|
What is ISTbar ?
ISTbar is a homepage and search hijacking adware. It adds a toolbar to Internet Explorer and displays popup ads that come mainly from porn sites. ISTbar/AUpdate is installed by ActiveX drive-by download on affiliate sites, typically porn adverts, from April 2003. At least ISTbar/AUpdate is known to install using aggressive JavaScript.ISTBAR also installs other third-party software which includes advertising.
ISTbar variants
The ISTBAR.AUpdate variant installs a TinyBar variant to implement its toolbar. The hijacker (ISTBAR) is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an 'AUpdate' process.
The ISTBAR.MSCache variant also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com. ISTBAR.MSCache was widely distributed to victims clicking on links to the 'OutWar' online game.
The ISTBAR.XXXToolbar variant is an update based around adult porn. It uses its own toolbar based on a Pugi toolbar variant. The hijacker (ISTBAR) is aimed at its controlling server xxxtoolbar.com, and slotch.com, distribution of this variant is controlled by toolbarcash.com.
ISTBAR also installs other spyware/adware threats including: AUpdate and XXXToolbar install porn pop-up producer RapidBlaster/lp, and the AUpdate variant is also known to install DownloadPlus and the MSCache variant installs nCase and the Wink/EasyDates dialler.
ISTbar behavior
- Stealth Tactics
- Shows ads
- Changes browser
- Stays Resident
ISTbar Removal Instructions:
Kill processes:
istsvc.exe, istdownload.exe, gjefpet.exe, juhpad.exe, sfsetup.exe, sidefind.exe
Help: how to kill malicious processes
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IST Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Bandrest=never
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Assistant=no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[site address]
HKEY_LOCAl_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Bandrest=never
HKEY_CURRENT_USER\Software\IST
HKEY_CURRENT_USER\Software\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Sidefind
HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sidefind
HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper
HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1
HKEY_CLASSES_ROOT\ISTbar.BarObj
HKEY_CLASSES_ROOT\ISTactivex.Installer
HKEY_CLASSES_ROOT\ISTactivex.Installer.1
HKEY_CLASSES_ROOT\ISTactivex.Installer.2
HKEY_CLASSES_ROOT\ISTx.Installer
HKEY_CLASSES_ROOT\ISTx.Installer.2
HKEY_CLASSES_ROOT\Pugi.PugiObj
HKEY_CLASSES_ROOT\Pugi.PugiObj.1
HKEY_CLASSES_ROOT\SideFind.Finder
HKEY_CLASSES_ROOT\SideFind.Finder.1
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag.1
HKEY_CLASSES_ROOT\Ysb.YsbObj
HKEY_CLASSES_ROOT\Ysb.YsbObj.1
HKEY_CLASSES_ROOT\YSBactivex.Installer
HKEY_CLASSES_ROOT\YSBactivex.Installer.1
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\Component Categories\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\%Windir%/Downloaded Program Files/istactivex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbarISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
Help: how to remove registry entries
Unregister DLLs:
cmctl.dll, istactivex.dll, istbar.dll, istbarcm.dll, istbar_dh.dll, sidefind.dll, sfbho.dll, ysb.dll, ysbactivex.dll
Help: how to unregister malicious DLLs
Delete files:
istsvc.exe, istdownload.exe, gjefpet.exe, juhpad.exe, sfsetup.exe, sidefind.exe, cmctl.dll, istactivex.dll, istbar.dll, istbarcm.dll, istbar_dh.dll, sidefind.dll, sfbho.dll, ysb.dll, ysbactivex.dll
Help: how to remove harmful files
Delete directories:
C:\Program Files\ISTsvc
C:\Program Files\SideFind
C:\Program Files\YourSiteBar
Misc:
The parasite may use randomly named files and registry keys.
[site address] is an adress of a web site on the couldnotfind.com or slotch.com domain.
Copyright ©
SpywareDot 2002-2005| spywaredot.com. All rights reserved.
|
