hijackthis result question

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fangy, Feb 25, 2005.

  1. fangy

    fangy Private E-2

    I keep finding an IST toolbar with a trojan downloader when I scan with Yahoo Anti-Spy and Spybot. After following your advice on the READ ME FIRST thread, I still find IST in the scan results. I then tried HijackThis and found a file [IST services] C:\program files\IST svc\istsvc.exe. Is it safe to let HijackThis delete this file? :eek: :eek:
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Fangy,

    You should delete the entire IstSvc folder in Program Files.

    Better yet, if you have already run through the Cleanup Tutorial, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will take a peek as time permits and see exactly where you stand.

    PP :)
     
  3. fangy

    fangy Private E-2

    Hello, when I first tried to run HijackThis it warned me I was going to run it from a temporary folder. I saved it to its own folder and ran it again without any warnings. Does this mean it's in a safe folder? I've attached the results from HijackThis for you to have a look at, to see if it's safe to delete the IST file.
    thanks for your help
    fangy :confused:
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Fangy,

    Just put it where I suggested and it will be OK. Here's how to do that:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Now run HJT from there and attach that log. Your last log didn't attach...

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    PP :)
     
  5. fangy

    fangy Private E-2

    I think I've got the folder sorted out; I'll try to send the results again.
    fangy :D
     

  6. PhilliePhan

    PhilliePhan Guest

    Hi Fangy,

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    ISTsvc
    myBar
    MyWay


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see it, try to END it:

    istsvc.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.;;<local>

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [hgGd] C:\WINDOWS\hrlfciga.exe
    O4 - HKLM\..\Run: [-] C:\WINDOWS\hrlfciga.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\hrlfciga.exe
    C:\WINDOWS\farmmext.exe
    C:\Program Files\ISTsvc ---> The Folder
    C:\Program Files\Internet Explorer\ixplore.exe ---> Note the Spelling!! NOT to be confused with iexplore.exe
    C:\Program Files\MyWay ---> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
  7. fangy

    fangy Private E-2

    Hi PP
    I followed your advice; everything went the way you said it would. From Add and Remove Programs I removed the ISTSVC program, although when I was checking the boxes in HJT I couldn't find entries for "04-hklm\.\run:[HgGD]C:\windows\hrlfciga.exe" or "04-hklm\.\run:[-a square]C:\windows\hrlfciga.exe". All I could find similar was "04-hklm\.\run:[-two squares]C:\windows\hrlfciga.exe", so I left this unchecked (I don't know how to make squares). Is this because of the ISTsvc program I'd removed? Or should I have checked the entry with the two squares? Once I went into Safe Mode I couldn't find C:\windows\hrlfciga.exe. I removed "farmmext.exe", and the folder ISTsvc was gone. I've attached the last HJT scan results. The last antispy scan I did didn't find anything :D. Could you tell me if this is the end of my troubles?
    thanks fangy.
     

  8. PhilliePhan

    PhilliePhan Guest

    Hi Fangy,

    Things look better.

    Fix this entry with HijackThis:

    O4 - HKLM\..\Run: [-] C:\WINDOWS\hrlfciga.exe

    Then, make sure C:\WINDOWS\hrlfciga.exe has been deleted and doesn't remain.

    Also run CCleaner again and flush System Restore by turning it OFF and then back ON.

    Then, have a peek at Chaslang's Suggestions!!

    PP :)
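    As an added example (not code from this thread or from HijackThis itself), here is a small Python parser for the HJT log line formats PhilliePhan listed above (O4 Run entries, O2/O3 BHO and toolbar entries, R0/R1 Internet Explorer settings) that flags exactly those entries. It matches Run entries on the launched path rather than on the bracketed name, which is why the hrlfciga.exe entry that fangy could not find by its "[-]" or "squares" name is still caught; the sample log lines are constructed, and the "SoundMan" line is a constructed benign entry.

```python
import re
# Indicators copied from PhilliePhan's fix list in this thread (paths lowercased for comparison).
BAD_TARGETS = {r"c:\windows\hrlfciga.exe", r"c:\windows\farmmext.exe",
               r"c:\program files\istsvc\istsvc.exe",
               r"c:\program files\internet explorer\ixplore.exe",
               r"c:\program files\myway\mybar\1.bin\mybar.dll"}
BAD_R_VALUES = {("SearchURL", "http://www.popupsearches.com/sidesearch.html"),
                ("Start Page", "http://hsremove.com/done.htm"),
                ("Search Bar", "about:blank"), ("SearchAssistant", "about:blank"),
                ("ProxyOverride", ";127.0.0.;;<local>")}
# One regex per HJT section type shown in the thread: O4 (Run keys), O2/O3 (BHO/toolbar), R0/R1 (IE settings).
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O23_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")

def norm_target(target):
    # HJT quotes paths with spaces and case varies between logs; compare the bare lowercased path.
    return target.strip().strip('"').lower()

def parse_line(line):
    # Returns a dict for O4/O2/O3/R0/R1 lines, None for everything else.
    if m := O4_RE.match(line):
        return {"section": "O4", "name": m["name"], "target": norm_target(m["target"])}
    if m := O23_RE.match(line):
        return {"section": line[:2], "name": m["name"], "clsid": m["clsid"], "target": norm_target(m["target"])}
    if m := R_RE.match(line):
        return {"section": line[:2], "key": m["key"], "value": m["value"], "data": m["data"].strip()}
    return None

def should_fix(entry):
    # Match Run/BHO entries on the launched file, not the bracketed name, which showed as "[-]" or squares in the thread.
    if entry is None:
        return False
    if "target" in entry:
        return entry["target"] in BAD_TARGETS
    return (entry["value"], entry["data"]) in BAD_R_VALUES

def entries_to_fix(log_text):
    return [ln.strip() for ln in log_text.splitlines() if should_fix(parse_line(ln.strip()))]
# Constructed sample log: thread entries (one with a garbled name) plus one benign Run entry.
SAMPLE_LOG = "\n".join([
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm",
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank",
    "O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\\Program Files\\MyWay\\myBar\\1.bin\\MYBAR.DLL",
    "O4 - HKLM\\..\\Run: [\u25a1\u25a1] C:\\WINDOWS\\hrlfciga.exe",
    'O4 - HKCU\\..\\Run: [ixplore] "C:\\Program Files\\Internet Explorer\\ixplore.exe"',
    "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE",  # constructed benign entry, must not be flagged
])
if __name__ == "__main__":
    print("\n".join(entries_to_fix(SAMPLE_LOG)))
```

    Run against the constructed sample, entries_to_fix returns the five hijacked lines and leaves the benign Run entry alone.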
     
  9. fangy

    fangy Private E-2

    Hi PP,
    Thanks for all your help with this. I've just one more thing to ask: I did another scan with HJT, but can't find "04-HKLM\..\Run: [-square]C:\WINDOWS\hrlfciga.exe" (I don't know how to type a square). I also can't find "C:\WINDOWS\hrlfciga.exe". Does this mean they're fixed? I'll attach my last HJT result just in case you need to see it.
    Thanks again, Fangy :D :D
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks clean to me! Are you experiencing any problems?
     
  11. fangy

    fangy Private E-2

    Hi BJG,
    Everything seems to be OK; I don't seem to be having any problems. I was just wanting to know if I'd followed PP's advice to the end? ;) :D
    Thanks Fangy
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    As long as this file listed below is gone, then you're OK, my friend :)

    C:\WINDOWS\hrlfciga.exe
     
  13. fangy

    fangy Private E-2

    Hello,
    It's me again with another question. I've been looking at PP's link "CHASLANG'S SUGGESTIONS". He says you should have a firewall. How do I know if you've got a firewall on? I've got Norton AntiVirus 2003 (with all updates); does this have one? I downloaded Sygate Personal Firewall. Will I be OK running this, not knowing if I've got a firewall running just now? :confused: :eek:
    Thanks Fangy
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    NAV 2003 is just your antivirus. If you have Sygate installed, then you have a good firewall. :)
     
  15. PhilliePhan

    PhilliePhan Guest

    Since you have SP2, you should make sure that the built-in Windows Firewall is turned OFF so that it doesn't conflict with Sygate! The Windows Firewall is turned ON by Default when you install SP2, so go START > Control Panel > Security Center and disable it. You will be better off with Sygate!

    PP :)
     
  16. fangy

    fangy Private E-2

    Thanks for everyone's help.
    Fangy :D :D
     
  17. PhilliePhan

    PhilliePhan Guest

    You're Welcome! :)
     
