Cannot remove Istbar

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mystique32, May 10, 2005.

  1. mystique32

    mystique32 Private E-2

    Hi
    I am repairing a pc for a friend (infected with heaps of spyware previously) and I have managed to narrow the list down to 2 left.

    I have not been able to remove the following
    C:\WINDOWS\Downloaded Program Files\DeskAdX.dll is infected with Adware.WinTaskAd
    C:\WINDOWS\Downloaded Program Files\YSBactivex.dll is infected with Adware.Istbar
    I have run the tool from Symantec and it says that Istbar is not present in the system.
    I have tried a manual removal also but still it is present :(
    I have also reset the web settings in internet options.


    I have followed ALL the steps in what to do before posting and run all the tools. System restore is disabled and I have deleted the nortons protected files as well.


    I was NOT able to run the two online scans in safe mode as it would not dial up to the internet. I have run the online scans several times and Symantec still finds them :(
    I have installed hijack this and I am able to post a log if a kind soul would take a look at it and tell me how to remove the last 2 nasties from this system.

    Thank you very much in advance for all help
    Regards mystique32
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. mystique32

    mystique32 Private E-2

    Thanks for your reply

    I have posted the hijack this log as requested

    Thanks for having a look at it :)

    I have it in a folder in my D Drive rather than C
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Now, Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [adqzqz] C:\WINDOWS\adqzqz.exe
    O4 - HKCU\..\Run: [Monopoly3.exe] D:\TEMPGA~1\MONOPO~1.EXE /r

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)

    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:

    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\Downloaded Program Files\DeskAdX.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Downloaded Program Files\YSBactivex.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\adqzqz.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After you reboot, attach a fresh HJT log from normal mode.
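
Added example, not part of the original thread or any MajorGeeks tool: a small parser for the HijackThis lines in the fix list above. It splits each entry into section code, CLSID, target and the "(file missing)" flag, and collapses textually identical lines with a count (the O9 line is listed twice). The field names and the `summarize` helper are assumptions made for this illustration.

```python
import re
from collections import Counter

# The five fix-list lines from the post above, copied verbatim.
FIX_LIST = r"""
O4 - HKLM\..\Run: [adqzqz] C:\WINDOWS\adqzqz.exe
O4 - HKCU\..\Run: [Monopoly3.exe] D:\TEMPGA~1\MONOPO~1.EXE /r
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
"""

# HijackThis section codes that occur on this page.
SECTIONS = {
    "O4": "autostart entry (registry Run key or Startup folder)",
    "O9": "Internet Explorer extra button / Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
}
ENTRY = re.compile(r"^(?P<code>O\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = " (file missing)"


def parse_entry(line):
    """Split one log line into section code, CLSID, target and missing-file flag."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # not a HijackThis "O" entry
    code, body = m.group("code"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    clsid = CLSID.search(body)
    if code == "O4":
        target = body.split("] ", 1)[-1]           # after "[value name] "
    else:
        target = body.rsplit(" -", 1)[-1].strip()  # after the last " -" separator
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "clsid": clsid.group(0).lower() if clsid else None,
            "target": target, "file_missing": missing}


def summarize(log_text):
    """Parse each distinct line once and record how often it was listed."""
    counts = Counter(l.strip() for l in log_text.splitlines() if l.strip())
    parsed = ((parse_entry(line), n) for line, n in counts.items())
    return [dict(entry, count=n) for entry, n in parsed if entry]
```

Running `summarize` on a fresh log taken after the reboot and comparing targets against this list shows at a glance whether any fixed entry has come back.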
     
  5. mystique32

    mystique32 Private E-2

    I have run the hijack and repaired in safe mode (had to type it out :) first tho as no printer)

    I fixed the items as per instructions but only one instance of the following was there? Typo maybe? :)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)

    the first 2 items as per killbox instructions were there and subsequently killed on reboot.
    The last one C:\WINDOWS\adqzqz.exe didn't show up in blue so I assume that it was no longer there after hijack did its thing :)

    I have attached my new log for you.

    thanks for helping :)
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is now clean!

    Are you having any further problems?
     
  7. mystique32

    mystique32 Private E-2

    Hi again

    Just wanted to say a huge thanks to bjgarrick for his help with that Istbar removal :)
    The system is running much faster and the online scans are now showing as clean

    I take my hat off to the people who run this site as they can remove stuff that has me stumped along with many others. (I do know a fair bit about pc's too :)
    And I have also learnt a lot more from coming here and reading posts from others.
    It is an awesome site run by great people.

    Thanks again :)
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

