Istbar annoyance

Discussion in 'Malware Help (A Specialist Will Reply)' started by daniel_auk, Feb 25, 2005.

  1. daniel_auk

    daniel_auk Private E-2

    I have used Ad-Aware and online virus scans (Trend Micro) and most of the adware has been removed. However, every time I scan using Ad-Aware it finds two Istbar registry items. When I quarantine and delete them they reappear every time I scan again. I found the reg folder under HKEY_USERS\S-1-5-21-22803.........\Software\IST <---- and the two registry values show up under this folder > Default REG_SZ (value not set) and Recover REG_SZ Þæ&¬]ø éð—)‰D~I‡æ•”W¦}Z®%¡É:;·: ÐÿÙÁUtQà <---- (and this gibberish). When I delete the whole folder manually they reappear after a couple of seconds when I refresh. How do I get rid of this problem? Please help, thanks.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


    We are very busy here at MajorGeeks.Com. PhilliePhan, Chaslang or myself will check back when time permits.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you just want this removed instead of making sure you're completely clean, then download the removal tool.

    IstBar Removal Tool
     
  4. daniel_auk

    daniel_auk Private E-2

    I have used all programs such as Ad-Aware and Spybot (updated everything), but the thing is I don't actually have any pop-ups or an unwanted toolbar; it's just that that folder in the registry keeps reappearing after I delete it. I have even tried that removal tool by Symantec and it says it finds nothing. Here is my HijackThis log file...
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You didn't attach anything?
     
  6. daniel_auk

    daniel_auk Private E-2

    oops sorry
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please update to Hijack This 1.99.1


    Second:

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    C:\Documents and Settings\Daniel\My Documents\My Software\HijackThis.exe



    After doing the above, please post a new HJT log.
     
  8. daniel_auk

    daniel_auk Private E-2

    OK, here's the new one
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have one of the new nasties called ISTsvc and a few others. To completely remove most of these, please proceed.


    Download Kaspersky Anti-Virus Personal 5.0 as it cleans this thoroughly + much of the crap that comes with it!! This version is a 30 day trial.

    You should print this out for reference!

    You must disable any resident AV programs you have and install KAV 5.0

    When Installing, do the following as you come to them:

    Uncheck the Operate According to Recommended Settings Box

    Uncheck the Use Real-time Protection against Network Attacks Box

    Uncheck the Use The iStreams Technology Box

    Now, allow KAV 5.0 to download and install Updates. Then, look under Settings > Configure Updater and select Extended Database > OK > Check for Updates and allow those to install.

    Then, Click Settings > Configure On-Demand Scan Settings and Set Scan Level to Maximum > Perform Recommended Action > OK

    NOW, Close ALL Programs (including KAV 5.0) and Browsers!

    Physically Disconnect from the Internet - Pull the Cable!!

    Boot into SAFE MODE

    OPEN KAV 5.0 BUT DO NOT RUN IT YET!!!

    Open Task Manager (Ctrl-Alt-Del) and RightClick explorer.exe and END IT! Don't be alarmed when all of your desktop items disappear. That is normal.

    Everything will go blank except for KAV 5.0 and Task Manager. DO NOT CLOSE THEM!!

    Now : Start a FULL SYSTEM SCAN. Click the Protection Tab and select Scan My Computer .


    This process may take HOURS . . . . LET IT RUN!

    When the Scan and Cleanup are done, go to Task Manager and select File / New Task and type explorer.

    Close KAV 5.0 and TaskManager and reboot to Normal Windows and get a fresh HijackThis Log and let us know how things look!
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. daniel_auk

    daniel_auk Private E-2

    OK, I'll do all of that, but what are resident AV programs?
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Any antivirus program you have currently installed. Running 2 different AV programs can cause conflicts with one another. This is so that we don't run into this problem :)
     
  13. Night

    Night Private First Class

  14. daniel_auk

    daniel_auk Private E-2

    OK, I have done everything you said, bjgarrick, and it found 16 and deleted them. When it scanned I looked under reports and some files were infected but it didn't say delete next to them; is this normal? Do I need to uninstall Kaspersky now? And one more thing: that folder in the registry was still there when I rebooted, but I just deleted it and this time it hasn't reappeared again; I think it's gone for good. Here is my new HijackThis log.. (btw what is jcwrva.exe in the Windows folder?)

    thanx
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    They should have been deleted, what I was aiming for is gone now. Yes, you can go ahead and uninstall.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [Nb82R] C:\WINDOWS\jcwrva.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband

    O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if it should remain:


    C:\WINDOWS\jcwrva.exe

    C:\Program Files\ISTsvc <-- If this exist, delete whole folder!


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  17. daniel_auk

    daniel_auk Private E-2

    Isn't the online banking important? And I use Tiscali, so shouldn't that be left there? I fixed the jcwrva but I couldn't find it in the Windows folder.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The O16 entries are ActiveX Objects (aka Downloaded Program Files) that you have downloaded from the website. Removing these will NOT affect the program in any way.



    Were you able to successfully run the Removal Tool?
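The entries bjgarrick singles out in post 16, and his explanation of O16 entries in post 18, follow a pattern worth automating when you read many HijackThis logs: an O4 Run value with a random-looking name pointing at an executable dropped straight into the Windows folder is the persistence entry, while O16 DPF entries are downloaded ActiveX controls that are safe to remove because the site re-downloads them. The script below is an added example, not code from the thread, from MajorGeeks or from HijackThis. It parses O4/O14/O16 lines into structured findings and flags the autorun entry with a simple heuristic; the sample log is constructed from the lines quoted in the thread plus one made-up benign entry (SoundMan) for contrast, and the "random-looking name" rule is an assumption of this example, not a HijackThis feature.

```python
"""Parse HijackThis O4/O14/O16 log lines and triage the autorun entries.

Added example for this thread (not a MajorGeeks or HijackThis tool).
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log, modelled on the entries quoted in the thread.
# The SoundMan line is a made-up benign entry added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Nb82R] C:\WINDOWS\jcwrva.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O14_RE = re.compile(r"^O14 - IERESET\.INF: (?P<setting>[^=]+)=(?P<value>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")

# Folders where a legitimate program rarely drops its own autorun executable.
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}


@dataclass
class Finding:
    section: str   # O4, O14 or O16
    key: str       # Run value name, INF setting, or CLSID
    value: str     # command line, start page, or CAB URL
    note: str      # human-readable triage reason
    flagged: bool  # True = worth ticking and fixing in HijackThis


def looks_random(token: str) -> bool:
    """Heuristic (assumption of this example) for auto-generated names:
    digits mixed into letters, or almost no vowels ('Nb82R', 'jcwrva').
    Ordinary words such as 'SoundMan' pass."""
    letters = [c for c in token if c.isalpha()]
    if not letters:
        return False
    has_digits = any(c.isdigit() for c in token)
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return has_digits or vowel_ratio < 0.25


def executable_path(command: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage_o4(m: re.Match) -> Finding:
    name, command = m["name"], m["command"]
    exe = executable_path(command)
    folder = ntpath.dirname(exe).lower()
    stem = ntpath.splitext(ntpath.basename(exe))[0]
    in_windows_root = folder in WINDOWS_ROOTS
    suspicious = in_windows_root and (looks_random(name) or looks_random(stem))
    note = ("random-looking autorun dropped directly in the Windows folder"
            if suspicious else "autorun entry, no heuristic hit")
    return Finding("O4", name, command, note, suspicious)


def triage(log_text: str) -> list:
    """Turn the recognised log lines into Finding records; others are skipped."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            findings.append(triage_o4(m))
        elif m := O14_RE.match(line):
            findings.append(Finding("O14", m["setting"], m["value"],
                                    "IE reset default; review, not malware by itself", False))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or "?"
            findings.append(Finding("O16", m["clsid"], m["url"],
                                    f"ActiveX control downloaded from {host}; "
                                    "safe to remove, the site re-downloads it on next use", False))
    return findings


def flagged(findings) -> list:
    return [f for f in findings if f.flagged]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("FIX " if f.flagged else "    ") + f"{f.section} {f.key}: {f.value} -- {f.note}")
```

Run it on a saved HijackThis .txt log by passing the file contents to `triage()`; only the jcwrva.exe line from the constructed sample comes back flagged, the O14 start page and the O16 banking control are listed with their notes and left unflagged, matching the advice in the thread that removing the O16 entry does not break the banking site.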
     
