Removing troj_istbar-1

Discussion in 'Malware Help (A Specialist Will Reply)' started by CONNIE Y, Feb 14, 2005.

  1. CONNIE Y

    CONNIE Y Private E-2

    I'm following all of the pages of "what to do, says Major Attitude" to get rid of a virus and spyware...right now I'm on the step of "do an online scan at Symantec Security Check"

    I'm NOT hopeful because "Trend Micro's Free Online Virus Scan" found 8 instances of troj_istbar-1, however, it couldn't "repair or delete it" because the "file was in use". I tried shutting it down using the menu at alt-control-del. But it didn't help...I'm going to follow the rest of the instructions, but so far IT WON'T DIE!!! ARGH!!!

    Connie
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Connie,

    Suggest you try this tool: http://securityresponse.symantec.com/avcenter/FxIstbar.exe

    Then, please send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work lately and cannot visit this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. CONNIE Y

    CONNIE Y Private E-2

    My HJT log...

    I hope I attached the log correctly. please let me know what you guys find. Thanks.
    Connie
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Connie,

    Did you try the Symantec Removal tool I linked?

    Before you do anything else, you MUST Extract HijackThis from the ZIP File to a SAFE Folder - C:\Program Files\HijackThis!!



    NOW:
    Please look in Add or Remove Programs for the following and Uninstall it if found:

    Viewpoint

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711

    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

    O3 - Toolbar: (no name) - {9F6A22E6-1682-4F82-9B72-6314794CB253} - (no file)

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [vUwDFps] C:\WINDOWS\anboosnm.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ofglic.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Vzdtlf.exe
    O4 - HKLM\..\Run: [È Ý8¿Ì*û]Mú*ÀaîžaaûC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\anboosnm.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint ---> The Folder
    C:\WINDOWS\system32\Ofglic.exe
    C:\WINDOWS\system32\Vzdtlf.exe
    C:\WINDOWS\anboosnm.exe
    C:\Program Files\ISTsvc ---> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
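
    The checks applied by eye to the log entries in the post above can be sketched as a small triage script. This is an added example, not part of the original post and not HijackThis's own logic; the rules, the `known_bad` parameter and the `ExampleUpdater` line are illustrative assumptions.

```python
import re

# Sample input: entries quoted in the post above, plus one constructed
# benign-looking autorun (ExampleUpdater) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O4 - HKLM\..\Run: [vUwDFps] C:\WINDOWS\anboosnm.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")    # "O4 - <body>"
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*:\s+\[(.*)\]\s+(.+)$")  # "[name] target"
WIN_ROOT_EXE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.I)


def triage(log_text, known_bad=()):
    """Return (section, reason, line) tuples for entries that deserve a manual look.

    The rules are illustrative heuristics (assumptions), not HijackThis's own.
    known_bad holds path fragments a helper has already identified as malicious.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        section, body = m.groups()
        line = raw.strip()
        if body.endswith("(no file)"):
            findings.append((section, "registered component has no file on disk", line))
        if "ProxyServer" in body and re.search(r"127\.0\.0\.1|localhost", body, re.I):
            findings.append((section, "proxy setting points at loopback", line))
        run = RUN.match(body) if section == "O4" else None
        if run:
            name, target = run.groups()
            if not name.isascii():
                findings.append((section, "autorun name contains non-ASCII bytes", line))
            if WIN_ROOT_EXE.match(target):
                findings.append((section, "autorun executable sits directly in C:\\WINDOWS", line))
            if any(frag.lower() in target.lower() for frag in known_bad):
                findings.append((section, "autorun target matches a known-bad path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG, known_bad=["\\ISTsvc\\"]):
        print(f"[{section}] {reason}: {line}")
```

    Running the same function over a fresh log after each cleanup pass shows whether a flagged autorun has come back.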
     
  5. CONNIE Y

    CONNIE Y Private E-2

    am printing now...then will follow your directions exactly...will post asap.
    thanks,
    connie
     
  6. PhilliePhan

    PhilliePhan Guest

    AllRightyThen!! :)
     
  7. CONNIE Y

    CONNIE Y Private E-2

    Phillie,
    I do not have the log file under the hijack this log of .....viewpoint manager\viewMgr.exe now for some reason.
    I also have more instances of the "anboosnm.exe" now.
    Would you like to see the newest HJT log file before I go checking things off?
     
  8. CONNIE Y

    CONNIE Y Private E-2

    Well, I've clicked on the same 3 folders with the last part being:

    04 ...\ISTsvc\istsvc.exe...\anboosnm.exe

    and HJT cannot seem to clean it off.
     
  9. PhilliePhan

    PhilliePhan Guest

    Did you run the tool I linked?
    Did you delete the ISTSvc Folder?
    Did you delete the C:\WINDOWS\anboosnm.exe file after fixing with HJT?

    Please give me a fresh HJT log and we'll see where you stand.

    PP :)
     
  10. CONNIE Y

    CONNIE Y Private E-2

    Yes I did everything you mentioned. I had tried to no avail to do this before I got all of the instructions from the "how to remove trojans, etc boards".

    The trojan keeps coming back, and nothing can seem to remove it.

    Just now when I came on-line, instead of getting porn popups and the diet patch, now I'm getting yahoo.com and the diet patch. Honestly, I will NEVER download a "questionable" file again. One other thing is that I scanned the "questionable file" with my norton utilities which was fully updated and it DID NOT catch it. I never would've installed it knowingly with a stupid virus on it! Not yelling at you, I'm just incredibly frustrated. This is my first major virus killing and I do appreciate your help.

    Attached is the most recent HJT log, two items in 04 still have the IST thing.
     


  11. CONNIE Y

    CONNIE Y Private E-2

    Phillie,

    I got a little brave/stupid and ran the whole thing over again, but this time went to regedit and deleted any instances of ISTsvc there (that looked safe to delete). Should this help or is it still there lurking?

    Yes I ran all of the programs you suggested. I am having success at the moment (no popups at all) no sign of ISTsvc at the moment. (Crossing fingers).

    I think after all of this that I do need to upgrade norton. I was running norton 2002, BUT I had all of the updates current and it still missed this virus.

    I'm going to attach one more HJT text file for you...if you see anything suspicious please let me know, but it seems we're good for the moment unless doing the registry route won't help. THANKS!!!!
     


  12. PhilliePhan

    PhilliePhan Guest

    Hi Connie,

    The latest log looks better!

    Now that you have removed the registry entries, go back and DELETE the ISTSvc folder - C:\Program Files\ISTsvc

    Also see if you can DELETE C:\WINDOWS\anboosnm.exe if it remains.

    Here's a link to make sure you got all the Registry items:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html


    You have a lot of O16 DPF items in your HJT log and I always wonder what rides along with them. Especially ones like this: O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    You should remove all the ones you don't recognize or need!

    There are some better (and FREE) AV options here at MGs if you choose to remove Norton (very hard to do, though!).
    Please see Chaslang's Suggestions!!!

    PP :)
     
  13. CONNIE Y

    CONNIE Y Private E-2

    I've removed my norton antivirus and am using AntiVirXP which I downloaded from this site. Does anyone know how to see if it is "cleaning" my incoming e-mail messages?

    p.s. AntiVirXP found 2 more viruses on my computer last night...the TR/lstbar.er1 (which I think is a variant of the bugger I just removed ARGH), and the TR/hijack.popcaploader!!! Bye bye Norton!!!

    Thanks!
    Connie
     
  14. PhilliePhan

    PhilliePhan Guest

    The free version does NOT scan E-mails (the PRO Version does).

    The free version Does scan E-mail Attachments when you open them, but this is not true e-mail scanning which would delete bad e-mails before they were downloaded to your machine.

    AntiVir is a good product! It is effective and they update definitions every couple of days. If you want the BEST in AV and don't mind paying for it, I recommend either NOD32 or Kaspersky with an edge going to NOD32.

    Are you running a good firewall now, as well? Both the FREE Sygate and ZoneAlarm Personal Firewalls are preferable to the built-in Windows Firewall as they monitor both incoming and outgoing traffic!!

    PP :)
     
  15. CONNIE Y

    CONNIE Y Private E-2

    Yes, I downloaded Sygate last night. So it is worth paying for AntiVirXP so I will have e-mail scanning? I haven't even looked at the prices yet. I'm impressed with it so far, having found 2 viruses norton couldn't.

    Thanks for the info, I'll also look at the other anti-virus programs...and thank you sooooooo much for helping me kill the IST virus!!!!
     
  16. PhilliePhan

    PhilliePhan Guest

    Happy to try to help :)

    If you are going to pay for AV, see how NOD32 and Kaspersky stack up pricewise. . . They are the best "for pay" options!

    As far as e-mail scanning goes, probably depends on how much e-mail you get and how careful and attentive you are when it comes to opening them ;) The best defense is being aware of what is out there trying to get you and acting accordingly!

    Since you are now running Sygate Firewall, you should make sure that the built-in Windows Firewall is OFF to avoid conflict.

    PP :)
     
  17. Strange1

    Strange1 Staff Sergeant

    Just finished reading this thread and want to comment that MG is still the nicest and most knowledgeable computer help available. Also, to pose the question....Won't Norton ever learn? I loved Norton on "The Honeymooners" but the modern day Norton :p

    Jack
     
  18. PhilliePhan

    PhilliePhan Guest

    Thanks for the good word, Jack! Norton isn't that bad . . . Just that there are better alternatives with less bloat!

    I, too, preferred Art Carney!!

    PP :)
     
  19. CONNIE Y

    CONNIE Y Private E-2

    Prices I've found on anti virus programs:

    AVG 7.0: $33.30
    NOD32: $39.00 (1 user)
    Kaspersky: Anti-virus Personal $41.50, Personal PRO $66.50.
     
  20. CONNIE Y

    CONNIE Y Private E-2

    Thank you, I just turned off MS virus. Should I also go back and "hide" the hidden files and such?
    Who is MG? Did I miss something?
     
  21. PhilliePhan

    PhilliePhan Guest

    Do you mean Windows FireWall?
    If you so desire!
    That's us . . . . The MajorGeeks :cool:

    Of your listed "for pay" AV, NOD32 seems the way to go!

    PP :)
     
  22. CONNIE Y

    CONNIE Y Private E-2

    Well MS FIREWALL will not turn off for some reason!
    I click on control panel, security, manage firewall, click off, ok, and it still is on!
    Any ideas?
     
  23. PhilliePhan

    PhilliePhan Guest

    That's odd . . . Let me ask one of our other members if he's seen that before. Hang in there :)

    PP
     
  24. CONNIE Y

    CONNIE Y Private E-2

    you know I've lost my mind...the reason why the "green light" was on for firewall was that Sygate is running. I clicked on "firewall" and it showed the correct one. sorry for the whining!

    Thanks Philly!
     
  25. PhilliePhan

    PhilliePhan Guest

    Excellent!

    Steve will be disappointed that his expertise is no longer needed! ;)

    So, I've lost track . . . LOL! Where do you stand now? Everything working OK? Any other questions I can try to answer?

    PP :)
     
  26. CONNIE Y

    CONNIE Y Private E-2

    I'm virus free today, but I've got an interesting one for you Phillie .. I got an "anonymous" e-mail, I tried looking at the properties of it to see who it came from...can I post the "innerds/path/properties" of the post and you could tell me where it came from regionally? I'm concerned because it came to my private e-mail address that I rarely use.
     
  27. PhilliePhan

    PhilliePhan Guest

    You can post it, but not sure how much I can help with that. Perhaps software forum might offer a better response?

    With those e-mails, I just delete them if I don't recognize the sender! But, after all, I AM paranoid!! LOL :)

    PP
     
