Unable to rid sys of ISTBAR - Help

[Sport9155]

I have been trying to remove Istbar, with no luck. I have tried the remover from Symantec and it tells me that Istbar is not present.
I run ADware and have it remove what it finds, but as soon as I reboot its back.
I have followed yourj first step of instructions all the way through and Istbar still keeps comming back after rebooting. I have even tried to remove it manulally, but still no go.
I am definitely in need of some help at this point. What can you suggest.

[Novice]

It is standard procedure to ask everyone to read the sticky's at the top of this forum page, follow all suggestions and advice, and then repost if the problem still exists! Welcome to MajorGeeks.

[bjgarrick]

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed,including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

[NEWGEEK2005]

I have the same problem, i need help, the deskbar keep popping up and down and i don't know how to get rid of it. I tried everything also, but everytime i reboot, it comes back..SO ANNOYING!

[NEWGEEK2005]

SAME PROBLEM!...I NEED HELP i can't get rid of the deskbar behind the taskbar!!

[chaslang]

Quote:

Originally Posted by star17

Read this for starters...

http://www.doxdesk.com/parasite/ISTbar.html

Also read this:
http://sarc.com/avcenter/venc/data/adware.istbar.html


If you stil have problems after reading those links, follow what BJ gave in message # 3.

[Sport9155]

I have followed all actions suggested in the Stickey postings, and Adware still tells me I have ISTbar (IST Service) after rebooting. I am attaching the hijackthis log file. I have also tried the Symantec remover and it tells me that ISTbar was not found. Even if I boot up in safe mode and delete all traces of "ISTServices" from the registry and then delete the folder from c:\programs\ it still comes back after the reboot. I would rather not format the system partition, so I'm hopping that you will be able to guide me through this.

[bjgarrick]

Ok, lets start by removing the files, follow below:

1) Boot into Safe Mode

2) Be sure you have "View hidden files and folders" enable per the tutorial, Now go into the directory C:\Program Files and locate the folder below:

C:\Program Files\ISTsvc <--- Delete the whole folder!

3) Now go into the directory C:\WINDOWS\system32 and locate the file mfcwj32.dll and delete it.

4) Reboot, and run HJT again, have it fix the below entries, Remember to close all browsers before fixing anything with HJT!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing (NOTE: Reset web settings after removal of this entry)
O2 - BHO: (no name) - {08211965-D6A7-563C-FBDA-97E9626FA453} - C:\WINDOWS\system32\mfcwj32.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

After removing these entries, reboot and post new log. Thanks!

Let me know how things are running after this!

O4 - HKLM\..\Run: [760X8OQ] C:\WINDOWS\nhktmy.exe
C:\WINDOWS\nhktmy.exe

This looks iffy as well.

[Sport9155]

I went through the directions as listed and it still came back. But I think that Phillie may have something as now the file he has referenced is showing up with the IST.

Have a look.

[chaslang]

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Quote:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000004

Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\nhktmy.exe
C:\WINDOWS\system32\mswin32.cmd
C:\Program Files\ISTsvc\istsvc.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [760X8OQ] C:\WINDOWS\nhktmy.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\system32\mswin32.cmd"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [7609¿Ì*ú]Mú*ÀaîžaaøC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nhktmy.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\nhktmy.exe
C:\WINDOWS\system32\mswin32.cmd
C:\Program Files\ISTsvc\istsvc.exe

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

[Sport9155]

I believe we are getting really close here, there just seems to be one line that keeps poping back after a reboot and it is referencing nhktmy.exe. Although, I have deleted as you asked.

[chaslang]

The nhktmy.exe process does not appear to be loading. It may be a damage registry key.
See if this folder is on your PC:
C:\Program Files\ISTsvc

If so, delete it. (Let me know)

Boot into safe mode and have HJT fix:
O4 - HKLM\..\Run: [7609¿Ì*ú]Mú*ÀaîžaaøC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nhktmy.exe

Then reboot and run HJT. See if the line is gone or did it come back.

[Sport9155]

The folder C:\Program Files\ISTsvc was not there.
But, line "O4 - HKLM\..\Run: [7609¿Ì*ú]Mú*ÀaîžaaøC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nhktmy.exe"
did come back.

[chaslang]

Make sure you have these options set as follows (tell me if you have all of then set this way or not):
Click Start and Select Explore
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply.
Click OK.

Using Windows Explorer can you see: C:\WINDOWS\nhktmy.exe

Download GetService.zip from here: Getservice.zip

Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad file as an attachment too. Call it service.txt.

[Sport9155]

Folder settings are and were, the way you have specified so no changes there.
This file, C:\WINDOWS\nhktmy.exe, does not exist. The only spot I can see that this is referenced at all is as a prefetch.

Not sure about the last service noted, "Zeta" that file does not even exist anymore.

[chaslang]

That's funny! Zeta did not appear in your previous HJT log. Check a log right now. If you find a line like this:
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Have HJT fix it. The take a look at the output from GetServices again and make sure it is gone.

Click Start, Run, and enter regedit and click OK. This brings up the registry editor.

Click Edit and Select Find then enter istsvc.exe to look for that O4 entry in your registry. It may be corrupted and that is why HJT cannot fix it. See what you find under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

also look in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Also check for nhktmy.exe

[Sport9155]

Zeta does not appear in the HJT log, but does show up in the serviceslog again.
The 04 entry does show up in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
But not in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

nhktmy.exe was found in the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 with a value name of 000 and the value nhktmy.exe

again in
HKEY_USERS\S-1-5-21-1960408961-413027322-682003330-1004\Software\Microsoft\Search Assistant\ACMru\5603

[chaslang]

Download Erunt , install it and use it to backup your registry before continuing. Then do the below steps.

Run regedit again and delete the zeta entry in the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Do not delete the Run key, make sure you have Zeta selected in the right window pane. Right click on it and select delete.


For the nhktmy.exe problem, select the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
make sure the bottom of the regedit shows that full path and then right click on it and select delete.

Repeat for:

HKEY_USERS\S-1-5-21-1960408961-413027322-682003330-1004\Software\Microsoft\Search Assistant\ACMru\5603

[Sport9155]

Deleted the following:
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

But,
HKEY_USERS\S-1-5-21-1960408961-413027322-682003330-1004\Software\Microsoft\Search Assistant\ACMru\5603, Did not exist, could it have been removed by me deleting the previous key first?

Zeta did not exit here, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
But did find it referenced:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZESOFT\0000, as two values DeviceDesc, and Service
Also here
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZESOFT,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ZESOFT,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZESOFT,

Should I be deleting all these keys?