# [Resolved] Removing rb32 and IST svc from Program Properties



## sunnyman (May 19, 2003)

Hello,
Was wondering if someone could help me out? I have IST svc and rb32 under Properties. I am not sure if these are both viruses or not, but can not remove the rb32 from Add/Remove Programs Properties. I am running Windows 98 and use Internet Explorer. If someone could shed some light on these for me, and advise on how to get rid of them I would be extremely grateful. Thank you in advance.
Sunnyman


----------



## passin_by (Jul 10, 2003)

http://217.115.153.73/parasite/RapidBlaster.html

It also includes JavaCool's RBKiller, a specific tool to completely remove RapidBlaster.


----------



## Rollin' Rog (Dec 9, 2000)

In addition to that I'd also recommend installing, UPDATING, and running Spybot and then posting a HijackThis Scanlog when done.

http://tomcoyote.org/SPYBOT/
http://www.tomcoyote.org/hjt/


----------



## sunnyman (May 19, 2003)

Passin by & Rollin' Rog,
Thank you for your replies. I tried downloading Hijack this, but for some reason it does not run and save to the file I name. All I get is my Juno icon which pulls up my Juno start up page. Can you help? Thank you.
Sunnyman


----------



## IMM (Feb 1, 2002)

For the moment - just try renaming the hijackthis.log file it creates in the same directory you unzipped HijackThis to, to something like hijackthis.txt. Then it will open with notepad.

You aren't seeing errors related to the vb6 runtimes - are you?


----------



## sunnyman (May 19, 2003)

Thanks IMM I'll give that a try. Have not seen vb6 runtimes.


----------



## passin_by (Jul 10, 2003)

> _Originally posted by sunnyman:_
> *Passin by & Rollin' Rog,*
> *I tried downloading Hijack this, but for some reason it does not run and save to the file I name.*


When you unzip the HJT just make it a folder on your harddrive.
(example: C:\hijackthis) .
After unzipping into that folder it should run.
Double click hijackthis.exe 
click on scan
click save log (after scan is finished)
it will save it to the C:\hijackthis folder.

when you go to open the log file (in my case)
the "open with" box came up, if this happens
click on notepad to open the file for you.

(*you can also click on the file once, hold down your shift key 
and right click then click on "open with", then notepad*)


----------



## sunnyman (May 19, 2003)

Passin by thanks for your reply,
For some reason every time I try to download Hijackthis only get about 2:20 minutes into it and doesn't finish. I'm not sure if I have a zipfile? Is there some way to check? When I try to download I am prompted with:
File Download Box
Save This file to disk or 
Open this file from current location
Save as Box
Save in (C Can not add file name to this area
File name: hijackthis
Save as type: Zip file or
All Files
Downloading stops at 2:20 remaining, and can never open file where it gets saved. Can someone help?? Thanks


----------



## Rollin' Rog (Dec 9, 2000)

The download dialog should automatically enter the name once you click "Save", then you select the folder to download to. And it should download very quickly.

How about if you right click on this url and select "save target as":

http://www.spywareinfo.com/~merijn/files/hijackthis.zip?


----------



## sunnyman (May 19, 2003)

Rollin'Rog,
Tried that thanks. But for some reason when Hijackthis is saved to "C" drive it is saved as my Juno logo, and when I click to open it takes me to Juno not to the Hijackthis program. Any answers as to why this continues to happen?


----------



## Rollin' Rog (Dec 9, 2000)

It sounds like you don't have an installed zip program, like Winzip.

As a workaround for the moment, try following my directions for downloading and renaming the attachment in this post.

http://forums.techguy.org/showthread.php?postid=972249#post972249

You can also get Winzip and install it. The "evaluation" version does not expire, and you just have to click through what is known as a "nag" screen when you use it.

http://www.winzip.com/download.cgi?home


----------



## sunnyman (May 19, 2003)

Rollin' Rog and those who have been so helpful in the TSG forum thank you very much, I was able to download WinZip and run the Hijack scan on my computer. Would not have been able to do so without your help. Now I will attempt to cut & paste my Hijackthis scan. Could one of you kind people let me know what I should delete. Thanks for your help very much! It is greatly appreciated!
Logfile of HijackThis v1.95.1
Scan saved at 10:32:20 PM, on 7/27/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\WIN32US.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.martfinder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/s/sp?brand=JN
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://approvedlinks.com/
F1 - win.ini: run=hpfsched
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37719.6174305556
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: c:\windows\java\my.css


----------



## Rollin' Rog (Dec 9, 2000)

Ok, now you need to do the following:

Place checks in all the HijackThis Scanlog entries I list below, then close all IE browser windows and click "fix checked". Reboot afterwards. Install and run Spybot following the directions in the link given for Spybot earlier in this thread. Reboot and post another ScanLog.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.martfinder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://approvedlinks.com/
F1 - win.ini: run=hpfsched

O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect

^^^^ This entry is a modem dialer, you may find yourself with a large phone bill if this has been connecting to the net rather than your normal modem connection. It may mean some serious hassles with the phone company, but if you are persistent they may cancel any exorbitant charges on a one time basis.

On rebooting, or after running Spybot, you should ensure these three files are deleted from the system:

Winshow.dll
ISTsvc (the folder in Program Files)
win32us.exe

Also, if you have not created a personal "style sheet" and you would know what it was if you had, delete this HijackThis entry as well:

O19 - User stylesheet: c:\windows\java\my.css


----------



## passin_by (Jul 10, 2003)

I try to stay away from telling anyone what should/shouldn't be removed from their computer unless I know for certain it doesn't belong.
lol.. sure glad Rollin'Rog is checkin over shoulders. 

Rollin'Rog, would you mind takin a look at my hjt log
if I posted it? 
funny how I don't mind trying to help others w/their
machine but when it comes to mine Im weary about
listening and doing....  

Glad you were able to get somewhere Sunnyman.


----------



## Rollin' Rog (Dec 9, 2000)

Passin_by, if you will post it in a separate thread, I or someone equally capable, will be happy to review it for you... I will double check just to assure you.


----------



## sunnyman (May 19, 2003)

Rollin'Rog,
Thanks for your guidance with all of this. Below is my latest Hijackthis Scanlog. I am having difficulty completely running my Spybot Search & Destroy. I get about half way through running the bot-check, and it freezes at (2957/5835:C2.lop) and will not finish completely running the search & destroy. This same thing has happened before making any deletions of the Hijackthis scanlog. I'm not sure why I can not completely run the Spybot Search & Destroy. Can you advise. Thanks for your help!

Logfile of HijackThis v1.95.1
Scan saved at 9:37:43 PM, on 7/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/s/sp?brand=JN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37719.6174305556
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: c:\windows\java\my.css


----------



## Rollin' Rog (Dec 9, 2000)

Did you update Spybot before running it? There were some issues with this on older data files, but the updates have largely resolved it.

I have found that it will hang on that entry for some time on a friend's system, despite the update, but if you give it 10 minutes or so, it will continue.

There is a workaround. If you click on the "Excludes" tab, then "Cookies" and put a check in the "C2.lop" check box

You still need to get rid of this:

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

Try doing a ctrl-alt-del, then end task *istsvc.exe* before removing it with HijackThis. Then do a Find files for it and delete the ISTsvc folder in Program Files.


----------



## sunnyman (May 19, 2003)

Rollin'Rog,
Thanks! I did an update on Spybot and was able to get by the glitch. Found 28 detected programs. Should I delete all of these? I will follow your instructions above for removal of ISTsvc folder. Thanks again for your help!


----------



## Rollin' Rog (Dec 9, 2000)

Go ahead and have Spybot remove all it targets. It may take out the istsvc stuff completely for you, but check afterwards.


----------



## sunnyman (May 19, 2003)

Rollin' Rog,
Looks like it worked! I owe you a debt of gratitude! Thank you for sticking with me and walking me through all of this. I let Spybot remove all it targeted which was a lot, and went to Programs and removed the ISTsvc folder which I could not do before. Also I do not see rb32 anymore under my Programs file. I think I am clean for now. I am copying my hijackthis folder one more time if you could take one last look at it I would appreciate it. Also can you tell me should I run Spybot and Hijackthis once a week or month to clean up any attackers that are attaching themselves to my system? Can you recommend any virus software that can be downloaded off the web to keep my system clean that I should be using?
You and the TSG forum have been quite helpful to me I really appreciate all you have done, if there is some way of reciprocating please let me know.
Regards,
Sunnyman

Logfile of HijackThis v1.95.1
Scan saved at 3:31:40 PM, on 7/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/s/sp?brand=JN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37719.6174305556
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: c:\windows\java\my.css


----------



## Rollin' Rog (Dec 9, 2000)

Looks good!

Once a week is probably a good regimen for most people; if you have doubts after an install or download of some doubtful program you can run it as needed.

And anytime you have issues with homepage or search hijacks, just start a new thread and post a HijackThis Scanlog as Spybot will not catch all of that stuff.

You're most welcome for the help, I know this has been a learning experience for you, but we are used to seeing that here.


----------
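The re-scan check done by eye in this thread (which flagged entries are gone, which persist, and whether a persisting entry's program is still running), as an added example that was not posted by any participant. The names `parse_log` and `verify_fix` are hypothetical; the log lines are short excerpts of the scans posted above.

```python
import re

# Added example; function names are hypothetical. Log lines are excerpts from this thread.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # section code, then the entry body
EXE_RE = re.compile(r"[a-z]:\\[^\[\]=]*?\.exe")      # first full .exe path (lower-cased text)

FLAGGED = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
F1 - win.ini: run=hpfsched
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect
"""

RESCAN = r"""
Logfile of HijackThis v1.95.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/s/sp?brand=JN
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O19 - User stylesheet: c:\windows\java\my.css
"""

def norm(s):
    # Win9x paths are case-insensitive and pasted logs vary in spacing.
    return " ".join(s.split()).casefold()

def parse_log(text):
    """Return (entries, running_processes) from a HijackThis log as normalised sets."""
    entries, procs, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), norm(m.group(2))))
            in_procs = False
        elif line.casefold() == "running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(norm(line))
    return entries, procs

def verify_fix(flagged_text, rescan_text):
    """Compare the entries a helper flagged against a later scan."""
    flagged, _ = parse_log(flagged_text)
    rescan, procs = parse_log(rescan_text)
    persisting = []
    for code, body in sorted(flagged & rescan):
        m = EXE_RE.search(body)
        # A still-running program can restore its own Run key; 8.3 short paths are not resolved here.
        persisting.append((code, body, bool(m and m.group(0) in procs)))
    return {"removed": sorted(flagged - rescan), "persisting": persisting}

if __name__ == "__main__":
    print(verify_fix(FLAGGED, RESCAN))
```

A persisting entry reported with `True` corresponds to the advice above to end the task before fixing the entry with HijackThis.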

