Istbar False Positive
#1
Posted 21 June 2007 - 06:59 PM
ISTBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=Regkey : clsid\{83a2f9b1-01a2-4aa5-87d1-45b6b8505e96}
obj[14]=Regkey : aspfile\persistenthandler
obj[15]=Regkey : activetoolband.showbarobj
obj[16]=Regkey : activetoolband.showbarobj.1
I remove them, and after a restart they come back. I know for a fact that Istbar isn't on my machine, as I have used the Symantec Removal tool and it can't find a thing. I have also run other anti-spyware tools and anti-viruses which also say the computer is fine. I also don't have any of the symptoms.
http://www.lavasofts...showtopic=10203
Another topic where someone else is also finding Istbar but is fine.
It only detects it with the latest definitions.
Reference Number : SE1R176 19.06.2007
Can we get a confirmation of a false positive?
#2
Posted 21 June 2007 - 10:04 PM
Thank you for the information!
We will investigate this issue further.
Are you, like john maciver, using Windows Vista 32bit?
Regards,
Pekka
Lavasoft Research
#3
Posted 21 June 2007 - 11:35 PM
Thanks for the quick reply, I am using Win Xp Media Center Edition SP2.
Oaken
#4
Posted 21 June 2007 - 11:47 PM
File properties: size = 292 kb, HiTRUST ... legitimate HiTrust plugin (Acer eDataSecurity Management)
File Properties: size = 28 kb, no company information ... malware W32/Istbar.WL@dl
Member of the Alliance of Security Analysis Professionals
#5
Posted 22 June 2007 - 04:11 AM
Thank you for your contributions!
Our investigation revealed that the detected Istbar objects are triggered by "Acer eDataSecurity Management". "Acer eDataSecurity Management" also installs ActiveToolBand.dll, with GUID 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96, which receives status x BHO (Certified spyware/foistware, or other malware) from CastleCops (http://www.castlecop...rObj_Class.html). The detected objects could be legitimate ("Acer eDataSecurity Management") or malware (Istbar) depending on whether you have "Acer eDataSecurity Management" installed or not. This issue will be attended to as of the next Definition File release.
Regards,
Pekka
Lavasoft Research
#6
Posted 22 June 2007 - 10:59 AM
The problem is on my laptop, which has "Acer eDataSecurity Management".
ActiveToolBand.dll is Size: 19.5 KB (19,968 bytes), Size on disk: 32.0 KB (32,768 bytes).
Under Version, Company, its value is "HiTRUST".
It was created on 01 February 2007, 05:03:01, which was the day I bought my laptop and everything was set up.
It would make sense that it only reappears after a restart, as "Acer eDataSecurity Management" would get reloaded.
Do you think it is safe to say it is fine then?
#7
Posted 22 June 2007 - 01:11 PM
Hi Oaken and winchester73!
Thank you for your contributions!
Our investigation revealed that the detected Istbar objects are triggered by "Acer eDataSecurity Management". "Acer eDataSecurity Management" also installs ActiveToolBand.dll, with GUID 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96, which receives status x BHO (Certified spyware/foistware, or other malware) from CastleCops (http://www.castlecop...rObj_Class.html). The detected objects could be legitimate ("Acer eDataSecurity Management") or malware (Istbar) depending on whether you have "Acer eDataSecurity Management" installed or not. This issue will be attended to as of the next Definition File release.
Regards,
Pekka
Lavasoft Research
You're welcome mate. Glad you got it sorted out ...
I used to test definition releases for urizen years ago ...
Member of the Alliance of Security Analysis Professionals
#8
Posted 22 June 2007 - 01:18 PM
Thanks for the quick reply,
The problem is on my laptop, which has "Acer eDataSecurity Management".
ActiveToolBand.dll is Size: 19.5 KB (19,968 bytes), Size on disk: 32.0 KB (32,768 bytes).
Under Version, Company, its value is "HiTRUST".
It was created on 01 February 2007, 05:03:01, which was the day I bought my laptop and everything was set up.
It would make sense that it only reappears after a restart, as "Acer eDataSecurity Management" would get reloaded.
Do you think it is safe to say it is fine then?
Personally, I think it is a false positive.
Have a look here: http://www.castlecop...rObj_Class.html
"If, in File Properties, file size is 28 kb and company information is missing: parasite, detected as W32/Istbar.WL@dl"
You are showing HiTrust, which is a valid BHO.
The valid entry would look like this in HijackThis:
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
You might see this as a running process:
C:\WINDOWS\system32\ActiveToolBand.dll
Member of the Alliance of Security Analysis Professionals
#9
Posted 22 June 2007 - 02:53 PM
#10
Posted 22 June 2007 - 03:54 PM
The version of ActiveToolBand.dll that is in detection and is flagged as status x by
CastleCops has the following stats:
Size: 28.0 KB (28,672 bytes)
Description: ActiveToolBand Module
Company: -
File Version: 1, 0, 0, 1
Internal Name: ActiveToolBand
Language: English (United States)
OLESelfRegister: -
Original File Name: ActiveToolBand.DLL
Product Name: ActiveToolBand Module
Product Version: 1, 0, 0, 1
Ad-Aware detection:
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
istbar Object Recognized!
Type : File
Data : ActiveToolBand.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : ActiveToolBand Module
FileDescription : ActiveToolBand Module
InternalName : ActiveToolBand
LegalCopyright : Copyright 2005
OriginalFilename : ActiveToolBand.DLL
--------------------------------------------------
The legitimate version of ActiveToolBand.dll(not in detection) has the following stats:
Size: 19.5 KB (19,968 bytes)
Description: ActiveToolBand Module
Company: HiTRUST
File Version: 1, 20, 0, 0
Internal Name: ActiveToolBand.dll
Language: English (United States)
Original File Name: ActiveToolBand.dll
Product Version: 1, 20, 0, 0
--------------------------------------------------
Based on the data that you provided it seems like you have the legitimate version of ActiveToolBand.dll installed.
However, running HijackThis with the separate versions installed shows:
Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll
None of the versions displays 'ShowBarObj Class' in HijackThis.
The Istbar regdata that shows up in detection is triggered by the Class ID
83A2F9B1-01A2-4AA5-87D1-45B6B8505E96 that is installed into the registry when Acer eDataSecurity Management and
ActiveToolBand.dll are installed, no matter which version.
This issue will be attended to as of the next Definition File release.
Regards,
Pekka
Lavasoft Research
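An added triage script for the comparison above (my own example, not code from this thread, from Lavasoft or from Acer). It applies the two fingerprints from the post to a live machine: it reads the DLL's size and version resource, hashes it, checks its Authenticode status, and resolves which DLL the {83A2F9B1-...} CLSID's InprocServer32 key actually points to, so the registry objects Ad-Aware flags can be tied back to a file on disk. Assumptions: the DLL path is %SystemRoot%\System32 as in the thread, the two fingerprint rows are copied from the post and nothing else is treated as authoritative, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the thread): triage ActiveToolBand.dll and its CLSID registration
# against the two builds Lavasoft Research described. Fingerprints copied from post #10.
$DllPath = Join-Path $env:SystemRoot 'System32\ActiveToolBand.dll'   # assumed location, as in the thread
$Clsid   = '{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}'

# Size is file length in bytes; Major/Minor are taken from the FileVersion resource.
$Fingerprints = @(
    @{ Label = 'legitimate HiTRUST build (Acer eDataSecurity Management)'; Size = 19968; Company = 'HiTRUST'; Major = 1; Minor = 20 }
    @{ Label = 'build in Istbar detection (W32/Istbar.WL@dl)';              Size = 28672; Company = '';        Major = 1; Minor = 0  }
)

function Get-ClsidServerPath {
    # Returns the DLL the CLSID's InprocServer32 default value points to, or $null if unregistered.
    param([string]$Id = $Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Test-BhoRegistered {
    # True if the CLSID is listed as a Browser Helper Object (what HijackThis reports as an O2 line).
    param([string]$Id = $Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Id"
    return (Test-Path -LiteralPath $key)
}

function Get-ActiveToolBandVerdict {
    param([string]$Path = $DllPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Present = $false; Match = $null
            ClsidDll = Get-ClsidServerPath; IsBho = Test-BhoRegistered
            Verdict  = 'DLL absent: any remaining CLSID/ProgID keys are orphaned registrations'
        }
    }

    $file    = Get-Item -LiteralPath $Path
    $vi      = $file.VersionInfo
    $company = ([string]$vi.CompanyName).Trim()
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path

    # All four fields must agree with a row; size alone is far too weak to call a file clean.
    $match = $Fingerprints | Where-Object {
        $_.Size    -eq $file.Length -and
        $_.Company -eq $company     -and
        $_.Major   -eq $vi.FileMajorPart -and
        $_.Minor   -eq $vi.FileMinorPart
    } | Select-Object -First 1

    $verdict = if ($match) { $match.Label } else { 'matches neither fingerprint: submit the file for analysis' }

    return [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Size      = $file.Length
        Company   = $company
        Version   = $vi.FileVersion
        Created   = $file.CreationTime
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status        # NotSigned is expected for this plugin; Valid would be stronger evidence
        ClsidDll  = Get-ClsidServerPath   # should be the same path as $Path if the registration is the vendor's
        IsBho     = Test-BhoRegistered
        Match     = $match
        Verdict   = $verdict
    }
}

Get-ActiveToolBandVerdict | Format-List
```

Two caveats when reading the output. A size and version-string match is weak evidence, since a malicious build can copy those strings; the SHA256 and Authenticode fields are included so the result can be checked against a vendor-published hash or signature, which this thread does not supply. And ClsidDll is the field that settles Pekka's point: the flagged CLSID keys exist regardless of which build is on disk, so what matters is the file they resolve to.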
#11
Posted 22 June 2007 - 04:03 PM
Thanks for all the information, my mind can be put to rest now.
Oaken