ISTBar

[John]

This spyware, ISTBAR keeps reinstalling itself.
MS AntiSpyware beta 1 keeps detecting it & supposedly
removing (deleted) it.
After I run a scan, I'll go to regedit and find it
residing in two locations, after MS Spyware says it was
removed. ?
Ideas anyone?

 

[Monitor]

Please submit a Tools, suspected spyware report from the
infected machine!

Monitor

 

[Wilber]

Hi John.... looks like this file is residing in your
system restore files .... everytime you reboot your
machine it reinfects its self I`d turn off system
restore .... boot your machine in safe mode and re scan
your machine ...
Hope this helps
Wilber

 

[Bill Sanderson]

What evidence leads you to this conclusion?

 

[Bill Sanderson]

John - have you tried restarting your system in safe mode and doing a full,
deep scan with Microsoft Antispyware and removing it there. Does that
succeed?

 

[John]

How do you turn off restore with Win 200 Pro ?
problem still exists a month later, still shows up on
bootup or restarts or logoff

Thanks, John

 

[Bill Sanderson]

That was part of what led me to my response to Wilbur.

I've yet to hear of a verified instance of malware regenerating from the
System Restore storage area. No antivirus vendor states in writing that
this is possible, as far as I've been able to find.

I believe that what this means is that your system isn't, in fact, clean.

Can you do the following:

1) send a Tools, Suspected Spyware report from Microsoft Antispyware--note
ISTBAR somewhere in the report. If you get an error message attempting to
send this report, don't worry about it.

2) restart in safe mode by pressing F8 function key before the first Windows
screen appears. Do a full, deep scan with Microsoft
Antispyware--preferably, continue scanning until a scan comes through clean.

3) If this does not succeed in cleaning Istbar, send email to:

(e-mail address removed)

With ISTBAR somewhere in the subject header.

Steve Dodson may have additional instructions for the resistant variants.

 

[Guest]

I have run safe mode a few times and ran a cleaner program
which found nothing and then full restart and all the
spyware starts making files in temp directory and a
subdirectory in program files.
I cannot find out how in WIn2000 Pro to stop a restore so
as soon as booting into Win2000 it starts all over again !
Yet anti spyware (newest updates) starts again showing
these spies and even the micro trend virus program alarms
in seeing them but cannot delete them but spyware allows
spies ot be removed and they are gone until a reboot or
restart.

Worse is a use a mail washer program thus very little gets
by but still got wacked.

 

[John]

For whatever reason I cannot in tools use the report
function for it fails saying due to a proxy but I have
zero problems going outbound for everything else.

My virus program is Micro Trend Internet version that is
functional all the time. I called them and they say they
cannot clean these ( get deny) and gave me a clean program
to use when on safe mode but it see nothing wrong and
being Win2000 there is no boot to DOS function so even in
safe mode this spyware/virus is already functional even in
safe mode.
Laptop has no built in floppy or C/D ( Sony thin type
laptop) so I cannot boot up on a floppy.

I copied the report contents and send via email to MSFT
and this forum and no response from them when I sent it 2
weeks ago and just did it again today

What bothers me is spyware sees these after a reboot,
allows permenent delete but is not finding the root
program that seeds itself on reboot/restart and even if
just a logout and re login.

-----Original Message-----
That was part of what led me to my response to Wilbur.

I've yet to hear of a verified instance of malware regenerating from the
System Restore storage area. No antivirus vendor states in writing that
this is possible, as far as I've been able to find.

I believe that what this means is that your system isn't, in fact, clean.

Can you do the following:

1) send a Tools, Suspected Spyware report from Microsoft Antispyware--note
ISTBAR somewhere in the report. If you get an error message attempting to
send this report, don't worry about it.

2) restart in safe mode by pressing F8 function key before the first Windows
screen appears. Do a full, deep scan with Microsoft
Antispyware--preferably, continue scanning until a scan comes through clean.

3) If this does not succeed in cleaning Istbar, send email to:

(e-mail address removed)

With ISTBAR somewhere in the subject header.

Steve Dodson may have additional instructions for the

resistant variants.

 

[Bill Sanderson]

I don't think you'll get a response from Microsoft.

I do suspect that with a suitable external CD drive, you might be able to
boot to the Recovery Console, or install the Recovery Console on the hard
drive and boot to it that way, and delete these resistant files.

killbox might also allow for that.

Have you tried working with Ron Kinner, via HijackThis logs?