Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
I am at a loss as to what to do next.
I first received notice through Ad Aware, and had it confirmed by AVG, that I have a trojan horse dialler "ISTsvc.exe" Letting AVG try to delete it resulted in an error message saying access denied. Attempts to manually delete the file or the parent ISTsvc folder also gave error message access denied.
I read some posts here and then downloaded Spybot, Rapidblaster killer, and Hijack this. Now it goes from bad to worse. Both Spybot and rb killer detect spyware and I assume the ISTsvc.exe program. But attempts to let those two programs fix the problem result in my computer rebooting itself. Now any attempt to go near the ISTsvc folder or the ISTsvc.exe program result in my computer rebooting itself. Attempts to access Add\Remove Programs results in the computer rebooting. When the computer reboots, attempting to boot to safe mode freezes it. It just locks up. I can get a log file from Hijack this but I don't know what to delete. Here is the log file:Logfile of HijackThis v1.96.0
Scan saved at 7:46:36 PM, on 13/08/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\TVTMD.exe
C:\Program Files\Srng\Srng.exe
C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Documents and Settings\Tim\My Documents\hijack this\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srng.net/search/9885/search.html
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\Program Files\Topicks\Bin\TpBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v1\scbar.exe" /U
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Premeter] C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {29CAC0B6-D6C2-4395-8289-BF3FBF27AD5F} (AInst Class) - http://209.47.15.72/inst/activeinstaller.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37806.9429513889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://entrata.chely.org/dialit/servizigratuiti.exeAny help would be appreciated. I'm hijacked in reboot hell. Damn this is nasty!
Thanks
Hi TB,
Run an updated Spybot Search and Destroy (LOL well maybe not, as your having problems with it) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srng.net/search/9885/search.htmlO2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
search-hijacker – See http://www.doxdesk.com/parasite/ShopNav.htmlO3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\Program Files\Topicks\Bin\TpBar.dll
Not knownO4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
Total Velocity variant - autoinstalling spywareO4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
Spyware included with the latest version of Grokster. Also see http://www.spywareinfo.com/yabbse/index.php?board=11;action=display;threadid=4585;start=0O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
Search hijacker - see http://www.doxdesk.com/parasite/Srng.htmlO4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v1\scbar.exe" /U
IE search hijackerO4 - HKLM\..\Run: [Premeter] C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe
NetRatings software by Opistat. "OpiStat measures Internet usage anonymously and surveys participants according to their profiles and online habits". This software has been reported to get downloaded and installed automatically after a Grokster install. It anonymously collects your use of the Internet protocols (sites visited, Web pages, advertisements seen, electronic commerce, streaming). To be avoided!O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
Xupiter - adware and homepage hijacker – See http://www.doxdesk.com/parasite/Xupiter.htmlO4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
ISTBar foistware – See http://www.doxdesk.com/parasite/ISTbar.htmlO16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {29CAC0B6-D6C2-4395-8289-BF3FBF27AD5F} (AInst Class) - http://209.47.15.72/inst/activeinstaller.dllO16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://entrata.chely.org/dialit/servizigratuiti.exe
After reboot then delete the following:
The folder Topicks at C:\Program Files\Topicks
The file TVTMD.exe at C:\WINDOWS\TVTMD.exe
The folder RVP at C:\Program Files\RVP
The folder Srng st C:\Program Files\Srng
The folder scbar at C:\Program Files\scbar
The folder Xupiter at C:\Program Files\Xupiter
The folder ISTsvc at C:\Program Files\ISTsvc--------------
For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware.
Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings.
Good Luck!
Thanks very much for the prompt reply!
Wow! Slap your back! I think that worked!
Altho I still wasn't able to run the Spybot without my machine rebooting, I was able to fix the mentioned items using HT. Then was able to delete the files. Thanks also for the recommends. I WILL look into how did I get infected in the first place. I believe it was probably because I lowered security requirements to tweak a Kazaa (Sharman P2P) problem as it wouldn't run without doing that and turning off the firewall. I won't be doing that again!!
Thanks ya saved my bacon!
Hi TB ans Setter,
I was having the same problem as Tb, was with the ISTsvc. I looked this site up and found what you guys wrote..I did exactly what you told TB to do..I think it worked :)
But, I do have a question..Of corse my Logfile of HijackThis is different, but I deleted the ones that were the same..Since our logfiles are different, can you take a look at my logfiles and tell me if I should delete any of these too. Plezzzzz..Thank You,
Zoeyglowy :PC:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Kazaa\kazaa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\program files\desksite\bin\cma.exe
C:\WINDOWS\MSMGT.exe
C:\Program Files\MemoryMeter\MemoryMeter.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\Program Files\America Online 8.0a\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\spool\spool.exe
C:\Documents and Settings\Shannon\Desktop\hijack this\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O2 - BHO: (no name) - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
O2 - BHO: (no name) - {BF94D8E4-BC11-477A-928D-9C5C85D267F5} - C:\WINDOWS\System32\ianssam.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: (no name) - {534413A4-AB93-4789-A34B-F5D32CEBF0B4} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O3 - Toolbar: (no name) - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-C4ED-ED6AA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsfrsv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [spool lptt01] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.exe -b
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Spinner.lnk = C:\Program Files\Spinner\Program\spinner.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://chat-j3.freeserve.com/Java/cfs31229.cab
O16 - DPF: ChatSpace Java Client 2.1.0.88L - http://216.65.197.84:8080/Java/cs4msl088.cab
O16 - DPF: ConferenceRoom Java Client - http://hotwired3.techiemedia.net:8000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://dimebag.fateback.com/2931.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www115.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26ebf06c1ad6dc7e0b02/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {BB99D1AB-35A7-4385-AD22-DAD382F29C6D} - https://www.opinionsquare.com/globalconfig/ngcsurvey.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldwinner.com/games/v40/darts/darts.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v45/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CEF2916-C100-4D70-992E-B04EB1A18324}: NameServer = 67.36.13.26 66.73.20.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7EF9BC5-5875-4DF9-9FFE-AE0EB8C0F203}: NameServer = 205.188.195.4
HI Zoeyglowy,
First, run the program RapidBlaster Killer from http://www.wilderssecurity.net/specialinfo/rapidblaster.html
Second, run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot.
Third, after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again.
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
HuntBar - See http://www.doxdesk.com/parasite/HuntBar.htmlO2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
HuntBar/Stoolbar - See http://www.doxdesk.com/parasite/HuntBar.htmlO2 - BHO: (no name) - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
Unknown, this may be part of RapidBlaster. Fix it!O2 - BHO: (no name) - {BF94D8E4-BC11-477A-928D-9C5C85D267F5} - C:\WINDOWS\System32\ianssam.dll
Unknown, this may be part of RapidBlaster. Fix it!O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
HuntBar - See http://www.doxdesk.com/parasite/HuntBar.htmlO3 - Toolbar: (no name) - {534413A4-AB93-4789-A34B-F5D32CEBF0B4} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
WebSearch a HuntBar variant – See http://www.doxdesk.com/parasite/HuntBar.htmlO3 - Toolbar: (no name) - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-C4ED-ED6AA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsfrsv.dll
Unknown, this may be part of RapidBlaster. Fix it!O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
SuperBar parasite – See http://www.doxdesk.com/parasite/SuperBar.htmlO4 - HKLM\..\Run: [spool lptt01] "C:\Program Files\spool\spool.exe"
New variant of the RapidBlaster parasite (in a "spool" folder in Program Files) – See http://www.doxdesk.com/parasite/RapidBlaster.html . It is not recommended you manually uninstall RapidBlaster but use RapidBlaster Killer - see http://www.wilderssecurity.net/specialinfo/rapidblaster.htmlO4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.exe –b
Go Hip Spybot – Spybot S&D should remove this.O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
Total Velocity adware/hijackerO4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
Autoinstalling spyware by Total VelocityO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://dimebag.fateback.com/2931.exe
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www115.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26ebf06c1ad6dc7e0b02/netzip/RdxIE601.cabO16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {BB99D1AB-35A7-4385-AD22-DAD382F29C6D} - https://www.opinionsquare.com/globalconfig/ngcsurvey.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldwinner.com/games/v40/darts/darts.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v45/h2hpool/h2hpool.cabAfter reboot then delete the following (if found):
Either the folder INCRED~1 (Don’t know what INCRED~1 is) or the folder BHO at C:\PROGRA~1\INCRED~1\BHO
The folder BTLINK at C:\PROGRAM Files\COMMON Files\BTLINK
The folder SEARCH~1 (Don’t know what SEARCH~1 is) at C:\PROGRAM Files\SEARCH~1
The folder POWERS~1 (PowerSearch?) at C:\PROGRAM Files\POWERS~1
The folder SuperBar at C:\Program Files\SuperBar
The folder spool at C:\Program Files\spool
The file WINSTA~1.exe (winstartup.exe?) at C:\WINDOWS\System\WINSTA~1.exe
The file MSMGT.exe at C:\WINDOWS\MSMGT.exe
The folder MemoryMeter at C:\Program Files\MemoryMeterDon’t know what your Operating System is (logfile was cut off at the top), but since you don’t have the MSBlast Worm going around; recommend all windows updates.
--------------
For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware.
Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings.
Good Luck!
OH YEAH, this is a bad virus! I was looking for some keygens like a good man and got infected. It started to reboot my PC over and over until it got to my BIOS and then would not detect my HDD anymore. I phisically removed my HHD to another PC, searched *istsvc* and shift deleted all of if, AND FLASHED MY BIOS, cause the via still wouldn`t detect my HDD and finally got it to work. I didn`t wanna take any chances so I ran spybot, hijackthis and ad-aware.
Oh well.
Dear Setter,
I have been hit with this ISTsvc, also. Can you write me off-line so we can talk, please? I would be willing to call you on my dime.
Sincerely,
Robert Hammond
Dear Setter,
I have ZoneAlarm installed on my system, which is XP and it popped up asking me if I want to allow istsvc.exe to connect to the internet... I said NO, and did a search on google to see what it was, that's how I found this site and you... I have read what you have done to help other and would like to ask for your help too... I do not have any of the four mentioned programs installed on my system yet, but am willing to put on what ever is needed... Could you please e-mail me and let me know where to just where to start?? I don't think anything has happen yet, but I could be very well wrong... Need your help, if you can..
Kimba_II@msn.com
Report Offensive Follow Up For Removal
I need similar help, something is hijacking my computer. IE will run and then freeze for about 2minutes then run for about 2minutes. plus several other problems. please look at my list from HiJack :
Logfile of HijackThis v1.95.1
Scan saved at 10:25:03 AM, on 9/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\NOVELL\CLIENT32\NWRECMSG.exe
C:\NOVELL\CLIENT32\WM95.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\DPMW32.exe
C:\PROGRAM FILES\OAK TECHNOLOGY\OAK SIMPLICD\OAKTASK.exe
C:\PROGRAM FILES\OAK TECHNOLOGY\OAK SIMPLICD REWRITE\IWCTRL.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\CLEARSEARCH\LOADER.exe
C:\PROGRAM FILES\MA\HH.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe
C:\WINDOWS\NOTEPAD.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\epspmgr4.exe
C:\WINDOWS\SYSTEM\epdsplr4.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mama.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mamma.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.exe
O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.exe
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\OAKTEC~1\OAKSIM~2\IWCTRL.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Workstation Scheduler] C:\novell\client32\wm95.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [HH] C:\PROGRAM FILES\MA\HH.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm_6_1,0,2,5.cab
O16 - DPF: {B71C61AE-79C5-4870-B761-07A2D21F63E0} (FreeMedia Control) - http://66.28.33.112/v1/Media.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} - http://xbs.climaxbucks.com/internet-optimizer/MultiDist.CAB
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109738.exe
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/930260cd062fd5/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: msvcr71 (PCPitstop Utility) - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
O16 - DPF: msvcp71 (PCPitstop Utility) - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
O16 - DPF: ppctlcab (PCPitstop Utility) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: axscannerruntime (PCPitstop Utility) - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl (PCPitstop Utility) - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: axscanner (PCPitstop Utility) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.180.99.2,216.180.122.2any help would be greatly appreciated
 |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
