
ISTSVC removal

Discussion in 'Virus & Other Malware Removal' started by klapn, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. klapn

    klapn Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    1
    Hello, I think I am doing this right according to the other postings... I cannot get rid of this using the downloadable tools, so have reverted to doing this... it scares me as I am not too sure if I am doing this right... Anyhow, I have run HijackThis and got the following.....

    Logfile of HijackThis v1.99.0
    Scan saved at 5:08:01 p.m., on 15/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\spoolvse.exe
    C:\WINDOWS\System32\mssams.exe
    C:\WINDOWS\rwdklw.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\msnmgr16.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nz9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nz9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://nz9.hpwis.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
    O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [start extracting] spoolvse.exe
    O4 - HKLM\..\Run: [Security Agent Manager] mssams.exe
    O4 - HKLM\..\Run: [HFU5t5ENt] C:\WINDOWS\rwdklw.exe
    O4 - HKLM\..\Run: [MSN service] msnmgr16.exe
    O4 - HKLM\..\Run: [¢‰¸K0ÔÁÐ]§ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rwdklw.exe
    O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁÐ]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rwdklw.exe
    O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁÐ]§ú"ü‰¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rwdklw.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
    O4 - HKLM\..\RunServices: [Security Agent Manager] mssams.exe
    O4 - HKLM\..\RunServices: [MSN service] msnmgr16.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [start extracting] spoolvse.exe
    O4 - HKCU\..\Run: [Security Agent Manager] mssams.exe
    O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105432481019
    O17 - HKLM\System\CCS\Services\Tcpip\..\{31472A89-DA70-4FA5-84BF-AF34E9A65731}: NameServer = 202.27.184.3 202.27.184.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{31472A89-DA70-4FA5-84BF-AF34E9A65731}: NameServer = 202.27.184.3 202.27.184.5
    O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    Can someone tell me how to remove this or, due to my inexperience, should I get someone in physically to help... thank you in advance.
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi klapn, Welcome to TSG!!

    Download the KillBox

    Unzip the files to your desktop.


    Run KillBox.exe.

    Select the Delete on Reboot option.

    In the Full Path of File to Delete field, paste each of the following and click the red circle with the white X in it; when it asks you to reboot, click No.

    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\rwdklw.exe


    Close Killbox.

    Restart in safe mode

    Go to C:\WINNT\Temp and empty the entire contents of that folder.
    Go to c:\documents and settings\Owner\local settings\temp and empty the entire contents of that folder.
    Repeat for every profile on the machine.

    Reboot.

    Go here: http://housecall.trendmicro.com/ and scan your machine to clear the virus you have.

    Create a permanent folder on your hard drive like c:\program files\hjt.
    Download Hijackthis and click "Save", direct it to the permanent folder you created. Double click on hijackthis.exe and select "Do a system scan and save a logfile". This log will open in notepad. Copy and paste the log back here for review.
    Don't make any changes until instructed to do so.

    **Note: this is a new version of HJT, so please do the download.
     
  3. ukcaracc

    ukcaracc

    Joined:
    Feb 23, 2005
    Messages:
    7
    I have just solved this issue on XP SP2. It took me 4 hours of Google surfing and experimenting and pain, as the fix at Symantec DOES NOT WORK and I would rather try to have babies with Satan than use the fix supplied by the spyware authors. Who I honestly believe should be covered in petrol and set on fire during a live web broadcast.

    In a nutshell:
    every time istsvc is attacked, another process with a random name repairs the damage and you are at square one again. I found the repairer file's name and path by checking in the registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    It looked out of place, being random! I confirmed its identity by checking for and halting a process with the same name in Task Manager and noting that, once deleted, the istsvc.exe file stayed deleted.

    - open the Task Manager
    - halt and delete (or move, for safety's sake) the repairer executable (I found it in /windows)
    - halt istsvc and delete the executable (I found it in /program files/istsvc)
    - run Ad-Aware and Spybot repeatedly until clean.
    - (maybe optional) delete all temporary internet files and temp files the original installers hide here. Norton finds these but can't delete them itself.
    - (almost certainly optional) open regedit, find and delete everything to do with the name of the repairer and istsvc.

    Incidentally if you look at the name my repairer program had - lcurits - long enough (squinting and ignoring the l helps) you get an uncanny insight into who the authors are.

    Companies that produce this sort of software should be named, shamed and where possible shut down. The directors' names and addresses should be published and their lives wrecked.
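A triage pass over the O4 (autostart) lines of a HijackThis log, added here as an example and not code from this thread or from the HijackThis or KillBox tools: it flags the pattern ukcaracc and cybertech describe (a randomly named helper in the Windows folder, registered several times over, sitting next to the plainly visible istsvc.exe). The sample lines are constructed, modelled on the log quoted above, and the heuristic names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in HijackThis O4 format, modelled on entries quoted in
# this thread (a few legitimate HP/Symantec lines plus the ISTsvc set).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [HFU5t5ENt] C:\WINDOWS\rwdklw.exe
O4 - HKLM\..\Run: [¢‰¸K0ÔÁÐ]§úC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rwdklw.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁÐ]§úC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rwdklw.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*)\] (.+)$")  # greedy: value name may itself contain "]"
EXE_RE = re.compile(r'"([^"]+)"|(.*?\.exe)', re.I)

def parse_o4(log_text):
    """Yield (hive, key, value_name, image_path) for every O4 line in a HijackThis log."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        e = EXE_RE.match(cmd)
        path = (e.group(1) or e.group(2)) if e else cmd.split()[0]
        yield hive, key, name, path

def triage(log_text, min_copies=3):
    """Return {image_path: [reasons]} for autostart entries that deserve a closer look."""
    entries = list(parse_o4(log_text))
    copies = Counter(path.lower() for *_, path in entries)
    findings = defaultdict(set)
    for _hive, key, name, path in entries:
        p = path.lower()
        if "\\" not in p:                                   # bare filename, located via search order
            findings[p].add("no_path")
        if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):     # loose file directly in the Windows folder
            findings[p].add("windows_root")
        if key.lower().startswith("runservices"):           # NT/2000/XP never run this key; 9x-era droppers still write it
            findings[p].add("runservices_on_nt")
        if not (name.isascii() and name.isprintable()):     # value name is binary junk, as in the thread's log
            findings[p].add("garbled_name")
        if copies[p] >= min_copies:                         # same image registered repeatedly: survival redundancy
            findings[p].add("redundant_entries")
    return {p: sorted(r) for p, r in findings.items()}
```

Note that istsvc.exe itself, installed under Program Files with a plain value name, trips none of the checks; the helper in C:\WINDOWS is what stands out, which is why the thread's advice to hunt the repairer first matters.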
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Thanks for that nice commentary, ukcaracc. :rolleyes:

    It's working in conjunction with another file; in this case it's C:\WINDOWS\rwdklw.exe. You have to remove both, and most of the time it takes the reg hack as well.

    klapn, I'm waiting for your reply. :)
     
  5. ukcaracc

    ukcaracc

    Joined:
    Feb 23, 2005
    Messages:
    7
    Sorry cybertech,

    My comments were not exactly professional but I was and still am, very angry indeed.

    Why is Integrated Search Technologies not being prosecuted? They have written a piece of software that tricks the user into installing it on the machine, downloads (against the user's will) other undesirable software (including pornographic material) and, worst of all, actively resists removal.

    Virus authors can be extradited and sent to prison, so why not the directors of IST?

    Sorry I am losing it again.
    I will make this my last word here so as not to become a nuisance.
    Good luck all of you with this and other spyware to follow.
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    ukcaracc, I understand your anger! I hope lawmakers will do something about it!!
     
  7. xdanx

    xdanx

    Joined:
    Aug 15, 2003
    Messages:
    83
    Hey man, after trying and trying to remove this piece of crap, I think it's finally gone. Every time I removed it the way I was doing it, it was gone, then on reboot it was back!!!

    Think I killed it now; my repairer file was windows:qlvoq.exe

    Thanks a lot ukcaracc

    Just done a scan and all looks ok!!!

    Is getting rid of my restore points wise??
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Something called "The World Wide Web", I'm afraid....... it's not illegal in ALL countries, that's why they can get away with it.

    :confused: :mad:
     

Short URL to this thread: https://techguy.org/330703
