Malware/Spyware keep coming back after restart.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Careca, Mar 13, 2005.

  1. Careca

    Careca Private E-2

    Hi.
    I have read and done the suggestions in the Readme sticky, and while it removes the Spyware, each time I restart my pc and connect to the internet it reappears again.

    Ad-aware detects two types. 'DyFuCA' and 'istbar'

    When it removes them a message saying
    'C:programFiles\istsvc\istsvc.exe is in use and cannot be removed' and to run ad-aware on start up to remove it.

Microsoft AntiSpyware detects two types called 'IST.ISTbar (browserModifier)'
and 'Trojan.Downloader.TargetSavers'.

    Can someone please help!
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    If you are using an OS that has System Restore then turn it off > reboot > then follow removal instructions.

    If after reboot you are clear of any spyware then turn back on System Restore.
     
  3. Careca

    Careca Private E-2

    I'm running Windows 2000 SP4. According to what I've read I don't think it has a system restore.
     
  4. TheOldThug

    TheOldThug First Sergeant

    That's right - no system restore in Win2000.

    After doing ALL of the READ ME if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  5. Careca

    Careca Private E-2

    Okay, here's the log after I ran the spyware cleaners.
     


  6. Careca

    Careca Private E-2

    Please tell me someone can see what the problem is. I have to run spyware cleaners each time I turn on my computer and connect to the internet.
     
  7. TheOldThug

    TheOldThug First Sergeant

I don't see ISTbar but it can be masked. I see 2 files running that are probably the problem. Let's do this before I give you a fix.

    Look up these two files and tell me what they say.
Do that by right clicking the file, then Properties, and see if there is a version. I don't have Win2000 so I am not exactly sure if that is the procedure.
    C:\PROGRA~1\COMMON~1\fmrm\fmrmm.exe
    C:\WINNT\qavsweng.exe

    If you know anything else about them let me know. Also let's run this since you mentioned ISTbar. Go to this link FixISTBar and D/L the removal tool and run it (under removal instructions). Then give me a new HJT log.
     
  8. Careca

    Careca Private E-2

    Thanks for the suggestions.

    For C:\PROGRA~1\COMMON~1\fmrm\fmrmm.exe, the version is 4.0.3.8 copyright 2005.
    In the same folder there are also fmrma and fmrmp executables.

    There is no version for C:\WINNT\qavsweng.exe, but it was created on the same day as the other file (11thMar05) which I think is the day I got the spyware. It's 10KB in size.

I ran the removal tool you suggested, but it didn't detect anything. The strange thing was that when I ran Microsoft AntiSpyware, it picked the ISTBAR up. According to MS Antispyware it is in the location HKEY_CURRENT_USER\software\ist

    I finished running MSAntispyware to delete it (along with the Trojan.Downloader* it picked up) and then ran HJT. Here's the log, but I guess it will look the same as the last one.

    *The locations for the Trojan downloader MS Antispyware gives are

    HKEY_LOCAL_MACHINE\SOFTWARE\TSA
    HKEY_LOCAL_MACHINE\SOFTWARE\TSA\Update version 4.0.3.8
    HKEY_LOCAL_MACHINE\SOFTWARE\TSA New install 0
     


  9. TheOldThug

    TheOldThug First Sergeant

    I will have a fix for you today. MS Antispyware has been known to make mistakes. We actually are recommending that you don't use it until they get their problems fixed. It has been known to corrupt internet connections.
     
  10. TheOldThug

    TheOldThug First Sergeant

    Older versions of DAP were considered to have malware. I will put fixes in here for DAP. Either do all of the DAP or none of the DAP - your choice if you feel it is OK.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    DAP (Your choice)
    fmrm

    NOW:
Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    fmrmm.exe
    fmrma.exe
    qavsweng.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Do this next line if you don't recognize the address
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [FDG1bsM2] C:\WINNT\qavsweng.exe
    O4 - HKCU\..\Run: [fmrm] C:\PROGRA~1\COMMON~1\fmrm\fmrmm.exe

    (Next 2 are DAP - your choice)
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\PROGRA~1\COMMON~1\fmrm--->The Folder
    C:\WINNT\qavsweng.exe
    C:\PROGRA~1\DAP--->The Folder (Your choice)

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
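As an added illustration (not part of the thread, and not code from HijackThis or MajorGeeks), the triage rules TheOldThug applied in post 10 can be expressed as a small Python script that scans HijackThis-style log lines: an R1 ProxyOverride entry, O4 autoruns launched from the Windows root folder or from the fmrm folder, and orphaned O9 buttons marked "(no file)". The sample log below is constructed from the entries quoted in the thread plus one made-up benign entry (ExampleBenign) for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample HijackThis log lines (modelled on the thread's entries;
# the ExampleBenign line is made up so that the script has something to ignore).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [FDG1bsM2] C:\WINNT\qavsweng.exe
O4 - HKCU\..\Run: [fmrm] C:\PROGRA~1\COMMON~1\fmrm\fmrmm.exe
O4 - HKLM\..\Run: [ExampleBenign] C:\Program Files\Vendor\tool.exe
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}   # legit autoruns rarely live here
KNOWN_BAD_FOLDERS = {"fmrm"}                   # folder named in the thread

def image_path(cmd):
    """Return the executable part of a Run command (quoted or unquoted, spaces allowed)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]

def triage(log_text):
    """Return [(line, reason)] for log entries matching the thread's removal criteria."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyOverride" in body:
            findings.append((line, "ProxyOverride set in Internet Settings"))
        elif sec == "O4" and (o4 := O4_RE.match(body)):
            path = PureWindowsPath(image_path(o4.group("cmd")))
            if str(path.parent).lower() in WINDOWS_ROOTS:
                findings.append((line, "autorun executable in the Windows root folder"))
            elif path.parent.name.lower() in KNOWN_BAD_FOLDERS:
                findings.append((line, "autorun points into the fmrm folder"))
        elif sec == "O9" and "(no file)" in body:
            findings.append((line, "orphaned Extra button with no file"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```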
  11. Careca

    Careca Private E-2

    I really appreciate this, I'll give it a go now.
     
  12. Careca

    Careca Private E-2

    Yes!

    I followed your instructions, and then restarted my computer and connected to the internet again. I ran ad-aware and spybot and my system came up clean :D

I've been using Firefox for a while now and have never had any serious problems (the minor ones that occurred, ad-aware and spybot took care of). This is the first time I couldn't get rid of the crap. Thanks a lot for all your help OldThug :)
     
  13. TheOldThug

    TheOldThug First Sergeant

You're very welcome

    Glad you got it all fixed. You should check this out now: How to Protect yourself from malware!

    If everything seems to be working OK then turn system restore back on.

    It might not hurt to let me look at the final HJT log to make sure you are clean.
     
  14. TheOldThug

    TheOldThug First Sergeant

I have to correct this statement. I have now been told that they have made some progress on this program. Though not perfect yet, it does fix some problems that others do not fix.
     
