kma, madjack, others computer help

kneifl

Registered User
Forum Member
Jan 12, 2001
Virginia
www.tradewithjon.com
Ok guys I have a problem with some spyware. I think it is slowing my computer down a little bit. I run adaware and spybot daily and I have seen the last few times it has been showing up when I remove it and it has even been showing up when I manually remove it from the registry. I am not at my home computer right now, but the Spyware is showing up in my directory with the name "istbar" and it keeps on reattaching itself. Is there anything I can do??? Thanks for the help.

kneifl
 

MadJack

Administrator
Staff member
Forum Admin
Super Moderators
Channel Owner
Jul 13, 1999
home
sounds like a job for KMA. sorry, i'm an idiot with things like that.
 

KMA

Registered User
Forum Member
May 25, 2003
ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

ISTbar/AUpdate installs a tiny bar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an 'AUpdate' process.

ISTbar/MSCache also uses tiny bar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com.

ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar based on the pugi. toolbar. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.

Installed by ActiveX drive-by download on affiliate sites; typically porn in the case of XXXToolbar, from April 2003. An 'aggressive' downloader is usually used: if yah refuse the download, a JavaScript alert complains that it won't take no for an answer and opens the download window again.

ISTbar/MSCache was widely distributed to victims clicking on links to the 'OutWar' online game.


Removal:

There is an entry in Add/Remove Programs for 'MS AUpdate' (AUpdate variant), 'MS Updates' (MSCache variant), or 'ISTbar' (ISTbar variant). Unfortunately this doesn't remove the toolbar in the AUpdate variant, or RapidBlaster in the AUpdate or ISTbar variants; in the MSCache variant it does not appear to work at all.

Ad-Aware reflist 20.04.2003 and Spybot S&D update 2003-04-24 can remove ISTbar/AUpdate.


Manual Removal:

Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry on the right (pointing to aupdate.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and you should be able to delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and (if it is there) 'aupdate_uninstall.exe' from the System folder. (The System folder can be found inside the Windows folder; it is called 'System32' on Windows NT/2000/XP or just 'System' on Windows 95/98/Me.)

Finally yah can restore your normal search settings (Internet Options->Programs->Reset Web Settings)

If at this time yah find you have rapidblaster or Download Plus, post it and I'll help yah get rid of those. Yah might not have those tho.



MSCache variant:

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u ../mscache.dll


Next, open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'MS Updates' entry on the right (pointing to mscache.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and yah should be able to delete the files 'mscache.exe', and 'mscache.dll' from the Windows folder.

Finally yah can restore your normal search settings (Internet Options->Programs->Reset Web Settings)

If yah now have ncase or winkeasydates, let me know and I'll help yah get rid of them.


XXXToolbar variant:

Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry, if it is there. (Some early releases of XXXToolbar did not include this.)

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"


Restart the computer and you should be able to delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder. You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (and .1) to clean up if yah like.

Now yah can restore your normal search settings (Internet Options->Programs->Reset Web Settings)

Now, if yah have problems with rapidblaster, let me know.

Integrated Search Tech is part of a porn group affiliate scheme.
 

kneifl

Registered User
Forum Member
Jan 12, 2001
Virginia
www.tradewithjon.com
KMA,

I could not find any of those things in my registry.

However, I am at my home computer now. When I run adaware or spybot here is the registry key and registry value that keeps on showing up, even when I quarantine them and remove them manually they somehow reattach themselves once I restart my computer.

Here they are:

HKEY_USERS: S-1-5-21-1177238915-1060284298-854245398-1004\software\ist


HKEY_USERS: S-1-5-21-1177238915-1060284298-854245398-1004\software\ist "Recover"

Thanks,

kneifl
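The registry and file locations KMA's removal steps name (the per-user Run value, the CLSID {69550BE2-9A78-11D2-BA91-00600827878D} under CLSID, Explorer Bars and Toolbar, the mscache.dll Browser Helper Object, and the dropped files), together with the HKEY_USERS\<SID>\Software\IST key kneifl reports, are all persistence points that can be checked in one pass before anything is deleted. The PowerShell script below is an added example, not code from this thread or from the tools mentioned in it; it is read-only and only reports what it finds. It assumes PowerShell 5 or later on an NT-family Windows (so the System folder is System32) and uses exactly the value names, CLSID and file names given in the posts above; the per-user key is checked both as HKCU\Software\IST and as HKEY_USERS\<current SID>\Software\IST, which are the same data for the logged-on user.

```powershell
# Added example (not from the thread): read-only audit of the ISTbar persistence
# points named in KMA's post and the HKEY_USERS\<SID>\Software\IST key kneifl saw.
# Run from an elevated PowerShell prompt on Windows NT/2000/XP or later. It only
# reads the registry and file system; removal is left to the steps in the thread.

$clsid    = '{69550BE2-9A78-11D2-BA91-00600827878D}'      # CLSID given in the thread
$runNames = 'AutoUpdater', 'MS Updates', 'IST Service'    # Run values given in the thread

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Where, [string]$What) {
    $findings.Add([pscustomobject]@{ Location = $Where; Detail = $What })
}

# 1. Per-user Run key: the loader that re-creates the toolbar after every reboot.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $runNames) {
        if ($run.PSObject.Properties.Name -contains $name) {
            Add-Finding $runKey "$name = $($run.$name)"
        }
    }
}

# 2. COM registration and the Internet Explorer hooks for the toolbar's CLSID.
foreach ($p in @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                 "HKLM:\Software\Microsoft\Internet Explorer\Explorer Bars\$clsid")) {
    if (Test-Path $p) { Add-Finding $p 'key present' }
}
$toolbarKey = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
if (Test-Path $toolbarKey) {
    $tb = Get-ItemProperty -Path $toolbarKey
    if ($tb.PSObject.Properties.Name -contains $clsid) { Add-Finding $toolbarKey "$clsid value present" }
}

# 3. Browser Helper Objects: the MSCache variant loads mscache.dll this way.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $id     = $_.PSChildName
        $server = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        if ($server -match 'mscache\.dll|istbar\.dll') { Add-Finding "$bhoKey\$id" $server }
    }
}

# 4. Per-user data keys. HKEY_USERS\<SID>\Software\IST (as Ad-Aware/Spybot report it)
#    is the same key as HKCU\Software\IST for the logged-on user; both spellings are
#    listed so the scanner's report can be matched against what is actually present.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
foreach ($p in @('HKCU:\Software\IST', 'HKCU:\Software\ISTbar',
                 "Registry::HKEY_USERS\$sid\Software\IST",
                 'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj')) {
    if (Test-Path $p) {
        $vals = (Get-ItemProperty $p).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
        Add-Finding $p (($vals -join '; ') -replace '^$', 'key present, no values')
    }
}

# 5. Files the thread says each variant drops (System32 here; 'System' on 9x/Me).
$sys   = Join-Path $env:WinDir 'System32'
$files = @(
    (Join-Path $sys 'aupdate.exe'), (Join-Path $sys 'aupdate.conf'), (Join-Path $sys 'aupdate.trk'),
    (Join-Path $env:WinDir 'mscache.exe'), (Join-Path $env:WinDir 'mscache.dll'),
    (Join-Path $env:WinDir 'istsvc.exe'), (Join-Path $env:ProgramFiles 'ISTbar')
)
foreach ($f in $files) { if (Test-Path $f) { Add-Finding $f 'exists' } }

if ($findings.Count -eq 0) { 'No ISTbar indicators from the thread were found.' }
else                       { $findings | Format-Table -AutoSize }
```

If the script reports only the HKCU\Software\IST data key (as in kneifl's case) and none of the Run, CLSID, BHO or file entries, the key is being re-created by something the thread's list does not cover, so the next step is to look at what else starts with the user's session rather than deleting the same key again.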
 

kneifl

Registered User
Forum Member
Jan 12, 2001
Virginia
www.tradewithjon.com
KMA -

Can you help me with any of the registry variables I gave you?? Thanks for the initial help but I could not find any of those variables in my registry.

Thanks again,

kneifl
 