
Please help - how to remove ISTbar spyware

Discussion in 'All other topics' started by denis2, Jan 13, 2005.

  1. denis2 (Member, joined Jan 11, 2005)

    Hi

    Yesterday I downloaded a series of trial DVD authoring programs (TMPGEnc, Ulead, and others) and today Ad-Aware found 135 critical new objects! Previously I had had none for a couple of months. I've removed all except for something called ISTbar. Ad-Aware found a Regkey and a Regvalue. I ran something called FxIstbar, but it came back saying it couldn't find it on my PC.

    Please help. If anyone knows how to remove it, I'd appreciate a step-by-step guide (I guess I have to put the PC into Safe Mode and back it up). Has anyone had any experience with this spyware?
     
  2. ddp (Moderator, Staff Member, joined Oct 15, 2004)

    Check your Add/Remove Programs. Which Ad-Aware are you using, SE or 6? If 6, then get SE.
     
  3. denis2 (Member, joined Jan 11, 2005)

    I have Ad-Aware SE. However, although it removes the ISTbar regkey and regvalue, they are back again after the next start-up. I also ran a2 (a-squared), which removed 10 malware items linked to ISTbar, but then ran Ad-Aware and the same two registry items appeared. Is there a manual way to remove ISTbar?
     
  4. ddp (Moderator, Staff Member, joined Oct 15, 2004)

    Check msconfig/Startup and Programs/Startup to see if ISTbar is there. Also run in Safe Mode to run the programs that delete spyware.
     
  5. denis2 (Member, joined Jan 11, 2005)

    I ran HijackThis and here is the log. Can anyone see anything there that I need to remove?

    Logfile of HijackThis v1.99.0
    Scan saved at 22:03:03, on 13/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    F:\AVAST4~1\ashDisp.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\NetLimiter\NetLimiter.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MZL & Novatech TrafficStatistic\bin\gui\TrafficStatisticGUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\a2\a2guard.exe
    F:\Adobe Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
    F:\Canopus 2\Procoder2.exe
    F:\Avast 4\aswUpdSv.exe
    F:\Avast 4\ashServ.exe
    F:\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MZL & Novatech TrafficStatistic\bin\http_server\HTTP_Srv.exe
    C:\Program Files\MZL & Novatech TrafficStatistic\bin\cpm\RunCPM.exe
    C:\WINDOWS\system32\wdfmgr.exe
    F:\Kerio Personal Firewall\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    F:\Kerio Personal Firewall\Personal Firewall 4\kpf4gui.exe
    F:\Avast 4\ashMaiSv.exe
    C:\WINDOWS\System32\alg.exe
    F:\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    F:\ht.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...k/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/uk/*http://www.yahoo.co.uk
    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] F:\AVAST4~1\ashDisp.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TrafficStatisticGUI] "C:\Program Files\MZL & Novatech TrafficStatistic\bin\gui\TrafficStatisticGUI.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [80DW] C:\WINDOWS\qxkalmv.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = F:\Adobe Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: OpenMG Jukebox Startup.lnk = C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O23 - Service: avast! iAVS4 Control Service - Unknown - F:\Avast 4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - F:\Avast 4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Avast 4\ashMaiSv.exe
    O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - F:\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrafficStatistic HTTPSrv Service - MZL & Novatech - C:\Program Files\MZL & Novatech TrafficStatistic\bin\http_server\HTTP_Srv.exe
    O23 - Service: TrafficStatistic RunCPM Service - MZL & Novatech - C:\Program Files\MZL & Novatech TrafficStatistic\bin\cpm\RunCPM.exe

     
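The two moderator replies above boil down to "look at what starts with Windows and decide which entries do not belong", and the HijackThis log is exactly that list in text form. The script below is an added example for this thread, not HijackThis code and not anything a poster ran: it parses the R3, O4 and O23 line formats used in the log and applies a few triage heuristics a responder would apply by eye. The heuristics (an autostart whose binary sits directly in the Windows directory under a random-looking name, an entry with no name and no file, a service whose vendor is unknown or whose binary is missing) and the severity labels are the example's own assumptions. The sample input is a verbatim subset of the posted log. Flagging a line is a prompt to inspect the file (properties, dates, an on-demand AV scan from Safe Mode), not a verdict; the thread itself never identifies what `C:\WINDOWS\qxkalmv.exe` is.

```python
"""Heuristic triage of HijackThis startup and service entries.

Added example for this thread. Not part of HijackThis, Ad-Aware or any post here.
It parses the R3, O4 and O23 line formats seen in the posted log and flags entries
a practitioner would inspect by hand before deleting anything.
"""
import re

# Subset of the HijackThis log posted in this thread (copied verbatim), used as sample input.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] F:\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [80DW] C:\WINDOWS\qxkalmv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - Unknown - F:\Avast 4\ashServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<key>[^\]]*)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
# A binary placed directly in the Windows directory, not in a subfolder such as system32.
WINROOT_RE = re.compile(r'^(?:[a-z]:\\windows|%systemroot%|%windir%)\\[^\\]+$', re.I)
# First program-like path in a command line; stops at quotes or commas (rundll32 "dll,entry").
IMAGE_RE = re.compile(r'"?([^",]+?\.(?:exe|dll|com|scr|bat))', re.I)
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+', re.I)


def first_image(cmd):
    """Return the program (or, for rundll32 launches, the DLL) that a Run value loads."""
    m = RUNDLL_RE.match(cmd)
    if m:
        cmd = cmd[m.end():]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def looks_random(name):
    """Crude test for machine-generated names: at most one vowel in five letters (assumed threshold)."""
    if len(name) < 4:
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return True
    vowels = sum(c in 'aeiouy' for c in letters)
    return vowels / len(letters) <= 0.2


def triage(log_text):
    """Return (severity, reason, line) triples for log entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if '(no file)' in line and '(no name)' in line:
            findings.append(('low', 'orphaned entry: no name and no file, safe to fix', line))
            continue
        m = O4_RE.match(line)
        if m:
            image = first_image(m.group('cmd'))
            stem = re.split(r'[\\/]', image)[-1].rsplit('.', 1)[0]
            if WINROOT_RE.match(image) and (looks_random(m.group('key')) or looks_random(stem)):
                findings.append(('high', 'random-looking autostart directly in the Windows directory', line))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group('path').endswith('(file missing)'):
                findings.append(('low', 'service points at a missing binary', line))
            elif m.group('vendor') == 'Unknown':
                findings.append(('info', 'service binary has no recognised vendor; verify by hand', line))
    return findings


if __name__ == '__main__':
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f'[{severity}] {reason}\n    {line}')
```

Run against the sample, the script rates one O4 line high (the `[80DW]` entry, because its binary is in the Windows root and both the key name and file name fail the vowel test), rates the `(no name) ... (no file)` URLSearchHook and the missing rpcapd.exe low, and notes the avast! service as info because HijackThis could not name its vendor. That last result shows why these heuristics are only a sort order: a legitimate product the poster installed deliberately lands in the list, so every hit still needs the file checked before it is removed.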
  6. freedom2 (Regular member, joined Dec 11, 2004)

    @ denis2

    If you're running Windows XP, you can do a System Restore to a few days before you downloaded it.

    Also, an installed personal firewall might stop you from getting some of those. You pick them up while surfing a lot, and they are hard as hell to delete; sometimes even Add/Remove Programs will not work. The worst are those damn porno sites; they put shit in your computer you didn't even know about.

    Good day.
     
    Last edited: Jan 14, 2005
