Oaken

Istbar False Positive

11 posts in this topic

Ad-Aware keeps detecting

 

ISTBAR

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[13]=Regkey : clsid\{83a2f9b1-01a2-4aa5-87d1-45b6b8505e96}

obj[14]=Regkey : aspfile\persistenthandler

obj[15]=Regkey : activetoolband.showbarobj

obj[16]=Regkey : activetoolband.showbarobj.1

 

I remove them, and after a restart they come back. I know for a fact that Istbar isn't on my machine, as I have used the Symantec Removal tool and it can't find a thing. I have also run other anti-spyware tools and anti-viruses, which also say the computer is fine. I also don't have any of the symptoms.

 

http://www.lavasoftsupport.com/index.php?showtopic=10203

 

Another topic where someone else is also finding Istbar but is fine.

 

It only detects it with the latest definitions.

 

Reference Number : SE1R176 19.06.2007

 

 

 

Can we get a confirmation of a false positive?


Hi Oaken!

 

Thank you for the information!

We will investigate this issue further.

 

Are you, like john maciver, using Windows Vista 32bit?

 

Regards,

 

Pekka

 

Lavasoft Research


Hi LS Pekka,

 

Thanks for the quick reply. I am using Win XP Media Center Edition SP2.

 

Oaken


If memory serves, 83a2f9b1-01a2-4aa5-87d1-45b6b8505e96 can be legitimate or malware depending upon:

 

File properties: size = 292 kb, HiTRUST ... legitimate HiTrust plugin (Acer eDataSecurity Management)

 

File Properties: size = 28 kb, no company information ... malware W32/Istbar.WL@dl


Hi Oaken and winchester73!

 

Thank you for your contributions!

 

Our investigation revealed that the detected Istbar objects are triggered by "Acer eDataSecurity Management". "Acer eDataSecurity Management" also installs ActiveToolBand.dll, with GUID 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96, which receives status x BHO (Certified spyware/foistware, or other malware) from CastleCops (http://www.castlecops.com/tk32677-ShowBarObj_Class.html). The detected objects could be legitimate ("Acer eDataSecurity Management") or malware (Istbar) depending on whether you have "Acer eDataSecurity Management" installed or not. This issue will be attended to as of the next Definition File release.

 

Regards,

 

Pekka

 

Lavasoft Research


Thanks for the quick reply,

 

The problem is on my laptop which has "Acer eDataSecurity Management"

 

ActiveToolBand.dll is: Size: 19.5 KB (19,968 bytes), Size on disk: 32.0 KB (32,768 bytes)

 

Under Version, Company, its value is "HiTRUST"

 

It was created on 01 February 2007, 05:03:01, which was the day I bought my laptop and everything was set up.

 

It would make sense that it only reappears after a restart, as "Acer eDataSecurity Management" would get reloaded.

 

Do you think it is safe to say it is fine then?


You're welcome mate. Glad you got it sorted out ... :D

 

I used to test definition releases for urizen years ago ... :)


Personally, I think it is a false positive.

 

Have a look here: http://www.castlecops.com/tk32677-ShowBarObj_Class.html

 

"If, in File Properties, file size is 28 kb and company information is missing: parasite, detected as W32/Istbar.WL@dl"

 

You are showing HiTrust, which is a valid BHO.

 

The valid entry would look like this in HijackThis:

 

O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll

 

You might see this as a running process:

 

C:\WINDOWS\system32\ActiveToolBand.dll


Hi again Oaken!

 

The version of ActiveToolBand.dll that is in detection and is flagged as status x by CastleCops has the following stats:

 

Size: 28.0 KB (28,672 bytes)

 

Description: ActiveToolBand Module

 

Company: -

File Version: 1, 0, 0, 1

Internal Name: ActiveToolBand

Language: English (United States)

OLESelfRegister: -

Original File Name: ActiveToolBand.DLL

Product Name: ActiveToolBand Module

Product Version: 1, 0, 0, 1

 

Ad-Aware detection:

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

istbar Object Recognized!

Type : File

Data : ActiveToolBand.dll

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : ActiveToolBand Module

FileDescription : ActiveToolBand Module

InternalName : ActiveToolBand

LegalCopyright : Copyright 2005

OriginalFilename : ActiveToolBand.DLL

 

--------------------------------------------------

 

The legitimate version of ActiveToolBand.dll (not in detection) has the following stats:

 

Size: 19.5 KB (19,968 bytes)

 

Description: ActiveToolBand Module

 

Company: HiTRUST

File Version: 1, 20, 0, 0

Internal Name: ActiveToolBand.dll

Language: English (United States)

Original File Name: ActiveToolBand.dll

Product Version: 1, 20, 0, 0

 

--------------------------------------------------

 

Based on the data that you provided it seems like you have the legitimate version of ActiveToolBand.dll installed.

 

However, running HijackThis with the separate versions installed shows:

 

Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll

 

None of the versions displays 'ShowBarObj Class' in HijackThis.

 

The Istbar regdata that shows up in detection is triggered by the Class ID 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96 that installs into the registry when Acer eDataSecurity Management and ActiveToolBand.dll are installed, no matter which version.

 

This issue will be attended to as of the next Definition File release.

 

Regards,

 

Pekka

 

Lavasoft Research

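The rule the thread settles on, in winchester73's size/company note and in LS Pekka's stats in the post above, is that the registry Class ID is written by both builds of ActiveToolBand.dll, so only the file's size and Company string tell the HiTRUST build from the Istbar build. The following is an added Python example, not Ad-Aware's or Lavasoft's code: it parses the two Ad-Aware log formats quoted in this thread (the obj[N]=Type : Data summary lines and the "Object Recognized!" blocks) and applies that rule. The sample log is constructed from the output quoted here; the build profiles are the sizes, Company values and File Versions stated in the thread; the function names, verdict labels and the analyst-supplied file_meta dictionary are assumptions of the example.

```python
"""Triage helper for the ActiveToolBand.dll / Istbar false-positive case.

Added example, not Lavasoft's or Ad-Aware's own code. The scan log carries
no file size or company string, so the analyst reads those from the file's
Properties > Version tab and passes them in; the script only applies the rule.
"""
import re
from dataclasses import dataclass, field

# Build profiles as stated in the thread: (size in bytes, Company, File Version).
KNOWN_BUILDS = {
    "legitimate-hitrust": (19968, "HiTRUST", "1, 20, 0, 0"),
    "istbar":             (28672, None,      "1, 0, 0, 1"),
}
# Class ID registered by Acer eDataSecurity Management for either build.
ACER_CLSID = "83a2f9b1-01a2-4aa5-87d1-45b6b8505e96"

# Constructed sample, assembled from the log lines quoted in this thread.
SAMPLE_LOG = r"""
ISTBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=Regkey : clsid\{83a2f9b1-01a2-4aa5-87d1-45b6b8505e96}
obj[14]=Regkey : aspfile\persistenthandler
obj[15]=Regkey : activetoolband.showbarobj
obj[16]=Regkey : activetoolband.showbarobj.1

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

istbar Object Recognized!
Type : File
Data : ActiveToolBand.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 1
"""


@dataclass
class Hit:
    family: str                              # detection name, e.g. "istbar"
    fields: dict = field(default_factory=dict)


_SUMMARY = re.compile(r"^obj\[\d+\]=(\w+) : (.*)$")          # obj[13]=Regkey : ...
_RECOGNIZED = re.compile(r"^(\S+) Object Recognized!$")      # istbar Object Recognized!
_KV = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s+:\s*(.*)$")      # Key : Value (value may be empty)


def parse_adaware_log(text):
    """Return one Hit per detected object, from either log layout."""
    hits, family, current = [], "unknown", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"[A-Z][A-Z0-9]+", line):    # section header such as ISTBAR
            family, current = line.lower(), None
            continue
        m = _SUMMARY.match(line)
        if m:
            hits.append(Hit(family, {"Type": m.group(1), "Data": m.group(2)}))
            continue
        m = _RECOGNIZED.match(line)
        if m:
            current = Hit(m.group(1).lower())
            hits.append(current)
            continue
        m = _KV.match(line)
        if m and current is not None:
            current.fields[m.group(1)] = m.group(2)
    return hits


def classify_file(size_bytes, company, file_version=None):
    """Match file properties against the two builds named in the thread."""
    company = company or None                  # "" and None both mean no company info
    if company == "-":                          # CastleCops prints a dash for missing info
        company = None
    for label, (size, comp, ver) in KNOWN_BUILDS.items():
        if size_bytes == size and company == comp and (file_version is None or file_version == ver):
            return label
    return "unknown-build"


def triage(hits, file_meta):
    """file_meta maps a lower-case file name to (size, company, version) read by the analyst."""
    verdicts = []
    for h in hits:
        kind = h.fields.get("Type", "").lower()
        data = h.fields.get("Data", "")
        if kind == "regkey":
            d = data.lower()
            # The CLSID and ProgID keys are written by both builds, so they prove nothing.
            shared = ACER_CLSID in d or "activetoolband" in d
            verdicts.append((data, "regkey-shared-by-both-builds" if shared else "regkey-needs-review"))
        elif kind == "file":
            meta = file_meta.get(data.lower())
            verdicts.append((data, classify_file(*meta) if meta else "file-metadata-missing"))
        else:
            verdicts.append((data, "unhandled-type"))
    return verdicts


if __name__ == "__main__":
    # Constructed: the properties Oaken reported for the laptop's copy.
    meta = {"activetoolband.dll": (19968, "HiTRUST", "1, 20, 0, 0")}
    for obj, verdict in triage(parse_adaware_log(SAMPLE_LOG), meta):
        print(f"{verdict:30} {obj}")
```

The verdicts for the registry objects are deliberately not "clean": as Pekka's post says, those keys appear with either build, so the only object worth a decision is the DLL itself, and that decision needs the size and Company fields that the scan log does not record.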

Hi LS Pekka,

 

Thanks for all the information, my mind can be put to rest now. :D

 

Oaken
