Symantec Adware.Istbar/Trojan.ISTsvc Removal Tool 1.1.0

Removes toolbar and hijacks from Adware.SideFind and Trojan.ISTsvc.

September 30, 2005
Freeware
Windows (all)
164 KB
Behavior
Adware.Istbar is an adware component, which does one or more of the following:

* Installs an Internet Explorer toolbar
* Acts as a Home page and search hijacker

This risk is often distributed with Adware.SideFind and Trojan.ISTsvc.

Symptoms
Your Symantec program detects Adware.Istbar

Transmission
This security risk can be downloaded from a Web page using an ActiveX installer.

Technical details
File names:
IstBar_DH.dll
istbar.dll
istbarcm.dll
istdownload.exe
cmctl.dll
ysbactivex.dll

Note: Detections dated March 3rd, 2005 or earlier may detect this adware as Adware.Istbar!Dl.

When Adware.Istbar is installed, it does the following:

1. May create some of the following folders and files:

* %ProgramFiles%\ISTbar\cmctl.dll
* %ProgramFiles%\ISTbar\istbarcm.dll
* %ProgramFiles%\ISTbar\imagemap_normal.bmp
* %ProgramFiles%\ISTbar\imagemap_over.bmp
* %ProgramFiles%\ISTbar\version.txt
* %ProgramFiles%\ISTbar\xml_istbar.xml
* %UserProfile%\Favorites\Fun & Games, drops numerous link files in this folder
* %UserProfile%\Favorites\Going Places, drops numerous link files in this folder
* %UserProfile%\Favorites\Living, drops numerous link files in this folder
* %UserProfile%\Favorites\Shop, drops numerous link files in this folder
* %UserProfile%\Favorites\Technology, drops numerous link files in this folder

Notes:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

2. Creates some of the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar
HKEY_CURRENT_USER\Software\ISTbar
HKEY_CLASSES_ROOT\ISTbar.BarObj
HKEY_CLASSES_ROOT\Pugi.PugiObj.1
HKEY_CLASSES_ROOT\Pugi.PugiObj
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag.1
HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbarISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YSBactivex.Installer

3. Adds the values:

"Bandrest" = "Never"
"Search Bar" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Search Page" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Search Page_bak" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Start Page" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Start Page_bak" = "file:///C:/WINNT/Web/Start.htm"
"Use Search Assistant" = "no"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

to redirect the start page and search pages.

4. Adds the value:

"Bandrest" = "Never"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

5. Adds the values:

"{FAA356E4-D317-42A6-AB41-A3021C6E7D52}" = ""
"{5F1ABCDB-A875-46C1-8345-B72A4567E486}" = ""

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

6. Adds the following toolbar to all Internet Explorer windows:
7. Displays links in the toolbar area relating to words typed anywhere in an Internet Explorer window.
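
The registry traces listed above can be checked offline against an exported registry file. The following is an added example, not part of the original write-up or of Symantec's tool: it parses `.reg` text (assumed already decoded to a string) and reports the start/search page values pointing at the couldnotfind.com domain, the two toolbar CLSID values, and the ISTbar and Browser Helper Object keys. The function names and the sample export, including its URLs, are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up above (compared case-insensitively).
HIJACK_DOMAIN = "couldnotfind.com"
HIJACK_VALUES = {"search bar", "search page", "start page"}
TOOLBAR_CLSIDS = {"{faa356e4-d317-42a6-ab41-a3021c6e7d52}",
                  "{5f1abcdb-a875-46c1-8345-b72a4567e486}"}
KEY_SUFFIXES = (r"\software\istbar",
                r"\browser helper objects\{a3fdd654-a057-4971-9844-4ed8e67dbbb8}")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')

# Constructed sample of exported .reg text; the URLs are made up for the example.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.couldnotfind.com/home"
"Start Page_bak"="file:///C:/WINNT/Web/Start.htm"
"Search Page"="http://search.example.org/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{FAA356E4-D317-42A6-AB41-A3021C6E7D52}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar]
'''

def parse_reg(text):
    """Yield (key, name, data); name is None for a key header line."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2).strip('"')

def host_of(url):  # host of a URL value; tolerates data stored without a scheme
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def find_indicators(text):
    """Return (kind, detail) findings for the traces listed in the write-up."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if k.endswith(KEY_SUFFIXES):
                findings.append(("key", key))
        elif k.endswith(r"\internet explorer\main"):
            if (name.lower().removesuffix("_bak") in HIJACK_VALUES and
                    ("." + host_of(data)).endswith("." + HIJACK_DOMAIN)):
                findings.append(("hijack", name))
        elif r"\internet explorer\toolbar" in k and name.lower() in TOOLBAR_CLSIDS:
            findings.append(("toolbar", name))
    return findings
```

The host comparison matches the domain and its subdomains only, so a look-alike such as `notcouldnotfind.com` is not reported.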