What is ISTbar ?
ISTbar is adware that hijacks the browser's home page and search settings. It adds a toolbar to Internet Explorer and displays pop-up ads that come mainly from porn sites. ISTbar/AUpdate has been installed by ActiveX drive-by download on affiliate sites, typically porn adverts, since April 2003; at least the ISTbar/AUpdate variant is known to install using aggressive JavaScript. ISTbar also installs other third-party software that carries advertising.
ISTbar variants
The ISTBAR.AUpdate variant installs a TinyBar variant to implement its toolbar. The hijacker (ISTBAR) redirects to my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an 'AUpdate' process.
The ISTBAR.MSCache variant also uses TinyBar, along with a Browser Helper Object called mscache.dll that loads updates. The controlling server is www2.skoobidoo.com. ISTBAR.MSCache was widely distributed to victims who clicked links to the 'OutWar' online game.
The ISTBAR.XXXToolbar variant is an update built around adult porn. It uses its own toolbar based on a Pugi toolbar variant. The hijacker (ISTBAR) redirects to its controlling server xxxtoolbar.com and to slotch.com; distribution of this variant is controlled by toolbarcash.com.
ISTBAR also installs other spyware/adware threats: the AUpdate and XXXToolbar variants install the porn pop-up producer RapidBlaster/lp, the AUpdate variant is also known to install DownloadPlus, and the MSCache variant installs nCase and the Wink/EasyDates dialler.
ISTbar behavior
- Stealth Tactics
- Shows ads
- Changes browser
- Stays Resident
ISTbar Removal Instructions:
Kill processes: istsvc.exe, istdownload.exe, gjefpet.exe, juhpad.exe, sfsetup.exe, sidefind.exe
Delete registry values and keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IST Service
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar=[site address]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page=[site address]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Bandrest=never
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Assistant=no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[site address]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Bandrest=never
- HKEY_CURRENT_USER\Software\IST
- HKEY_CURRENT_USER\Software\ISTbar
- HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc
- HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar
- HKEY_LOCAL_MACHINE\SOFTWARE\Sidefind
- HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sidefind
- HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper
- HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1
- HKEY_CLASSES_ROOT\ISTbar.BarObj
- HKEY_CLASSES_ROOT\ISTactivex.Installer
- HKEY_CLASSES_ROOT\ISTactivex.Installer.1
- HKEY_CLASSES_ROOT\ISTactivex.Installer.2
- HKEY_CLASSES_ROOT\ISTx.Installer
- HKEY_CLASSES_ROOT\ISTx.Installer.2
- HKEY_CLASSES_ROOT\Pugi.PugiObj
- HKEY_CLASSES_ROOT\Pugi.PugiObj.1
- HKEY_CLASSES_ROOT\SideFind.Finder
- HKEY_CLASSES_ROOT\SideFind.Finder.1
- HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag
- HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag.1
- HKEY_CLASSES_ROOT\Ysb.YsbObj
- HKEY_CLASSES_ROOT\Ysb.YsbObj.1
- HKEY_CLASSES_ROOT\YSBactivex.Installer
- HKEY_CLASSES_ROOT\YSBactivex.Installer.1
- HKEY_CLASSES_ROOT\CLSID\
- HKEY_CLASSES_ROOT\Interface\
- HKEY_CLASSES_ROOT\TypeLib\
- HKEY_CLASSES_ROOT\Component Categories\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\%Windir%/Downloaded Program Files/istactivex.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbarISTbar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
Unregister DLLs: cmctl.dll, istactivex.dll, istbar.dll, istbarcm.dll, istbar_dh.dll, sidefind.dll, sfbho.dll, ysb.dll, ysbactivex.dll
Delete files: istsvc.exe, istdownload.exe, gjefpet.exe, juhpad.exe, sfsetup.exe, sidefind.exe, cmctl.dll, istactivex.dll, istbar.dll, istbarcm.dll, istbar_dh.dll, sidefind.dll, sfbho.dll, ysb.dll, ysbactivex.dll
Delete directories:
- C:\Program Files\ISTsvc
- C:\Program Files\SideFind
- C:\Program Files\YourSiteBar
Misc: The parasite may use randomly named files and registry keys.
[site address] is the address of a web site on the couldnotfind.com or slotch.com domain.
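The following PowerShell script is an added, defender-side example and is not part of the original SpywareDot entry: it audits a Windows host for the ISTbar indicators listed above (resident process names, the 'IST Service' Run value, IE home page and search values pointing at the hijack domains, the named keys, directories and DLLs) and only reports what it finds. It assumes an elevated session and, since the page gives no DLL locations, looks for the DLLs only in System32 and Downloaded Program Files.

```powershell
# Added example (not from the original page): read-only ISTbar indicator audit.
# Assumptions: elevated PowerShell session; indicator names copied from the entry above;
# DLL search paths (System32, Downloaded Program Files) are an assumption, not from the page.
$Processes = 'istsvc','istdownload','gjefpet','juhpad','sfsetup','sidefind'
$Dlls = 'cmctl.dll','istactivex.dll','istbar.dll','istbarcm.dll','istbar_dh.dll',
        'sidefind.dll','sfbho.dll','ysb.dll','ysbactivex.dll'
$Dirs = 'C:\Program Files\ISTsvc','C:\Program Files\SideFind','C:\Program Files\YourSiteBar'
$Keys = 'HKCU:\Software\IST','HKCU:\Software\ISTbar','HKLM:\SOFTWARE\ISTsvc',
        'HKLM:\SOFTWARE\ISTbar','HKLM:\SOFTWARE\Sidefind','HKLM:\SOFTWARE\YourSiteBar'
$HijackDomains = 'couldnotfind.com','slotch.com'

$findings = @()

# 1. Resident processes (Get-Process reports names without the .exe suffix)
Get-Process -ErrorAction SilentlyContinue |
  Where-Object { $Processes -contains $_.ProcessName.ToLower() } |
  ForEach-Object { $findings += "Process running: $($_.ProcessName) (PID $($_.Id))" }

# 2. Autorun persistence: the 'IST Service' value under the HKLM Run key
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['IST Service']) {
  $findings += "Run value present: IST Service = $($run.'IST Service')"
}

# 3. IE home page / search hijack: Main values that point at the hijack domains
$ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($name in 'Start Page','Search Bar','Search Page') {
  $val = $ieMain.$name
  if ($val -and ($HijackDomains | Where-Object { $val -like "*$_*" })) {
    $findings += "IE $name hijacked: $val"
  }
}

# 4. Known keys, directories and DLL files on disk
foreach ($k in $Keys) { if (Test-Path $k) { $findings += "Registry key present: $k" } }
foreach ($d in $Dirs) { if (Test-Path $d) { $findings += "Directory present: $d" } }
$dllRoots = "$env:SystemRoot\System32", "$env:SystemRoot\Downloaded Program Files"
foreach ($root in $dllRoots) {
  foreach ($dll in $Dlls) {
    $p = Join-Path $root $dll
    if (Test-Path $p) { $findings += "DLL on disk: $p" }
  }
}

if ($findings.Count -eq 0) { 'No ISTbar indicators found.' } else { $findings }
```

Because the parasite may use randomly named files and registry keys, an empty report from this name-based check is not proof that the host is clean.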
Copyright © SpywareDot 2002-2005 | spywaredot.com. All rights reserved.