
Browser Hijack?

Status
Not open for further replies.

Trentham

Technical User
Nov 9, 2002
67
GB
A short time ago my browser (IE5.5, recently upgraded from 5.0) started showing evidence of being hijacked. Sometimes when it started up and sometimes during use it would link to one of a number of pages and thence on to various porn sites. In fact on start up it would sometimes do this even though not connected to the internet.

The original links seen have been to pages on kathic.offshorechicks.com,
Scans with AdAware and SpyBot Search and Destroy have revealed nothing in particular and currently I've got my machine protected by AdSubtract and PopUpCop, which are doing fine in closing down the windows but are also having the detrimental effect of closing things I might want.

I have been a little suspicious of a module IstSVCwnd because I don't know what it is or where it came from and it sometimes is the cause of machine hangs.

A recent connection also gave cause for doubt (including the word 'ist') when PopupCop said that a site was trying to download 'FREE SEX-XXXTOOLBAR' with a requesting web page of and a download location of

I'm running Win2000pro behind Outpost firewall and with (up to date) AVG virus scanner.

Any suggestions would be appreciated.

Ken
 
Try googling "istsvc" (instead of "istsvcwnd") - it looks like this may indeed be the culprit!

It looks like a case of BHO (Browser Helper Object) hijacking; a method that Ad-Aware and SpyBot aren't always on top of...

Try some of the anti-BHO tools from faq608-3482.

<marc> i wonder what will happen if i press this...
- please give feedback on what works / what doesn't
- need some help? how to get a better answer: faq581-3339
 
Hello Trentham,
The FAQ link that manarth has given will help you.
Personally I would recommend Spywareinfo.


You will find a link to the Hijack This utility there.
Friendly people there who will check your Hijack This log for you.
Also check out a new utility called CWShredder. petermeachem used the CWShredder utility when he had the problem mentioned here. thread760-601356




Ted

Proofread carefully to see if you any words out
 
Many thanks. I've had a scan with 'HijackThis' and it's revealed a lot of entries, and it does indeed look like istsvc is a naughty thing!
 
You too! I found where it had installed itself, and was able to go straight into Add/Remove Programs and delete it from there. The user that got this one says it arrived as a message claiming to be for a pop-up blocker. So far he hasn't complained, and so I think we got it all.
 
I can't trace the arrival of mine to anything unusual. It could perhaps have been an unblocked email message which dumped it before I had a chance to delete the message.

I always err on the side of caution when things are 'offered' me (both on the internet AND on the telephone!).
 
Pretty sketchy guys and gals...
...istsvc is a drive-by download (check it out: ...so not sure why any need to "trace its arrival" or otherwise.
Another good argument to be running SpyBot or AdAware with the latest updates....this particular parasite is old news and should have been easily avoided.
 
The need to trace its arrival is important because it could point to a weakness in my setup. I was already running the latest AdAware, SpyBot and various others and yet it still arrived.

I also need to know how it got in to help my clients with similar problems should they arise!
 
Are you using the Inoculate function of SpyBot? What I'm getting at is, it got there most assuredly due to someone surfing a site where the parasite "lives," hence the drive-by download.
 
Yep, I'm doing regular checks and inoculates where necessary but SpyBot didn't find this one.

Reading more about this sort of nuisance, it seems likely that somewhere something offered me an ActiveX control which, when I declined it, proceeded to carry on anyway!
 
I had the same problem and this helped me:

Take a look in your registry under this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL

You SHOULD see this setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
Default ="
With this subkey:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]

"ftp"="ftp://";
"gopher"="gopher://";
"home"=""mosaic"=""www"="
credit for this goes to CARR (he/she posted this)
 
XXXToolbar variant
Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry, if it is there. (Some early releases of XXXToolbar did not include this.)

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"
Restart the computer and you should be able to delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder. You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (and .1) to clean up if you like.

Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings)
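The two posts above give a manual checklist: the URL prefix values that should be stock, and the Run entry, files and keys ISTbar/XXXToolbar leaves behind. The following PowerShell script is an added example for this thread (not posted by anyone here, and not the removal tool's own code) that turns that checklist into a read-only audit. It reports indicators and deletes nothing, so the removal steps in the post remain a manual decision. Assumptions: PowerShell with the standard Registry provider; the stock Windows values for DefaultPrefix, home, mosaic and www are taken to be "http://" (the post's copy of those values did not survive); the file and key paths are exactly the ones the post names.

```powershell
# Read-only audit for the ISTbar / XXXToolbar indicators described in the thread.
# Added example, not from the original posts. Reports only; nothing is removed.
# Run from an elevated prompt so HKLM and %ProgramFiles% are readable.

# Assumption: stock Windows URL prefixes. ftp and gopher come from the post;
# home, mosaic, www and DefaultPrefix are taken to be "http://".
$expectedPrefixes = @{
    'ftp'    = 'ftp://'
    'gopher' = 'gopher://'
    'home'   = 'http://'
    'mosaic' = 'http://'
    'www'    = 'http://'
}
$expectedDefaultPrefix = 'http://'

$findings = @()

# 1. Autostart: the 'IST Service' value under HKCU Run named in the removal post
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['IST Service']) {
    $findings += "Run entry 'IST Service' = $($run.'IST Service')"
}

# 2. URL prefix hijack: any prefix that does not map to its own scheme
$prefKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes'
$pref = Get-ItemProperty -Path $prefKey -ErrorAction SilentlyContinue
foreach ($name in $expectedPrefixes.Keys) {
    $actual = if ($pref) { $pref.$name } else { $null }
    if ($actual -ne $expectedPrefixes[$name]) {
        $findings += "URL prefix '$name' is '$actual' (expected '$($expectedPrefixes[$name])')"
    }
}
$defKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'
$def = Get-ItemProperty -Path $defKey -ErrorAction SilentlyContinue
if ($def -and $def.'(default)' -ne $expectedDefaultPrefix) {
    $findings += "DefaultPrefix is '$($def.'(default)')' (expected '$expectedDefaultPrefix')"
}

# 3. Files and registry keys the removal post says the toolbar leaves behind
$artifacts = @(
    (Join-Path $env:ProgramFiles 'ISTbar\istbar.dll'),
    (Join-Path $env:WinDir 'istsvc.exe'),
    'HKCU:\Software\ISTbar',
    'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj',
    'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj.1'
)
foreach ($item in $artifacts) {
    if (Test-Path -LiteralPath $item) { $findings += "Present: $item" }
}

# 4. Live process: the istsvc module the original question was suspicious of
if (Get-Process -Name istsvc -ErrorAction SilentlyContinue) {
    $findings += 'Process istsvc.exe is running'
}

if ($findings.Count -eq 0) {
    'No ISTbar/XXXToolbar indicators found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

A prefix check that compares against the stock values is more useful than looking for one known bad string: a hijacker that rewrites "www" or DefaultPrefix to point at its own redirector shows up regardless of what domain it chose, which is the behaviour Trentham described (redirects even with no network connection).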
 
Thanks for all the ideas and info. HijackThis allowed me to see all the naughty things that were going on and fix them.
 
Trentham,
Good to hear you are now clear, HijackThis is a very good utility.
Thanks for letting us know.


Ted

"The difference between a misfortune and a calamity is this: If Gladstone fell into the Thames, it would be a misfortune. But if someone dragged him out again, that would be a calamity."
Benjamin Disraeli.
 