Results 1 to 3 of 3
  1. #1
    Affiliate Marketing Consultant Linda - 5starAffiliatePrograms's Avatar
    Join Date
    January 18th, 2005
    Location
    SoCal
    Posts
    4,040
    I just came accross this in another forum.
    Don't know if it's a parasite but sure sounds like it. I did a search and have not seen it mentioned on ABW.

    QUOTE from a poster on another forum:

    "And you thought Gator's attempted auto-install popups were bad... Meet IE Plugin by CDT Inc / searchbarcash.com. After you click "No" on the install box, it comes up with a javascript prompt that says "You Must Click YES". Then it comes up with the auto-install box AGAIN. Once you click no, it comes up with another javascript prompt saying "You Must Click OPEN". Then, it opens an exe file, to which your browser will prompt you to open or save.

    This is why people use popup blockers, which end up hurting the income of many affiliates and webmasters.

    Linda Buquet | Affiliate Management Consultant | Catalyst eMarketing.com
    Representing: zZounds (Music Indie) Irvs Luggage (CJ) RoadLoans (CJ)

  2. #2
    Member
    Join Date
    January 18th, 2005
    Posts
    59
    Yes, that's ISTbar/AUpdate. Nasty stuff - documented here:

    http://www.doxdesk.com/parasite/ISTbar.html

    Having a JavaScript prompt complain and repeat when an ActiveX drive-by is refused is a very common tactic from the dialler world.

    --
    Andrew Clover
    mailto:and@doxdesk.com
    http://www.doxdesk.com/

  3. #3
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Andrew's page goes to show why the network's TOS and Coc should be ammended to immediately cancel any affiliates account who places a drive-by install script on their hosted web site.

    Description
    ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

    Variants
    ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server.

    ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar code. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.

    ISTbar alse installs other parasites: both variants install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus.

    Also known as
    The AUpdate variant is known as SearchBarCash-Hijacker by Ad-Aware.

    Distribution
    Installed by ActiveX drive-by download on affiliate sites, typically porn adverts, from April 2003.

    What it does
    Advertising
    In the XXXToolbar variant, yes: opens pop-ups as directed by its controlling server. In AUpdate, no, though the TinyBar component could be used to open pop-ups in the future.

    Both variants install other third-party software which includes advertising.

    Privacy violation
    No.

    Security issues
    Yes. Can download and execute arbitrary unsigned code from its controlling server. This is used both to update the software and to install third-party software.

    Stability problems
    None known.

    Removal
    There is a entry in Add/Remove Programs for 'MS AUpdate' (AUpdate variant) or 'ISTbar' (ISTbar variant). Unfortunately this doesn't remove the toolbar in the AUpdate variant, or RapidBlaster in either variant.

    Ad-Aware reflist 20.04.2003 and Spybot S&D update 2003-04-24 can remove ISTbar/AUpdate.

    Manual removal
    AUpdate variant
    Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry on the right (pointing to aupdate.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

    Restart the computer and you should be able to delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and (if it is there) 'aupdate_uninstall.exe' from the System folder. (The System folder can be found inside the Windows folder; it is called 'System32' on Windows NT/2000/XP or just 'System' on Windows 95/98/Me.)

    Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster and DownloadPlus.

    XXXToolbar variant
    Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry, if it is there. (Some early releases of XXXToolbar did not include this.)

    Open a DOS command prompt window (form Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "\Program Files\ISTbar\istbar.dll"
    Restart the computer and you should be able to delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder. You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (and .1) to clean up if you like.

    Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster.



    Mike & Charlie ...

    If they won't adopt and feed a bird ..flip them one! BBQ some Gator and remember to flush WhenU..

  4. Newsletter Signup

+ Reply to Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •