ISTbar/Powerscan, TinyBar , eXactSearch

ISTbar/Powerscan, TinyBar , eXactSearch

I have these three on my system and Spybot Search and Destroy, AdAware6, and Super Utilities won't get rid of them.

They delete them and the registry entries but the next time I use the internet they are back. I have gone to the Norton site which showed what files were associated with each and after either manually deleting them or allowing the programs to delete them none of the files are present on my computer. Then after using the internet they are back.

I have ZA Pro v4 and also have my system set not to allow Active X to run unless its signed.

 

Umm, no. AdAware6 SpyBot S&D, and Super Utilities are all 100% up to Date. I updated them just prior to running these detections and removal attempts.

Thanks for the point to the thread though, I missed that one and although I have tried several of the steps in it already I see a couple other things I didn't think of to do. I'll try that and will let you know if it solved the problem.

 

Yep, my bad I figured out after that you meant upgrade to SE not to update the definations file. I ran all the tests and SE still does not find the three file only the Super Utilities Pro finds them.

I ran all the test in the order that they are prescribed and while in safe mode also ran Super Utilities Pro. During checking in safe mode only the Super Utilities Pro found the three files in question. After letting the programs do what they needed I rebooted to normal and ran SpyBot S&D, AdAwareSE and Super Utilities Pro again and nothing was found.

I Then went on the internet and after closing IE rechecked the system. AdAwareSE and Spybot S&D came up clean but Super Utilities Pro reported finding ISTbar, TinyBar, and eXactSearch again.

Have you ever heard of or used Super Utilities Pro? I got it from ZDNet downloads section. Is there a possiblity that this program is giving false readings?

 

Sorry I forgot add what steps I took.

1: Disable System Restore temporarily: Done

2: Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper: Not Present

3: Enable viewing of hidden files and folders and extensions; Done

4: Downloading Tools; Done
Ad-Aware SE
Ad-Aware VX2 Cleaner Plug-In
CCleaner
Spybot.
SpywareBlaster.
McAfee AVERT Stinger.
CWShredder.
Kill2me.
about:Buster.
HSRemove.

5: Online scan at Trend Micro's Free Online Virus Scan; Done

6; Online scan at Symantec Security Check; Done

7; Boot in safe mode with networking; Done

8; Run McAfee AVERT Stinger; Done

9: Clean Your Hard Drive with CCleaner. Run CCleaner with the default options to clean out temporary files. Optionally, check the clean "Delete Index.dat" checkbox; Done

10: Main Spyware Scan And Removal; Scan your machine with Ad-Aware SE (remember to install the Ad-Aware VX2 Cleaner Plug-In for it) and Spybot. Look for the Immunize feature in Spybot and use it; Done

11: Secondary Spyware Scan And Removal: Run CWShredder, Kill2me, about:Buster and HSRemove; Done

12: Scan With Hijack This; Done

13: Windows Update; Done

14:Remove Microsoft Java; Done

 

You're right, the three detects are registry key's and it does remove them only to have them reappear after running the internet again.

Before deleting them when I first found them I went to the symantec site and read up on how to manually remove them and the file they state it hides in was not found. I thought that the files must have been deleted and the keys got left behind by accident. I let the program delete them and thought that that would be the last I would see of them, but the keys still keep coming back. The fact that AdAware SE and Spybot S&D do not find them makes me think its a false reporting.

I will run HJT and post a log as you request.

 

Thanks for your help in all this.


Edit by chaslang: HJT log changed to an attachment

 

I just re-read the thread and yep I did miss the post as txt attachment and I don't understand what you mean by an inline log. As for the online scans entry's (Opps) I saw those lines and deleted(fixed) them as I figured I didn't need to run the scans again since they were clean.

The O4 - Startup: SMASHER.lnk = C:\Program Files\SMASHER\smasher.exe is my Smasher Popup Stopper program.
The O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/...ive/HS_live.cab, is for my web sites stuff.

I'll delete the others you pointed out, and I'll get back to you after I run the Registrar Lite program and let you know what it found.

 

ISTbar - No Hits
Powerscan - No Hits
eXactSearch - No Hits
TinyBar: - 2 Hits

HKEY_USERS\S-1-5-21-1229272821-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tinybar.com

HKEY_USERS\S-1-5-21-1229272821-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.tinybar.com

Looks like only this one parasite remains. Do you want me to run this in Safe Mode and delete it from the registry?

 

Ok, Thanks for all your help. I think I will not run Super Utilities Pro anymore. I had it on the trial period right now so I think I will just remove it and use the tools you guys recomended.