Top 10 "Most Unwanted" Spyware Named

TechWeb ^ | December 10, 2004 (2:48 PM EST) | Gregg Keizer,

[GVnana]

I'm on earthlink (love it BTW) but I'm not finding a reference for this.

[Ernest_at_the_Beach]

Says that uses an ActiveX entry....so Firefox might avoid that one............

_________________________________________

Spyware: ISTbar

NUISANCE LEVEL
THREAT LEVEL

 
ISTbar

ISTbar is an MSIE toolbar, homepage and search hijacker provided by Integrated Search Technologies/CDT Inc. It installs several spyware agents mainly by ActiveX drive-by download (yes you read it correctly) on affiliate sites and delivers mostly porn ads. More details here.
ISTbar also installs porn pop-up producer RapidBlaster and the download assistant DownloadPlus. Can download and execute arbitrary unsigned code from its controlling server. This is used to update the software and to install third-party software.

Files installed are:

mscache.exe, aupdate.exe, aupdate_uninstall.exe, istsvc.exe, mscache.dll and istbar.dll.

Removal:

Uninstall ISTBar from "Add/Remove Programs" in the Windows Control Panel. Look for MS AUpdate, MS Updates, XXXToolbar, ISTsvc or ISTBar. If no such entry exists or if the uninstall fails, contact the vendor for support, use a spyware cleaner, or uninstall ISTBar manually.

AUpdate

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry on the right (points to aupdate.exe). Find the key HKCR\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKLM\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKLME\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and 'aupdate_uninstall.exe' from your System folder. (\System32 on Windows NT/2000/XP or just \System on Windows 95/98/ME). Restore your normal search settings (Internet Options > Programs > Reset Web Settings).

MSCache

Open a DOS command prompt window and enter:

cd "%WinDir%\System"
regsvr32 /u ../mscache.dll

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'MS Updates' entry on the right (points to mscache.exe). Find the key HKCR\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKLM\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKLM\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and delete the files 'mscache.exe', and 'mscache.dll' from the Windows (Windows 95/98/ME) or WinNT (Windows NT/2000/XP) folder. Restore your normal search settings (Internet Options > Programs > Reset Web Settings).

XXXToolbar

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry (if there). Open a DOS command prompt window and enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"

Restart the computer and delete the 'ISTbar' folder from the c:\Program Files folder, and the 'istsvc.exe' file from the Windows (Windows 95/98/ME) or WinNT (Windows NT/2000/XP) folder. You can also delete the registry keys HKCU\Software\ISTbar and HKCR\Pugi.PugiObj.

---

Cleaning

If you are cleaning your system manually, using some of the tips mentioned above, you do this at your own risk. Editing the Registry without some basic knowledge may result in your computer not starting up anymore. And reinstalling Windows may be the only way back. 

Spyware cleaners  Spyware resources
 

Main spyware page

[] [TOP]

[Always Right]

I find if my daughter leaves on her AIM, her computer just gets loads of spyware stuff on it.

[dr_pat]

CA has a free spyware scan offer (using PestPatrol) at their website. You can use it to find out what (if anything) is currently on your system.

I was astonished to find Gator and two keystroke reporters on my PC. Needless to say, I quickly got and installed software to clean up current and prevent future infections.

[Ernest_at_the_Beach]

OK.....well, see post #5.....

[red-dawg]

I spent 8 hours today on one machine. It had 148 instances of "backweb" plus about 20 others.
msie.exe and msrpc32.exe to name a couple.

[Ernest_at_the_Beach]

CWS has the ability to modify itself, so finding and removing it is an ongoing challenge for consumers. Once CWS is discovered by an anti-spyware application, such as EarthLink's Spyware Blocker, powered by Webroot, Internet users should take action to immobilize or erase the program from their PCs.

So are you using Spyware Blocker?

Any comments about it...Like does it work?

[Ernest_at_the_Beach]

Damn.....that has to be painful....

[JWinNC]

I'm spending a big chunk of my time cleaning Trojans and HiJackers off my client's PCs. It's getting really bad especially for IE users. The stuff that replicates itself and hides in the registry is unbelievable. If you miss something, it'll just come right back.

JWinNC

[Publius6961]

Stupid question from a non geek...

Why can't there be a way to prevent any program from sending anything out?

Example. You are getting information from a site you have chosen. You are connected through your ISP. You know who those two are.
Why can't I limit uploads to just those two sites until I choose otherwise, and no others?

I assume there must be a good reason.

[Cicero]

CW Shredder is a nice little program that will help remove Cool Web Search. But you also have to comb through the Registry to get rid of it completely.

I hate to think how much of my computer's memory is taken up by Norton AntiVirus, ZoneAlarm, Spyware Blaster, Spyware Guard, SpamPal, Ad Muncher, and all the other programs I use to prevent infections. It wouldn't surprise me that it's about 75% protection and 25% programs that I'm running. And that's not to speak of all the complications that have been introduced into Windows itself in order to block these various malicious attacks. SP2 has definitely slowed my computers a bit.

[Boazo]

ping

[Ernest_at_the_Beach]

I assume there must be a good reason.

Do you know about ActiveX?

That seems to be a favored entry path....and sockets?

[steve86]

it is a fallacy that Linux is immune from such problems.

Theoretically immune? Probably not.

Does Linux actually get infected by Spyware? No, not in my many-year experience.

[Xenalyte]

CWShredder didn't do the trick for my polluted PC and my techie fiance working on it; we did the process three times with no luck. A Format C solved the problem nicely, though, and freed up a chunk of space.

[Ernest_at_the_Beach]

It hasn't been a very big target for the malware writers......yet.

[OKSooner]

Don't know what the top 10 are, but you catch 9 of them from Drudge.

[elmer fudd]

As a cable internet installer that's probably a little more effort than I'm going to go to. Ussually I do the cleanup on customers computers in the course of my work, but I generally restrict myself to downloading and running, AdAware, Spybot and Firefox and then explaining to the customer a little about spyware and security in general. Strictly speaking, hardware and software problems are not our concern, but ussually we'll try to fix things if we can.

[Ernest_at_the_Beach]

Here is a list:

__________________________________________

Spyware perpetrators Alexa Aureate / Radiate BargainBuddy ClickTillUWin Comet Cursor Conducent Timesink Cydoor eZula / KaZaa Toptext Flashpoint / Flashtrack Flyswat Gator GoHip Hotbar ISTbar Lions' Pride Enterprises Look2me Lop C2Media Mattel Brodcast Morpheus NewDotNet PurityScan RealPlayer Songspy Web3000 WebHancer Windows Messenger Xupiter Spyware promotors Downloadalot