Unable to rid sys of ISTBAR - Help

I have been trying to remove Istbar, with no luck. I have tried the remover from Symantec and it tells me that Istbar is not present.
I run ADware and have it remove what it finds, but as soon as I reboot its back.
I have followed yourj first step of instructions all the way through and Istbar still keeps comming back after rebooting. I have even tried to remove it manulally, but still no go.
I am definitely in need of some help at this point. What can you suggest.

 

It is standard procedure to ask everyone to read the sticky's at the top of this forum page, follow all suggestions and advice, and then repost if the problem still exists! Welcome to MajorGeeks.

 

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed,including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

I have the same problem, i need help, the deskbar keep popping up and down and i don't know how to get rid of it. I tried everything also, but everytime i reboot, it comes back..SO ANNOYING!

 

SAME PROBLEM!...I NEED HELP i can't get rid of the deskbar behind the taskbar!!

 

I have followed all actions suggested in the Stickey postings, and Adware still tells me I have ISTbar (IST Service) after rebooting. I am attaching the hijackthis log file. I have also tried the Symantec remover and it tells me that ISTbar was not found. Even if I boot up in safe mode and delete all traces of "ISTServices" from the registry and then delete the folder from c:\programs\ it still comes back after the reboot. I would rather not format the system partition, so I'm hopping that you will be able to guide me through this.

 

Ok, lets start by removing the files, follow below:

1) Boot into Safe Mode

2) Be sure you have "View hidden files and folders" enable per the tutorial, Now go into the directory C:\Program Files and locate the folder below:

C:\Program Files\ISTsvc <--- Delete the whole folder!

3) Now go into the directory C:\WINDOWS\system32 and locate the file mfcwj32.dll and delete it.

4) Reboot, and run HJT again, have it fix the below entries, Remember to close all browsers before fixing anything with HJT!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing (NOTE: Reset web settings after removal of this entry)
O2 - BHO: (no name) - {08211965-D6A7-563C-FBDA-97E9626FA453} - C:\WINDOWS\system32\mfcwj32.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

After removing these entries, reboot and post new log. Thanks!

Let me know how things are running after this!

 

O4 - HKLM\..\Run: [760X8OQ] C:\WINDOWS\nhktmy.exe
C:\WINDOWS\nhktmy.exe

This looks iffy as well.

 

I went through the directions as listed and it still came back. But I think that Phillie may have something as now the file he has referenced is showing up with the IST.

Have a look.

 

I believe we are getting really close here, there just seems to be one line that keeps poping back after a reboot and it is referencing nhktmy.exe. Although, I have deleted as you asked.

 

The folder C:\Program Files\ISTsvc was not there.
But, line "O4 - HKLM\..\Run: [7609¿Ì*ú]Mú*ÀaîžaaøC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nhktmy.exe"
did come back.

 

Folder settings are and were, the way you have specified so no changes there.
This file, C:\WINDOWS\nhktmy.exe, does not exist. The only spot I can see that this is referenced at all is as a prefetch.

Not sure about the last service noted, "Zeta" that file does not even exist anymore.

 

Zeta does not appear in the HJT log, but does show up in the serviceslog again.
The 04 entry does show up in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
But not in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

nhktmy.exe was found in the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 with a value name of 000 and the value nhktmy.exe

again in
HKEY_USERS\S-1-5-21-1960408961-413027322-682003330-1004\Software\Microsoft\Search Assistant\ACMru\5603

 

Deleted the following:
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

But,
HKEY_USERS\S-1-5-21-1960408961-413027322-682003330-1004\Software\Microsoft\Search Assistant\ACMru\5603, Did not exist, could it have been removed by me deleting the previous key first?

Zeta did not exit here, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
But did find it referenced:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZESOFT\0000, as two values DeviceDesc, and Service
Also here
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZESOFT,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ZESOFT,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZESOFT,

Should I be deleting all these keys?

 

When I tried to delet the following I would get an error saying that these were not deleted:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT\0000,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZESOFT\0000
Basicaly the the ones that were not noted with legacy could be deleted and the others could not. It did how ever remove the zesoft entry from the serviceslog.
One strange thing though, that one 04 entry from HJT that is located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run keeps comming back.

 

All seems to be in the clear now, I can scan the system and get a clean bill of health. I would like to thank you for all your help, I could not of avoided a reinstall with out your help.

Thank you again.