Severity scale:  
  (49/100)

ISTbar. How to remove? (Uninstall guide)

removal by Jake Doevan - -   Also known as Adware.Istbar | Type: Browser Plugins
12

Information about ISTbar:

ISTbar, also known as Adware.Istbar is a malicious Internet Explorer search toolbar that hijacks a web browser by changing its default start page and modifying related settings. It also adds numerous bookmarks leading to advertising resources, displays undesirable pop-up advertisements and pornographic content. ISTbar downloads and installs multiple third-party adware and spyware parasites without asking for user permission. It has the ability to silently update itself via the Internet. ISTbar is usually installed by some infamous advertising and pornographic websites. The parasite automatically runs on every Windows startup. It places its files on Windows registry, and it is quite hard to find all these files and delete them in order to remove this computer parasite.

ISTbar

How can ISTbar hijack computers?

ISTbar is distributed as a software attachment, but you can also accidentally install it if you tend to browse through unreliable websites. As we have already mentioned, it can be distributed on various porn websites; also, it can be sent by mail. To prevent silent installation of ISTbar, you need to be careful when surfing the web. Do not open Spam or Junk emails and do not download the attachments from such e-mails. Also, be attentive while installing new programs. Make sure you choose Advanced or Custom installation mode and then untick the agreement to install ISTbar.

How to remove this malicious program?

ISTbar virus can be deleted manually, but you can check the manual removal method below this article – and you will see that it is very complicated to do and might take a long time to remove it entirely. To delete ISTbar completely, you should use a professional removal tool. So you should install Reimage and run a full system scan with it.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove ISTbar you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall ISTbar. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Note: Manual assistance required means that one or all of removers were unable to remove parasite without some manual intervention, please read manual removal instructions below.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.
Alternate Software
Plumbytes Anti-Malware
We have tested Plumbytes Anti-Malware's efficiency in removing ISTbar (2005-09-03)
Malwarebytes Anti Malware
We have tested Malwarebytes Anti Malware's efficiency in removing ISTbar (2005-09-03)
Hitman Pro
We have tested Hitman Pro's efficiency in removing ISTbar (2005-09-03)
Webroot SecureAnywhere AntiVirus
We have tested Webroot SecureAnywhere AntiVirus's efficiency in removing ISTbar (2005-09-03)

ISTbar manual removal:

Kill processes:
istsvc.exe,istdownload.exe,gjefpet.exe,juhpad.exe,sfsetup.exe,sidefind.exe

Delete registry values:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunIST Service

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainStart Page=[site address]

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainSearch Bar=[site address]

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainSearch Page=[site address]

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainBandrest=never

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainUse Search Assistant=no

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSearchSearchAssistant=[site address]

HKEY_LOCAl_MACHINESOFTWAREMicrosoftInternet ExplorerMainBandrest=never

HKEY_CURRENT_USERSoftwareIST

HKEY_CURRENT_USERSoftwareISTbar

HKEY_LOCAL_MACHINESOFTWAREISTsvc

HKEY_LOCAL_MACHINESOFTWAREISTbar

HKEY_LOCAL_MACHINESOFTWARESidefind

HKEY_LOCAL_MACHINESOFTWAREYourSiteBar

HKEY_LOCAL_MACHINESOFTWAREMicrosoftDownloadManager

HKEY_LOCAL_MACHINESOFTWAREMicrosoftSidefind

HKEY_CLASSES_ROOTBrowserHelperObject.BAHelper

HKEY_CLASSES_ROOTBrowserHelperObject.BAHelper.1

HKEY_CLASSES_ROOTISTbar.BarObj

HKEY_CLASSES_ROOTISTactivex.Installer

HKEY_CLASSES_ROOTISTactivex.Installer.1

HKEY_CLASSES_ROOTISTactivex.Installer.2

HKEY_CLASSES_ROOTISTx.Installer

HKEY_CLASSES_ROOTISTx.Installer.2

HKEY_CLASSES_ROOTPugi.PugiObj

HKEY_CLASSES_ROOTPugi.PugiObj.1

HKEY_CLASSES_ROOTSideFind.Finder

HKEY_CLASSES_ROOTSideFind.Finder.1

HKEY_CLASSES_ROOTTestContentMatchControl1.ContentMatchTag

HKEY_CLASSES_ROOTTestContentMatchControl1.ContentMatchTag.1

HKEY_CLASSES_ROOTYsb.YsbObj

HKEY_CLASSES_ROOTYsb.YsbObj.1

HKEY_CLASSES_ROOTYSBactivex.Installer

HKEY_CLASSES_ROOTYSBactivex.Installer.1

HKEY_CLASSES_ROOTCLSID{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}

HKEY_CLASSES_ROOTCLSID{386A771C-E96A-421f-8BA7-32F1B706892F}

HKEY_CLASSES_ROOTCLSID{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}

HKEY_CLASSES_ROOTCLSID{5F1ABCDB-A875-46c1-8345-B72A4567E486}

HKEY_CLASSES_ROOTCLSID{771A1334-6B08-4a6b-AEDC-CF994BA2CEBE}

HKEY_CLASSES_ROOTCLSID{7C559105-9ECF-42b8-B3F7-832E75EDD959}

HKEY_CLASSES_ROOTCLSID{86227D9C-0EFE-4F8A-AA55-30386A3F5686}

HKEY_CLASSES_ROOTCLSID{8CBA1B49-8144-4721-A7B1-64C578C9EED7}

HKEY_CLASSES_ROOTCLSID{A3FDD654-A057-4971-9844-4ED8E67DBBB8}

HKEY_CLASSES_ROOTCLSID{DC341F1B-EC77-47BE-8F58-96E83861CC5A}

HKEY_CLASSES_ROOTCLSID{FAA356E4-D317-42A6-AB41-A3021C6E7D52}

HKEY_CLASSES_ROOTInterface{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}

HKEY_CLASSES_ROOTInterface{0985C112-2562-46F2-8DA6-92648BA4630F}

HKEY_CLASSES_ROOTInterface{0E704BA4-C517-4BE7-A1CD-C3FFDA1E1FFE}

HKEY_CLASSES_ROOTInterface{339D8AFF-0B42-4260-AD82-78CE605A9543}

HKEY_CLASSES_ROOTInterface{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}

HKEY_CLASSES_ROOTInterface{90CE74CC-788A-4A00-B38D-CBCA08CC9E8F}

HKEY_CLASSES_ROOTInterface{A36A5936-CFD9-4B41-86BD-319A1931887F}

HKEY_CLASSES_ROOTInterface{BF06DA8E-2BEB-4816-9BBD-F7625246E245}

HKEY_CLASSES_ROOTInterface{DC065FA6-08F9-4C50-99DC-275D16CFC5BD}

HKEY_CLASSES_ROOTInterface{DFBCC1EB-B149-487E-80C1-CC1562021542}

HKEY_CLASSES_ROOTInterface{EAF2CCEE-21A1-4203-9F36-4929FD104D43}

HKEY_CLASSES_ROOTTypeLib{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}

HKEY_CLASSES_ROOTTypeLib{58634367-D62B-4C2C-86BE-5AAC45CDB671}

HKEY_CLASSES_ROOTTypeLib{67907B3C-A6EF-4A01-99AD-3FCD5F526429}

HKEY_CLASSES_ROOTTypeLib{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}

HKEY_CLASSES_ROOTTypeLib{89A10D64-83BF-41A4-86A3-7AAF1F8F3D1B}

HKEY_CLASSES_ROOTTypeLib{8C752C5E-3C10-4076-AF0A-FFC69FA20D1B}

HKEY_CLASSES_ROOTTypeLib{CC257918-F435-4A33-8231-2B8195990CCA}

HKEY_CLASSES_ROOTTypeLib{D0288A41-9855-4A9B-8316-BABE243648DA}

HKEY_CLASSES_ROOTTypeLib{DB447818-96B4-40DF-8A55-720DA496F514}

HKEY_CLASSES_ROOTTypeLib{E9A5B71C-093B-4F34-AF07-34FCA89BA0DF}

HKEY_CLASSES_ROOTComponent Categories{00021494-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINESOFTWAREMicrosoftCurrentVersionExplorerBrowser Helper Objects{A3FDD654-A057-4971-9844-4ED8E67DBBB8}

HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{10E42047-DEB9-4535-A118-B3F6EC39B807}

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionModuleUsage%Windir%/Downloaded Program Files/istactivex.dll

HKEY_LOCAL_MACHINESOFTWAREMicrosoftCode Store DatabaseDistribution Units{7C559105-9ECF-42B8-B3F7-832E75EDD959}

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainscontentmatch.net

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallISTbar

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallISTsvc

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallISTbarISTbar

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallSideFind

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallYourSiteBar

Unregister DLLs:
cmctl.dll,istactivex.dll,istbar.dll,istbarcm.dll,istbar_dh.dll,sidefind.dll,sfbho.dll,ysb.dll,ysbactivex.dll

Delete files:
istsvc.exe,istdownload.exe,gjefpet.exe,juhpad.exe,sfsetup.exe,sidefind.exe,cmctl.dll,istactivex.dll,istbar.dll,istbarcm.dll,istbar_dh.dll,sidefind.dll,sfbho.dll,ysb.dll,ysbactivex.dll

Delete directories:
C:Program FilesISTsvc

C:Program FilesSideFind

C:Program FilesYourSiteBar


  • Stas

    ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server.

    ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar code. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.

    ISTbar alse installs other parasites: both variants install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus.

  • static

    hey , found this by accident, anyways had this malicious spyware in my machine and it drove me nuts, took a lot of work to remove it too.

    i did learn a few things about spyware though and how to remove them which means knowledge is a POWER.. thanks for the help..

  • me2

    a pain in the neck. i discovered it after updating my win2k with sp4. if u set up a new pc and make an online update – make sure to run a firewall/av first, b4 running windows updates, m8s.

    another removal can be found at:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

    btw – it installs other spyware like powerscan or the optimize.exe
    kind've annoying, but killable 🙂

  • Veen

    Be aware, that there is a Parent file that will reinstall ISTsvc.exe. If you do not find and remove the Parent file, deleting ISTsvc from your registry will only temporarily remove it. The parent file can be named anything. In my case it was called ulcapt.exe. There are several fixes to this problem, some simple and some complex. My method was to end the ISTsvc process under Windows Task Manager along with another process that I was unfamilar with. Wait a couple of minutes and if ISTsvc reappears under processes, then repeat until you find the Parent exe file. Once I found the Parant file, I deleted all references to ISTsvc and the parent file from my registry.

  • emonahan

    I thought I was pretty computer savvy, until I realized I had this on my system. I used SS&D and Adaware, both detected it, and when I hit "fix the problems" my comp crashed. Twice. One day and 2 rebuilds later, I still have it, so thanks for the manual removal instructions – now let's go see if I can crash this baby again 😐

  • Guest

    Thanks for the comments on number 2. It is worth adding that I searched through my exe's by date and found another exe had been installed on the same date as istsvc.exe. i ended the process of both, I then deleted all reference to istsvc on the hard drive, registry including ulcapt.exe. This appears to have done the trick

  • Chris

    Okay this thing is seriously pissin me off. I am running SS&D, Adaware SE Personal, STOPzilla, Spyhunter, and Microsoft Antispyware and all of them detect it but none can seem to clean it however microsoft antispyware does block it from reinstalling however it just keeps trying and trying to reinstall cuz i cannot find the parent file. Sorry I am a newb at this so arrrgghhh

  • tom

    the file name was something completely different on mine. forget now, cause I deleted it ! but the clue was, that it was created the same day I was infected. there was only one I didn't recognize, and that was it. It quit re-creating itself after that was deleted. ALSO, easier to do in SafeMode.

  • ragdollop

    i think that someone should program viruses that would attack these companys! that would be coool!

  • salsaman

    When Microsoft Antispyware is unable to fully remove the istbar: restart in safe mode (hold the F8 button when the computer is restarting, select safe mode) then do a search (Start button, then Search) look for all files with *.exe created on the day that your machine was infected, and delete them (if in doubt: save them on a USB stick or CD to keep a copy)

  • wtf

    GOD! I hate this thing! I hope the removal works!

  • fudgefactor

    i got the message "omg this is so funny and a link", then my computer went crazy and it is driving me nuts. every time i try to remove it in add/remove programs, it locks up. seems like im not the only one.