istsvc.exe - Dangerous
ISTbar is an Internet Explorer (IE) toolbar with several variants:
1. ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an 'AUpdate' process.
2. ISTbar/MSCache also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com.
ISTbar/MSCache was widely distributed to victims clicking on links to the 'OutWar' online game.
3. ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar based on the Pugi toolbar. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com. It opens pop-ups as directed by its controlling server.
All versions also install other third-party software which includes advertising.
ISTbar also installs other parasites: AUpdate and XXXToolbar install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus; the MSCache variant installs nCase and the Wink/EasyDates dialler.
Automatic removal:
Use RegRun Startup Optimizer to remove it.
Manual removal:
AUpdate variant
Find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'AutoUpdater' entry pointing to aupdate.exe.
Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.
Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.
Restart the computer and delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and (if it is there) 'aupdate_uninstall.exe' from the System folder.
MSCache variant
In the DOS command prompt window enter the following commands:
cd "%WinDir%\System"
regsvr32 /u ..\mscache.dll
Then find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'MS Updates' entry pointing to mscache.exe.
Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.
Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.
Restart the computer and delete the files 'mscache.exe' and 'mscache.dll' from the Windows folder.
XXXToolbar variant
Find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'IST Service' entry, if it is there.
Open a DOS command prompt window and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"
Restart the computer and delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder.
You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj.
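The registry entries, files and folder named in the three manual-removal procedures above can be checked for before anything is edited. The PowerShell below is an added example, not part of the original page or of any removal tool it mentions; it only reads, and it assumes the page's 'System folder' is %WinDir%\System (System32 is checked as well) and that 'Program Files' is the %ProgramFiles% folder.

```powershell
# Added example: read-only audit for the ISTbar artifacts listed on this page.
# It reports what is present and deletes or unregisters nothing.
$clsid = '{69550BE2-9A78-11D2-BA91-00600827878D}'
$run   = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
$ie    = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
$hkcr  = 'Registry::HKEY_CLASSES_ROOT'
$win   = $env:WinDir
$pf    = $env:ProgramFiles   # assumption: the page's 'Program Files' folder

# Each check is either a path (registry key, file or folder) or a named
# registry value under a key. Variant names follow the page's headings.
$checks = @(
    @{ Variant = 'AUpdate';         Path = $run; Value = 'AutoUpdater' }
    @{ Variant = 'MSCache';         Path = $run; Value = 'MS Updates' }
    @{ Variant = 'XXXToolbar';      Path = $run; Value = 'IST Service' }
    @{ Variant = 'AUpdate/MSCache'; Path = "$hkcr\CLSID\$clsid" }
    @{ Variant = 'AUpdate/MSCache'; Path = "$ie\Explorer Bars\$clsid" }
    @{ Variant = 'AUpdate/MSCache'; Path = "$ie\Toolbar"; Value = $clsid }
    @{ Variant = 'MSCache';         Path = "$win\mscache.exe" }
    @{ Variant = 'MSCache';         Path = "$win\mscache.dll" }
    @{ Variant = 'XXXToolbar';      Path = "$win\istsvc.exe" }
    @{ Variant = 'XXXToolbar';      Path = "$pf\ISTbar" }
    @{ Variant = 'XXXToolbar';      Path = 'Registry::HKEY_CURRENT_USER\Software\ISTbar' }
    @{ Variant = 'XXXToolbar';      Path = "$hkcr\Pugi.PugiObj" }
)
# Assumption: the page's 'System folder' is %WinDir%\System (its cd target);
# System32 is checked as well because NT-based Windows uses it.
foreach ($dir in "$win\System", "$win\System32") {
    foreach ($f in 'aupdate.exe', 'aupdate.conf', 'aupdate.trk', 'aupdate_uninstall.exe') {
        $checks += @{ Variant = 'AUpdate'; Path = "$dir\$f" }
    }
}

function Test-Artifact($c) {
    if (-not (Test-Path -LiteralPath $c.Path)) { return $false }
    if (-not $c.Value) { return $true }
    # Named value: present only if the key lists a value with this name.
    return (Get-Item -LiteralPath $c.Path).GetValueNames() -contains $c.Value
}

$hits = @($checks | Where-Object { Test-Artifact $_ } | ForEach-Object {
    [pscustomobject]@{ Variant = $_.Variant; Path = $_.Path; Value = $_.Value }
})
if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap }
else { 'No ISTbar artifacts from this page were found.' }
```

Run it as the affected user, since the Run-key checks read that user's HKEY_CURRENT_USER hive.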
istsvc.exe | Malware |
istsvc.exe | Dangerous |
istsvc.exe | High Risk |
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.