ISTbar/Powerscan

Cazzie · 03-15-2005, 05:54 AM

I first entered my query in general security, however after reading a few other threads I noticed folk were downloading hijack this and posting the log.
I have tried a variation of removal tools and adware programs, however each time I reboot, this pesty malaware keeps returning.

Here is my log.

Can anyone please help!

This is the latest information provided by HJT Analyser as referred by someone here, however I cannot now find that post (don't ya just hate being the new kid on the block)

===================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

- C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec

Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:31:14 PM, on 15/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Evidence Exterminator\erasrv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\fntjuqf.exe
C:\Program Files\Evidence Exterminator\eraser.exe
C:\Program Files\NoAds\NoAds.exe
C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\COMMON~1\qiwz\qiwza.exe
C:\PROGRA~1\COMMON~1\qiwz\qiwzl.exe
C:\Documents and Settings\Cazz'\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.techsupportforum.com/sear...earchid=558082
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no

file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} -

C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable

Login\bpcable.exe" /r
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program

Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [bpANpd] C:\WINDOWS\fntjuqf.exe
O4 - HKLM\..\Run: [<°‡@¡±§Tlçÿ[Ì…*9ÀÌC:\Program

Files\ISTsvc\istsvc.exe] C:\WINDOWS\fntjuqf.exe
O4 - HKLM\..\Run: [00ERSRRRNKY] C:\Program Files\Evidence

Exterminator\eraser.exe
O4 - HKLM\..\RunOnce: [00ERSRRRNKY] "C:\Program Files\Evidence

Exterminator\erasrv.exe" remove
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Update Service]

C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [qiwz] C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\iLookup\ezStub22.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://static.windupdates.com/cab/Do...ridge-c283.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

http://ak.imgfarm.com/images/nocache...MyFunCardsFWBI

nitialSetup1.0.0.8.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) -

http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl

Class) -

http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader

Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

-

http://v5.windowsupdate.microsoft.co...ls/en/x86/clie

nt/wuweb_site.cab?1093863945265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2...rendmicro.com/

housecall/xscan53.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control

4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown

owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Eraser Service (EraserThread) - Unknown owner -

C:\Program Files\Evidence Exterminator\erasrv.exe
O23 - Service: GhostStartService - Symantec Corporation -

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

End of KRC HijackThis Analyzer Log.

AntoIRL · 03-15-2005, 06:49 AM

G'day.

I'm not an expert, but I did have problems with ISTtoolbar. Go to [url=http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html].

Either follow the manual instructions or download their fix, you'll find the link half way down the page.

Cheers,

Cazzie · 03-15-2005, 06:57 AM

Hey G'day

Thanks for responding :)

I have infact dpownloaded the symantac removing tool, which in this case did not help, each time I reboot and run the Noadware it returns

THANKS for trying

CHEERS :)

greyknight17 · 03-15-2005, 06:53 PM

Please make sure that Word Wrap is turned off in Notepad before posting it here next time. The formatting makes it very difficult for us to read it.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\fntjuqf.exe
C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe
C:\PROGRA~1\COMMON~1\qiwz\qiwza.exe
C:\PROGRA~1\COMMON~1\qiwz\qiwzl.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

ISTsvc
YourSiteBar
iLookup or Web Offer

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [bpANpd] C:\WINDOWS\fntjuqf.exe
O4 - HKLM\..\Run: [<°‡@¡±§Tlçÿ[Ì…*9ÀÌC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\fntjuqf.exe
O4 - HKCU\..\Run: [qiwz] C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\iLookup\ezStub22.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...bridge-c283.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach....tup1.0.0.8.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\PROGRA~1\COMMON~1\qiwz\
C:\PROGRA~1\YOURSI~1\
C:\Program Files\ISTsvc\
C:\WINDOWS\fntjuqf.exe
C:\WINDOWS\iLookup\

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

03-15-2005, 05:54 AM	#1 (permalink)
Cazzie Registered User Join Date: Mar 2005 Location: Adelaide, South Australia Posts: 2 OS: xp	ISTbar/Powerscan I first entered my query in general security, however after reading a few other threads I noticed folk were downloading hijack this and posting the log. I have tried a variation of removal tools and adware programs, however each time I reboot, this pesty malaware keeps returning. Here is my log. Can anyone please help! This is the latest information provided by HJT Analyser as referred by someone here, however I cannot now find that post (don't ya just hate being the new kid on the block) =================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 11:31:14 PM, on 15/03/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Evidence Exterminator\erasrv.exe C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe C:\Program Files\Telstra\Cable Login\bpcable.exe C:\WINDOWS\fntjuqf.exe C:\Program Files\Evidence Exterminator\eraser.exe C:\Program Files\NoAds\NoAds.exe C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe C:\Program Files\Telstra\Cable Login\bpcable.exe C:\PROGRA~1\Webshots\webshots.scr C:\PROGRA~1\COMMON~1\qiwz\qiwza.exe C:\PROGRA~1\COMMON~1\qiwz\qiwzl.exe C:\Documents and Settings\Cazz'\Local Settings\Temp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techsupportforum.com/sear...earchid=558082 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - Default URLSearchHook is missing O1 - Hosts: 64.91.255.87 www.dcsresearch.com O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe" O4 - HKLM\..\Run: [bpANpd] C:\WINDOWS\fntjuqf.exe O4 - HKLM\..\Run: [<°‡@¡±§Tlçÿ[Ì…9ÀÌC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\fntjuqf.exe O4 - HKLM\..\Run: [00ERSRRRNKY] C:\Program Files\Evidence Exterminator\eraser.exe O4 - HKLM\..\RunOnce: [00ERSRRRNKY] "C:\Program Files\Evidence Exterminator\erasrv.exe" remove O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup O4 - HKCU\..\Run: [qiwz] C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\iLookup\ezStub22.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do...ridge-c283.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...MyFunCardsFWBI nitialSetup1.0.0.8.cab O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...ls/en/x86/clie nt/wuweb_site.cab?1093863945265 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...rendmicro.com/ housecall/xscan53.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe O23 - Service: Eraser Service (EraserThread) - Unknown owner - C:\Program Files\Evidence Exterminator\erasrv.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE End of KRC HijackThis Analyzer Log. __________________ Cazzie from Downunder :) Last edited by Cazzie; 03-15-2005 at 06:16 AM. Reason: HJT Analayser (new information)*

03-15-2005, 06:57 AM	#3 (permalink)
Cazzie Registered User Join Date: Mar 2005 Location: Adelaide, South Australia Posts: 2 OS: xp	re your response Hey G'day Thanks for responding :) I have infact dpownloaded the symantac removing tool, which in this case did not help, each time I reboot and run the Noadware it returns THANKS for trying CHEERS :) __________________ Cazzie from Downunder :)

03-15-2005, 06:53 PM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Please make sure that Word Wrap is turned off in Notepad before posting it here next time. The formatting makes it very difficult for us to read it. Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\fntjuqf.exe C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe C:\PROGRA~1\COMMON~1\qiwz\qiwza.exe C:\PROGRA~1\COMMON~1\qiwz\qiwzl.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: ISTsvc YourSiteBar iLookup or Web Offer Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - Default URLSearchHook is missing O1 - Hosts: 64.91.255.87 www.dcsresearch.com O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll O4 - HKLM\..\Run: [bpANpd] C:\WINDOWS\fntjuqf.exe O4 - HKLM\..\Run: [<°‡@¡±§Tlçÿ[Ì…9ÀÌC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\fntjuqf.exe O4 - HKCU\..\Run: [qiwz] C:\PROGRA~1\COMMON~1\qiwz\qiwzm.exe O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\iLookup\ezStub22.exe O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...bridge-c283.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach....tup1.0.0.8.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\PROGRA~1\COMMON~1\qiwz\ C:\PROGRA~1\YOURSI~1\ C:\Program Files\ISTsvc\ C:\WINDOWS\fntjuqf.exe C:\WINDOWS\iLookup\ Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt* log. Just post the contents of the result.txt file in the forum. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-15-2005, 06:49 AM	#2 (permalink)
AntoIRL Registered User Join Date: Mar 2005 Posts: 4 OS: XP	G'day. I'm not an expert, but I did have problems with ISTtoolbar. Go to [url=http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html]. Either follow the manual instructions or download their fix, you'll find the link half way down the page. Cheers,