Monday, November 28, 2005

Adware & Malware Identifier Index

The following is an in-progress index of some of the more common adware & malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it becomes available.

The information in the Adware & Malware Identifier Index is the result of thousands of web searches. It cannot, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is advisable to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.

Indexed by Common Infection Name:

ABetterInternet, Aurora, Nail.exe

  • Associated Worms/Trojans: Trojan.Win32.Stervis.b.
  • Executable Files: adbltzun.exe; aurareco.exe; aurora.exe; aurora-wise1.exe; nail.exe; poller.exe; svcproc.exe; thnall~1.exe; uacupg.exe.
  • Dynamic Link Libraries: aurorahandler.dll; bolger.dll; drpmon.dll.
  • Directory/Search Page: www.abetterinternet.com
  • Uninstall Page URL:
  • Related Articles:
  • Notes: See "How to Remove Nail.exe."


AproposMedia, PeopleOnPage, POP

  • Associated Worms/Trojans:
  • Executable Files: 9yxuen.exe; addit.exe; all_files10.exe; aprload.exe; apropos.exe; apropos_client_loader.exe; apropos_uninstaller.exe; aufo.exe; autoupdate.exe; auto_update_install.exe; cxtpls.exe; dx8iext.exe; load.exe; magicinlayinstall.exe; midaddle.exe; monpop.exe; mv7dizbww.exe; mw.exe; mw_4s_stub.exe; notify.exe; ororoxid.exe; phomac.exe; popsrv225.exe; _ps_inst.exe; qnqyiee.exe; rcisp.exe; sepinst.exe; sfl.exe; shmhupnp.exe; sm1ay.exe; sysai.exe; update_1.exe; updater.exe; vmpremov.exe; wrifo.exe; z.exe; zga.exe.
  • Dynamic Link Libraries: 199e866.dll; 6ktkk.dll; 7ggoo.dll; acsdir.dll; activeinstall2.dll; aproposplugin.dll; atla.dll; atlw.dll; cxtpls.dll; directxvercheck.dll; dsetup.dll; dsetup16.dll; dsetup32.dll; pop225.dll; pophook4.dll; proxystub.dll; qnqyiee.dll; qtinstallerhelper.dll; sidesearch.dll; toolbar.dll; truetypefontinfo.dll; wingenerics.dll; write_ph.dll; z.dll; zga.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: According to the Spyware Information Center, this infection is also known as Adware/Apropos [Panda], Adware/SideSearch [Panda], Adware/WinTools [Panda], Backdoor.Agent.ag [Kaspersky], Trj/Upseter.A [Panda], TrojanDownloader.Win32.Apropo.b [Kaspersky], TrojanDownloader.Win32.Apropo.g [Kaspersky], Win32/Agent.AG trojan [Eset], Win32/TrojanDownloader.Apropo.B trojan [Eset], Win32/TrojanDownloader.Apropo.G trojan [Eset]. See: How to Remove AproposMedia.

C2, Lop

  • Associated Worms/Trojans:
  • Executable Files: asshuktr.exe; bilyooas.exe; byb_save.exe; crgbeaoa.exe; dmvcrthl.exe; eaymulyl.exe; eeublidc.exe; glxshmcr.exe; ijlysseb.exe; jqumysto.exe; kfriegbs.exe; llfggrdr.exe; lltckiey.exe; lopsearc.exe; meemnckyqbr.exe; meepajlr.exe; mprcouie.exe; oofrkxpe.exe; peebqusz.exe; quveioot.exe; shoucrck.exe; ssmeeibl.exe; tchpeatr.exe; tglblrll.exe; trdzhtxf.exe; trstdris.exe; ulyuiexeechp.exe; vestufck.exe; vfthrcbr.exe; xogyfhp.exe; ykphmbre.exe; ylynfste.exe; yxogltoo.exe.
  • Dynamic Link Libraries: blztstulla.dll; blztstullc.dll; blztstullj.dll; blztstullp.dll; blztstulls.dll; blztstullt.dll; blztstully.dll; blztstullpr.dll; blztstulltr.dll; blztstulloo.dll; chksbdrlya.dll; eaeeishllblc.dll; eelykofrllfrpr.dll; eelykofrllfrj.dll; ealymfrprwch.dll; epllkeeoopr.dll; freabrlaouw.dll; gldqumssfrie.dll; hglllyxrxw.dll; icdrhwno.dll; heeachmstll.dll; meepajlr.dll; ousszidrta.dll; plg_ie*.dll; prxzoustustgr.dll; prnouestssstx.dll; quizbt*.dll; quglwachfs.dll; sstroallhqch.dll; tblchepruprgr.dll; trstshcrscksr.dll; ukfroigl.dll; upckeetoutw.dll; veaeyglckr.dll; woafrquzn.dll; yeecrsoustoull.dll; ziebaeeoaeepr.dll.
  • Directory/Search Page: http://lop.com/ and many others.
  • Uninstall page URL: See: How to Remove Lop.
  • Related Articles: Important Removal Tool Note.
  • Notes: Lop has utilized stealth downloads and has downloaded via bundling in the past. Some variants of this infection can also affect the Mozilla and Netscape browsers. See: How to Remove Lop.

CashToolBar

Claria, Gain, Gator

  • Associated Worms/Trojans:
  • Executable Files: cmessys.exe; fsg.exe; fsg-ag.exe; fsg*.exe; gain_trickler_*.exe.
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL: See: How to Remove Claria, Gain, Gator.
  • Related Articles: Important Removal Tool Note.
  • Notes: This infection generally downloads bundled with other software which the user has voluntarily accepted. It utilizes a "trickler" technology designed to limit its use of processor time. It claims to be entirely removable via the Windows "Add/Remove Programs" utility. It provides uninstall instructions at the above URLs. See: How to Remove Claria, Gain, Gator.


ConfuSearch

downloader.bjg

  • Associated Worms/Trojans:
  • Executable Files: A0034787.exe; EDow_AS2.exe; installer_MARKETING18.exe; SSK3_B5 Seedcorn 4.exe; VB3.exe; wrapperouter.exe.
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: See "How to Remove downloader.bjg."


DyFuCa

  • Associated Worms/Trojans:
  • Executable Files: actalert.exe; goldentiger.exe; idctup20.exe; optimize.exe; thi6026.tmp\preinstt.exe; ssupdate.exe; view-m~1.exe.
  • Dynamic Link Libraries: iopti130.dll; nem207.dll; nem211.dll; nem214.dll; nem219.dll; nem220.dll; wsem210.dll; wsem216.dll; wsem218.dll; wsem302.dll; wsem303.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: DyFuCa is a porn dialer trojan. When downloaded as part of InternetOptimizer, it is also a 404 page ("Page Not Found") hijacker. The Spyware Information Center lists the following aliases: Spyware/Dyfuca [Panda], Spyware/SafeSurf [Panda], TrojanDownloader.Win32.Dyfuca.bw [Kaspersky], TrojanDownloader.Win32.Dyfuca.cn [Kaspersky], TrojanDownloader.Win32.Dyfuca.dc [Kaspersky], Trojan-Downloader.Win32.Dyfuca.dp [Kaspersky], TrojanDownloader.Win32.Dyfuca.gen [Kaspersky], Win32/TrojanDownloader.Dyfica.NAB trojan [Eset], Win32/TrojanDownloader.Dyfica.NAC trojan [Eset]. See: How to Remove DyFuCa.

EasyBar, HotOffers

  • Associated Worms/Trojans:
  • Executable Files: dwvem.exe; file_0.exe; iau.exe; lssas.exe; mservice.exe; msqdevl.exe; runwin32.exe; stisvsq.exe; svshost.exe; tibs3.exe [a.k.a. Troj/HideDial-A]; wininet32.exe.
  • Dynamic Link Libraries: csrss.dll.
  • Directory/Search Page: http://www.easy-search.biz.
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: The URL http://www.easy-search.biz/ is no longer an active search engine. More recent versions of this infection appear to involve single ad pages, pop-ups and pop-unders, and redirects to hard porn sites. They utilize a CHM exploit to execute through an unpatched Microsoft hole. If you have "iau.exe" on your machine without "runwin32.exe" you have the far more virulent, newer, heavily bundled CHM exploit version. This version somehow hides in the Windows text file areas, if removed, and reinstalls on the next reboot. See: How to Remove EasySearch, HotOffers.


EliteBar Toolbar, EliteSideBar, Elitum, EM Toolbar, Enternet Media Toolbar; ETBRUN, LQ, PokaPoka, SearchMiracle, YupSearch

FastWebSearch, FreshBar

GlobalWebSearch, ISearch

HotWebSearch

HuntBar

  • Associated Worms/Trojans:
  • Executable Files: wtoolss.exe.
  • Dynamic Link Libraries: ...btiein.dll; ...msielink.dll; ...msiein.dll; ...qdow.dll; ...SToolbar.dll; ...toolbar.dll; ...WToolsB.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: "Toolbar.dll" is a name widely used for legitimate and malware BHOs. It is not necessarily indicative of a particular BHO. See: How to Remove HuntBar.


Ibis Toolbar

  • Associated Worms/Trojans:
  • Executable Files: wintools.exe; wsup.exe; wtoolsa.exe.
  • Dynamic Link Libraries: common.dll; toolbar.dll.
  • Directory/Search Page: http://www.websearch.com/.
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: This malware is related to HuntBar and WinTools. "toolbar.dll" and "common.dll" are names used for legitimate and malware BHOs. They are not necessarily indicative of a particular BHO. See: How to Remove Ibis Toolbar.


IELoader

  • Associated Worms/Trojans:
  • Executable Files: aaa.exe; bbb.exe; iagold.exe; msudpb.exe; py.exe; zzb.exe.
  • Dynamic Link Libraries: ieloader.dll; msudpb.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: Added by TrojanDownloader.Small.RR. Installs TrojanDialer.Freeload, which, according to Symantec, "is an ActiveX component that can be used by Web pages to download dialer programs. The dialer program may be used to access premium-rate services including pornographic and astrological services." See: How to Remove IELoader.

ILookUp

ISearchTech.SideFind

ISearchTech.YSB, YourSiteBar

ISTBar, SideFind

  • Associated Worms/Trojans:
  • Executable Files: gjefpet.exe; istdownload.exe; istrecover.exe; istsvc.exe; juhpad.exe; sfsetup.exe; sidefind.exe; srchupdt.exe.
  • Dynamic Link Libraries: cmctl.dll; istactivex.dll; istbar.dll; istbarcm.dll; istbar_dh.dll; mscache.dll; sfbho.dll; sidefind.dll; sidefind13.dll; srchfst.dll; ysb.dll; ysbactivex.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: How to Remove the ISearchTech Family; How to Remove YourSiteBar; How to Remove ISearchTech.SideFind; ISearchTech.SideFind Update (08-27-05); Important Removal Tool Note.
  • Notes: According to the Spyware Information Center, this infection is also known as: Adware/SearchFast [Panda], Adware/SideFind [Panda], Spyware/ISTbar [Panda], Trojan Horse [Panda], TrojanDownloader.Win32.Istbar.eo, TrojanDownloader.Win32.IstBar.gen [Kaspersky]. This infection is spread by stealth downloads, generally from game and porn sites. Numerous variants are at large and some may not be removable by the removal tool referenced on this page. All variants use a corresponding variant of the TrojanDownloader.Win32.IstBar. ISTBar may download various other parasites while installed. These items may have to be removed separately. See: How to Remove the ISearchTech Family.


KeenValue, SearchUpgrader Toolbar

  • Associated Worms/Trojans:
  • Executable Files: SearchUpgrader.exe.
  • Dynamic Link Libraries: bho.dll; pwrs0rbi.dll; IncFindBHO.dll.
  • Directory/Search Page: http://www.searchupgrader.com/.
  • Uninstall Page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: Some versions of these infections are also known as eUniverse (Ad-Aware), KeenValue (Mcafee), Euniverse (PestPatrol), PowerSearch (PestPatrol), eUniverse.IncrediFind (Spybot), KeenValue.PerfectNav (Spybot), Adware.Keenval (Symantec), SPYW_KEENVAL.A (Trend Micro). See: How to Remove KeenValue.


Mirar Toolbar

MySearchBar, MyWay Speed Bar, MyWebSearch

  • Associated Worms/Trojans:
  • Executable Files: hbinst.exe; s4bareq.exe; s42ns.exe; mwsoemon.exe; my2ns.exe; mysetp.exe; mysetup1.exe; websearch1.exe.
  • Dynamic Link Libraries: f3htmlmu.dll; hbhostie.dll; msiehobj.dll; mybar.dll; mypopswt.dll; mysrchas.dll; mwsbar.dll; mwsoestb.dll; mwssrcas.dll; npmyway.dll; s4bar.dll; w6bar.dll.
  • Directory/Search Page: http://www.mysearch.com/jsp/home.jsp; http://bar.mywebsearch.com/menusearch.
  • Uninstall Page URL:
  • Related Articles: None.
  • Notes:

NavExcell Toolbar

  • Associated Worms/Trojans:
  • Executable Files:
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles:
  • Notes:

NaviSearch

nCase, Zango

  • Associated Worms/Trojans:
  • Executable Files: 180adsolution.exe; 180ax.exe; msbb.exe; saap.exe; saie.exe; sain.exe; sais.exe; salm.exe; zango.exe.
  • Dynamic Link Libraries: 180adsolutionhook.dll; 180axhook.dll; atpartners.dll; msbbhook.dll; ncmyb.dll; saaphook.dll; saiehook.dll; sainhook.dll; saishook.dll; zangohook.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: These items stealth install. See Spyware Information Center on Zango variant: "Based on eTrust PestPatrol Spyware Scorecard v2.05.03 Zango violates the following criteria: First, Installs itself or any other item without user permission or knowledge at time of installation...." See: How to Remove nCase, Zango.

Network Essentials, SmartPops

  • Associated Worms/Trojans:
  • Executable Files: launcher.exe; ne.exe; networkessentials.exe; rh.exe.
  • Dynamic Link Libraries: me1.dll; ne.dll; networkessentials.dll.
  • Directory/Search Page:
  • Uninstall Page URL: http://www.smartpops.com/customersvc.html (vendor's manual removal instructions only).
  • Related Articles: None.
  • Notes: Uses trojan downloader. According to Spyware Information Center: "Gathers info on your browsing habits to display popup ads targeted at your interests. Info gathered includes: Username, Zip, Gender, Age, Country, Address, Email, LastName, FirstName, CPU Speed, OS Version, Memory, SubProvider, Provider, Providers, Download."

SearchBus

  • Associated Worms/Trojans:
  • Executable Files:
  • Dynamic Link Libraries: sbus.dll.
  • Directory/Search Page: http://www.searchbus.com/
  • Uninstall page URL:
  • Related Articles:
  • Notes:


SearchForFree

  • Associated Worms/Trojans:
  • Executable Files: htmlsync.exe; icasserv.exe; isystem.exe; ldriver.exe; zlibc.exe.
  • Dynamic Link Libraries: k6c40rvk.dll; rcj.dll.
  • Directory/Search Page: http://www.searchforfree.info/.
  • Uninstall page URL:
  • Related Articles: HijackThis vs. SearchForFree (June 15, 2005); Important Removal Tool Note.
  • Notes: The file "icasserv.exe" is the downloader for this infection and is also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM, TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd). The file "nvdsvc32.exe" is associated with "icasserv.exe" and may be present. The most recent variant of this infection downloads the file "zlibc.exe" instead of "icasserv.exe". The file zlibc.exe indicates that the infection is being downloaded by the Troj/Chorus-A (a.k.a. AdClicker-CM and Trojan-Clicker.Win32.Small.ft) as of late June 2005. As of early July 2005, it is not clear whether fixes for the "fd" version of the infection work for the "ft" version. See: How to Remove SearchForFree.

SearchHH, SearchMeUp, UmaxSearch, WhitePages

SearchRelevancy

  • Associated Worms/Trojans:
  • Executable Files: ...searchrelevancy\uninstall.exe.
  • Dynamic Link Libraries: searchrelevancy.dll.
  • Directory/Search Page: None.
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: According to DoxDesk, "SearchRelevancy is an Internet Explorer Browser Helper Object (BHO) that adds advertising links to search engine results pages as fake results. Clicking the links sends the browser to the listed site via a hidden redirect through searchbrowser.com which adds affiliate codes to the URL." See: How to Remove SearchRelevancy.

small.gz

  • Associated Worms/Trojans:
  • Executable Files: desktopdancer[1].exe; setup.exe.
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: This trojan has recently been used to download SearchMiracle.EliteBar. See "How to Remove small.gz."


Sweetbar

  • Associated Worms/Trojans:
  • Executable Files: C:\Windows\System32\web.exe.
  • Dynamic Link Libraries:
  • Directory/Search Page: http://www.sweetbar.com/
  • Uninstall page URL:
  • Related Articles: None.
  • Notes: Downloaded by Trojan.Anicmoo, which utilizes the Windows vulnerability described in Microsoft Security Bulletin MS05-002: "Cursor and Icon Format Handling Vulnerability - CAN-2004-1049: A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system." The trojan downloads the file "SecurityRisk.Downldr" which downloads "update.txt" which in turn downloads the Browser Helper Object (BHO) to connect to www.sweetbar.com.


VX2

  • Associated Worms/Trojans:
  • Executable Files: bios32.exe; boot.exe; f0e66c68.exe; hjfp.exe; infwin.exe.
  • Dynamic Link Libraries: ablui.dll; akledit.dll; blowfish.dll; iehelper.dll; ktp6177s1.dll; multimpp.dll; rdfsaps.dll; vx2.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: The following aliases are listed at the Spyware Information Center page for this malware: Adware/MSView [Panda], Application/HideWindow.A [Panda], Application/Psexec.A [Panda], Application/ToolWget.A [Panda], Backdoor Program [Panda], Backdoor.Bionet.405 [Kaspersky], Backdoor.IRC.Zapchast [Kaspersky], Backdoor.IRC.Zcrew [Kaspersky], Backdoor/Bionet.405!Server [Computer Associates], Backdoor/IRC.Zcrew [Computer Associates], Backdoor/ZCrew.B [Computer Associates], Backdoor/ZCrew.B.IRC [Computer Associates], Backdoor/Zcrew.G [Computer Associates], BAT.IRCFlood [Computer Associates], BAT.Noshare.B [Computer Associates], Bat/Flood.C!Trojan [Computer Associates], Bck/IRC.Mirc.Based [Panda], Bck/Multi.I [Panda], Bck/Zcrew.B [Panda], Bck/Zcrew.G [Panda], Blackstone Data Transponder. Was also distributed under the name NetPal by netpalnow.com, but the software now available there is the newer NetPal parasite which isn't the same code., DoS.Win32.Nenet [Kaspersky], Flooder.Win32.WarPing [Kaspersky], Flooder/Nenet. A [Panda], IRC.Flood [Computer Associates], mIRC/Flood.I!Trojan [Computer Associates], mIRC/Flood.RmtCfg!Trojan [Computer Associates], NetPal, RemoteProcessLaunch [McAfee], Sputnik (name used by VX2), Spyware/BetterInet [Panda], Trj/Femad.A [Panda], Trj/Flood.BI [Panda], Trj/Passer.C [Panda], Trojan [Name used by Ad-aware], Trojan Horse [Panda], TrojanDownloader.Win32.Femad.b [Kaspersky], VX2 RespondMiter., VX2.Clean Get-Away, VX2.MSView, VX2.My PanicButton, VX2.Respondmiter, VX2.SiteHelper, VX2.Transponder, Win32.BettInet.C [Computer Associates], Win32.Bionet.405 [Computer Associates], Win32.Femad.A [Computer Associates], Win32.IRCFlood [Computer Associates], Win32.Startpage.KF!downloader [Computer Associates], Win32/Femad.B trojan [Eset], Win32/Rslocal.B!Downloader [Computer Associates], Win32/SillyDL.70656!Trojan [Computer Associates], Win32/Spybot.FR!Worm [Computer Associates], Win32/Startpage.KF!Downloader [Computer Associates]. 
See: How to Remove VX2.


    VGS is in the process of compiling a Trojan and Worm Appendix to the Malware Identifier Index. At present the following trojans/worms (listed by one or more popular names, or by the key file shown in parentheses) are being investigated and a freeware or trialware removal tool has been found:

    Trojans: AdClicker-H; Win32.Backdoor.AfCore; Win32.Agent.Trojan; TrojanDownloader.Win32.Agent.al; TrojanDownloader.Win32.Agent.an; TrojanDownloader.Win32.Agent.z; Trojan/Backdoor-BDD; Win32.TrojanSpy.Banker; Win32.Dasmin.B; Trojan/Dasmin-F; Win32.Delf.Trojan.A; Trojan/Dloader-AB; Trojan/Downloader-LO; Win32.Trojan.IEStartpage; Win32.Trojan.Krepper; Win32.TrojanDownloader.Lemmy; Win32.Mitglieder Trojan; Trojan.Poldo.B; Win32.Trojan.Post; Win32.Backdoor.RBot; Win32.Dialer.Saristar; Win32.Sced.Trojan; Win32.Small.Trojan; Win32.TrojanDownloader.Small; Win32.TrojanProxy.Small; Win32.Backdoor.Spyboter; Win32.TrojanDownloader.Swizzor.br.


    Worms: Win32.Padobot; Win32.Sasser; Win32.Spybot.worm.

    • The above malware items can be removed by Lavasoft's Ad-Aware freeware.

    Trojans: Win32.Bagle.AV; Win32.Bagle.B; Win32.Bagle.C; Win32.Bagle.E; Win32.Bagle.F; Win32.Bagle.G; Win32.Bagle.H; Win32.Bagle.I; Win32.Bagle.J; Win32.Bagle.N; Win32/Crowt-A; Trojan/Win32.Hwbot-A; Trojan/Haxdoor-H; Trojan/Peper; Trojan/RS-Local-A; Win32.R-Bot; Trojan/Startpage-EH; Backdoor.VB.nb; TrojanDownloader.Win32.VB.q; Trojan/Webus-D; Trojan/Winser-A; Trojan/Zwax.

    • The above malware items can be removed by SpyBot S&D.

    Trojans: (installer_MEDIAWHIZ3.exe; installer_MARKETING10.exe; installer_MARKETING11.exe) TrojanDownloader.Adload.a; (A0000090.exe) TrojanDownloader.Apropo.r; (GLF6EGLF6E.EXE) TrojanDownloader.TSUpdate.f; (61[1].bin) TrojanDropper.Small.ul.

How to Remove ISTBar.

The following is a detail page of Virtual Grub Street's Adware & Malware Identifier Index:

ISTBar, SideFind

  • Associated Worms/Trojans: W32.IST [Panda]; Win32.IstBar.ap; Win32.IstBar.bp; Win32.IstBar.bm; Win32.Istbar.bo; Win32.Istbar.bu; Win32.Istbar.bx; Win32/IstBar.ce [Computer Associates]; W32/Istbar.CK@dl [F-Prot]; Win32.Istbar.cl; Win32.Istbar.dh; Win32.Istbar.dr; Win32.IstBar.e [Kaspersky]; Win32.Istbar.eo; Win32.IstBar.gen [Kaspersky]; Win32.IstBar.gu [Kaspersky]; Win32.IstBar.i; W32/Istbar.MY [NORMAN]; Win32.IstBar.p [Kaspersky]; Win32.Istbar.u; Win32/PMagic.A [Computer Associates].

  • Executable Files: l9lecc.exe; istsvc[1].exe; bb.exe; bundlernetscape.exe; crack.exe; dust.exe; games.exe; iinstall.exe; iinstall19866.exe; installs.exe; ist.exe; ist1.exe; istdownload.exe; istinstall_154074.exe; istinstall_netscape.exe; optimize.exe; scan.exe; penmzp.exe; sidefind.exe; srcle32.exe; ssdbkup.exe; start.exe; uveu42at.exe; ymhfvu.exe.

  • Dynamic Link Libraries: acsproxy.dll; cmctl.dll; flashplayer.dll; fwntoolbar.dll; gzlib.dll; istbar.dll; imgconv.dll; intrigue.dll; istactivex.dll; istbar_mainstream[1].dll; istbarcm.dll; lhqibp.dll; mediaaccc.dll; nem218.dll; sfbho.dll; sidefind.dll; srchbar.dll; vic32.dll; ysbactivex.dll.

  • Directory/Search Page:

  • Uninstall page URL:

  • Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. How to Remove ISearchTech.SideFind; ISearchTech.SideFind Update (08-27-05); How to Remove YourSiteBar; Important Removal Tool Note.

  • Notes: According to the Spyware Information Center, this infection is also known as: "DownloadPlus and SearchBarCash-Hijacker. ISTbar/MSCache is also known as MSUpdates\MSCache., Trj/W32.IST[Panda], TrojanDownloader.Win32.IstBar.e[Kaspersky], Spyware/ISTbar[Panda], TrojanDownloader.Win32.IstBar.p[Kaspersky], Trojan Horse[Panda], Adware/nCase[Panda], Win32/IstBar.ce!Downloader[Computer Associates], TrojanDownloader.Win32.IstBar.t[Kaspersky], Win32/PMagic.A!Trojan[Computer Associates], TrojanDownloader.Win32.IstBar.p, actalert.exe, W32/Istbar.CK@dl [F-Prot], Trojan-Downloader.Win32.IstBar.gu [Kaspersky], Adware-ISTbar [McAfee], W32/Istbar.MY [NORMAN]". All variants use a corresponding variant of the TrojanDownloader.Win32.IstBar. ISTBar may download various other parasites while installed. These items may have to be removed separately.
  • Most versions of this infection can now be removed by using Spybot S&D.

VGS encourages you to post comments about the service it offers, and, in particular, about your experiences with the removal tools suggested in its pages. Removal tool comments will be most effective in helping those who come after you if you post them to the individual detail page for the malware item you used the tool to remove. Please be as clear and as detailed as possible. The most effective comments might include such information as: 1) What browser and operating system you are running on your computer (e.g. Windows 98, NT, XP, Linux, Internet Explorer 6.0, Firefox); 2) What updates are installed (e.g. SP1, SP2); 3) What anti-virus/malware package(s) are resident in your computer; and 4) the actions you took in the order you took them.

Wednesday, November 16, 2005

EliteBar Removal Tool Updates to V.2.0.0!!!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 3)

Giancarlo Calo, over at SimplyTech.it, remains aggressive with his freeware Elite Toolbar Remover. Among the infections it claims its version V.2.0.0 can remove "every trace" of are the following. The items highlighted in red are linked to Virtual Grub Street's "How to Remove/Detailed Information" pages:

EliteBar; EliteToolbar; EliteSidebar; BargainBuddy; Browser Aid; CashToolbar; FreshBar; GameSpy; MoneyTree; Nail.exe; NaviSearch; navpsrvc.exe (also known as: W32/Forbot-EF, worm); SearchMeUp; SideStep; Spybot - Randex; SupportSoft; SurfSideKick; Win32.RBot; Winmon.exe (also known as: W32/Agobot-KA, trojan); WinMoviePlugIn; and [InternetExplorer Plugin].


The "How to Remove" detail pages for SearchMiracle/EliteBar consist of the articles regularly posted at VGS. The file information for EliteBar is located on the Adware & Malware Identifier Index itself. Further detail pages will be added on a continuing basis.

Simply Tech's description of the reason why SearchMiracle/EliteBar is so difficult to remove verifies the information in the various Virtual Grub Street articles over the past months:

Actually some software like [SpyBot S&D] v.1.3, CWShredder v.2.12, Noadware, [Ad-Aware] v.6, SpyNuker 2004 and SBC Yahoo! Anti-spy have no success in deleting this very frustrating malware. These programs find and delete it, but it keeps coming back since this new variant is very difficult to remove from the operating system.

The main problem is that the malware creates a lot of registry entries and executes at PC startup, winding itself into RAM and deletes its own *.exe from the C:\Windows\System32 directory.

When ordinary tools try to remove it, they only clean the registry calls, the C:\Windows\EliteToolbar directory and the cabinet files where it originated from, but they don't take any action against the malware itself that is currently running in RAM and waiting for the PC OS to be shut down only to repeat the infestation once again!


This is now well known to be a trick that the newer adware and malware products are widely copying. Perhaps this is the reason that the Elitebar Removal Tool has added so many products to the list of infections it removes. It is certainly the reason that most HijackThis and manual removal instructions direct the user to do file deletions while in Safe Mode.

Giancarlo describes the new feature specific to Version 2.0.0 as follows:

An [h]euristic search done with commercial antivirus programs (like Norton AntiVirus and McAfee Virus Scan) gave some FALSE POSITIVE messages when they opened the ETRemover_V130.exe and ETRemover_V131.exe files....

The new version 2.0.1 (and the previous beta V.2.0.0) overcomes this problem by using an external ETRDEF.DAT file which contains the definitions of all the malware, viruses, trojans and the Registry keys scanned by the program to clean the infected PC.

The new version has also added InternetExplorer Plugin to the list of infections it claims to remove. Otherwise, the removal tool would seem to be unchanged.

How to Remove small.gz.

The following is a detail page of Virtual Grub Street's Adware & Malware Identifier Index:

small.gz

  • Executable Files: desktopdancer[1].exe; setup.exe.
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. Important Removal Tool Note.
  • Notes: This trojan has recently been used to download SearchMiracle.EliteBar. I have personally found, on one occasion, that Panda detected but did not remove the small.gz trojan but there are reports that this infection can now be removed using Panda's Free Online Scan.

How to Remove downloader.bjg.

The following is a detail page of Virtual Grub Street's Adware & Malware Identifier Index:

downloader.bjg

How to Remove YourSiteBar.

The following is a detail page of Virtual Grub Street's Adware & Malware Identifier Index:




ISearchTech.YSB, YourSiteBar







PokaPoka.exe + Nothing = YupSearch.

Some few readers may recall the article YupSearch Addendum, posted in VGS's pages this past March 18th. Of course, seven months ago is ancient history on the Internet (and especially ancient in matters of adware and malware). I had since noticed, in passing, that there seemed to have been some changes in how that search-engine front-page was being employed. I promised myself to set aside some time, eventually, to check out the new version, and I have discovered a few items to pass along.


To recap, very briefly, a key point from the Addendum:



YupSearch... detects when "404" pages ("page not found") load up into the browser and redirects the browser to the base search engine in their place.


The original YupSearch was a redirect target only. It had no toolbar of its own.


That ended with the EliteSideBar version of the EliteBar infection (a.k.a. adw_elitebar.b). The EliteSideBar opens on the left side of the screen with numerous entries drawn from the YupSearch front-page rather than from SearchMiracle. At least it does at first, for the EliteSideBar is programmed to download the full-bore Elite ToolBar once the SideBar is installed. If that download succeeds, an Elite***32.exe or Kalv***32.exe file is installed, and the InprocServer32 registration and the YupSearch hijack target are deleted. Thus:



EliteSideBar 08dll + InprocServer32 = the adw_elitebar.b version of YupSearch


or perhaps better put:



EliteSideBar 08dll + Nothing = YupSearch (EliteBar.b version).


Correspondingly:



EliteSideBar 08dll + elite***32.exe (or kalv***32.exe) = EliteSideBar with a YupSearch redirect


and the user (or technician) will find a HijackThis (or other) entry showing the SearchMiracle front-page as the hijacker target.


The EliteSideBar, however, with its EliteSideBar 08dll and InprocServer32 registration, seems not to have been a very effective variant of EliteBar. It has been all but abandoned in favour of another trojan downloader, the name of which has since become infamous: PokaPoka**.exe. The scheme is the same:



PokaPoka + Nothing = YupSearch


Correspondingly:



PokaPoka.exe + Elite***32.exe = EliteBar with a YupSearch redirect.


Once Elite***32.exe is downloaded, the YupSearch hijacker target is deleted and the SearchMiracle hijacker is installed in its place. The YupSearch front-page target now appears only, if it appears at all, on special redirects, the most common being redirects away from 404 ("page not found") pages.
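As an added example (not code from VGS, nor from HijackThis itself), the Python script below triages a HijackThis log for exactly the two stages laid out above: R0/R1 start/search page values that point at the YupSearch or SearchMiracle front-pages, and O2/O3/O4 entries whose file names match the Elite***32 / Kalv***32 / PokaPoka** patterns. The log lines are constructed samples, the CLSIDs are placeholders, and the wildcard regexes are my reading of the article's name patterns; the line shapes assumed are the standard R0/R1, O2, O3 and O4 HijackThis formats.

```python
import re
from dataclasses import dataclass

# Hijack front-pages named in the article, matched case-insensitively
# against any R0/R1 start/search page value.
FRONT_PAGES = ("yupsearch", "searchmiracle")

# File-name patterns for the family. The article writes the names with
# wildcards (Elite***32.exe, Kalv***32.exe, PokaPoka**.exe); assuming the
# variable part is alphanumeric is my interpretation, not the article's.
FILE_PATTERNS = {
    "elitebar": re.compile(r"[\\/](elite|kalv)[a-z0-9]*32\.(exe|dll)\b", re.I),
    "pokapoka": re.compile(r"[\\/]pokapoka[a-z0-9]*\.exe\b", re.I),
}

# HijackThis line shapes understood here: R0/R1 registry values,
# O2 BHOs, O3 toolbars, O4 autostart entries.
RE_R = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
RE_O23 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_O4 = re.compile(r"^(O4) - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "R1", "O4"
    family: str    # "front-page", "elitebar" or "pokapoka"
    detail: str    # the URL or file path that triggered the finding


def _check_path(section, path):
    for family, pat in FILE_PATTERNS.items():
        if pat.search(path):
            return Finding(section, family, path.strip())
    return None


def triage(log_text):
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_R.match(line)
        if m:
            url = m.group(5)
            if any(fp in url.lower() for fp in FRONT_PAGES):
                findings.append(Finding(m.group(1), "front-page", url))
            continue
        m = RE_O23.match(line) or RE_O4.match(line)
        if m:
            f = _check_path(m.group(1), m.group(m.lastindex))
            if f:
                findings.append(f)
    return findings


def stage(findings):
    """Map findings onto the stages the article describes."""
    families = {f.family for f in findings}
    if "elitebar" in families:
        return "elitebar"       # PokaPoka + Elite***32.exe: SearchMiracle target
    if "pokapoka" in families:
        return "yupsearch"      # PokaPoka + nothing: YupSearch target
    if "front-page" in families:
        return "redirect-only"  # the original YupSearch: a redirect target only
    return "clean"


def summarize(log_text):
    findings = triage(log_text)
    targets = sorted({fp for f in findings if f.family == "front-page"
                      for fp in FRONT_PAGES if fp in f.detail.lower()})
    files = sorted(f.detail for f in findings if f.family != "front-page")
    return {"stage": stage(findings), "targets": targets, "files": files}


# Constructed sample logs (not real captures); CLSIDs are placeholders.
SAMPLE_DOWNLOADER_ONLY = r"""
Logfile of HijackThis v1.99.1 (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yupsearch.com/
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\harmless.dll
O4 - HKLM\..\Run: [PokaPoka71] C:\WINDOWS\PokaPoka71.exe
"""

SAMPLE_FULL = r"""
Logfile of HijackThis v1.99.1 (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmiracle.com/
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\harmless.dll
O3 - Toolbar: Elite Toolbar - {66666666-7777-8888-9999-000000000000} - C:\WINDOWS\elitefqe32.dll
O4 - HKLM\..\Run: [PokaPoka71] C:\WINDOWS\PokaPoka71.exe /s
"""

if __name__ == "__main__":
    for name, log in (("downloader only", SAMPLE_DOWNLOADER_ONLY), ("full", SAMPLE_FULL)):
        print(name, summarize(log))
```

Run it against a saved HijackThis log with `summarize(open("hijackthis.log").read())`; a "yupsearch" stage with no `elitebar` file means the downloader has not yet fetched the toolbar, while an "elitebar" stage should coincide with a SearchMiracle target in the R-lines.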


The reason I refer to SearchMiracle and YupSearch "front-pages" rather than "search engines" is explained in YupSearch Addendum.




Also see (related names): SearchMiracle.EliteBar, Search Miracle, Elite Bar, EliteToolBar, Elite Toolbar, Elite Tool Bar, Elitum, ETBrun, YupSearch, Yup Search.