This is the first time for me to post on anything on any web site so I hope I'm following protocol. I have ISTSVC.exe on my pc running XP Home and I cannot get rid of it. I have installed Ad Aware 6.0, Zone Alarm, SpyBot S&D, and CookieWall. I have also increased the security level for cookies to request permission to add a cookie. I have successfully removed MANY programs, spyware, virants etc... BUT ISTSVC.exe will not go away. It seems to prompt my pc to reboot when scanning for it with Spybot S&D. Ad-Aware does not detect it when I scan. When I tried to delete the file I was prompted that "Access is Denied" and now I can't even find the folder.
I can see istsvc.exe as a program on Zone Alarm (which I have denied internet access to or from my computer) but cannot kill it. I have noticed my pc is very slow on start up and opening programs (before adding all this security software) and that it often crashed while watching a cd Powerpoint presentation or working a Frontpage. Is this related... or time for a new PC?
Please advise this newbie and first time forum poster! THANK YOU SO MUCH IN ADVANCE.
Below is my Hijackthis log file for your review:

Logfile of HijackThis v1.96.2
Scan saved at 8:25:23 AM, on 09/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Palm\HOTSYNC.exe
C:\Download\SpywareGuard\SpywareGuard\sgmain.exe
C:\Download\SpywareGuard\SpywareGuard\sgbhp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.exe
C:\Download\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ex
t/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://mail.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} -
C:\Download\SpywareGuard\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Download\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator
5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe"
/server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.exe
O4 - Startup: SpywareGuard.lnk =
C:\Download\SpywareGuard\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/Q
uickTimeInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) -
http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://207.188.7.150/1884c28408dc05e77705/netzip/RdxIE6.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI
Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37587.4794444444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the
Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{6AB20166-3C61-4853-B297-66CFBA05F202}:
NameServer = 206.141.192.60 206.141.193.55

Thanks in advance for any help!


http://www.mvps.org/inetexplorer/darnit_2.htm
copied from above;
1STBAR
Partially removed via add/remove programs (MS AUpdate and ISTbar). Use AdAware and/or Spybot to help with the cleanup.
You can also clean up the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (AutoUpdater entry for 'aupdate.exe' programme or "1stService")
HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11D2-BA91-00600827878D}
HKEY_CURRENT_USER\Software\1STbar
HKEY_CURRENT_USER\Software\IST\
HKEY_CLASSES_ROOT\Pugi.PugiObj
HKEY_CLASSES_ROOT\Pugi.PugiObj.1
HKEY_CLASSES_ROOT\1STactivex.Installer.1\
HKEY_CLASSES_ROOT\1STactivex.Installer\
Search engine hijackings - you may also need to delete the following registry keys as per the advice in Microsoft's knowledge base article:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q323869
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Delete the following files if they exist: aupdate_uninstall.exe; aupdate.trk; aupdate.conf; aupdate.exe; istbar.dll; istsvc.exe, istactivex.dll, 1STactivex.dll, 1stactivex.inf,
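
As an added example (not part of the thread or of the page it quotes), one way to check a HijackThis log for the file names listed in the reply above. It first rejoins entries that were wrapped across lines, as in the log posted earlier; the sample log, its paths and the all-zero CLSID are constructed, and `entries` and `find_ist` are hypothetical helper names.

```python
import re

# File names the reply above lists for deletion, lower-cased for matching.
IST_FILES = {
    "aupdate_uninstall.exe", "aupdate.trk", "aupdate.conf", "aupdate.exe",
    "istbar.dll", "istsvc.exe", "istactivex.dll", "1stactivex.dll",
    "1stactivex.inf",
}
SECTION = re.compile(r"^([A-Z]\d{1,2}) - ")    # "R1 - ", "O4 - ", "O16 - "
DRIVE = re.compile(r"^[A-Za-z]:\\")            # a running-process path
SPLIT = re.compile(r'[\\/\s"\[\]=,;]+')        # path and value separators

# Constructed sample log (not the poster's); two entries are hard-wrapped.
SAMPLE = r"""Logfile of HijackThis v1.96.2
Running processes:
C:\WINDOWS\Explorer.exe
C:\Program Files\ISTsvc\istsvc.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program
Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [AutoUpdater] C:\Program Files\AutoUpdate\aup
date.exe
"""

def entries(log_text):
    """Yield (section, lines) with wrapped continuation lines regrouped."""
    current, in_registry = None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        # A drive path starts a new entry only inside the process list;
        # after the first "Xn - " line it is the tail of a wrapped entry.
        if sec or (not in_registry and DRIVE.match(line)):
            if current:
                yield current
            current = (sec.group(1) if sec else "PROC", [line])
            in_registry = in_registry or bool(sec)
        elif current and line:
            current[1].append(line)
    if current:
        yield current

def find_ist(log_text):
    """Return sorted (section, file name) pairs that match IST_FILES."""
    hits = set()
    for section, parts in entries(log_text):
        # A wrap can fall on a space or inside a name, so test both joins.
        for joined in (" ".join(parts), "".join(parts)):
            hits.update((section, t) for t in SPLIT.split(joined.lower())
                        if t in IST_FILES)
    return sorted(hits)
```

A match only says the name appears in an entry; the entry still has to be read in context before anything is removed.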

I hate these "smartass" tricks these sites use to get stuff into our computer we have almost no control of!
In istsvc.exe's case, the problem you have with the denial of file delete is easily solved: just do CTRL+ALT+DELETE, select ISTSVC and end the process in the processes bar. Also, you might want to go to: start => run => msconfig => and uncheck istsvc, which prevents the program from starting each time you turn on your computer. But the first step I explained is the most efficient. After you've done that you can go to your program files folder and delete istsvc related material with no denials whatsoever!
To clean the registry after this just use an updated Ad-Aware version. Here you must pay attention to a second trick another parasite toolbar uses: the XXXToolbar. After you use Ad-Aware to uninstall XXXToolbar, you are taken to a site which says xxxtoolbar uninstalled. Can you guess what it does? Right, just downloads and installs a new bunch of sh*t again in your computer.
To prevent this go to your browser and disable all scripting functions (in IE6: Tools => Internet Options => Security => Custom Level => and disable in all "Scripting" sub-menus settings). This way xxxtoolbar won't do its little resurrection trick again!
After doing this enable the scripting settings you've disabled before, as it is important for most of the "nice" sites to work properly!

Use Ad-Aware, virus scan programs, search your computer and search the net (forums and security/privacy sites) for this matter. It's an ongoing, never-ending struggle with sites that want to get the best of you and only information and attention with what's going on @ the Net and in your computer can turn the game in your favor... until the next thing they'll come up with!
Take care!

Why, just today I installed zonealarm and adaware. I don't know how, but this istsvc thing found its way into my computer. Zone alarm worked fine, but adaware disabled half of my computer! I uninstalled it and everything was fine. Except for this damned istsvc thing! It was in my program files so I sent it to the recycling bin. I was able to "empty" my bin because it was currently running. The buttons wouldn't work, so I re-booted the computer, went straight to the recycling bin and was able to empty it. So far, so good. I hope this helps someone out there. Good luck.
