Flare Sci-fi Forums
Author Topic: MAKE IT STOP!!!!!
Fabrux
Epic Member
Member # 71

I'm having issues with spyware/malware, whatever it is. It's damned annoying, and I can't get it to go away! It's something called ISTBar. I'm using Ad Aware SE and Spybot. They detect it, tell me I have to reboot to remove the exe. So I do, everything's fine. Then I run Ad Aware again after like 2 minutes (before connecting to the internet or anything) and it's back. Help me get rid of this thing!!

--------------------
I haul cardboard and cardboard accessories

Registered: Mar 1999  |  IP: Logged
Harry
Stormwind City Guard
Member # 265

Perhaps you could try to block it from accessing the network in your firewall. That would at least narrow down its possibilities.

Then, search your registry for 'ISTBar' (and whatever other names it's using).

<insert obligatory anti-IE flame here>

--------------------
Titan Fleet Yards | Memory Alpha

Registered: Dec 1999  |  IP: Logged
Jay the Obscure
Liker Of Jazz
Member # 19

I found Spy Doctor and Pest Patrol helpful in addition to the programs you mentioned.

I used the free scan offered by both. It did not allow for automatic removal using the program, but it listed the location where the adware/malware existed on my computer and I went and deleted the file myself.

I also found Browser Hijack Recover useful.

CNET has a good selection of anti-spyware tools.

--------------------
Great is the guilt of an unnecessary war.
~John Adams

Once again the Bush Administration is worse than I had imagined, even though I thought I had already taken account of the fact that the Bush administration is invariably worse than I can imagine.
~Brad DeLong

You're just babbling incoherently.
~C. Montgomery Burns

Registered: Mar 1999  |  IP: Logged
Cartman
just made by the Presbyterian Church
Member # 256

*sigh* children...


If dealing with the AUpdate strand:

1) Open the registry and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

2) Delete the 'AutoUpdater' entry pointing to 'aupdate.exe'.

3) Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.

4) Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

5) Reboot.

6) Delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and 'aupdate_uninstall.exe' from the System folder.

7) Restore your normal search settings and then kill RapidBlaster and DownloadPlus.


If dealing with the MSCache strand:

1) Open a DOS prompt and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u ../mscache.dll

2) Open the registry and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

3) Delete the 'MS Updates' entry pointing to 'mscache.exe'.

4) Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.

5) Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

6) Reboot.

7) Delete the files 'mscache.exe' and 'mscache.dll' from the Windows folder.

8) Restore your normal search settings and then kill nCase and Wink/EasyDates.


If dealing with the XXXToolbar strand:

1) Open the registry and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

2) Delete the 'IST Service' entry.

3) Open a DOS prompt and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"

4) Reboot.

5) Delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder.

6) Delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (.1).


If dealing with all three, reformat and don't touch a computer again until you're fifty.

And for the sake of TEH INTARNET, download Firefox and a few decent extensions, or I will get so medieval on your ass you'll wish you had bought a MAC.

Registered: Nov 1999  |  IP: Logged
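The registry indicators named in the removal steps above can be checked in one pass over a registry export before and after cleanup. This is an added example, not part of the original post: the function names and the sample export are constructed, and matching the Run value names under HKEY_LOCAL_MACHINE as well as HKEY_CURRENT_USER is an assumption that goes beyond the listed steps.

```python
import re
CLSID = "{69550BE2-9A78-11D2-BA91-00600827878D}"  # indicators come from the post's steps
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
RUN_VALUES = {"autoupdater": "AUpdate", "ms updates": "MSCache",
              "ist service": "XXXToolbar"}
KEY_SUFFIXES = {  # lowercase key-path suffix -> strand
    "\\clsid\\" + CLSID.lower(): "AUpdate/MSCache",
    "\\internet explorer\\explorer bars\\" + CLSID.lower(): "AUpdate/MSCache",
    "hkey_current_user\\software\\istbar": "XXXToolbar",
    "hkey_classes_root\\pugi.pugiobj": "XXXToolbar",
    "hkey_classes_root\\pugi.pugiobj.1": "XXXToolbar",
}

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; value_name is None for a key line."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                yield key, m.group(1), m.group(2)

def find_indicators(text):
    """Return (strand, key, value_name) for every indicator present in the export."""
    hits = []
    for key, name, _data in parse_reg(text):
        k = key.lower()
        if name is None:  # key line: compare the path itself
            hits += [(s, key, None) for suf, s in KEY_SUFFIXES.items() if k.endswith(suf)]
        elif k.endswith(RUN_KEY) and name.lower() in RUN_VALUES:
            hits.append((RUN_VALUES[name.lower()], key, name))
        elif k.endswith("\\internet explorer\\toolbar") and name.upper() == CLSID:
            hits.append(("AUpdate/MSCache", key, name))
    return hits

# Constructed sample export (real regedit exports are UTF-16; decode before parsing).
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{69550BE2-9A78-11D2-BA91-00600827878D}"=hex:00
[HKEY_CURRENT_USER\Software\ISTbar]
'''
if __name__ == "__main__": print(*find_indicators(SAMPLE), sep="\n")
```

An empty result after the reboot step means none of the listed keys or values remain; any hit names the strand whose steps still apply.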
Jay the Obscure
Liker Of Jazz
Member # 19

Well, yeah. Everyone knows that.

--------------------
Great is the guilt of an unnecessary war.
~John Adams

Once again the Bush Administration is worse than I had imagined, even though I thought I had already taken account of the fact that the Bush administration is invariably worse than I can imagine.
~Brad DeLong

You're just babbling incoherently.
~C. Montgomery Burns

Registered: Mar 1999  |  IP: Logged
Fabrux
Epic Member
Member # 71

Harry, Cartman:

Thank you so very much for automatically assuming that I use IE. I've used Firefox on this computer exclusively since I built it in September. [Razz] [Roll Eyes]

Cartman:

I have a folder, Program Files\ISTsvc with a file istsvc.exe in it that keeps popping up. What strain is this? Whenever I attempt to delete the file it says it's in use, etc.

Alrighty, I just ran Ad Aware again, it deleted about 24 registry entries for this sucker and now Ad Watch keeps popping up saying that IST Service is trying to change the registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run. How do I stop it from changing the entry?

--------------------
I haul cardboard and cardboard accessories

Registered: Mar 1999  |  IP: Logged
Fabrux
Epic Member
Member # 71

Spybot identifies this thing as ISTbar.Slotch, and it also found DyFuCA.

--------------------
I haul cardboard and cardboard accessories

Registered: Mar 1999  |  IP: Logged
Cartman
just made by the Presbyterian Church
Member # 256

"Thank you so very much for automatically assuming that I use IE."

Well, duh. ISTbar doesn't infect any browser other than IE. If you really have used Firefox exclusively since September, then how did it get onto your computer, eh? EH?

"I have a folder, Program Files\ISTsvc with a file istsvc.exe in it that keeps popping up. What strain is this?"

That would be the Toolbar. Just be sure to follow all the steps in the right order, or you'll be running AdAware until the heat death of the universe.

(ISTBar.slotch, BTW, is simply an alias of XXXToolbar. As far as I know, they're identical.)

--------------------
".mirrorS arE morE fuN thaN televisioN" - TEH PNIK FLAMIGNO

Registered: Nov 1999  |  IP: Logged
Fabrux
Epic Member
Member # 71

Certain videos run IE through WMP when attempting to acquire a license. I would assume that's where this fucker came from.

I would follow your steps but there is no istbar.dll file anywhere on my computer. The only entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is for MSN Messenger.

When I reboot and run Ad Aware first thing, there is no ISTsvc/istsvc.exe. After about 5 minutes it regenerates and then I'm back to square one.

--------------------
I haul cardboard and cardboard accessories

Registered: Mar 1999  |  IP: Logged
Cartman
just made by the Presbyterian Church
Member # 256

Skip steps 1 through 3, then, and boot into safe mode before doing 5 and 6.

(Try this program, too.)

Registered: Nov 1999  |  IP: Logged
Fabrux
Epic Member
Member # 71

From Symantec, eh? That's my AV software... Nice of it to pick it up...

Anyways, I went into safe mode (before I saw your post) and managed to delete ISTsvc\istsvc.exe. That then spawned a file in the Windows directory, gbvwaqgq.exe, which I had to delete through safe mode. Everything seems to be hunky-dory now...

--------------------
I haul cardboard and cardboard accessories

Registered: Mar 1999  |  IP: Logged
bX
Stopped. Smelling flowers.
Member # 419

This is me totally not posting some tetchy flame-bait Think Different™ response.
Registered: Sep 2000  |  IP: Logged
Cartman
just made by the Presbyterian Church
Member # 256

I am obligated, under international PC law that I have just made up, to retort with this.
Registered: Nov 1999  |  IP: Logged
Fabrux
Epic Member
Member # 71

I just built this computer 4 months ago, so it'll be a bit before I'm thinking about a new system. [Smile]

--------------------
I haul cardboard and cardboard accessories

Registered: Mar 1999  |  IP: Logged
Mucus
Senior Member
Member # 24

Bah, real computer users plan for upgrading *while* buying new computers/motherboards [Wink]
Registered: Mar 1999  |  IP: Logged