Can't get rid of XXXToolbar / istsvc.exe

[Pierre-Normand Houle]

I've been trying to eradicate this virus for several days. It was detected
by Spybot. I have installed Ad-Aware SE Personal and bought a copy
of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided by
Symantec.

I start WinXp in safe mode and run all these utilities, scan all my drives,
remove all the pest and all seems clean. I reboot and it just reinstalls itself.
The suspicious processes that keep coming back are qquwa.exe, qquwm.exe,
xpjrvh.exe and, of course, istsvc.exe, plus a load of registry entries referring
to XXXToolbar and other crap. I kill and clean everything but it keeps coming
back after each reboot. (I've tried most of the manual removal procedures
for XXXToolbar and Istbar that I've found on the web or usenet)

It there a *free* antivirus out there that would block it from reinstalling itself
at reboot or make a better job of detecting and eradicating it than Spybot,
AdAware and Spyhunter do? I'd be glad to stop spending money trying to
get rid of that nuisance.

Thanks for any help!

[CalamityKen]

Pierre-Normand Houle wrote:
> I've been trying to eradicate this virus for several days. It was
> detected
> by Spybot. I have installed Ad-Aware SE Personal and bought a copy
> of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided
> by Symantec.

Read about SpyHunter:
Rogue/Suspect Anti-Spyware Products & Web Sites
http://www.spywarewarrior.com/rogue_...re.htm#sh_note

> I start WinXp in safe mode and run all these utilities, scan all my
> drives, remove all the pest and all seems clean. I reboot and it just
> reinstalls itself. The suspicious processes that keep coming back are
> qquwa.exe, qquwm.exe, xpjrvh.exe and, of course, istsvc.exe, plus a
> load of registry entries referring to XXXToolbar and other crap. I
> kill and clean everything but it keeps coming back after each reboot.
> (I've tried most of the manual removal procedures
> for XXXToolbar and Istbar that I've found on the web or usenet)
>
> It there a *free* antivirus out there that would block it from
> reinstalling itself at reboot or make a better job of detecting and
> eradicating it than Spybot, AdAware and Spyhunter do? I'd be glad to
> stop spending money trying to
> get rid of that nuisance.
>
> Thanks for any help!

Download the latest v1.99.1 version of HijackThis to use and post your new
log in a support forum after you have followed all directions:
http://tools.radiosplace.com/hijackthis.zip
or
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

*Important:* Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on
C: then right click and select New then Folder and name it HJT.

Move HijackThis.exe into this folder as you do not want the HijackThis
backup logs in the Temp folder that should be cleaned out periodically nor
all over your Desktop.

When you run HijackThis from C:\HJT folder by double clicking on it and have
it "Fixed checked" it will create a backup file of modifications to use if
restore is necessary.

Support forum:
http://forums.maddoktor2.com/index.php?showforum=17

Install the prevention protection below and *help your friends from being
infected on the Internet.*

"An ounce of prevention is worth a pound of cure."

Remove the infections and install the prevention protection on *ALL* User
Account IDs.

Empty the Recycle Bin frequently.

Download and run CCleaner as the Temp folders should be cleaned out
periodically as installation programs and hijack programs leave a lot of
junk there.
http://www.ccleaner.com
Then reboot to let it clean out what it found.

Download Windows Prefetch Clean and Control then run it and clean the
Prefetch monthly.
http://www.majorgeeks.com/download2495.html

Defrag the hard drive regularly especially after CCleaner.

By the way, in order to improve Internet Explorer (IE) performance the
Temporary(TIF)should be cleaned out periodically.
Also, it is a good idea to limit the size of the TIF to 10MB for performance
sake.
In IE go to Tools then Internet Options then Settings and move the slider
down to 10MB.

Download and install WinPatrol.
http://www.winpatrol.com

*Note:* WinPatrol is more comprehensive than TeaTimer.
Go to Spybot S&D and disable TeaTimer in the Tools Resident area.

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and
SpywareBlaster then *keep them up to date* as today's Internet is full of
nasty infections.
https://netfiles.uiuc.edu/ehowes/www...ce.htm#IESPYAD
http://www.bleepingcomputer.com/forums/tutorial53.html
http://www.javacoolsoftware.com/spywareblaster.html
--
YoKenny
Keep your Security software up to date at CoU
http://www.dozleng.com/updates/index.php?&act=calendar

[Capt. Neal®]

"CalamityKen" <YKnot@home.invalid> wrote in message news:Py_3e.2965$Fy3.177283@news20.bellglobal.com.. .
> Pierre-Normand Houle wrote:
>> I've been trying to eradicate this virus for several days. It was
>> detected
>> by Spybot. I have installed Ad-Aware SE Personal and bought a copy
>> of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided
>> by Symantec.
>
> Read about SpyHunter:
> Rogue/Suspect Anti-Spyware Products & Web Sites
> http://www.spywarewarrior.com/rogue_...re.htm#sh_note
>
>> I start WinXp in safe mode and run all these utilities, scan all my
>> drives, remove all the pest and all seems clean. I reboot and it just
>> reinstalls itself. The suspicious processes that keep coming back are
>> qquwa.exe, qquwm.exe, xpjrvh.exe and, of course, istsvc.exe, plus a
>> load of registry entries referring to XXXToolbar and other crap. I
>> kill and clean everything but it keeps coming back after each reboot.
>> (I've tried most of the manual removal procedures
>> for XXXToolbar and Istbar that I've found on the web or usenet)
>>
>> It there a *free* antivirus out there that would block it from
>> reinstalling itself at reboot or make a better job of detecting and
>> eradicating it than Spybot, AdAware and Spyhunter do? I'd be glad to
>> stop spending money trying to
>> get rid of that nuisance.
>>
>> Thanks for any help!
>
> Download the latest v1.99.1 version of HijackThis to use and post your new
> log in a support forum after you have followed all directions:
> http://tools.radiosplace.com/hijackthis.zip
> or
> http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>
> *Important:* Create a folder on the C: drive called C:\HJT.
> You can do this by going to My Computer (Windows key+e) then double click on
> C: then right click and select New then Folder and name it HJT.
>
> Move HijackThis.exe into this folder as you do not want the HijackThis
> backup logs in the Temp folder that should be cleaned out periodically nor
> all over your Desktop.
>
> When you run HijackThis from C:\HJT folder by double clicking on it and have
> it "Fixed checked" it will create a backup file of modifications to use if
> restore is necessary.
>
> Support forum:
> http://forums.maddoktor2.com/index.php?showforum=17
>
> Install the prevention protection below and *help your friends from being
> infected on the Internet.*
>
> "An ounce of prevention is worth a pound of cure."
>
> Remove the infections and install the prevention protection on *ALL* User
> Account IDs.
>
> Empty the Recycle Bin frequently.
>
> Download and run CCleaner as the Temp folders should be cleaned out
> periodically as installation programs and hijack programs leave a lot of
> junk there.
> http://www.ccleaner.com
> Then reboot to let it clean out what it found.
>
> Download Windows Prefetch Clean and Control then run it and clean the
> Prefetch monthly.
> http://www.majorgeeks.com/download2495.html
>
> Defrag the hard drive regularly especially after CCleaner.
>
> By the way, in order to improve Internet Explorer (IE) performance the
> Temporary(TIF)should be cleaned out periodically.
> Also, it is a good idea to limit the size of the TIF to 10MB for performance
> sake.
> In IE go to Tools then Internet Options then Settings and move the slider
> down to 10MB.
>
> Download and install WinPatrol.
> http://www.winpatrol.com
>
> *Note:* WinPatrol is more comprehensive than TeaTimer.
> Go to Spybot S&D and disable TeaTimer in the Tools Resident area.
>
> Browser settings for increased security:
> http://bshagnasty.home.att.net/browsersettings.htm
>
> Install IE-SPYAD then run the install.bat in the ie-spyad folder and
> SpywareBlaster then *keep them up to date* as today's Internet is full of
> nasty infections.
> https://netfiles.uiuc.edu/ehowes/www...ce.htm#IESPYAD
> http://www.bleepingcomputer.com/forums/tutorial53.html
> http://www.javacoolsoftware.com/spywareblaster.html
> --
> YoKenny
> Keep your Security software up to date at CoU
> http://www.dozleng.com/updates/index.php?&act=calendar
>

Great post. Thanks Kenny. I forwarded it via e-mail to a friend
who's just been victimized.

CN

[Pierre-Normand Houle]

"CalamityKen" <YKnot@home.invalid> wrote in message news:Py_3e.2965$Fy3.177283@news20.bellglobal.com.. .
> Pierre-Normand Houle wrote:
> > I've been trying to eradicate this virus for several days. It was
> > detected
> > by Spybot. I have installed Ad-Aware SE Personal and bought a copy
> > of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided
> > by Symantec.
>
> Read about SpyHunter:
> Rogue/Suspect Anti-Spyware Products & Web Sites
> http://www.spywarewarrior.com/rogue_...re.htm#sh_note
>
> > I start WinXp in safe mode and run all these utilities, scan all my
> > drives, remove all the pest and all seems clean. I reboot and it just
> > reinstalls itself. The suspicious processes that keep coming back are
> > qquwa.exe, qquwm.exe, xpjrvh.exe and, of course, istsvc.exe, plus a
> > load of registry entries referring to XXXToolbar and other crap. I
> > kill and clean everything but it keeps coming back after each reboot.
> > (I've tried most of the manual removal procedures
> > for XXXToolbar and Istbar that I've found on the web or usenet)
> >
> > It there a *free* antivirus out there that would block it from
> > reinstalling itself at reboot or make a better job of detecting and
> > eradicating it than Spybot, AdAware and Spyhunter do? I'd be glad to
> > stop spending money trying to
> > get rid of that nuisance.
> >
> > Thanks for any help!
>
> Download the latest v1.99.1 version of HijackThis to use and post your new
> log in a support forum after you have followed all directions:
> http://tools.radiosplace.com/hijackthis.zip
> or
> http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>
> *Important:* Create a folder on the C: drive called C:\HJT.
> You can do this by going to My Computer (Windows key+e) then double click on
> C: then right click and select New then Folder and name it HJT.
>
> Move HijackThis.exe into this folder as you do not want the HijackThis
> backup logs in the Temp folder that should be cleaned out periodically nor
> all over your Desktop.
>
> When you run HijackThis from C:\HJT folder by double clicking on it and have
> it "Fixed checked" it will create a backup file of modifications to use if
> restore is necessary.
>
> Support forum:
> http://forums.maddoktor2.com/index.php?showforum=17

Thanks Kenny,

My PC is still infected but I've run HijackThis and posted the log to
forums.maddoktor2.com. Hopefully, somebody can see something
that's being missed by AdAware, SpyHunter and the Symantec removal
tool.

[CalamityKen]

Pierre-Normand Houle wrote:
> "CalamityKen" wrote:
>> Pierre-Normand Houle wrote:
>>> I've been trying to eradicate this virus for several days. It was
>>> detected
>>> by Spybot. I have installed Ad-Aware SE Personal and bought a copy
>>> of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided
>>> by Symantec.
>>
>> Read about SpyHunter:
>> Rogue/Suspect Anti-Spyware Products & Web Sites
>> http://www.spywarewarrior.com/rogue_...re.htm#sh_note
>>
>>> I start WinXp in safe mode and run all these utilities, scan all my
>>> drives, remove all the pest and all seems clean. I reboot and it
>>> just reinstalls itself. The suspicious processes that keep coming
>>> back are qquwa.exe, qquwm.exe, xpjrvh.exe and, of course,
>>> istsvc.exe, plus a load of registry entries referring to XXXToolbar
>>> and other crap. I kill and clean everything but it keeps coming
>>> back after each reboot. (I've tried most of the manual removal
>>> procedures
>>> for XXXToolbar and Istbar that I've found on the web or usenet)
>>>
>>> It there a *free* antivirus out there that would block it from
>>> reinstalling itself at reboot or make a better job of detecting and
>>> eradicating it than Spybot, AdAware and Spyhunter do? I'd be glad to
>>> stop spending money trying to
>>> get rid of that nuisance.
>>>
>>> Thanks for any help!
>>
>> Download the latest v1.99.1 version of HijackThis to use and post
>> your new log in a support forum after you have followed all
>> directions: http://tools.radiosplace.com/hijackthis.zip
>> or
>> http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>>
>> *Important:* Create a folder on the C: drive called C:\HJT.
>> You can do this by going to My Computer (Windows key+e) then double
>> click on C: then right click and select New then Folder and name it
>> HJT.
>>
>> Move HijackThis.exe into this folder as you do not want the
>> HijackThis backup logs in the Temp folder that should be cleaned out
>> periodically nor all over your Desktop.
>>
>> When you run HijackThis from C:\HJT folder by double clicking on it
>> and have it "Fixed checked" it will create a backup file of
>> modifications to use if restore is necessary.
>>
>> Support forum:
>> http://forums.maddoktor2.com/index.php?showforum=17
>
> Thanks Kenny,
>
> My PC is still infected but I've run HijackThis and posted the log to
> forums.maddoktor2.com. Hopefully, somebody can see something
> that's being missed by AdAware, SpyHunter and the Symantec removal
> tool.

I answered your request.
http://forums.maddoktor2.com/index.php?showtopic=3705
--
YoKenny
Keep your Security software up to date at CoU
http://www.dozleng.com/updates/index.php?&act=calendar

[Captain Jinks]

In article <kc_3e.13493$g_5.328508@wagner.videotron.net>,
houlepn.nospam@attglobal.net says...
> I've been trying to eradicate this virus for several days. It was detected
> by Spybot. I have installed Ad-Aware SE Personal and bought a copy
> of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided by
> Symantec.
>
> I start WinXp in safe mode and run all these utilities, scan all my drives,
> remove all the pest and all seems clean. I reboot and it just reinstalls itself.
> The suspicious processes that keep coming back are qquwa.exe, qquwm.exe,
> xpjrvh.exe and, of course, istsvc.exe, plus a load of registry entries referring
> to XXXToolbar and other crap. I kill and clean everything but it keeps coming
> back after each reboot. (I've tried most of the manual removal procedures
> for XXXToolbar and Istbar that I've found on the web or usenet)
>
> It there a *free* antivirus out there that would block it from reinstalling itself
> at reboot or make a better job of detecting and eradicating it than Spybot,
> AdAware and Spyhunter do? I'd be glad to stop spending money trying to
> get rid of that nuisance.
>
> Thanks for any help!

I encountered a virus a few months ago that could not be found or
removed by any scanner that I had available to me. Ultimately I decided
that I might not be able to actually remove the thing but I could
prevent it from triggering its payload.

What I did was to create empty text files and while in Safe Mode I
replaced all the virus files with bogus copies that were completely
harmless. The viral infection would check on boot up to see if the
assorted files were present and if not it would recreate them. The
bogus files I created were enough to stop the virus at that point. As
long as the virus doesn't actually check the contents of the files it
will be satisfied that it is going to do its damage.

Try this routine and it may be enough to keep the thing from doing
anything until your antivirus or spyware program is capable of detecting
and removing the thing.

[Ian JP Kenefick]

On Mon, 04 Apr 2005 22:41:14 GMT, Captain Jinks
<addresswitheld@nospam.net> wrote:

>In article <kc_3e.13493$g_5.328508@wagner.videotron.net>,
>houlepn.nospam@attglobal.net says...
>> I've been trying to eradicate this virus for several days. It was detected
>> by Spybot. I have installed Ad-Aware SE Personal and bought a copy
>> of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided by
>> Symantec.
>>
[snip]

Run 'sysclean_fe' tool available from the link below. It may be that a
trojan downloader is reinstalling the malware.

--

Regards,
Ian Kenefick
http://antivirus.ik-cs.com

[David H. Lipman]

From: "Pierre-Normand Houle" <houlepn.nospam@attglobal.net>

|
| Thanks Kenny,
|
| My PC is still infected but I've run HijackThis and posted the log to
| forums.maddoktor2.com. Hopefully, somebody can see something
| that's being missed by AdAware, SpyHunter and the Symantec removal
| tool.
|

Please read the following URL on Clean Booting XP
http://support.microsoft.com/kb/310353

Use a combination of CounterSpy -- http://www.sunbelt-software.com/CounterSpy.cfm
and BHODemon -- http://www.definitivesolutions.com/bhodemon.htm to remove ISTsvc.

I know of success stories using thses two to remove it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

[Ken]

David H. Lipman wrote:

>From: "Pierre-Normand Houle" <houlepn.nospam@attglobal.net>
>
>|
>| Thanks Kenny,
>|
>| My PC is still infected but I've run HijackThis and posted the log to
>| forums.maddoktor2.com. Hopefully, somebody can see something
>| that's being missed by AdAware, SpyHunter and the Symantec removal
>| tool.
>|
>
>Please read the following URL on Clean Booting XP
>http://support.microsoft.com/kb/310353
>
>Use a combination of CounterSpy -- http://www.sunbelt-software.com/CounterSpy.cfm
>and BHODemon -- http://www.definitivesolutions.com/bhodemon.htm to remove ISTsvc.
>
>I know of success stories using thses two to remove it.
>
>
>
Post your Hijackthis log on the Tom Coyote forum.
www.tomcoyote.org
www.pcpitstop.com

Ken

[Zilva Zanga]

"Pierre-Normand Houle" <houlepn.nospam@attglobal.net> wrote in message
news:kc_3e.13493$g_5.328508@wagner.videotron.net.. .
> I've been trying to eradicate this virus for several days. It was detected
> by Spybot. I have installed Ad-Aware SE Personal and bought a copy
> of Spyhunter for 30$. I've also run the FxIsbar.exe utility provided by
> Symantec.
>
> I start WinXp in safe mode and run all these utilities, scan all my
> drives,
> remove all the pest and all seems clean. I reboot and it just reinstalls
> itself.
> The suspicious processes that keep coming back are qquwa.exe, qquwm.exe,
> xpjrvh.exe and, of course, istsvc.exe, plus a load of registry entries
> referring
> to XXXToolbar and other crap. I kill and clean everything but it keeps
> coming
> back after each reboot. (I've tried most of the manual removal procedures
> for XXXToolbar and Istbar that I've found on the web or usenet)
>
> It there a *free* antivirus out there that would block it from
> reinstalling itself
> at reboot or make a better job of detecting and eradicating it than
> Spybot,
> AdAware and Spyhunter do? I'd be glad to stop spending money trying to
> get rid of that nuisance.
>
> Thanks for any help!
>
>

http://forum.hijackthis.de/showthread.php?t=2792
Read down through the posts. Ruby explains to the poster how to eliminate a
trojan. Although it's not the same as yours the directions may still work.
It worked for me on a different trojan.