This is topic MAKE IT STOP!!!!! in forum Officers' Lounge at Flare Sci-Fi Forums.


To visit this topic, use this URL:
https://flare.solareclipse.net/ultimatebb.php/topic/10/3535.html

Posted by Topher (Member # 71) on :
 
I'm having issues with spyware/malware whatever it is. It's damned annoying, and I can't get it to go away! It's something called ISTBar. I'm using Ad Aware SE and Spybot. They detect it, tell me I have to reboot to remove the exe. So I do, everything's fine. Then I run Ad Aware again after like 2 minutes (before connecting to the internet or anything) and it's back. Help me get rid of this thing!!
 
Posted by Harry (Member # 265) on :
 
Perhaps you could try to block it from accessing the network in your firewall. That would at least narrow down its possibilities.

Then, search your registry for 'ISTBar' (and whatever other names it's using).

<insert obligatory anti-IE flame here>
 
Posted by Jay the Obscure (Member # 19) on :
 
I found Spy Doctor and Pest Patrol helpful in addition to the programs you mentioned.

I used the free scan offered by both. It did not allow for automatic removal using the program, but it listed the location where the adware/malware existed on my computer and I went and deleted the file myself.

I also found Browser Hijack Recover useful.

CNET has a good selection of anti-spyware tools.
 
Posted by Cartman (Member # 256) on :
 
*sigh* children...


If dealing with the AUpdate strand:

1) Open the registry and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

2) Delete the 'AutoUpdater' entry pointing to 'aupdate.exe'.

3) Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.

4) Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

5) Reboot.

6) Delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and 'aupdate_uninstall.exe' from the System folder.

7) Restore your normal search settings and then kill RapidBlaster and DownloadPlus.


If dealing with the MSCache strand:

1) Open a DOS prompt and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u ..\mscache.dll

2) Open the registry and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

3) Delete the 'MS Updates' entry pointing to 'mscache.exe'.

4) Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.

5) Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

6) Reboot.

7) Delete the files 'mscache.exe', and 'mscache.dll' from the Windows folder.

8) Restore your normal search settings and then kill nCase and Wink/EasyDates.


If dealing with the XXXToolbar strand:

1) Open the registry and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

2) Delete the 'IST Service' entry.

3) Open a DOS prompt and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"

4) Reboot.

5) Delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder.

6) Delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (.1).


If dealing with all three, reformat and don't touch a computer again until you're fifty.

And for the sake of TEH INTARNET, download Firefox and a few decent extensions, or I will get so medieval on your ass you'll wish you had bought a MAC.
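
The registry values, keys and files listed in the post above, gathered into a read-only PowerShell check that reports which of them are still present (an added example, not part of the original post or thread). Checking the HKLM Run key in addition to the HKCU key the post names, and reading "Pugi.PugiObj (.1)" as two key names, are assumptions.

```powershell
# Added example: read-only audit of the artifacts named in the steps above.
# It only reports what is still present; nothing is deleted or changed.
$clsid = '{69550BE2-9A78-11D2-BA91-00600827878D}'

# Registry values to look for: key path -> value names.
# Assumption: the Run value names are checked under HKLM as well as HKCU.
$run = 'AutoUpdater', 'MS Updates', 'IST Service'
$values = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = $run
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = $run
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'  = @($clsid)
}

# Registry keys and folders from the steps.
# Assumption: "Pugi.PugiObj (.1)" means both Pugi.PugiObj and Pugi.PugiObj.1.
$paths = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    "HKLM:\Software\Microsoft\Internet Explorer\Explorer Bars\$clsid"
    'HKCU:\Software\ISTbar'
    'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj'
    'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj.1'
    (Join-Path $env:ProgramFiles 'ISTbar')
)

# Files from the steps: System folder first, then the Windows folder.
$paths += 'aupdate.exe', 'aupdate.conf', 'aupdate.trk', 'aupdate_uninstall.exe' |
    ForEach-Object { Join-Path "$env:WinDir\System" $_ }
$paths += 'mscache.exe', 'mscache.dll', 'istsvc.exe' |
    ForEach-Object { Join-Path $env:WinDir $_ }

$found = @()
foreach ($key in $values.Keys) {
    # A missing key or a key with no values returns nothing; skip it.
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $values[$key]) {
        $p = $props.PSObject.Properties[$name]
        if ($p) { $found += "value  $key -> $name = $($p.Value)" }
    }
}
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) { $found += "exists $path" }
}

if ($found) { $found } else { 'None of the listed artifacts were found.' }
```

Running it once right after cleanup and again a few minutes later shows whether any entry is being re-created.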
 
Posted by Jay the Obscure (Member # 19) on :
 
Well, yeah. Everyone knows that.
 
Posted by Topher (Member # 71) on :
 
Harry, Cartman:

Thank you so very much for automatically assuming that I use IE. I've used Firefox on this computer exclusively since I built it in September. [Razz] [Roll Eyes]

Cartman:

I have a folder, Program Files\ISTsvc with a file istsvc.exe in it that keeps popping up. What strain is this? Whenever I attempt to delete the file it says it's in use, etc.

Alrighty, I just ran Ad Aware again, it deleted about 24 registry entries for this sucker and now Ad Watch keeps popping up saying that IST Service is trying to change the registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run. How do I stop it from changing the entry?
 
Posted by Topher (Member # 71) on :
 
Spybot identifies this thing as ISTbar.Slotch, and it also found DyFuCA.
 
Posted by Cartman (Member # 256) on :
 
"Thank you so very much for automatically assuming that I use IE."

Well, duh. ISTbar doesn't infect any browser other than IE. If you really have used Firefox exclusively since September, then how did it get onto your computer, eh? EH?

"I have a folder, Program Files\ISTsvc with a file istsvc.exe in it that keeps popping up. What strain is this?"

That would be the Toolbar. Just be sure to follow all the steps in the right order, or you'll be running AdAware until the heat death of the universe.

(ISTBar.slotch, BTW, is simply an alias of XXXToolbar. As far as I know, they're identical.)
 
Posted by Topher (Member # 71) on :
 
Certain videos run IE through WMP when attempting to acquire a license. I would assume that's where this fucker came from.

I would follow your steps but there is no istbar.dll file anywhere on my computer. The only entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is for MSN Messenger.

When I reboot and run Ad Aware first thing, there is no ISTsvc/istsvc.exe. After about 5 minutes it regenerates and then I'm back to square one.
 
Posted by Cartman (Member # 256) on :
 
Skip steps 1 through 3, then, and boot into safe mode before doing 5 and 6.

(Try this program, too.)
 
Posted by Topher (Member # 71) on :
 
From Symantec, eh? That's my AV software... Nice of it to pick it up...

Anyways, I went into safe mode (before I saw your post) and managed to delete ISTsvc\istsvc.exe. That then spawned a file in the Windows directory, gbvwaqgq.exe, which I had to delete through safe mode. Everything seems to be hunky-dory now...
 
Posted by Balaam Xumucane (Member # 419) on :
 
This is me totally not posting some tetchy flame-bait Think Different response.
 
Posted by Cartman (Member # 256) on :
 
I am obligated, under international PC law that I have just made up, to retort with this.
 
Posted by Topher (Member # 71) on :
 
I just built this computer 4 months ago, so it'll be a bit before I'm thinking about a new system. [Smile]
 
Posted by Mucus (Member # 24) on :
 
Bah, real computer users plan for upgrading *while* buying new computers/motherboards [Wink]
 
Posted by Topher (Member # 71) on :
 
I was shopping for budget, really. But I'm sure I can upgrade some. This is the board I ended up getting.
 
Posted by Austin Powers (Member # 250) on :
 
You know my trick for not getting my PC infected with spyware/adware etc.?

I use Windows 98! [Smile]
It hardly ever crashes, all my programs run sufficiently fast, I don't play games...
So why the hell should I upgrade to Windows XP and invite all kinds of viruses, spyware etc. to infest my system?

Old software rulez! [Wink]
 
Posted by Omega (Member # 91) on :
 
Certain videos

Hehe.
 
Posted by Nim' (Member # 205) on :
 
I'm so poor I have to rent farts. [Frown]

[ December 16, 2004, 03:50 PM: Message edited by: Nim' ]
 
Posted by Cartman (Member # 256) on :
 
"You know my trick for not getting my PC infected with spyware/adware etc.?"

Your premises about Win98 might (and I stress might), in your case, all be true. However, your conclusion about WinXP is so far from being a logical consequence of them as to be on its own extra-dimensional fallacy plane. Your argument is therefore total crap, sir.
 
Posted by TSN (Member # 31) on :
 
"[Win98] hardly ever crashes..."

And in what magical pixieland did you obtain this copy of 98?
 
Posted by PsyLiam (Member # 73) on :
 
Indeed. I'm sure that NASA and, er, God will be interested in this amazing copy of Win 98 that not only never gets spyware or viruses, but also somehow crashes less than WinXP. It truly must be a blessed copy of the holy OS.
 
Posted by TSN (Member # 31) on :
 
Which is like what I said, only longer and four days too late.
 
Posted by Fleet-Admiral Michael T. Colorge (Member # 144) on :
 
I suggest that after you get rid of that spyware you use Spybot Search and Destroy along with Lavasoft's Ad Aware for preventive maintenance.
 
Posted by PsyLiam (Member # 73) on :
 
quote:
Originally posted by TSN:
Which is like what I said, only longer and four days too late.

Dear God, I'm turning into Andrew.
 
Posted by Jason Abbadon (Member # 882) on :
 
Well, you still get some jokes... [Wink]
 
Posted by TSN (Member # 31) on :
 
Actually, Lee is turning into Andrew. I'm not sure why, but it can't be good.
 


© 1999-2024 Charles Capps
