Istbar False Positive



#1 Oaken


Posted 21 June 2007 - 06:59 PM

Ad-Aware keeps detecting

ISTBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=Regkey : clsid\{83a2f9b1-01a2-4aa5-87d1-45b6b8505e96}
obj[14]=Regkey : aspfile\persistenthandler
obj[15]=Regkey : activetoolband.showbarobj
obj[16]=Regkey : activetoolband.showbarobj.1

I remove them, and after a restart they come back. I know for a fact that Istbar isn't on my machine, as I have used the Symantec removal tool and it can't find a thing. I have also run other anti-spyware tools and anti-viruses, which also say the computer is fine. I also don't have any of the symptoms.

http://www.lavasofts...showtopic=10203

Another topic where someone else is also finding Istbar but is fine.

It only detects it with the latest definitions.

Reference Number : SE1R176 19.06.2007



Can we get a confirmation of a false positive?

#2 LS Pekka


Posted 21 June 2007 - 10:04 PM

Hi Oaken!

Thank you for the information!
We will investigate this issue further.

Are you, like john maciver, using Windows Vista 32-bit?

Regards,

Pekka

Lavasoft Research

#3 Oaken


Posted 21 June 2007 - 11:35 PM

Hi LS Pekka,

Thanks for the quick reply. I am using Windows XP Media Center Edition SP2.

Oaken

#4 winchester73


Posted 21 June 2007 - 11:47 PM

If memory serves, 83a2f9b1-01a2-4aa5-87d1-45b6b8505e96 can be legitimate or malware depending upon:

File properties: size = 292 kb, HiTRUST ... legitimate HiTrust plugin (Acer eDataSecurity Management)

File Properties: size = 28 kb, no company information ... malware W32/Istbar.WL@dl

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Member of the Alliance of Security Analysis Professionals

#5 LS Pekka


Posted 22 June 2007 - 04:11 AM

Hi Oaken and winchester73!

Thank you for your contributions!

Our investigation revealed that the detected Istbar objects are triggered by "Acer eDataSecurity Management". "Acer eDataSecurity Management" also installs ActiveToolBand.dll, with GUID 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96, which receives status x BHO (Certified spyware/foistware, or other malware) from CastleCops (http://www.castlecop...rObj_Class.html). The detected objects could be legitimate ("Acer eDataSecurity Management") or malware (Istbar) depending on whether you have "Acer eDataSecurity Management" installed or not. This issue will be attended to as of the next Definition File release.

Regards,

Pekka

Lavasoft Research

#6 Oaken


Posted 22 June 2007 - 10:59 AM

Thanks for the quick reply,

The problem is on my laptop, which has "Acer eDataSecurity Management".

ActiveToolBand.dll is Size: 19.5 KB (19,968 bytes), Size on disk: 32.0 KB (32,768 bytes).

Under Version, the Company value is "HiTRUST".

It was created on 01 February 2007, 05:03:01, which was the day I bought my laptop and everything was set up.

It would make sense that it only reappears after a restart, as "Acer eDataSecurity Management" would get reloaded.

Do you think it is safe to say it is fine then?

#7 winchester73


Posted 22 June 2007 - 01:11 PM

> Hi Oaken and winchester73!
>
> Thank you for your contributions!
>
> Our investigation revealed that the detected Istbar objects are triggered by "Acer eDataSecurity Management". "Acer eDataSecurity Management" also installs ActiveToolBand.dll, with GUID 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96, which receives status x BHO (Certified spyware/foistware, or other malware) from CastleCops (http://www.castlecop...rObj_Class.html). The detected objects could be legitimate ("Acer eDataSecurity Management") or malware (Istbar) depending on whether you have "Acer eDataSecurity Management" installed or not. This issue will be attended to as of the next Definition File release.
>
> Regards,
>
> Pekka
>
> Lavasoft Research


You're welcome mate. Glad you got it sorted out ... :D

I used to test definition releases for urizen years ago ... :)

#8 winchester73


Posted 22 June 2007 - 01:18 PM

> Thanks for the quick reply,
>
> The problem is on my laptop, which has "Acer eDataSecurity Management".
>
> ActiveToolBand.dll is Size: 19.5 KB (19,968 bytes), Size on disk: 32.0 KB (32,768 bytes).
>
> Under Version, the Company value is "HiTRUST".
>
> It was created on 01 February 2007, 05:03:01, which was the day I bought my laptop and everything was set up.
>
> It would make sense that it only reappears after a restart, as "Acer eDataSecurity Management" would get reloaded.
>
> Do you think it is safe to say it is fine then?


Personally, I think it is a false positive.

Have a look here: http://www.castlecop...rObj_Class.html

"If, in File Properties, file size is 28 kb and company information is missing: parasite, detected as W32/Istbar.WL@dl"

You are showing HiTrust, which is a valid BHO.

The valid entry would look like this in HijackThis:

O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll

You might see this as a running process:

C:\WINDOWS\system32\ActiveToolBand.dll

#9 Oaken


Posted 22 June 2007 - 02:53 PM

Well, HijackThis doesn't pick it up at all. Good or bad sign?

#10 LS Pekka


Posted 22 June 2007 - 03:54 PM

Hi again Oaken!

The version of ActiveToolBand.dll that is in detection and is flagged as status x by CastleCops has the following stats:

Size: 28.0 KB (28,672 bytes)

Description: ActiveToolBand Module

Company: -
File Version: 1, 0, 0, 1
Internal Name: ActiveToolBand
Language: English (United States)
OLESelfRegister: -
Original File Name: ActiveToolBand.DLL
Product Name: ActiveToolBand Module
Product Version: 1, 0, 0, 1

Ad-Aware detection:

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

istbar Object Recognized!
Type : File
Data : ActiveToolBand.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : ActiveToolBand Module
FileDescription : ActiveToolBand Module
InternalName : ActiveToolBand
LegalCopyright : Copyright 2005
OriginalFilename : ActiveToolBand.DLL

--------------------------------------------------

The legitimate version of ActiveToolBand.dll (not in detection) has the following stats:

Size: 19.5 KB (19,968 bytes)

Description: ActiveToolBand Module

Company: HiTRUST
File Version: 1, 20, 0, 0
Internal Name: ActiveToolBand.dll
Language: English (United States)
Original File Name: ActiveToolBand.dll
Product Version: 1, 20, 0, 0

--------------------------------------------------

Based on the data that you provided it seems like you have the legitimate version of ActiveToolBand.dll installed.

However, running HijackThis with the separate versions installed shows:

Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll

None of the versions displays 'ShowBarObj Class' in HijackThis.

The Istbar regdata that shows up in detection is triggered by the Class ID 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96, which installs into the registry when Acer eDataSecurity Management and ActiveToolBand.dll are installed, no matter which version.

This issue will be attended to as of the next Definition File release.

Regards,

Pekka

Lavasoft Research
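The triage rule in this post, as an added Python example (not code from the thread or from Lavasoft): parse the Ad-Aware record format quoted above and check the on-disk size, company and file version against the two builds listed, since the CLSID is the same for both. The profile names, the sample record copy and the function names are my own assumptions.

```python
import re

# Constructed from the two builds listed in this thread: the build in detection
# (28,672 bytes, no company, 1, 0, 0, 1) and the HiTRUST build shipped with Acer
# eDataSecurity Management (19,968 bytes, 1, 20, 0, 0). Profile names are mine.
PROFILES = {
    "known-istbar-build": {"size": 28672, "company": "", "version": "1, 0, 0, 1"},
    "acer-hitrust-build": {"size": 19968, "company": "HiTRUST", "version": "1, 20, 0, 0"},
}

# Constructed copy of the Ad-Aware file record quoted in this post.
ADAWARE_RECORD = """istbar Object Recognized!
Type : File
Data : ActiveToolBand.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\\WINDOWS\\system32\\
FileVersion : 1, 0, 0, 1
ProductName : ActiveToolBand Module
OriginalFilename : ActiveToolBand.DLL
"""

def parse_record(text):
    """Turn the 'Key : Value' lines of an Ad-Aware object record into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def classify(size_bytes, company, file_version):
    """Size, company and file version must all match one profile; a CLSID hit
    alone proves nothing, because both builds register the same class ID."""
    probe = {"size": size_bytes, "company": company.strip(), "version": file_version.strip()}
    for name, profile in PROFILES.items():
        if all(probe[key] == profile[key] for key in profile):
            return name
    return "unknown-submit-sample"

def triage(record_text, size_bytes, company):
    """Pair the flagged path from the record with the on-disk properties."""
    rec = parse_record(record_text)
    path = rec.get("Object", "") + rec.get("Data", "")
    return path, classify(size_bytes, company, rec.get("FileVersion", ""))

if __name__ == "__main__":
    print(triage(ADAWARE_RECORD, 28672, ""))          # known-istbar-build
    print(classify(19968, "HiTRUST", "1, 20, 0, 0"))  # acer-hitrust-build
```

A file that matches neither profile (for example the right size but a different version) is reported as unknown rather than guessed, which is the case to send to the vendor as a sample.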

#11 Oaken


Posted 22 June 2007 - 04:03 PM

Hi LS Pekka,

Thanks for all the information, my mind can be put to rest now. :D

Oaken



