
istsvc et al. - keep coming back! (Win2000)

Discussion in 'Malware and Virus Removal Archive' started by FredMess, 2005/05/31.

Thread Status:
Not open for further replies.
  1. 2005/05/31
    FredMess

    FredMess Inactive Thread Starter

    Joined:
    2005/05/31
    Messages:
    2
    Likes Received:
    0
    Hi there. I am fighting the same situation as some other people, but with a Windows 2000 professional (SP4) platform, which means it's not possible to disable the restore point (I think).

    I get several processes that seem to reset themselves up. They seem to start with istsvc.exe (IST Bar, something I never downloaded) and seem to be downloading other spyware such as Media Access, PowerScan, and quite possibly more along the way.

    I ran everything I had, and then some, all in safe mode and whatnot: Ad-Aware, Spybot, SpySubtract, AVG antivirus, AVAST antivirus, Ewido. They all see the contaminated files, remove them, but the files come back upon reboot. (Sole exception: when I unplugged my DSL modem the files did NOT reappear after 2 or 3 reboots... not even istsvc.exe... strange...)

    I went into the registry, found and deleted the spyware processes in the microsoft>windows>(...)> "run" registry table.

    I used Process Explorer to try and find the Parent file that reinstalls the spyware every time... found a file called "fWWY1vQ.exe" in my temp directory, deleted it, but still the processes come back after reboot (and that file too).

    Please help me find the parent file that reinstalls everything, or the guilty processes. I spent all day on this... any advice would be much appreciated.

    Here, I just rebooted. Here's the HiJackThis log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 23:32:09, on 2005-05-31
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\WINNT\system32\p2pnetworking.exe
    C:\Fred\Downloaded executables\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
    O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MétéoIMédia] C:\program files\MétéoMédia\MétéoIMédia\WeatherEye
    O4 - HKCU\..\Run: [WeatherEye] C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

    NB: All these processes seem normal, except... why are there four (4) svchost.exe?? Could this be it?
     
  2. 2005/06/01
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    1. scan and clean again using your antispy tools.
    2. delete all temp files
    3. delete all temp internet files
    4. search around c/program files/common files for strangers
    5. C:\WINNT\system32\internat.exe is Windows language Tools, if not using language Tools then it could be the culprit trojan:
    http://www.google.com/search?hl=en&q=internat.exe&btnG=Google+Search
    6. You DO have a trojan downloader somewhere, that's why you only get reinfected when connected to www, when not connected the trojan cannot re-download the spyware, use Autoruns from www.sysinternals.com to view ALL startup apps, services & processes.

    O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto is your likely virus/trojan:
    http://www.google.com/search?hl=en&lr=&q=winupdate.exe&btnG=Search
     
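Tony's diagnosis comes from reading the O4 (autostart) lines of the HijackThis log above. The script below is an added example written for this page, not code from the thread or from HijackThis: it parses O4 lines in that format and applies two constructed triage heuristics (a RunServices entry, and an "update"-named program started from outside the Windows directory) so that an entry like the winupdate one stands out for review. The sample lines are constructed to mirror the log.

```python
import re

# Constructed sample typed for this example, in the shape HijackThis 1.99.1
# prints O4 (autostart) entries; paths echo the ones in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
"""

REG_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
# Unquoted paths may contain spaces, so cut at the closing quote or the first ".exe"
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)

def parse_o4(line):
    """Return {hive, key, name, cmd, exe} for one O4 line, or None for any other line."""
    m = REG_RE.match(line)
    if m:
        entry = m.groupdict()
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None
        entry = {"hive": "Startup", "key": "Global Startup", **m.groupdict()}
    cmd = entry["cmd"].strip()
    x = EXE_RE.match(cmd)
    entry["exe"] = (x.group(1) or x.group(2)) if x else cmd
    return entry

def triage(entry):
    """Heuristic reasons (constructed for this example, not HijackThis logic) to look closer."""
    reasons = []
    exe = entry["exe"].lower()
    if entry["key"] == "RunServices":
        reasons.append("RunServices is a Windows 9x-era key; legitimate Win2000 software rarely writes it")
    if "update" in (entry["name"].lower() + exe) and not exe.startswith("c:\\winnt"):
        reasons.append("update-named program started from outside the Windows directory")
    return reasons

def scan(log):
    """Map the name of every flagged O4 entry in a HijackThis log to its reasons."""
    entries = [parse_o4(l.strip()) for l in log.splitlines()]
    return {e["name"]: triage(e) for e in entries if e and triage(e)}
```

Running `scan(SAMPLE_LOG)` flags only the winupdate and p2pnetworking entries; a hit is a prompt to check the file's location, date and publisher, not a verdict on its own.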


  4. 2005/06/01
    FredMess

    FredMess Inactive Thread Starter

    Joined:
    2005/05/31
    Messages:
    2
    Likes Received:
    0
    Thanks, Tony.

    Language tools were harmless as it happens (last modification date, etc. were ok, and I do use French/English on my keyboard).

    I erased all temp files, all temporary internet files, and all the irrelevant Program Files that my trojan had installed (as usual)... I used Autoruns to check out my processes and... you were right!

    It occurred to me that the Windows Update utility should NOT be in the Program Files folder .... I disabled it and moved the folder (with the sole windowsupdate.exe file in it) to the trashcan.

    Next start: no install, Autorun shows WindowsUpdate went looking for itself and... voilà! "FILE NOT FOUND ". Perfect. Now I get to clean the rest with the relevant software.

    Everything seems ok. I'll get back if it doesn't work. Thanks again.
     