1st.xxx.toolbar.exe won't go away

Robbi

How many times does this MS ANTISPYWARE need to keep
removing this file, then only to reboot the next day, and
find a red pop up (red) window, saying that the
1st.xxx.toolbar is trying to install.....do you wish to
remove it.....

I type yes over and over, and sure enough another day
comes along, and up it pops!


HEY MICROSOFT....find out why you can't seem to be able to
get rid of this problem PERMANENTLY!
 
AndyManchesta

I fail to see how it's MSAS's fault that you downloaded
and installed the xxx.toolbar, but I will try to help you
out on this.

I do not know much about it, but I know plenty of sites
that install it, so I will try to infect myself with this
and let you know where it is and what the filenames are. I
will repost in about an hour once I've run some tests.

Andy
 
AndyManchesta

Hi again, here's what you need to do. Reboot your system
into safe mode (reboot and keep tapping F8, then choose
safe mode from the list).

Copy this to Notepad and save it to your desktop so you
can still use it in safe mode. You could just try MS
Antispy first in safe mode as it may remove the problem,
but here are full manual removal instructions if you need
them.

Once in safe mode, go to the Start menu and Run, and type

regedit

When that opens, go to 'Edit' on the top bar, then to
'Find', and type

IST Service

It will find it for you in the Run folder, but if you know
your way around regedit it's here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

When you get to the Run folder, left-click Run and it will
open the values on the right, then right-click IST Service
and press remove.

Exit regedit

Next open Add/Remove programs from the control panel and
remove any of these if found:

ISTsvc
OfferAgent
CramToolbar
Powerscan
Sidefind
Slotchbar
SurfAccuracy

Close Add/Remove Screen and go back to control panel

Click Internet Options

On the page that opens, press Delete Files and include
offline content, then press OK.

Next for the ActiveX

Next to Delete Files you will see a button
called 'Settings'. Press that, then go to 'View Objects'.

This will open the Downloaded Program Files folder. Delete
these 2 if found:

Installer class
{14A32216-1678-1982A355-7263B1281987}

Again just right click and press remove

Next for the folders :)

Go to the Start menu, then the C: drive and to Program Files.

Delete these folders if found:

CramToolbar
InternetOptimizer
ISTsvc
OADesktop
Powerscan
Sidefind
SurfAccuracy


Finally, empty your recycle bin by right-clicking and
choosing empty, then run MSAS in safe mode to remove any
other traces that may be left in the registry area to
save you having to search for anything else.

You're done!

Let me know if you need help with anything

All the best

Andy
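
The checks from the manual removal steps above, as an added read-only PowerShell example that is not part of the original post: it reports whether the `IST Service` Run value, the listed Add/Remove entries or the listed Program Files folders are present, and deletes nothing. Matching uninstall entries by `DisplayName` or key name is an assumption, and only the native registry and Program Files view is checked.

```powershell
# Added example: read-only audit, nothing is deleted or modified.
# The names below are the ones listed in the post above.
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue     = 'IST Service'
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$Programs = 'ISTsvc','OfferAgent','CramToolbar','Powerscan','Sidefind','Slotchbar','SurfAccuracy'
$Folders  = 'CramToolbar','InternetOptimizer','ISTsvc','OADesktop','Powerscan','Sidefind','SurfAccuracy'

function New-Finding($Type, $Name, $Detail) {
    New-Object PSObject -Property @{ Type = $Type; Name = $Name; Detail = $Detail }
}

function Get-IstFindings {
    # 1. Autostart value under the Run key
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunValue]) {
        New-Finding 'RunValue' $RunValue $run.$RunValue
    }

    # 2. Add/Remove Programs entries (assumption: the listed name appears
    #    in the entry's DisplayName or in its registry key name)
    Get-ChildItem -Path $UninstallKey -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $display = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).DisplayName
        foreach ($p in $Programs) {
            if ("$display" -like "*$p*" -or $key.PSChildName -like "*$p*") {
                New-Finding 'UninstallEntry' $p "$display ($($key.PSChildName))"
            }
        }
    }

    # 3. Folders directly under Program Files
    foreach ($f in $Folders) {
        $path = Join-Path $env:ProgramFiles $f
        if (Test-Path -Path $path) { New-Finding 'Folder' $f $path }
    }
}

$findings = @(Get-IstFindings)
if ($findings.Count -eq 0) {
    Write-Output 'None of the listed Run values, uninstall entries or folders were found.'
} else {
    $findings | Select-Object Type, Name, Detail | Format-Table -AutoSize
}
```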
 
Robbi

Hi Andy
I guess that when I sort of blame MS antispyware, well,
they offer a product that removes spyware, and it actually
picks up this spyware, and allegedly removes it, and sure
enough, another day has passed, I turn on my computer, and
the red pop up window pops up and asks me, that this
xxx.toolbar is TRYING to install.....so if they are aware
of this spyware, why can't they do something more than just
remove the install issue at the time, not just remove the
current situation of it trying to install.

I am sure that at their search and research area where old
MS staff sit around and find spyware, and work out ways
to remove it, are they also having this program
repetitively coming back EVERY DAY?

If this was a pay program, I am sure by now I would demand
my money back, stating that they are not fulfilling what
they say they do, by not truly removing this threat off my
machine!

I don't recall ever installing software that has this
toolbar in it, but I do have a number of freeware
applications on my machine that I have gone through, but
cannot find any reference to it!

I also do not scour the porn networks for rubbish like
that, and this 1st.xxx.toolbar.exe I presume is a porn
toolbar, only by the reference of the "xxx".


This email is in NO WAY meant to criticize either MS ANTI
SPYWARE or you Andy, but when it comes back every day,
well, you sort of get sick and tired of it!

And this machine is a workstation machine used in Cancer
care. So it is critical not to have absolute rubbish like
this on the system!

So you can see why I am sort of dismayed that their
product does not do what it says it can do!

Kind Regards

Robbi
 
AndyManchesta

Hi Robbi

Don't worry mate, I do not represent MS in any way. I'm not
an MVP but just a user like yourself who tries to help
people where I can. I just get used to helping people on
here who post negative comments and never reply to the
help given, so I was a bit quick to comment without
thinking. Sorry about that.

I got xxx.toolbar by visiting Cracks.am and just
pressing 'A' in the list, then the first file it showed,
and ran the file. I knew it would give me Istbar, who make
xxx.toolbar, but it infected my system with about 20
different problems plus backdoor trojans and trojan
downloaders, which I posted on the general newsgroup
under 'SendingSpywareReport', so I appreciate your
comments. These people are scum and use every trick in the
book to deceive people into thinking it's something else.

I was just testing on an unpatched PC with no AV
protection to see what damage they can cause, and it
surprised me the amount of junk I got by pressing 1 file.
I think it was called cracks.exe but cannot be sure as
that wasn't important. I just thought if I get the toolbar
it would be easier to post a fix. Maybe you can just
remove this by removing ISTsvc from the Add/Remove screen
and the IST folder from Program Files, but then you still
need to take out that xxx.toolbar ActiveX called
InstallerClass.

It may help you to send a suspected spyware report as it
seems they may be missing a part of this. When I tested I
got about 20 infections, so that's why the removal
instructions are so large, as I couldn't be sure exactly
what came with xxx.toolbar.

This could be bundled with all sorts of applications. I
just know they spread them around crack/serial & wares
sites, and the name looks more like it's from adult sites,
but I suspect they install it on any site that will let
them. With cracks.am I'm sure now after testing they write
malicious JavaScripts and add trojan downloaders to the
page itself, so when you press any button you get
infected if your AV protection is not great, so there are a
number of ways you could have got this. You may even still
have the trojan downloader on your system which keeps
bringing it back, but it's hard to know.

Ewido Security Suite will remove trojan downloaders, and
using CCleaner to remove all temp & unused files would
also help.

In the test I did I had to disable Microsoft's Real Time
protection to get them all to install, as it kept giving
the same red pop up and wouldn't run the file with Real
Time enabled. Usually that's great, but just to test it I
disabled MSAS. It missed a lot of files on the scan, which
I had to use Ewido on, but even after that there were still
suspect entries which were not present before, so they are
probably making new variants all the time to keep in front
of the Antispy vendors, but MSAS still found nearly 600
infected entries, so it shows how deep it can get just by
running one suspect file and visiting a dodgy site
without enough protection.

I fully appreciate your view on this and it would be
great news if MSAS could find a way to kill this in one
try. If you haven't used safe mode yet then it's well worth
a try. Also download and install Ewido and CCleaner and
use them in safe mode too.

If you have Service Pack 2, go to Tools on the top bar, then
go to Manage Add-ons. Check the add-ons currently loaded
in IE and disable any you find suspicious, as you can
easily re-enable them later. Then with Ewido and MSAS,
boot into safe mode and run a full system scan with each
and they should fix the problem for you. It's a lot easier
when the malicious files are not running.

It's worth you checking the Add/Remove screen for the things I
listed, mainly ISTsvc, but all the rest are connected to
this too. Then the same in the Program Files area if you
can, to make sure it goes without a fight when you run the
scanners.

If you need any help with anything, my email's at the top
and I'm more than happy to help out if I can.

Regards

Andy
 
robbi

You are amazing! I have not tried yet to start the
removal process you recommended, and I am so glad that
we didn't end up like most idiots on the web with
misunderstandings!

I really appreciate, and am amazed at, the time you took out
of your day to do all this, for not only me, but I am sure
you help others!

Have a fantastic day, and nice meeting you!!!!!


Kind Regards Robbi !
 
Robbi

OK, went and saved to text file, did all that you advised,
NOTHING on my machine at all, did safe mode
scan...searched all files and folders, regedit, etc,
NOTHING...would this mean that it is not installed, like
you experimented?

As the red pop up window I get is...

It is "TRYING" to install, so therefore, it is not in my
installed programs, etc.

Could be why I can't find anything.

I am in the process of doing a start/search....1st
service....or 1stsvc etc, but so far nothing!

So I wonder where it is trying to install from???
I was wondering, should I blame my ISP..Comcast? Is it
coming from them? But I can't imagine it to be so.

It must be somewhere on this computer, as it is a
standalone system, WinXP Service Pack 2.

Robbi
 
AndyManchesta

Hi Again Robbi

Sorry for the delay, I help in a few forums so do lose
track of the topics I post in a lot of the time.

This is a bit strange if you cannot find any of the files,
but I suppose that's good news in a way. It doesn't help
you get rid of this pop up though, and something must be
there to keep bringing it back.

With the IST words, this is 'ist' with the letter 'I', not
a number. Not sure if we have that part mixed up, so
wanted to make that clearer.

Have you also tried Ewido? This is great for finding
Trojans, as MSAS is mainly for Spyware, so worth trying
that too.

I don't think this is connected to Comcast, but I'm in the
UK and do not know much about them.

If you are still having problems I think we should use
Hijack This and check your PC in more detail. I know the
signs of malware and can spot them quite easily in a
Hijack log, so it may be easier to use this to make sure
your system is clean.

If you wanted to use this, first create a folder on the
desktop or C: drive (really anywhere except temp folders,
as Hijack This makes backups of anything that is deleted
and running it from temp folders will mean you lose all
backups if you ever delete the temp files).

Right-click an empty space on the Desktop/C: drive and
choose 'New' then 'Folder', name it and save Hijack This
into the folder you just created.

Download it from here:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Extract and run Hijack This and choose to do a system
scan and save the logfile. When it's finished scanning it
will open the results in Notepad. Post them here or to my
email and I will check all the entries and get back to
you.

(**Note: most of what it finds will be essential, so do not
fix entries until you know for sure it's malicious. Even
I wouldn't advise a fix until I check every path and
filename in detail, as there is a lot of malware these days
that uses legitimate-sounding names to hide itself, so
it usually takes me a couple of hours to check the log
before replying to be sure it's the right fix.)

Regards Andy
 
Guest

WOW

Now we are getting deep, let me know when you are going on
holidays to Santa Fe, New Mexico, lol, and you can have a
free room, for computer services!, lol

I will give it a go!

Thanks HEAPS!
 
