Description
ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.
Variants
ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an ‘AUpdate’ process.
ISTbar/MSCache also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com.
ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar based on the Pugi toolbar. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.
ISTbar also installs other parasites: AUpdate and XXXToolbar install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus; the MSCache variant installs nCase and the Wink/EasyDates dialler.
Also known as
The AUpdate variant is known as SearchBarCash-Hijacker, and the MSCache variant as MSUpdates\MSCache, by Ad-Aware.
Distribution
Installed by ActiveX drive-by download on affiliate sites; typically porn in the case of XXXToolbar, from April 2003. An ‘aggressive’ downloader is usually used: if you refuse the download, a JavaScript alert complains that it won’t take no for an answer and opens the download window again.
ISTbar/MSCache was widely distributed to victims clicking on links to the ‘OutWar’ online game.
What it does
Advertising
In the XXXToolbar variant, yes: opens pop-ups as directed by its controlling server. Otherwise, no, though the TinyBar component could be used to open pop-ups.
All versions also install other third-party software which includes advertising.
Privacy violation
No.
Security issues
Yes. Can download and execute arbitrary unsigned code from its controlling server. This is used both to update the software and to install third-party software.
Stability problems
None known.
Removal
There is an entry in Add/Remove Programs for ‘MS AUpdate’ (AUpdate variant), ‘MS Updates’ (MSCache variant), or ‘ISTbar’ (ISTbar variant). Unfortunately this doesn’t remove the toolbar in the AUpdate variant, or RapidBlaster in the AUpdate or ISTbar variants; in the MSCache variant it does not appear to work at all.
Ad-Aware reflist 20.04.2003 and Spybot S&D update 2003-04-24 can remove ISTbar/AUpdate.
Manual removal
AUpdate variant
Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘AutoUpdater’ entry on the right (pointing to aupdate.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey ‘{69550BE2-9A78-11D2-BA91-00600827878D}’. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.
Restart the computer and you should be able to delete the files ‘aupdate.exe’, ‘aupdate.conf’, ‘aupdate.trk’ and (if it is there) ‘aupdate_uninstall.exe’ from the System folder. (The System folder can be found inside the Windows folder; it is called ‘System32’ on Windows NT/2000/XP or just ‘System’ on Windows 95/98/Me.)
Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster and DownloadPlus.
MSCache variant
Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u ..\mscache.dll
Next, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘MS Updates’ entry on the right (pointing to mscache.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey ‘{69550BE2-9A78-11D2-BA91-00600827878D}’. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.
Restart the computer and you should be able to delete the files ‘mscache.exe’ and ‘mscache.dll’ from the Windows folder.
Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with nCase and Wink/EasyDates.
XXXToolbar variant
Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘IST Service’ entry, if it is there. (Some early releases of XXXToolbar did not include this.)
Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"
Restart the computer and you should be able to delete the ‘ISTbar’ folder inside Program Files, and the ‘istsvc.exe’ file inside the Windows folder. You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (and .1) to clean up if you like.
Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster.
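A read-only check for the leftovers named in the three manual removal procedures above, useful for confirming what is still present before or after cleanup. This is an added example, not part of the original write-up; the function name Get-ISTbarRemnant is hypothetical, and the key Pugi.PugiObj.1 is the page's ‘(and .1)’ read literally.

```powershell
# Added example: reports ISTbar artifacts listed in the manual removal steps.
# It only reads the registry and file system; it deletes nothing.
function Get-ISTbarRemnant {   # hypothetical name, not from the page
    $clsid  = '{69550BE2-9A78-11D2-BA91-00600827878D}'
    $run    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $ie     = 'HKLM:\Software\Microsoft\Internet Explorer'
    $sysDir = [Environment]::SystemDirectory   # System32 on NT-family Windows
    $winDir = $env:WinDir

    # Whole keys. HKEY_CLASSES_ROOT has no built-in drive, so use Registry::
    $keys = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
        "$ie\Explorer Bars\$clsid",
        'HKCU:\Software\ISTbar',
        'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj',
        'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj.1'
    )
    # Named entries inside keys that themselves belong to Windows
    $values = @(
        @{ Key = $run;          Name = 'AutoUpdater' },   # AUpdate variant
        @{ Key = $run;          Name = 'MS Updates'  },   # MSCache variant
        @{ Key = $run;          Name = 'IST Service' },   # XXXToolbar variant
        @{ Key = "$ie\Toolbar"; Name = $clsid }
    )
    # Files and folders, in the locations the page gives
    $paths = @(
        'aupdate.exe', 'aupdate.conf', 'aupdate.trk', 'aupdate_uninstall.exe' |
            ForEach-Object { Join-Path $sysDir $_ }
        'mscache.exe', 'mscache.dll', 'istsvc.exe' |
            ForEach-Object { Join-Path $winDir $_ }
        Join-Path $env:ProgramFiles 'ISTbar'
    )

    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ Type = 'RegistryKey'; Item = $k }
        }
    }
    foreach ($v in $values) {
        $key = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $v.Name)) {
            [pscustomobject]@{ Type = 'RegistryValue'; Item = "$($v.Key) -> $($v.Name)" }
        }
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { [pscustomobject]@{ Type = 'File'; Item = $p } }
    }
}
Get-ISTbarRemnant | Format-Table -AutoSize
```

Empty output means none of the listed artifacts were found. On 64-bit Windows, 32-bit components are redirected to WOW6432Node and SysWOW64, which this page predates and the check does not cover.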