HowTo? remove ISTBAR

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

kerryprance

Thread Starter
Joined
Nov 26, 2004
Messages
43
Hey all,

I've got something causing a continuous stream of data to be downloading from my system (XPpro on a ...yeeeeech...HP system so I don't have sp 2 running). According to "Yahoo" anti-spy there are 2 hijackers
ISTbar & ISTbarXXXtoolbar

1 trojan downloader -
Win32.ISTbar.ce located - C:\PROGRAMFILES\jstsvc\jstsvc.exe

(also showing an Atlas DTM.com and XXXToolbar.com tracking cookies)

Adaware 6.0 confirms the jstsvc\jstsvc.exe BUT..... neither program will get rid of it & windows won't let me delete it.

So guys, what do I do here..please?
Also, as per advice I have seen posted here & PCHell, I disabled "messenger" in the "services.msc", but haven't noticed any changes. Could somebody explain to me (in layman's terms) A) what is messenger & what it does, B) what I did by disabling it, and C) how do I restore it IF I should need it? It disappeared from the list when I disabled it.

OH----also, since I have noticed this problem my screen image jumps around a little. Is this common to the virus or just another little video surprise that HP has in store for me? (I swear I'm having to rebuild this piece of junk one piece at a time)

Thanks in advance

Kerry
 
Joined
Sep 7, 2004
Messages
49,014
First of all get the new AdAware - check for updates and run and fix all

then Istsvc http://securityresponse.symantec.com/avcenter/FxIstbar.exe

From Symantec
Note:
· The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
· The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
· The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.
· The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files.
These can be manually deleted using the following steps:
a. Start Internet Explorer.
b. Click Tools > Internet Options.
c. In the Temporary Internet Files section, click the Delete Files button.
d. Check Delete all offline content, and then click OK.

Boot and then get HiJack This http://www.majorgeeks.com/download3155.html, put it in a permanent folder (C:\HJT), run it, DO NOT fix anything, post the log here.
 
Joined
Feb 23, 2005
Messages
7
I have just solved this issue on XP sp2. It took me 4 hours of Google surfing and experimenting and pain, as the fix at Symantec DOES NOT WORK and I would rather try to have babies with Satan than use the fix supplied by the spyware authors. Who I honestly believe should be covered in petrol and set on fire during a live web broadcast.

In a nutshell:
Every time istsvc is attacked, another process with a random name repairs the damage and you are at square one again. I found the repairer file's name and path by checking in the registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It looked out of place being random! I confirmed its identity by checking for and halting a process with the same name in task manager and checking that once deleted the istsvc.exe file stayed deleted.

- open the task manager
- halt and delete (or move for safety's sake) the repairer executable (I found it in /windows)
- halt istsvc and delete the executable (I found it in /program files/istscv)
- run adaware and spybot repeatedly until clean.
- (maybe optional) delete all temporary internet files and temp files the original installers hide here. Norton finds these but can't delete them itself.
- (almost certainly optional) open regedit, find and delete everything to do with the name of the repairer and istsvc.

Incidentally if you look at the name my repairer program had - lcurits - long enough (squinting and ignoring the l helps) you get an uncanny insight into who the authors are.

Companies that produce this sort of software should be named, shamed and where possible shut down. The directors' names and addresses should be published and their lives wrecked.
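
The Run-key check described in the post above can be scripted. This is an added example, not part of the original post: it parses saved `reg query` output for the Run key and reports entries missing from a known-good baseline, noting any whose executable sits directly in the Windows folder. The sample output, the baseline names and every path are constructed; only the name `lcurits` comes from the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query` output for the HKLM ...\CurrentVersion\Run
# key. Only the name "lcurits" is from the post; paths and other entries are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\agent.exe" -tray
    Vendor Tray    REG_SZ    C:\Program Files\Vendor\tray.exe /startup
    lcurits    REG_SZ    C:\WINDOWS\lcurits.exe
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

def parse_run_values(text):
    """Return {value name: command line} from `reg query` text."""
    return {m["name"]: m["data"].strip()
            for m in map(LINE.match, text.splitlines()) if m}

def exe_path(command):
    """Extract the executable from a Run command line (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        return PureWindowsPath(command[1:].split('"', 1)[0])
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return PureWindowsPath(m.group(1) if m else command)

def review(text, baseline, windir=r"C:\WINDOWS"):
    """List autoruns absent from the baseline, with a note on their location."""
    findings = []
    for name, command in parse_run_values(text).items():
        if name.lower() in baseline:
            continue
        path = exe_path(command)
        # PureWindowsPath compares case-insensitively, like the file system.
        loose = path.parent == PureWindowsPath(windir)
        note = ("executable sits directly in the Windows folder"
                if loose else "not in baseline")
        findings.append({"name": name, "path": str(path), "note": note})
    return findings

if __name__ == "__main__":
    # Baseline: lower-cased value names recorded while the machine was clean.
    for f in review(SAMPLE, {"exampleav", "vendor tray"}):
        print(f"{f['name']}: {f['path']} ({f['note']})")
```

A flagged entry is a lead to confirm, as the post does, by matching it to a running process before removing anything.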
 