Remove ISTbar



What is ISTbar?

ISTbar is adware that hijacks the browser's homepage and search settings. It adds a toolbar to Internet Explorer and displays pop-up ads that come mainly from porn sites. ISTbar/AUpdate has been installed by ActiveX drive-by download on affiliate sites, typically porn adverts, since April 2003. At least the ISTbar/AUpdate variant is known to install using aggressive JavaScript. ISTbar also installs other third-party software that includes advertising.

ISTbar variants

The ISTBAR.AUpdate variant installs a TinyBar variant to implement its toolbar. The hijacker (ISTBAR) is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an 'AUpdate' process.

The ISTBAR.MSCache variant also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com. ISTBAR.MSCache was widely distributed to victims clicking on links to the 'OutWar' online game.

The ISTBAR.XXXToolbar variant is an update based around adult porn. It uses its own toolbar based on a Pugi toolbar variant. The hijacker (ISTBAR) is aimed at its controlling server, xxxtoolbar.com, and at slotch.com; distribution of this variant is controlled by toolbarcash.com.

ISTBAR also installs other spyware/adware threats: the AUpdate and XXXToolbar variants install the porn pop-up producer RapidBlaster/lp, the AUpdate variant is also known to install DownloadPlus, and the MSCache variant installs nCase and the Wink/EasyDates dialler.

ISTbar behavior

  • Stealth Tactics
  • Shows ads
  • Changes browser
  • Stays Resident

ISTbar Removal Instructions:

Disclaimer: Modifying the registry or system files can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.

Kill processes:
istsvc.exe, istdownload.exe, gjefpet.exe, juhpad.exe, sfsetup.exe, sidefind.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IST Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Bandrest=never
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Assistant=no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[site address]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Bandrest=never
HKEY_CURRENT_USER\Software\IST
HKEY_CURRENT_USER\Software\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Sidefind
HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sidefind
HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper
HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1
HKEY_CLASSES_ROOT\ISTbar.BarObj
HKEY_CLASSES_ROOT\ISTactivex.Installer
HKEY_CLASSES_ROOT\ISTactivex.Installer.1
HKEY_CLASSES_ROOT\ISTactivex.Installer.2
HKEY_CLASSES_ROOT\ISTx.Installer
HKEY_CLASSES_ROOT\ISTx.Installer.2
HKEY_CLASSES_ROOT\Pugi.PugiObj
HKEY_CLASSES_ROOT\Pugi.PugiObj.1
HKEY_CLASSES_ROOT\SideFind.Finder
HKEY_CLASSES_ROOT\SideFind.Finder.1
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag.1
HKEY_CLASSES_ROOT\Ysb.YsbObj
HKEY_CLASSES_ROOT\Ysb.YsbObj.1
HKEY_CLASSES_ROOT\YSBactivex.Installer
HKEY_CLASSES_ROOT\YSBactivex.Installer.1
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\TypeLib\
HKEY_CLASSES_ROOT\Component Categories\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\%Windir%/Downloaded Program Files/istactivex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbarISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar

Unregister DLLs:
cmctl.dll, istactivex.dll, istbar.dll, istbarcm.dll, istbar_dh.dll, sidefind.dll, sfbho.dll, ysb.dll, ysbactivex.dll

Delete files:
istsvc.exe, istdownload.exe, gjefpet.exe, juhpad.exe, sfsetup.exe, sidefind.exe, cmctl.dll, istactivex.dll, istbar.dll, istbarcm.dll, istbar_dh.dll, sidefind.dll, sfbho.dll, ysb.dll, ysbactivex.dll

Delete directories:
C:\Program Files\ISTsvc
C:\Program Files\SideFind
C:\Program Files\YourSiteBar

Misc:
The parasite may use randomly named files and registry keys.

[site address] is an address of a web site on the couldnotfind.com or slotch.com domain.
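The checks listed above, gathered into a read-only PowerShell audit to run before changing anything (an added example, not part of the original instructions). It covers the named processes, the Run value, the three Internet Explorer address values, a subset of the fully named registry keys, the directories and the DLL names; the DLL search roots are an assumption, since the page gives no file locations beyond the three directories and Downloaded Program Files.

```powershell
# Added example: read-only audit for the ISTbar indicators listed on this page.
# It only reports what it finds; nothing is killed, deleted or unregistered.
$procNames = 'istsvc','istdownload','gjefpet','juhpad','sfsetup','sidefind'
$dllNames  = 'cmctl.dll','istactivex.dll','istbar.dll','istbarcm.dll','istbar_dh.dll',
             'sidefind.dll','sfbho.dll','ysb.dll','ysbactivex.dll'
$dirs      = 'C:\Program Files\ISTsvc','C:\Program Files\SideFind','C:\Program Files\YourSiteBar'
$domains   = 'couldnotfind.com','slotch.com'   # the page's "[site address]" domains
# Subset of the fully named keys; bare parents such as CLSID\ are deliberately left out.
$keys = 'HKEY_CURRENT_USER\Software\IST','HKEY_CURRENT_USER\Software\ISTbar',
        'HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc','HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Sidefind','HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar',
        'HKEY_CLASSES_ROOT\ISTbar.BarObj','HKEY_CLASSES_ROOT\ISTactivex.Installer',
        'HKEY_CLASSES_ROOT\Pugi.PugiObj','HKEY_CLASSES_ROOT\SideFind.Finder',
        'HKEY_CLASSES_ROOT\Ysb.YsbObj','HKEY_CLASSES_ROOT\YSBactivex.Installer'

function New-Finding($Type, $Item, $Detail) {
    [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail }
}

$findings = @(
    # Running processes (Get-Process expects names without ".exe").
    Get-Process -Name $procNames -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Process' $_.Name "PID $($_.Id)" }

    # Autostart value "IST Service" under the Run key.
    $run = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $svc = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'IST Service'
    if ($svc) { New-Finding 'RunValue' 'IST Service' $svc }

    # Internet Explorer values: flagged only when they point at a listed domain.
    $ieMain = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main'
    $main = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    foreach ($name in 'Start Page','Search Bar','Search Page') {
        $value = $main.$name
        if ($value -and ($domains | Where-Object { $value -like "*$_*" })) {
            New-Finding 'IEValue' $name $value
        }
    }

    # Registry keys, then directories and DLLs on disk.
    $keys | Where-Object { Test-Path "Registry::$_" } | ForEach-Object { New-Finding 'RegKey' $_ '' }
    $dirs | Where-Object { Test-Path $_ } | ForEach-Object { New-Finding 'Directory' $_ '' }
    $roots = (@($dirs) + "$env:windir\Downloaded Program Files") | Where-Object { Test-Path $_ }
    if ($roots) {
        Get-ChildItem -Path $roots -Recurse -Force -Include $dllNames -ErrorAction SilentlyContinue |
            ForEach-Object { New-Finding 'File' $_.FullName '' }
    }
)
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed ISTbar indicators found.' }
```

An empty result does not prove the machine is clean, because the parasite may use randomly named files and registry keys.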

Copyright © SpywareDot 2002-2005| spywaredot.com.  All rights reserved.
