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

WIN98 TEMP FILES

double click 'My Computer' > 'C Drive' > 'Windows' > open 'Cookies' > Select all the files and click Delete.  

Now go back to your Windows folder.  Find and open the 'Downloaded Program Files' folder.  Select all programs that you do not use, or programs that don't have valid names.  Click the Delete button or click 'File' > 'Delete'.

Again, go back to your windows folder, find and open the 'Temp' folder.  This folder contains any left over setup files from programs you have installed, but failed to delete.  Select all the files, including hidden ones (to unlock hidden files, click 'Tools' > 'Viewing Options' > make sure 'Show all files' is selected) and delete them.  

Back to the Windows folder again, find and open the 'Temporary Internet Files' folder.  Disk Cleanup does not delete cookies in this folder, so we have to manually delete them.  Select all remaining files and delete them by clicking the Delete button or 'File' > 'Delete'.  

Now open your C Drive again.  Find a folder called Temp.  Open it and delete all the items.  

Again, in your C Drive, if you have WinZip, search for a folder called 'Unzipped'.  Delete all these files or move them to a folder if you wish to keep them.  The contents of the unzipped folder contain items that you unzipped using WinZip.



Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONSand make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.

Now re-run HJT and post a new logfile back here.

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page June 17, 2018, 03:35:50 PM