Tech Support Guy Forums > General Technology > Tech Tips & Tricks
ISTsvc.exe

Ciberblade, Community Moderator (15,700 posts; joined Sep 2003; Heart of the Bluegrass Ky; experience: Mostly Harmless)
05-May-2005, 11:29 AM, #1
ISTsvc.exe
Been doing battle with this little ad malware program...and it has not returned in the last two days. For others that might run across this guy...the details:

I was brought in to look at this problem at the request of two other techs that could not seem to find the cause. The user complaint was rather typical: "all of a sudden I get a popup ad even when I'm not online."

Ad-aware was able to detect and remove the process, registry entries, and files associated with it (after a reboot). All would seem fine; the process, file and folder were not present. Then 15 mins later, it would show back up (completely transparent to the user).

All the spy/adware scans were unable to remove the bug totally -- because of one file. I found this file in "C:\WINDOWS\Prefetch" with the file name "ISTSVC.EXE-0b9ca3a6.pf".
Deleting this file first, running the scans, and removing the entries has seemingly stopped the file from returning. This was on a WinXP-SP2 system.
The user did not know how the bug was downloaded.
__________________
82,268
*AD-Aware*AIDA32*AVG-7*Filemon*Hijack This*PortMon*Process Explorer*TSG Forums menu*

Far righty-tighty Wingnut Libertarian ( ) - annoyingly free thinking with no tendency to agree on anything with anyone. - BF

If you wish...you can now come to church with me! A church that is NOT normal...a church for people who don't like 'church'

WhitPhil, Distinguished Member (8,346 posts; joined Oct 2000; Whitby, Ontario)
05-May-2005, 11:32 AM, #2
That is sort of curious!

Did you delete the actual ISTsvc.exe file?

The entry in PF should do nothing without the corresponding EXE file.

Arky, Senior Member (548 posts; joined Aug 2004; experience: Advanced)
05-May-2005, 11:35 AM, #3
For a host of references to this problem do a Yahoo or Google search on istsvc.exe.

Ciberblade, Community Moderator
05-May-2005, 12:17 PM, #4
Yes, I did delete the ISTsvc.exe file and folder...but it came back.

I also followed the info I gathered from the searches on Yahoo.

It's only been two days...I'll see if it shows back and post more next week.

Ciberblade, Community Moderator
05-May-2005, 05:37 PM, #5
So I checked again...and it seems I posted this thread a tad prematurely. Hate it when that happens.

This file is activated by a parent program -- that is how it reproduces itself. Finding that parent program was not simple (unless you know where to look).

Alrighty, now to the fun stuff!
The parent program has been called by many names (according to my Yahoo/Google searches) -- but it must have a registry entry. The spyware detection programs can find and remove all parts of the known bug -- just not the install program (the parent).
Go to your registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
and look through and verify the entries one by one (yeah, I know).
In this case, it was a file named kkwoix.exe in the Windows folder: "C:\Windows\kkwoix.exe"

Further inspection of computers in the office revealed two more systems with that process running; the parent program was named "jube1.exe" and "dyfuca.exe". In each case the program was installed in the Windows folder.

Will post when I learn more.
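The manual walk described in post #5 (verify each Run-key entry one by one, and watch for executables dropped straight into the Windows folder) and the Prefetch observation from post #1 can be scripted for triage. The following is an added example, not code from the thread or from any of the posters. It assumes a modern Windows host with an elevated Windows PowerShell session, and the flagging heuristics (executable directly in %WINDIR%, missing target file, no valid Authenticode signature) are this example's own triage hints, not a detection the thread claims.

```powershell
# Added example (not from the thread): automate the Run-key walk from post #5 and the
# Prefetch look from post #1. Assumes an elevated Windows PowerShell 5.1+ session.
# The "Flags" heuristics below are this script's own triage hints, not a verdict.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExeFromCommand {
    # Pull the executable path out of a Run value: a quoted path, the first *.exe token,
    # or failing both, the first whitespace-delimited token. Environment variables are expanded.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')             { $path = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.exe)(\s|$)')   { $path = $Matches[1] }
    else                                              { $path = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutorunReport {
    # One object per Run/RunOnce value, with triage flags where something looks off.
    $winDir = $env:WINDIR.TrimEnd('\')
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty attaches to every object
            if ($prop.Name -in @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')) { continue }
            $exe = Get-ExeFromCommand -Command ([string]$prop.Value)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $flags  = @()
            # Post #5: the droppers (kkwoix.exe, jube1.exe, dyfuca.exe) all sat directly in the Windows folder
            if ((Split-Path -Parent $exe).TrimEnd('\') -ieq $winDir) { $flags += 'exe directly in %WINDIR%' }
            if (-not $exists) {
                $flags += 'target file missing'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            }
            [PSCustomObject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
                Exe     = $exe
                Flags   = ($flags -join '; ')
            }
        }
    }
}

function Get-RecentPrefetch {
    # Post #1: a .pf file in %WINDIR%\Prefetch recorded the adware's execution. Prefetch names have
    # the form EXENAME.EXE-<8 hex digits>.pf; list the ones written recently and mark any whose
    # executable name also appears in a Run key, so the two views can be cross-checked.
    param([int]$Days = 2)
    $since   = (Get-Date).AddDays(-$Days)
    $autorun = @(Get-AutorunReport | ForEach-Object { (Split-Path -Leaf $_.Exe).ToLower() })
    Get-ChildItem -Path (Join-Path $env:WINDIR 'Prefetch') -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $exeName = ($_.BaseName -replace '-[0-9A-F]{8}$', '').ToLower()
            [PSCustomObject]@{
                LastRun    = $_.LastWriteTime
                Executable = $exeName
                InRunKey   = ($autorun -contains $exeName)
                PfFile     = $_.Name
            }
        } | Sort-Object LastRun -Descending
}

# Usage: review flagged entries before removing anything; a flag is a reason to look, not proof.
Get-AutorunReport | Where-Object { $_.Flags } | Format-Table -AutoSize
Get-RecentPrefetch -Days 2 | Format-Table -AutoSize
```

Run the script as-is to get two tables: autorun entries that trip at least one heuristic, and the executables that ran in the last two days according to Prefetch, with a column showing whether each also has a Run-key entry. Deleting a flagged file should only follow the same verification the thread describes (look the name up with the vendors, check the signer, check where it lives); the signature check is the cheapest way to separate vendor-signed startup helpers from an unsigned binary dropped into the Windows folder.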

Skivvywaver, Distinguished Member (14,073 posts; joined Mar 2001; Behind my wall; experience: WTH???)
05-May-2005, 06:18 PM, #6
dyfuca.exe is listed when spybot scans. I don't know if it removes it or not but spybot looks for it. Ciber, I figure you ran spybot, did it miss it?

Ciberblade, Community Moderator
05-May-2005, 06:25 PM, #7
Nope...didn't miss it -- dyfuca.exe was on one of the other systems I checked and cleaned.

I guess if the parent had that name on all systems, then SpyBot could remove it w/o it showing back up. I deleted the file manually, then let the bot do the rest.

WhitPhil, Distinguished Member
05-May-2005, 07:54 PM, #8
ISTSvc would appear to be the ISTbar Adware with a removal tool here

And Dyfuca would appear to be NetOptimizer Adware with a removal tool here

Ciberblade, Community Moderator
05-May-2005, 07:59 PM, #9
Quote:
Originally Posted by WhitPhil
ISTSvc would appear to be the ISTbar Adware with a removal tool here

And Dyfuca would appear to be NetOptimizer Adware with a removal tool here
Thanks for the links....will add them to my 'toolkit'

WhitPhil, Distinguished Member
05-May-2005, 09:57 PM, #10
Hope they help.

And, a BTW, an easy trick to try and track down these unknown files (when they are viral in nature) is to use the Google advanced search, put the file name in the "with all the words" field, and then (in the above case) put Symantec.com in the Domain field.

And, then if Symantec hasn't heard of it, try Kaspersky.com or any of the other vendors.

Ciberblade, Community Moderator
09-May-2005, 01:59 PM, #11
**update**

The bug is still gone

Dr. G, Junior Member (14 posts; joined May 2005; Stuart, Florida (Hurricane Central); experience: Intermediate)
31-May-2005, 01:36 AM, #12
ISTsvc monster
Ciberblade,
I'm still battling the ISTsvc monster. It sounds like you're on the right track looking for the "parent." I'm surprised why the removal tool by Symantec doesn't work. I've seen three different removal tracks on the tech guy forums. Derek seems to be advocating something different than what you arrived at, and someone else suggests simply running Kaspersky. Have you gotten any further with your investigation? If the bug is still gone, I'm not clear how you found the problem in the registry. Trial and error seems pretty ominous for even an intermediate user!!

Your thoughts would be appreciated. I'm on my second all-nighter doing battle with this thing. I record everything religiously, trying to apply scientific methods, but this thing defies logic! Thanks!!

huntedpadfoo, Junior Member (3 posts; joined Jun 2005; Sydney!; experience: Beginner)
10-Jun-2005, 03:24 AM, #13
Hi, new here. I've recently got this problem and I have Ad-aware; it removes the registry files and all, but the virus stays. I can't even go to the task manager (ctrl+alt+delete thingo) because of this virus. There are a few applications I have found, but I can't delete them, because a message comes up saying that the program is in use, when it isn't!!! I need to shut down the process, then delete the file, but I can't, since I can't go to the task manager! BOTHER THIS!

wdm2291, Senior Member (393 posts; joined Nov 2004; experience: Advanced)
16-Jun-2005, 04:38 PM, #14
huntedpad, why don't you. .
go here and download a program called HijackThis,

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a folder on your desktop called "HijackThis" and save/download the program into that folder.

Then double click on the program (in that folder) to run it -- choose to run a scan and save a log. . then cut and paste that log and post it as a new thread in the "Security" section of this site's forums (instead of "Tips & Tricks") so someone can take a look at it.

DO NOT have HijackThis fix anything until after someone on here looks at it for you, as most of what it will show is stuff your computer needs to run properly.

Hope this helps,

Wayne
__________________
I edit my posts frequently, so check back regularly for any changes

"To be kind, Evolution (Darwinism) is a fraud." - Dr. Raymond Damadian, MRI inventor
http://www.answersingenesis.org/home...sd/Sarfati.asp

Creation/Evolution headlines (awesome page!):
http://www.crev.info

Is Islam really peaceful?. . or evil?
find out here:

http://www.prophetofdoom.net/

This (above) site contains many direct quotes from Mohammed, the sole source of all Islam teaches
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.