Hi Gerald
This probably is ISTbar's entries I know it does use it &
I do not have this entry in my registry and have MS
Antispy installed
There's a GIANTCompany entry in
HKEY_LOCAL_MACHINE/Software/GiantCompany/Antispyware same
again in HKEY_CURRENT_USER
but no download manager entries except just for Adobe
which I have installed.
There's a lot of different malware that use the entry
\Microsoft\DownloadManager in the registry ranging from
Adware to Viruses but if a scanner is detecting ISTbar
then it's saving you some time as you can just download
and run the istbar remover in safe mode then reset your
web settings.
Check your add/remove screen for ISTbar entries and
remove any found:
MS AUpdate, MS Updates, XXXToolbar, ISTsvc or ISTBar.
Download Symantec's Removal Tool and run in safe mode
(reboot & keep tapping F8 then choose safe mode)
http://securityresponse.symantec.com/avcenter/FxIstbar.exe
To restore default settings in Internet Explorer
Click Start > Settings > Control Panel
Select Internet Options
Select the Programs tab
Click Reset Web Settings
Click OK
Exit Control Panel
There's too many reg entries to go for this manually and
the fix tool works well in safe mode. I will post the
entries and files though in case you do need to delete
any.
File names:
ISTsvc.exe
IstBar_DH.dll
ysbactivex.dll
sfbho.dll
sfexd001
sidefind.dll
istrecover[1].exe
istbar.dll
ysb.dll
istbarcm.dll
ISTactivex.dll
istdownload.exe
sidefind.exe
sfsetup.exe
sfbho.dll
cmctl.dll
juhpad.exe;
ysb_regular[1].cab
gjefpet.exe
File & Folder Locations:
C:\Program Files\ISTsvc\
C:\Program Files\SideFind\
C:\Program Files\YourSiteBar\
C:\Windows\System32\gjefpet.exe
C:\Windows\Downloaded Program Files\ysbactivex.dll
Can drop numerous link files in these folders:
C:\Documents and Settings\[Current User]\Fun & Games,
C:\Documents and Settings\[Current User]\Going Places,
C:\Documents and Settings\[Current User]\Living,
C:\Documents and Settings\[Current User]\Shop,
C:\Documents and Settings\[Current User]\Technology,
Reg Entries :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"IST Service" = "C:\Program Files\ISTsvc\ISTsvc.exe"
"[5 random characters]" = "[path to adware]"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
"SearchAssistant" = "[Web site on the couldnotfind.com domain]"
Creates some of the following registry keys depending on
the variant:
HKEY_LOCAL_MACHINE\Software\ISTsvc
HKEY_LOCAL_MACHINE\Software\ISTbar
HKEY_LOCAL_MACHINE\Software\Sidefind
HKEY_LOCAL_MACHINE\Software\YourSiteBar
HKEY_LOCAL_MACHINE\Software\Microsoft\Sidefind
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager
HKEY_CURRENT_USER\Software\IST
HKEY_CURRENT_USER\Software\ISTbar
HKEY_CLASSES_ROOT\ISTbar.BarObj
HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper
HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1
HKEY_CLASSES_ROOT\SideFind.Finder
HKEY_CLASSES_ROOT\SideFind.Finder.1
HKEY_CLASSES_ROOT\Pugi.PugiObj.1
HKEY_CLASSES_ROOT\Pugi.PugiObj
HKEY_CLASSES_ROOT\YSBactivex.Installer.1
HKEY_CLASSES_ROOT\YSBactivex.Installer
HKEY_CLASSES_ROOT\Ysb.YsbObj
HKEY_CLASSES_ROOT\Ysb.YsbObj.1
HKEY_CLASSES_ROOT\ISTactivex.Installer
HKEY_CLASSES_ROOT\ISTactivex.Installer.1
HKEY_CLASSES_ROOT\ISTactivex.Installer.2
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag
HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag.1
HKEY_CLASSES_ROOT\ISTx.Installer
HKEY_CLASSES_ROOT\ISTx.Installer.2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbarISTbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/ISTactivex.dll
To redirect the start page and search pages it adds these:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Bandrest" = "Never"
"Search Bar" = "[Web site on the couldnotfind.com domain]"
"Search Page" = "[Web site on the couldnotfind.com domain]"
"Search Page_bak" = "[Web site on the microsoft.com domain]"
"Start Page" = "[Web site on the slotch.com domain]"
"Start Page_bak" = "file:///C:/WINNT/Web/Start.htm"
"Use Search Assistant" = "no"
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Bandrest" = "Never"
Andy
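
Added example (not part of Andy's post and not Symantec's tool): a Python check that scans the text of a registry export for the named ISTbar keys, the "IST Service" Run value and the start/search page redirects listed in the post. The function names, the sample export and the URL paths in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Indicators copied from the post. DownloadManager is left out because the
# post says many other programs use that key.
KEY_SUFFIXES = tuple("\\software\\" + k for k in (
    "istsvc", "istbar", "sidefind", "yoursitebar", "microsoft\\sidefind", "ist"))
REDIRECT_DOMAINS = ("couldnotfind.com", "slotch.com")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
IE_KEYS = (r"\software\microsoft\internet explorer\main",
           r"\software\microsoft\internet explorer\search")

def on_listed_domain(data):  # host is a listed domain or a subdomain of one
    host = (urlparse(data).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in REDIRECT_DOMAINS)

def scan_reg_export(text):
    """Return (key, finding) tuples for ISTbar indicators in decoded .reg text."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1)
            if key.lower().endswith(KEY_SUFFIXES):
                findings.append((key, "key present"))
            continue
        value = re.fullmatch(r'"(.*?)"="(.*)"', line)
        if not (value and key):
            continue
        name, data = value.group(1), value.group(2).replace("\\\\", "\\")
        if key.lower().endswith(RUN_KEY) and (
                name == "IST Service" or "\\istsvc\\" in data.lower()):
            findings.append((key, f"Run value {name!r} = {data}"))
        elif key.lower().endswith(IE_KEYS) and on_listed_domain(data):
            findings.append((key, f"{name!r} points at {data}"))
    return findings

# Constructed sample export (not real data); the URL paths are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IST Service"="C:\\Program Files\\ISTsvc\\ISTsvc.exe"
"AcroTray"="C:\\Program Files\\Adobe\\acrotray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.slotch.com/placeholder"
"Search Page_bak"="http://www.microsoft.com/placeholder"
[HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar]
'''

if __name__ == "__main__":
    print(*scan_reg_export(SAMPLE), sep="\n")
```

Exports saved by regedit in the 5.00 format are UTF-16, so decode the file before passing its text in.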