ADW_ISTBAR.II

Type: Adware

Aliases: ISTbar (Ad-Aware), ISTbar (Mcafee), ISTbar (PestPatrol), ISTbar.Slotch (SpyBot), Adware.Istbar (Symantec)

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 95, 98, ME, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

Reported detections: Low

System impact: High

Information exposure: Medium

Description:

This ADW_ISTBAR variant opens the following site, which displays a pop-up advertisement while the Internet browser is opened:

    http://www.slotch.com/ist/scripts/log_unistalls.php

Upon execution, this memory-resident adware drops a copy of itself as ISTSVC.EXE in the %Program Files%\ISTsvc folder.

(Note: %Program Files% refers to the Program Files folder, which is usually C:\Program Files.)

Description created:  Jun 19, 2005



TECHNICAL DETAILS



Initial samples received on:  Jun 6, 2004

File type: PE

Memory resident: Yes

Compression type: UPX

Download URL: http://www.slotch.com/ist/scripts/log_unistalls.php;
http://www.xxtoolbar.com/ist/scripts/istsvc_config.php

File size: 11,264 Bytes (compressed);
28,672 Bytes (uncompressed)

Details:

This ADW_ISTBAR variant opens the following site, which displays a pop-up advertisement while the Internet browser is opened:

    http://www.slotch.com/ist/scripts/log_unistalls.php

Upon execution, this memory-resident adware drops a copy of itself as ISTSVC.EXE in the %Program Files%\ISTsvc folder.

(Note: %Program Files% refers to the Program Files folder, which is usually C:\Program Files.)

It then creates the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
IST Service = "C:\Program Files\ISTsvc\istsvc.exe"

It also creates the following registry entry and registry key, respectively, which serve as its settings markers:

HKEY_LOCAL_MACHINE\Software\ISTsvc
version = "dword:000003f3"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Uninstall\ISTsvc

This adware's configurations can also be found in the following Web site:

    http://www.xxtoolbar.com{BLOCKED}scripts/istsvc_config.php

Furthermore, it creates the mutex ISTsvcMUTEX to ensure that only one instance of itself is running in memory.

Analysis by:  Lordian Corpuz Mosuela



SOLUTION


Minimum scan engine version needed: 7.100

Download the latest scan engine

Spyware pattern version needed : 0.623.00

Pattern release date:  Apr 8, 2008

DCE version needed: 3.9

Spyware cleanup version needed: 200.06

Pattern release date:  Jun 18, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

MANUAL REMOVAL INSTRUCTIONS

Identifying the Grayware Program

Download the latest grayware pattern file and scan your system. Note all files detected as ADW_ISTBAR.II.

Terminating the Grayware Program

This procedure terminates the running grayware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    On Windows NT, 2000, XP and Server 2003, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the grayware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected grayware files in the list of running processes.
  5. To check if the grayware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the grayware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the grayware from executing at startup.

If the registry entries below are not found, the grayware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    ISTService = "%Program Files%\ISTsvc\istsvc.exe"
    (Note: %Program Files% refers to the Program Files folder, which is usually C:\Program Files.)
  4. Close Registry Editor.

Removing Keys from the Registry

  1. In the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software
  2. Still in the left panel, locate and delete the subkey:
    ISTsvc
  3. Close Registry Editor.
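As an added example (not part of this Trend Micro entry), the following PowerShell function audits a host for the artifacts listed above: the dropped file, the Run value (this page spells it both "IST Service" and "ISTService", so both are checked), the HKLM\Software\ISTsvc marker key, the Uninstall key, the ISTsvcMUTEX mutex and the istsvc process. It only reports findings; removal stays with the manual steps above or the scanner.

```powershell
# Added example: detection-only audit for the ADW_ISTBAR.II artifacts
# described on this page. Run from an elevated (Administrator) prompt.
function Test-IstbarArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copy: %Program Files%\ISTsvc\istsvc.exe
    $exe = Join-Path $env:ProgramFiles 'ISTsvc\istsvc.exe'
    if (Test-Path -LiteralPath $exe) { $findings.Add("file: $exe") }

    # 2. Autostart value under the Run key (both spellings seen on this page)
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in 'IST Service', 'ISTService') {
        $v = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
        if ($v) { $findings.Add("run value: $name = $($v.$name)") }
    }

    # 3. Settings marker key and its "version" value
    $marker = 'HKLM:\Software\ISTsvc'
    if (Test-Path -LiteralPath $marker) {
        $ver = (Get-ItemProperty -Path $marker -ErrorAction SilentlyContinue).version
        $findings.Add("marker key: $marker (version=$ver)")
    }

    # 4. Uninstall key
    $uninst = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc'
    if (Test-Path -LiteralPath $uninst) { $findings.Add("uninstall key: $uninst") }

    # 5. Mutex ISTsvcMUTEX exists only while the adware is resident in memory.
    #    OpenExisting throws when the mutex is absent (or not accessible).
    try {
        $m = [System.Threading.Mutex]::OpenExisting('ISTsvcMUTEX')
        $m.Dispose()
        $findings.Add('mutex: ISTsvcMUTEX is present (adware is running)')
    } catch { }

    # 6. Running process named istsvc
    if (Get-Process -Name istsvc -ErrorAction SilentlyContinue) {
        $findings.Add('process: istsvc.exe is running')
    }

    return $findings
}

# Usage: an empty result means none of the listed artifacts were found.
Test-IstbarArtifacts
```

On 64-bit Windows a 32-bit dropper is redirected to Program Files (x86) and to the WOW6432Node view of these keys, so check those locations as well.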

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Download and unzip the latest grayware pattern file and scan your system. Then, delete all files detected as ADW_ISTBAR.II.

Note: If the above manual removal instructions fail to eliminate this spyware, close all Internet Explorer windows, and perform the solution again.