ISTBar Registry entry

[Littlefrank]

I have a Registry entry HKEY_LOCAL_MACHINE\SOFTWARE\ISTBAR
that cannot be deleted. MSAS, AdawareSE, and Spybot S&D
detect it but will not remove it. Symantec ISTfix will
not remove it. Manual Regedit delete and Regedit rename
will not work. Message says "Cannot be deleted" Safemode
same answer. Entry in registry has sub files: History and
History string. ????

 

[Andre Da Costa]

Andy Manchester has some info here:
Hi Richard

Ive just tried this and I have no problems removing the
IST folders from the registry, Maybe worth double
checking its being done from the Admin account, I didnt
use MS Antispy to remove the entries as I just deleted
every one found so cannot comment on if they still exist
after clean up but this was the main IST entries after
installing:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
ion\Run]

"SurfAccuracy"="C:\\Program Files\\SurfAccuracy\\SAcc.exe"

"Internet Optimizer"="\"C:\\Program Files\\Internet
Optimizer\\optimize.exe\""

"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"

"Power Scan"="C:\\Program Files\\Power
Scan\\powerscan.exe"

"switp"="C:\\WINDOWS\\switpa.exe"


[HKEY_CURRENT_USER\Software\IST]
[HKEY_CURRENT_USER\Software\PowerScan]
[HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc]
[HKEY_LOCAL_MACHINE\SOFTWARE\SideFind]
[HKEY_LOCAL_MACHINE\SOFTWARE\PowerScan]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
ion\Uninstall\ISTbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
ion\Uninstall\ISTsvc]
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 

[Guest]

-----Original Message-----
Andy Manchester has some info here:
Hi Richard

Ive just tried this and I have no problems removing the
IST folders from the registry, Maybe worth double
checking its being done from the Admin account, I didnt
use MS Antispy to remove the entries as I just deleted
every one found so cannot comment on if they still exist
after clean up but this was the main IST entries after
installing:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers

ion\Run]

"SurfAccuracy"="C:\\Program

Files\\SurfAccuracy\\SAcc.exe"

"Internet Optimizer"="\"C:\\Program Files\\Internet
Optimizer\\optimize.exe\""

"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"

"Power Scan"="C:\\Program Files\\Power
Scan\\powerscan.exe"

"switp"="C:\\WINDOWS\\switpa.exe"


[HKEY_CURRENT_USER\Software\IST]
[HKEY_CURRENT_USER\Software\PowerScan]
[HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc]
[HKEY_LOCAL_MACHINE\SOFTWARE\SideFind]
[HKEY_LOCAL_MACHINE\SOFTWARE\PowerScan]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers

ion\Uninstall\ISTbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
ion\Uninstall\ISTsvc]
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

I have a Registry entry HKEY_LOCAL_MACHINE\SOFTWARE\ISTBAR
that cannot be deleted. MSAS, AdawareSE, and Spybot S&D
detect it but will not remove it. Symantec ISTfix will
not remove it. Manual Regedit delete and Regedit rename
will not work. Message says "Cannot be deleted" Safemode
same answer. Entry in registry has sub files: History and
History string. ????

As I said in my post none of the programs will remove
this registry key. Manual remove does not work. It is
HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar.

 

[AndyManchesta]

I never have problems removing registry entries so this
may be a permissions issue,

Try it this way (Log in from a Admin Account) :

Open regedit (Start>Run> Regedit)

Goto

HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar.

Rightclick on the ISTbar & choose Permissions

If the field under Group or user names is empty click Add
In the box titled 'Enter the object names to select' type
Administrators click OK.

With Administrators highlighted in the top part of the
window check the Allow box next to Full Control. Click
Apply and OK then Delete the key.

Andy

 

[Littlefrank]

ANDY.
Tried that. Same result. "Cannot delete key" message

 

[AndyManchesta]

Hi LittleFrank

Can you confirm you have Administrator access on your pc,
If no antispy scanner can remove the entry and you cannot
remove the entry manually after checking Full Control
then it sounds like you are logged into a limited
account.

Try going to Start Menu and control Panel then to User
Accounts, Create a new Admin account and try deleting the
key using that.

If you are sure you are dojng this from the Admin account
then try it this way :

download and install Registrar Lite.

http://www.resplendence.com/download/reglite.exe

Run reglite and paste this line into the address box:

HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar.

Click on 'Go', then highlight ISTbar(reglite will have
already selected the key) in the left pane,

right click it and select 'Delete'. If you can't delete
it, Highlight the key and from the Security menu on the
top bar press "Take Ownership" and try to delete the key
if this doesnt work try "Edit Permissions"
under 'Security' from the same pull down menu at the top
(with the key still highlighted). Make sure 'Read'
and 'Full Control' are selected for your account(in the
top pane), click 'Ok' and try to delete it again.

If this doesnt work then save this regfile, Open Notepad
and copy & paste this into it:


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar]



Save as Type "All Files" and call it fix.reg

save it to your desktop

download Ewido Security Suite and update it in normal
mode and run it in safe mode (Reboot and keep tapping F8
then choose safe mode from the list)

http://www.ewido.net/en/

After unning Ewido Use the Regfix you just saved and
double click it and allow it to be merged into the
registry, reboot and check that it has been removed.


If this doesnt work then download the FindItNT-2K-XP.zip


http://castlecops.com/zx/Zupe/Find It NT-2K-XP.zip

extract the files from the zip. Navigate to the Find It
NT-2K-XP folder and double-click on find.bat. A command
prompt will open and it will search your computer for
malicious files. Once it has finished a Notepad window
will pop up with output.txt. Copy the entire contents of
output.txt into your next post.


Andy

 

[Guest]

-----Original Message-----

Hi LittleFrank

Can you confirm you have Administrator access on your pc,
If no antispy scanner can remove the entry and you cannot
remove the entry manually after checking Full Control
then it sounds like you are logged into a limited
account.

Hi Andy.

I have full access and I can do anything in the registry
without a problem. But that entry would not go away. All
of my antispy programs would detect it but none would
delete it. I run Adaware SE, Spybot S&D, MS AntiSpyware
Beta, Norton 2005 and Hijack This. This computer is used
by my teenage son and his friends. When ISTbar was first
detected the anti spy programs removed all the files and
registry entries associated w/ISTbar except the single
registry entry that I have been trying to get rid of for
several weeks now. Yesterday I found out that an update
to MS AntiSpyware existed and I downloaded it. I ran a MS
scan and the Registry entry ISTbar was detected and as I
had done at least 50 times I pushed delete and knowing it
would not delete it, I moved on. Well, guess what? My
first scan this morning, something I do first thing every
morning, did not detect anything! Zero, zilch, nada, zip.
I went to the registry and it is gone! All is right with
the World! Thanks for your help.
Frank

 

[AndyManchesta]

Thanks for the info,

I was thinking we would have to reset your permissions
using "subinacl" as it was strange you couldnt delete the
line yourself with Full Control or Take Ownership but its
great MSAS was able to by running from your account and
its nice to hear its not a issue now

Good Work MS

All the best Frank

Regards Andy