Description

ISTBar (MSUpdates\MSCache; SearchBarCash; TinyBar; ISTBar/AUpdat; and variants, including ISTBar/MSCache and ISTBar/XXXToolbar) is a browser hijacker that reconfigures the start page, toolbars, and search page in IE. It also delivers pop-up ads and, in some variants, will present porn in the form of pop-up windows on your Desktop. ISTBar has been known to carry other spyware into your system, as well.

ISTBar is an ActiveX control that installs itself automatically on any PC that comes into contact with its affiliated sites. You are most at risk of acquiring ISTBar when you visit porn sites.

How To Tell If ISTBar Is Present On Your System

You'll notice the sudden appearance of a new start page and the ISTBar toolbar in your browser interface. ISTBar also will generate pop-up ads, especially porn pop-up ads.

How To Get Rid Of ISTBar With Ad-Aware SE

Most anti-spyware utilities are capable of removing ISTBar. You can remove it with Ad-aware SE, for instance. Simply open the anti-spyware utility and click the Scan Now button to launch a search for malware. When the search is complete, choose the Critical Objects tab to view the list of identified components. Select all of the spyware-related items, including anything that refers to the ISTBar variants we described, and click the Next button. Finally, click OK to move the selected items to a quarantine folder. Reboot your system if prompted to do so.

WARNING: The following section includes step-by-step information on how to edit the Windows Registry, a large database containing system and program settings that are essential to how the OS (operating system) operates. Follow Registry-editing instructions to the letter and be sure to make a backup of your Registry before you begin. (Registry errors can render your computer inoperable if you don't have a backup.) This procedure differs depending on the OS you use. For more information on backing up and editing the Registry, see these articles: "Protect Yourself" and "Register Here."

How To Get Rid Of ISTBar Manually

One option for the manual removal of ISTBar is to open the Add Or Remove Programs (Add/Remove Programs Properties in Windows 98/Me) dialog box and look for references to ISTBar and its variants. When you find one, select it and click the Remove or Add/Remove button. Follow the on-screen instructions to complete the process. Reboot your computer if necessary and return to the Add Or Remove Programs (Add/Remove Programs Properties in Win98/Me) dialog box to look for references to ISTsvc, MS AUpdate, MS Updates, and XXXToolbar. Remove each one you find. Reboot the computer after removing all of the ISTBar-related components.

Another option is to perform a full manual uninstall in which you unregister the spyware program's DLL files, remove its Registry settings, and wipe away any files and folders it placed on the Windows drive. Start by searching your Windows drive for the Mscache.dll and Istbar.dll files. Note their locations (if present) and then close the search utility.

If you found the Mscache.dll file, open the Command Prompt (MS-DOS Prompt in Win98/Me) window and access a C:\WINDOWS\SYSTEM32> (C:\WINDOWS\SYSTEM> in Win98/Me) prompt, where C is the letter assigned to the Windows drive. Type regsvr32 /u followed immediately by the exact location of the Mscache.dll file in quotation marks (for example: regsvr32 /u "windows\system\mscache.
dll"). Press ENTER, type exit at the prompt, and press ENTER again to close the window.

The next step for all users is to open the Registry Editor and delete the following keys and values (if present):

• HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11D2-BA91-00600827878D}

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\
RUN\AUTOUPDATER

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\
RUN\IST SERVICE

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\
RUN\MSUPDATES

• HKEY_LOCAL_MACHINE\SOFTWARE\ISTSVC

• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\
EXPLORER BARS\{69550BE2-9A78-11D2-BA91-00600827878D}

• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\
TOOLBAR\{69550BE2-9A78-11D2-BA91-00600827878D}

Close the Registry Editor after deleting the aforementioned values.

If you found the Istbar.dll file on your PC earlier, your next step is to open the Command Prompt (MS-DOS Prompt in Win98/Me) window and access a C:\WINDOWS\SYSTEM32> (C:\WINDOWS\SYSTEM> in Win98/Me) prompt. Type regsvr32 /u followed by the location of the Istbar.dll file in quotation marks (for example: regsvr32 /u "windows\
system\istbar.dll"). Press ENTER to unregister the DLL file, type exit, and press ENTER again to close the window. Reboot your computer. When Windows restarts, return to the Registry Editor and locate the HKEY_CURRENT_USER\SOFTWARE\ISTBAR key. Delete this key. While you're at it, locate and delete the HKEY_CLASSES_ROOT\PUGI
.PUGIOBJ key, as well as any other keys or values that refer to Pugi. Close the Registry Editor.

The last couple of steps are for all users. Open My Computer and browse the WINDOWS, WINDOWS\SYSTEM32 (WINDOWS\SYSTEM in Win98/Me) and PROGRAM FILES folders on the Windows drive for the ISTBar folder and the following files: Aupdate.exe, Aupdate.conf, Aupdate.trk, Aupdate_uninstall.exe, Istsvc.exe, Mscache.dll, and Mscache.exe. Delete any of these you find. Finally, restore your browser settings by opening the Tools menu in IE, selecting Internet Options, and clicking the Reset Web Settings button on the Programs tab.