How to delete ISTbar - Removal tool, fix instructions
ISTbar
Name: ISTbar
Aliases: RapidBlaster, slotch, aupdate, TheLocalSearch Toolbar, Qidion, The Local Search, The Local Search Smartbar, The Local Smartbar, Smartbar, xxx-toolbar, CWS isbar rblast, slotch, AUpdate, RBlast, SlotchBar, YourSiteBar
Type: Spyware
Size: 176,128 bytes
First appeared on: 20.10.2003
Damage: High
Brief Description:
ISTbar is a spyware program that installs other spyware and adware programs and dialers without the user's permission. It installs the following, among others: Adware/AdLogix, Adware/nCase, Adware/PurityScan, Spyware/Dyfuca, Spyware/WhenU.Savenow and Spyware/XXXToolbar.
It also displays pop-up advertisements from adult sites and adds a toolbar to the Internet Explorer browser.
Visible Symptoms:
ISTbar is easy to recognize, as it displays the following symptoms:
- It adds a toolbar to the Internet Explorer browser.
- It displays pop-up advertisements of adult content.
- It changes the home page of the Internet Explorer browser to one within the domain: http://www.slotch.com
- The file C:\Program Files\ISTsvc\ISTsvc.exe is present.
Technical description:
ISTbar creates the following files:
- FEGHYEF.EXE in the Windows temporary directory.
- ISTsvc.exe; IstBar_DH.dll; ysbactivex.dll; sfbho.dll; sfexd001; sidefind.dll; istrecover[1].exe; istbar.dll; ysb.dll; istbarcm.dll; ISTactivex.dll; istdownload.exe; sidefind.exe; sfsetup.exe; sfbho.dll; ysb(2).dll; cmctl.dll; istbarcm.dll; juhpad.exe; ysbactivex(3).dll; ysb_regular[1].cab; gjefpet.exe
- Several files in the subfolders ISTBAR and ISTSVC, in the directory Program Files.
ISTbar creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
IST Service = %ProgramFiles%\ISTsvc\istsvc.exe
where %ProgramFiles% is the directory Program Files.
By creating this entry, ISTbar ensures it is run whenever Windows is started.
- HKEY_CLASSES_ROOT\CLSID\{5F1ABCDB-A875-46C1-8345-B72A4567E846}
- HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
- HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}
- HKEY_CURRENT_USER\Software\IST
- HKEY_CURRENT_USER\Software\ISTbar
- HKEY_LOCAL_MACHINE\Software\ISTsvc
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar "{5F1ABCDB-A875-46C1-8345-B72A4567E846}"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IST
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ISTbarISTbar
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc
- HKEY_LOCAL_MACHINE\Software\y036
It may also create some of the following folders and files:
- %ProgramFiles%\ISTsvc\ISTsvc.exe
- %ProgramFiles%\SideFind\sfbho.dll
- %ProgramFiles%\SideFind\sidefind.dll
- %ProgramFiles%\SideFind\sfex001
- %ProgramFiles%\SideFind\update\sidefind.exe
- %ProgramFiles%\YourSiteBar\ysb.dll
- %ProgramFiles%\YourSiteBar\imagemap_normal.bmp
- %ProgramFiles%\YourSiteBar\version.txt
- %ProgramFiles%\YourSiteBar\yoursitebar.xml
- %System%\gjefpet.exe
- %Windir%\Downloaded Program Files\ysbactivex.dll
- %UserProfile%\Favorites\Fun & Games, drops numerous link files in this folder
- %UserProfile%\Favorites\Going Places, drops numerous link files in this folder
- %UserProfile%\Favorites\Living, drops numerous link files in this folder
- %UserProfile%\Favorites\Shop, drops numerous link files in this folder
- %UserProfile%\Favorites\Technology, drops numerous link files in this folder
Notes:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
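The files and registry entries listed above can be checked in one pass. The following PowerShell script is an added example, not part of the original description or of any vendor tool; it only reads, and it assumes Windows PowerShell is available and that [Environment]::SystemDirectory stands in for %System%. The Favorites folders are left out.

```powershell
# Read-only check for the ISTbar files and registry entries listed on this page.
# Nothing is deleted or modified. Added example, not a vendor tool.
$pf  = $env:ProgramFiles
$sys = [Environment]::SystemDirectory   # assumption: stands in for %System%
$files = @(
    "$pf\ISTsvc\ISTsvc.exe", "$pf\SideFind\sfbho.dll",
    "$pf\SideFind\sidefind.dll", "$pf\SideFind\sfex001",
    "$pf\SideFind\update\sidefind.exe", "$pf\YourSiteBar\ysb.dll",
    "$pf\YourSiteBar\imagemap_normal.bmp", "$pf\YourSiteBar\version.txt",
    "$pf\YourSiteBar\yoursitebar.xml", "$sys\gjefpet.exe",
    "$env:windir\Downloaded Program Files\ysbactivex.dll"
)

$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5F1ABCDB-A875-46C1-8345-B72A4567E846}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}',
    'HKCU:\Software\IST', 'HKCU:\Software\ISTbar', 'HKLM:\Software\ISTsvc',
    "$uninstall\IST", "$uninstall\ISTbarISTbar", "$uninstall\ISTsvc",
    'HKLM:\Software\y036'
)

# Registry values (key, value name): the Run autostart and the IE toolbar entry.
$values = @(
    @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'IST Service'),
    @('HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
      '{5F1ABCDB-A875-46C1-8345-B72A4567E846}')
)

# True only when the key exists and carries a value with the given name.
function Test-RegistryValue([string]$Key, [string]$Name) {
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $k) { return $false }
    return ($null -ne $k.GetValue($Name))
}

$found = @()
$found += @($files | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "FILE  $_" })
$found += @($keys  | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "KEY   $_" })
foreach ($v in $values) {
    if (Test-RegistryValue $v[0] $v[1]) { $found += "VALUE $($v[0]) -> $($v[1])" }
}
if ($found.Count -eq 0) { 'No listed ISTbar artifacts found.' } else { $found }
```

On 64-bit Windows, 32-bit software is redirected to Program Files (x86) and the Wow6432Node registry view, which this check does not cover.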
Propagation:
ISTbar follows the routine below:
- When the user accesses certain web pages, a message appears to ask for permission to run an ActiveX code.
- If the user agrees, the ActiveX code installs several spyware and adware programs and dialers, downloads other programs from the Internet and displays advertisements from adult sites.
Removal tool and instruction:
In order to restore the original configuration of your computer, follow the instructions below:
- First of all, uninstall ISTbar by using the option Add/Remove Programs in the Control Panel and deleting the programs ISTsvc and ISTBar.
- If the uninstallation of ISTbar is not available, access the Start menu, Run option and type the following command:
regsvr32 /u "%Programfiles%\ISTbar\istbar.dll"
where %Programfiles% is the Program Files directory, where ISTbar is installed.
- Delete all the files and Windows Registry entries that ISTbar has created, as detailed above.
- Restart the computer.
You can also try the Adware.Istbar Removal Tool from Symantec.