  1. #1
    Full Member
    Join Date
    January 18th, 2005
    Posts
    469
    I've just been testing a new software download, ISTBar, which was installed among the nonconsensual installations via security holes shown in my recent video.

    Among ISTBar's other features, the program shows links in its toolbar -- namely affiliate links to merchants' sites. Targeted CJ merchants include Apollo Hosting, Astrology.com, CareerBuilder, Jobs.com, Match.com, and Travelocity. Targeted LinkShare merchants include BareNecessities, Buy.com, Champion Sports, ePersonals, Florist.com, FragranceWeb, Golfballs.com, HotWire, JewelryWeb, LowestFare, OneTravel, Overstock.com, WicksEnd, and Wine.com. Also targeted are independent merchants Amazon.com and Date.com.

    On one hand, ISTBar's activity (as I've observed it so far) is somewhat less outrageous than some: ISTBar opens these affiliate links at users' specific request (by clicks), as distinguished from e.g. 180solutions opening affiliate links even when users type in merchants' domains. But with ISTBar profiting from installations through security holes, and with users therefore receiving ISTBar software without notice or consent, I wouldn't think many merchants would want to be paying them affiliate commissions.

    I have on hand the affiliate codes used by ISTBar in its memberships at LS, CJ, and the independent programs.

  2. #2
    ABW Ambassador Nova's Avatar
    Join Date
    January 18th, 2005
    Location
    home
    Posts
    2,395
    Thank you Ben,

    I hope your effort of reporting these issues will result in something positive, that merchants and networks do something about it, and that it will not be wasted effort to help clean up this business.

    Again, thank you.

    What does COC stand for? Crooks Overwriting Commission
    Don't worry, tracking is Infected

    Live life to the fullest. You only get 1 chance. Enjoy it while you can... Nothing lasts forever!

  3. #3
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Real nasty affiliate here. I'm sure Ben could get Overstock on his alert and testing list as they always show up on these perps' commission raping list.

    ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

    Variants
    ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an 'AUpdate' process.

    ISTbar/MSCache also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com.

    ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar based on the Pugi toolbar. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.

    ISTbar also installs other parasites: AUpdate and XXXToolbar install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus; the MSCache variant installs nCase and the Wink/EasyDates dialler.

    Also known as
    The AUpdate variant is known as SearchBarCash-Hijacker, and the MSCache variant as MSUpdates\MSCache, by Ad-Aware.

    Distribution
    Installed by ActiveX drive-by download on affiliate sites; typically porn in the case of XXXToolbar, from April 2003. An 'aggressive' downloader is usually used: if you refuse the download, a JavaScript alert complains that it won't take no for an answer and opens the download window again.

    ISTbar/MSCache was widely distributed to victims clicking on links to the 'OutWar' online game.

    What it does
    Advertising
    In the XXXToolbar variant, yes: opens pop-ups as directed by its controlling server. Otherwise, no, though the TinyBar component could be used to open pop-ups.

    All versions also install other third-party software which includes advertising.

    Privacy violation
    No.

    Security issues
    Yes. Can download and execute arbitrary unsigned code from its controlling server. This is used both to update the software and to install third-party software.

    Stability problems
    None known.

    Removal
    There is an entry in Add/Remove Programs for 'MS AUpdate' (AUpdate variant), 'MS Updates' (MSCache variant), or 'ISTbar' (ISTbar variant). Unfortunately this doesn't remove the toolbar in the AUpdate variant, or RapidBlaster in the AUpdate or ISTbar variants; in the MSCache variant it does not appear to work at all.

    Ad-Aware reflist 20.04.2003 and Spybot S&D update 2003-04-24 can remove ISTbar/AUpdate.

    Manual removal
    AUpdate variant
    Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry on the right (pointing to aupdate.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

    Restart the computer and you should be able to delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and (if it is there) 'aupdate_uninstall.exe' from the System folder. (The System folder can be found inside the Windows folder; it is called 'System32' on Windows NT/2000/XP or just 'System' on Windows 95/98/Me.)

    Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster and DownloadPlus.

    MSCache variant
    Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u ../mscache.dll

    Next, open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'MS Updates' entry on the right (pointing to mscache.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

    Restart the computer and you should be able to delete the files 'mscache.exe' and 'mscache.dll' from the Windows folder.

    Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with nCase and Wink/EasyDates.

    XXXToolbar variant
    Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry, if it is there. (Some early releases of XXXToolbar did not include this.)

    Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "\Program Files\ISTbar\istbar.dll"

    Restart the computer and you should be able to delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder. You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (and .1) to clean up if you like.

    Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster.

    Links
    Integrated Search Technologies is part of porn group affiliate scheme GammaCash.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

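A read-only check for the artifacts named in the manual removal steps of post #3, added here as an example and not part of the original thread. It uses only the registry values, CLSID, and file names quoted in that post; the function names Test-RegValue and Add-Hit are this example's own.

```powershell
# Read-only audit for the ISTbar artifacts listed in the removal steps above.
# It reports what is present and deletes nothing.
$clsid   = '{69550BE2-9A78-11D2-BA91-00600827878D}'
$run     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ie      = 'HKLM:\Software\Microsoft\Internet Explorer'
$sysDirs = 'System32', 'System' | ForEach-Object { Join-Path $env:WinDir $_ }

$found = @()
function Test-RegValue([string]$Key, [string]$Name) {
    try { $null -ne (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop) }
    catch { $false }   # key or value is absent
}
function Add-Hit([string]$Variant, [string]$Kind, [string]$Where) {
    $script:found += [pscustomobject]@{ Variant = $Variant; Kind = $Kind; Artifact = $Where }
}

# Autostart values under the Run key, one per variant
$runValues = @{ 'AutoUpdater' = 'AUpdate'; 'MS Updates' = 'MSCache'; 'IST Service' = 'XXXToolbar' }
foreach ($name in $runValues.Keys) {
    if (Test-RegValue $run $name) { Add-Hit $runValues[$name] 'Run value' "$run\$name" }
}

# Toolbar CLSID shared by the AUpdate and MSCache variants
foreach ($key in "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid", "$ie\Explorer Bars\$clsid") {
    if (Test-Path -LiteralPath $key) { Add-Hit 'AUpdate/MSCache' 'Registry key' $key }
}
if (Test-RegValue "$ie\Toolbar" $clsid) { Add-Hit 'AUpdate/MSCache' 'Registry value' "$ie\Toolbar" }

# Registry keys left by the XXXToolbar variant
$xxxKeys = 'HKCU:\Software\ISTbar', 'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj',
           'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj.1'
foreach ($key in $xxxKeys) {
    if (Test-Path -LiteralPath $key) { Add-Hit 'XXXToolbar' 'Registry key' $key }
}

# Files and folders, mapped to the variant that drops them
$files = @{}
foreach ($dir in $sysDirs) {
    foreach ($f in 'aupdate.exe', 'aupdate.conf', 'aupdate.trk', 'aupdate_uninstall.exe') {
        $files[(Join-Path $dir $f)] = 'AUpdate'
    }
}
foreach ($f in 'mscache.exe', 'mscache.dll') { $files[(Join-Path $env:WinDir $f)] = 'MSCache' }
$files[(Join-Path $env:WinDir 'istsvc.exe')]   = 'XXXToolbar'
$files[(Join-Path $env:ProgramFiles 'ISTbar')] = 'XXXToolbar'
foreach ($path in $files.Keys) {
    if (Test-Path -LiteralPath $path) { Add-Hit $files[$path] 'File' $path }
}

if ($found) { $found | Sort-Object Variant, Kind | Format-Table -AutoSize }
else { 'None of the listed ISTbar artifacts were found.' }
```

On 64-bit Windows, run it from a 32-bit PowerShell host as well, because 32-bit Internet Explorer components register under the redirected registry view and the 32-bit Program Files folder.
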
  4. #4
    I like traffic lights
    Join Date
    January 18th, 2005
    Location
    Southern hemisphere - away from Fukushima
    Posts
    2,936
    As always, with the aggregators appearing to be dragging the chain on this matter, the best course for affiliates is to put Firefox download buttons on ALL their websites and encourage surfers to migrate from IE.

    10% have done so already. Let's keep 'em coming.

    All the adware scum perps (insert Mike's favourite terms here) rely on Microsoft for their thievery. Move them off Microsoft and claim back your rightful commissions!
