Incomplete Removal - IST.ISTBar

[Steve]

Removal of IST.ISTBar (maybe other variants as well)
leaves sqldata1.exe in the %SystemRoot% directory, and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

 

[Bill Sanderson]

Thanks--is this also true if you do the removal in safe mode?

 

[Steve]

Didn't try in safe mode.

There was no running process for this program (hence the
safe mode question ?). The sqldata1 executable was being
fired by the run key which prompted the user (not my
machine) for their dialup connection, which in turn
downloads and installs the ISTBar trojans. The security
agents picked it up and blocked as it, but failed to
remove the root-cause of the problem.

The user level security at the time had Admin privileges.

Hope this helps.

 

[Bill Sanderson]

Thanks - yes, the safe mode recommendation is to deal with a running process
which may prevent deletion of files. It shouldn't be necessary, but
experience has shown that it helps in enough cases that it is worth trying.

Dosn't sound like it would help for your case, though. What Windows version
was this on?

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Didn't try in safe mode.

There was no running process for this program (hence the
safe mode question ?). The sqldata1 executable was being
fired by the run key which prompted the user (not my
machine) for their dialup connection, which in turn
downloads and installs the ISTBar trojans. The security
agents picked it up and blocked as it, but failed to
remove the root-cause of the problem.

The user level security at the time had Admin privileges.

Hope this helps.

 

[Guest]

XP SP2. All patches applied.

 

[Bill Sanderson]

I'm trying to see whether this cleaning issue might be home versus pro--a
number of other issues seem to be more prevalent on home--but I haven't
spotted anything clear about cleaning.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

XP SP2. All patches applied.