Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: elmer fudd
Says that uses an ActiveX entry....so Firefox might avoid that one............

_________________________________________

Spyware: ISTbar

ISTbar

ISTbar is an MSIE toolbar, homepage and search hijacker provided by Integrated Search Technologies/CDT Inc. It installs several spyware agents mainly by ActiveX drive-by download (yes you read it correctly) on affiliate sites and delivers mostly porn ads. More details here.
ISTbar also installs porn pop-up producer RapidBlaster and the download assistant DownloadPlus. Can download and execute arbitrary unsigned code from its controlling server. This is used to update the software and to install third-party software.

Files installed are:

mscache.exe, aupdate.exe, aupdate_uninstall.exe, istsvc.exe, mscache.dll and istbar.dll.

Removal:

Uninstall ISTBar from "Add/Remove Programs" in the Windows Control Panel. Look for MS AUpdate, MS Updates, XXXToolbar, ISTsvc or ISTBar. If no such entry exists or if the uninstall fails, contact the vendor for support, use a spyware cleaner, or uninstall ISTBar manually.

AUpdate

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry on the right (points to aupdate.exe). Find the key HKCR\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKLM\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKLM\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and 'aupdate_uninstall.exe' from your System folder. (\System32 on Windows NT/2000/XP or just \System on Windows 95/98/ME). Restore your normal search settings (Internet Options > Programs > Reset Web Settings).

MSCache

Open a DOS command prompt window and enter:

cd "%WinDir%\System"
regsvr32 /u ..\mscache.dll

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'MS Updates' entry on the right (points to mscache.exe). Find the key HKCR\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKLM\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKLM\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and delete the files 'mscache.exe' and 'mscache.dll' from the Windows (Windows 95/98/ME) or WinNT (Windows NT/2000/XP) folder. Restore your normal search settings (Internet Options > Programs > Reset Web Settings).

XXXToolbar

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry (if there). Open a DOS command prompt window and enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"

Restart the computer and delete the 'ISTbar' folder from the c:\Program Files folder, and the 'istsvc.exe' file from the Windows (Windows 95/98/ME) or WinNT (Windows NT/2000/XP) folder. You can also delete the registry keys HKCU\Software\ISTbar and HKCR\Pugi.PugiObj.


Cleaning

If you are cleaning your system manually, using some of the tips mentioned above, you do this at your own risk. Editing the Registry without some basic knowledge may result in your computer not starting up anymore. And reinstalling Windows may be the only way back. 


22 posted on 12/14/2004 6:44:43 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)
[ Post Reply | Private Reply | To 17 | View Replies ]


To: Ernest_at_the_Beach
I spent 8 hours today on one machine. It had 148 instances of "backweb" plus about 20 others.
msie.exe and msrpc32.exe to name a couple.
27 posted on 12/14/2004 6:48:23 PM PST by red-dawg
[ Post Reply | Private Reply | To 22 | View Replies ]

To: Ernest_at_the_Beach

As a cable internet installer that's probably a little more effort than I'm going to go to. Usually I do the cleanup on customers' computers in the course of my work, but I generally restrict myself to downloading and running AdAware, Spybot and Firefox and then explaining to the customer a little about spyware and security in general. Strictly speaking, hardware and software problems are not our concern, but usually we'll try to fix things if we can.


39 posted on 12/14/2004 7:06:51 PM PST by elmer fudd
[ Post Reply | Private Reply | To 22 | View Replies ]

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson