I have a persistent istbar trojan and any attempt to run spyware cleaners in
safe mode causes it to hang. I have winXP SP2 and the problem is the same for
3 different spyware programs. They work fine with a normal boot, just not in
safe mode - however removing the istbar trojan this way causes it to return.
Any advice appreciated.

Jen

Re: Safe mode hangs by Malke

Malke
Wed Feb 02 21:43:44 CST 2005

bahloohi wrote:

> I have a persistent istbar trojan and any attempt to run spyware
> cleaners in safe mode causes it to hang. I have winXP SP2 and the
> problem is the same for 3 different spyware programs. They work fine
> with a normal boot, just not in safe mode - however removing the
> istbar trojan this way causes it to return. Any advice appreciated.
>
> Jen

Here's Symantec's write-up and removal tool:

http://sarc.com/avcenter/venc/data/adware.istbar.html

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"

Re: Safe mode hangs by bahloohi

bahloohi
Thu Feb 03 03:01:03 CST 2005



"Malke" wrote:

> Here's Symantec's write-up and removal tool:
>
> http://sarc.com/avcenter/venc/data/adware.istbar.html
>
> Malke

Thanks for your response Malke.
Apologies, I should have posted at more length; I have already tried the
Symantec fix. Here is a rundown of what I have tried so far:

From Ad-Aware SE build 1.05 (Deep scan)

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object :
S-1-5-21-********-861567501-725345543-1004\software\ist

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object :
S-1-5-21-*********-861567501-725345543-1004\software\ist
Value : Recover

(not sure if replacing numbers with wild symbols is necessary but I thought
it better to be safe than sorry)

From Microsoft Antispyware Beta1
Detected Threats

IST.ISTbar Browser Hijacker more information...(clicking this reveals "no
information available")
Details: ISTbar is an Internet Explorer redirector that modifies your
homepage and searches without your consent using an Internet Explorer toolbar.
Status: Ignored
Severe threat - Severe threats typically are remotely exploitable
vulnerabilities, which can lead to system compromise. Successful exploitation
does not normally require any interaction and exploits are in the wild. There
exists a high possibility of potential system damage or security flaw. Attacker
has complete control over your computer or install new software on your machine.

Infected registry keys/values detected
HKEY_CURRENT_USER\software\ist
HKEY_CURRENT_USER\software\ist Recover

Anonymizer also finds
HKEY_CURRENT_USER\software\ist

CWshredder finds nothing.
The Symantec fix you recommended finds nothing.
System restore is off.
All programs using latest updates.

AVG finds nothing at present but 2 days ago I was getting almost continual
warnings about Trojan Horse Downloader.Istbar.5.AQ

I have emptied windows/documents and settings/<each user>/local
settings/temp, emptied TIFs, deleted the registry entries both by the
programs listed above and manually, all to no avail. Each time I reboot there
it is again. I'm not sure if doing all this in safe mode will make a
difference but I'd like to try except for the fact that safe mode is unstable
and hangs at different intervals each time I try.

Any suggestions?

TIA

Jen



Re: Safe mode hangs by bahloohi

bahloohi
Tue Feb 08 05:43:02 CST 2005

I still need help with this please.

"bahloohi" wrote:

>
>
> "Malke" wrote:
>
> > Here's Symantec's write-up and removal tool:
> >
> > http://sarc.com/avcenter/venc/data/adware.istbar.html
> >
> > Malke
>
> Thanks for your response Malke.
> Apologies, I should have posted at more length; I have already tried the
> Symantec fix. Here is a rundown of what I have tried so far:
>
> From Ad-Aware SE build 1.05 (Deep scan)
>
> istbar Object Recognized!
> Type : Regkey
> Data :
> Category : Malware
> Comment :
> Rootkey : HKEY_USERS
> Object :
> S-1-5-21-********-861567501-725345543-1004\software\ist
>
> istbar Object Recognized!
> Type : RegValue
> Data :
> Category : Malware
> Comment :
> Rootkey : HKEY_USERS
> Object :
> S-1-5-21-*********-861567501-725345543-1004\software\ist
> Value : Recover
>
> (not sure if replacing numbers with wild symbols is necessary but I thought
> it better to be safe than sorry)
>
> From Microsoft Antispyware Beta1
> Detected Threats
>
> IST.ISTbar Browser Hijacker more information...(clicking this reveals "no
> information available")
> Details: ISTbar is an Internet Explorer redirector that modifies your
> homepage and searches without your consent using an Internet Explorer toolbar.
> Status: Ignored
> Severe threat - Severe threats typically are remotely exploitable
> vulnerabilities, which can lead to system compromise. Successful exploitation
> does not normally require any interaction and exploits are in the wild. There
> exists a high possibility of potential system damage or security flaw. Attacker
> has complete control over your computer or install new software on your machine.
>
> Infected registry keys/values detected
> HKEY_CURRENT_USER\software\ist
> HKEY_CURRENT_USER\software\ist Recover
>
> Anonymizer also finds
> HKEY_CURRENT_USER\software\ist
>
> CWshredder finds nothing.
> The Symantec fix you recommended finds nothing.
> System restore is off.
> All programs using latest updates.
>
> AVG finds nothing at present but 2 days ago I was getting almost continual
> warnings about Trojan Horse Downloader.Istbar.5.AQ
>
> I have emptied windows/documents and settings/<each user>/local
> settings/temp, emptied TIFs, deleted the registry entries both by the
> programs listed above and manually, all to no avail. Each time I reboot there
> it is again. I'm not sure if doing all this in safe mode will make a
> difference but I'd like to try except for the fact that safe mode is unstable
> and hangs at different intervals each time I try.
>
> Any suggestions?
>
> TIA
>
> Jen
>
>

Re: Safe mode hangs by Malke

Malke
Tue Feb 08 07:45:39 CST 2005

bahloohi wrote:

See comments at end of your post. Some parts of your post have been
snipped for brevity.

> I still need help with this please.
>
> "bahloohi" wrote:
>
>> Thanks for your response Malke.
>> Apologies, I should have posted at more length; I have already tried
>> the Symantec fix. Here is a rundown of what I have tried so far:
>>
>> From Ad-Aware SE build 1.05 (Deep scan)
>>
>> istbar Object Recognized!
>> Rootkey : HKEY_USERS
>> Object :
>> S-1-5-21-********-861567501-725345543-1004\software\ist
>>
>> istbar Object Recognized!
>> Rootkey : HKEY_USERS
>> Object :
>> S-1-5-21-*********-861567501-725345543-1004\software\ist
>> Value : Recover
>>
>> From Microsoft Antispyware Beta1
>> Detected Threats
>> IST.ISTbar Browser Hijacker
>>
>> Infected registry keys/values detected
>> HKEY_CURRENT_USER\software\ist
>> HKEY_CURRENT_USER\software\ist Recover
>>
>> Anonymizer also finds
>> HKEY_CURRENT_USER\software\ist
>>
>> CWshredder finds nothing.
>> The Symantec fix you recommended finds nothing.
>> System restore is off.
>> All programs using latest updates.
>>
>> AVG finds nothing at present but 2 days ago I was getting almost
>> continual warnings about Trojan Horse Downloader.Istbar.5.AQ
>>
>> I have emptied windows/documents and settings/<each user>/local
>> settings/temp, emptied TIFs, deleted the registry entries both by
>> the programs listed above and manually, all to no avail. Each time I
>> reboot there it is again. I'm not sure if doing all this in safe mode
>> will make a difference but I'd like to try except for the fact that
>> safe mode is unstable and hangs at different intervals each time I
>> try.

Patience is a virtue. Volunteers who help in the MS newsgroups, such as
I do, live all over the world and most of us also have Real Jobs and
Real Lives. If the situation is urgent, you always have the option to
take the machine to a good local computer professional. This may be
your best course of action anyway.

In order to permanently remove malware, you must do it when the malware
is not running. This means Safe Mode or by going outside the operating
system with something like ERD Commander (very expensive) or a Bart's
PE disk that you've built. You've got to delete those registry keys.
So, why is the system unstable in Safe Mode? Do you have Nero's InCD
4.3 installed? This is a known cause of instability/inability to get
into Safe Mode with XP SP2. Apparently going back to an earlier version
of InCD (just the InCD program, not the rest of Nero's programs) fixes
this. Nero also has an update to InCD (and the rest of their programs)
on their site. If you have InCD and don't use it, uninstall it and see
if you can now get into Safe Mode successfully.

Please do post back and let me know the details of your issues with Safe
Mode and if you have InCD. I will be checking the groups throughout my
day (it is 5:45 AM here now).

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
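An added example, not code from anyone in this thread: a PowerShell script that audits every loaded user hive under HKEY_USERS for the key the scanners reported (Software\ist with its Recover value), logs what it finds, and removes the key only when asked. It follows Malke's point that the deletion has to happen while the malware is not running, so it is meant to be run from an elevated prompt in Safe Mode, and then again after a normal reboot to see whether the key comes back. The key and value names come from the scan output above; the function names, the log path and the assumption that the key sits at the same relative path in every hive are mine. PowerShell was not shipped with XP SP2, so on the original machine it would have to be installed first.

```powershell
# Added example (not from the thread): report and optionally remove the
# ISTbar persistence key the scanners flagged. Key name "Software\ist" and
# value name "Recover" are taken from the thread; everything else is assumed.

function Get-IstbarRegistryArtifacts {
    [CmdletBinding()]
    param(
        # Assumption: the key lives at the same relative path under every hive.
        [string]$RelativeKey = 'Software\ist'
    )
    # Walk every loaded hive (each user SID plus .DEFAULT) and skip the
    # *_Classes aliases, which are not separate user profiles.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $keyPath = Join-Path $_.PSPath $RelativeKey
            if (Test-Path -LiteralPath $keyPath) {
                $key = Get-Item -LiteralPath $keyPath
                $values = @{}
                foreach ($name in $key.GetValueNames()) {
                    $values[$name] = $key.GetValue($name)
                }
                [pscustomobject]@{
                    Hive       = $_.PSChildName          # SID of the profile, e.g. S-1-5-21-...-1004
                    KeyPath    = $key.Name               # full HKEY_USERS\<SID>\Software\ist path
                    HasRecover = $values.ContainsKey('Recover')
                    Values     = $values
                    Seen       = Get-Date
                }
            }
        }
}

function Remove-IstbarRegistryArtifacts {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$RelativeKey = 'Software\ist',
        [string]$LogPath = "$env:TEMP\istbar-cleanup.log"   # assumed log location
    )
    $found = Get-IstbarRegistryArtifacts -RelativeKey $RelativeKey
    if (-not $found) {
        Write-Host "No $RelativeKey key found under any loaded hive."
        return
    }
    foreach ($item in $found) {
        # Record the key and its value names before deleting, so a reappearance
        # after reboot can be compared against what was removed.
        "$($item.Seen.ToString('s')) $($item.KeyPath) values=$($item.Values.Keys -join ',')" |
            Add-Content -LiteralPath $LogPath
        if ($PSCmdlet.ShouldProcess($item.KeyPath, 'Remove registry key')) {
            Remove-Item -LiteralPath "Registry::$($item.KeyPath)" -Recurse -Force
        }
    }
    Write-Host "Details written to $LogPath."
    Write-Host "Reboot normally and run Get-IstbarRegistryArtifacts again: if the key is back,"
    Write-Host "something that still starts with Windows is recreating it."
}

# Typical use, in this order:
#   Get-IstbarRegistryArtifacts | Format-List        # inventory only
#   Remove-IstbarRegistryArtifacts -WhatIf           # preview the deletion
#   Remove-IstbarRegistryArtifacts                   # delete, with confirmation
```

The reason for walking HKEY_USERS rather than HKEY_CURRENT_USER is the scan output in the thread itself: Ad-Aware reported the key under a specific SID hive, and a machine with several accounts (the poster cleaned the temp folder for "each user") may carry the same key in more than one profile, which a HKCU-only cleanup would miss. The log of what was removed is what turns a second run after reboot into evidence: an identical key returning means a startup component, not a leftover, is the thing still to be found.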