This page is in the process of being transformed into a special targeted adware/malware index. It is not presently being updated. The new Adware & Malware Identifier Index is located >>> Here.
The following is an in-progress index of some of the more common malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it becomes available. Revision dates will be listed in parentheses next to the revised/updated item.
The information in the Adware & Malware Identifier Index is the result of thousands of web searches. It cannot, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is advisable to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.
Indexed by Common Infection Name:
AproposMedia, PeopleOnPage, POP
- Executable Files: 9yxuen.exe; addit.exe; all_files10.exe; aprload.exe; apropos.exe; apropos_client_loader.exe; apropos_uninstaller.exe; aufo.exe; autoupdate.exe; auto_update_install.exe; cxtpls.exe; dx8iext.exe; load.exe; magicinlayinstall.exe; midaddle.exe; monpop.exe; mv7dizbww.exe; mw.exe; mw_4s_stub.exe; notify.exe; ororoxid.exe; phomac.exe; popsrv225.exe; _ps_inst.exe; qnqyiee.exe; rcisp.exe; sepinst.exe; sfl.exe; shmhupnp.exe; sm1ay.exe; sysai.exe; update_1.exe; updater.exe; vmpremov.exe; wrifo.exe; z.exe; zga.exe.
- Dynamic Link Libraries: 199e866.dll; 6ktkk.dll; 7ggoo.dll; acsdir.dll; activeinstall2.dll; aproposplugin.dll; atla.dll; atlw.dll; cxtpls.dll; directxvercheck.dll; dsetup.dll; dsetup16.dll; dsetup32.dll; pop225.dll; pophook4.dll; proxystub.dll; qnqyiee.dll; qtinstallerhelper.dll; sidesearch.dll; toolbar.dll; truetypefontinfo.dll; wingenerics.dll; write_ph.dll; z.dll; zga.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: According to the Spyware Information Center, this infection is also known as Adware/Apropos [Panda], Adware/SideSearch [Panda], Adware/WinTools [Panda], Backdoor.Agent.ag [Kaspersky], Trj/Upseter.A [Panda], TrojanDownloader.Win32.Apropo.b [Kaspersky], TrojanDownloader.Win32.Apropo.g [Kaspersky], Win32/Agent.AG trojan [Eset], Win32/TrojanDownloader.Apropo.B trojan [Eset], Win32/TrojanDownloader.Apropo.G trojan [Eset]. See: How to Remove AproposMedia.
C2, Lop
- Executable Files: asshuktr.exe; bilyooas.exe; byb_save.exe; crgbeaoa.exe; dmvcrthl.exe; eaymulyl.exe; eeublidc.exe; glxshmcr.exe; ijlysseb.exe; jqumysto.exe; kfriegbs.exe; llfggrdr.exe; lltckiey.exe; lopsearc.exe; meemnckyqbr.exe; meepajlr.exe; mprcouie.exe; oofrkxpe.exe; peebqusz.exe; quveioot.exe; shoucrck.exe; ssmeeibl.exe; tchpeatr.exe; tglblrll.exe; trdzhtxf.exe; trstdris.exe; ulyuiexeechp.exe; vestufck.exe; vfthrcbr.exe; xogyfhp.exe; ykphmbre.exe; ylynfste.exe; yxogltoo.exe.
- Dynamic Link Libraries: blztstulla.dll; blztstullc.dll; blztstullj.dll; blztstullp.dll; blztstulls.dll; blztstullt.dll; blztstully.dll; blztstullpr.dll; blztstulltr.dll; blztstulloo.dll; chksbdrlya.dll; eaeeishllblc.dll; eelykofrllfrpr.dll; eelykofrllfrj.dll; ealymfrprwch.dll; epllkeeoopr.dll; freabrlaouw.dll; gldqumssfrie.dll; hglllyxrxw.dll; icdrhwno.dll; heeachmstll.dll; meepajlr.dll; ousszidrta.dll; plg_ie*.dll; prxzoustustgr.dll; prnouestssstx.dll; quizbt*.dll; quglwachfs.dll; sstroallhqch.dll; tblchepruprgr.dll; trstshcrscksr.dll; ukfroigl.dll; upckeetoutw.dll; veaeyglckr.dll; woafrquzn.dll; yeecrsoustoull.dll; ziebaeeoaeepr.dll.
- Directory/Search Page: http://lop.com/ and many others.
- Uninstall page URL: See: How to Remove Lop.
- Related Articles: Important Removal Tool Note.
- Notes: Lop has utilized stealth downloads and has downloaded via bundling in the past. Some variants of this infection can also affect the Mozilla and Netscape browsers. See: How to Remove Lop.
CashToolBar
- Executable Files: cashtoolbar.exe.
- Dynamic Link Libraries: browseraidbarwnd.dll; cashtoolbarie.dll.
- Directory/Search Page: http://www.cashtoolbar.com/.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove CashToolBar.
Claria, Gain, Gator
- Executable Files: cmessys.exe; fsg.exe; fsg-ag.exe; fsg*.exe; gain_trickler_*.exe.
- Dynamic Link Libraries:
- Directory/Search Page:
- Uninstall page URL: See: How to Remove Claria, Gain, Gator.
- Related Articles: Important Removal Tool Note.
- Notes: This infection generally downloads bundled with other software which the user has voluntarily accepted. It utilizes a "trickler" technology designed to limit its use of processor time. It claims to be entirely removable via the Windows "Add/Remove Programs" utility. It provides uninstall instructions at the above URLs. See: How to Remove Claria, Gain, Gator.
ConfuSearch
- Executable Files: cisvc32.exe.
- Dynamic Link Libraries: ConfuSearch.dll; strad32.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove ConfuSearch.
DyFuCa
- Executable Files: actalert.exe; goldentiger.exe; idctup20.exe; optimize.exe; thi6026.tmp\preinstt.exe; ssupdate.exe; view-m~1.exe.
- Dynamic Link Libraries: iopti130.dll; nem207.dll; nem211.dll; nem214.dll; nem219.dll; nem220.dll; wsem210.dll; wsem216.dll; wsem218.dll; wsem302.dll; wsem303.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: DyFuCa is a porn dialer trojan. When downloaded as part of InternetOptimizer, it is also a 404 page ("Page Not Found") hijacker. The Spyware Information Center lists the following aliases: Spyware/Dyfuca [Panda], Spyware/SafeSurf [Panda], TrojanDownloader.Win32.Dyfuca.bw [Kaspersky], TrojanDownloader.Win32.Dyfuca.cn [Kaspersky], TrojanDownloader.Win32.Dyfuca.dc [Kaspersky], Trojan-Downloader.Win32.Dyfuca.dp [Kaspersky], TrojanDownloader.Win32.Dyfuca.gen [Kaspersky], Win32/TrojanDownloader.Dyfica.NAB trojan [Eset], Win32/TrojanDownloader.Dyfica.NAC trojan [Eset]. See: How to Remove DyFuCa.
EasyBar, HotOffers
- Executable Files: dwvem.exe; file_0.exe; iau.exe; lssas.exe; mservice.exe; msqdevl.exe; runwin32.exe; stisvsq.exe; svshost.exe; tibs3.exe [a.k.a. Troj/HideDial-A]; wininet32.exe.
- Dynamic Link Libraries: csrss.dll.
- Directory/Search Page: http://www.easy-search.biz.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: The URL http://www.easy-search.biz/ is no longer an active search engine. More recent versions of this infection appear to involve single ad pages, pop-ups and pop-unders, and redirects to hard porn sites. They utilize a CHM exploit to execute through an unpatched Microsoft hole. If you have "iau.exe" on your machine without "runwin32.exe" you have the far more virulent, newer, heavily bundled CHM exploit version. This version somehow hides in the Windows text files areas, if removed, and reinstalls on the next reboot. See: How to Remove EasySearch, HotOffers.
EliteBar, Elite Toolbar, Elite SideBar, Elitum, ETBRUN, SearchMiracle, YupSearch
- Executable Files: O4 - HKLM\..\Run: [etbrun] c:\windows\system32\elite***32.exe; eliteabu32.exe; elitebhi32.exe; elitebyj32.exe; elitecfh32.exe; eliteckj32.exe; elitecla32.exe; elitedbt32.exe; elitedph32.exe; elitednv32.exe; eliteetx32.exe; eliteeys32.exe; elitefmj32.exe; elitegdp32.exe; elitehaf32.exe; elitehln32.exe; elitehxt32.exe; eliteine32.exe; eliteizj32.exe; elitejhs32.exe; elitejko32.exe; elitekck32.exe; elitekpi32.exe; elitekyk32.exe; elitelaj32.exe; elitelfv32.exe; elitelgy32.exe; elitemoa32.exe; elitemol32.exe; elitemuc32.exe; elitenii32.exe; elitenne32.exe; elitenrz32.exe; eliteoey32.exe; eliteosm32.exe; eliteoxx32.exe; eliteozz32.exe; elitepam32.exe; elitepdt32.exe; elitepye32.exe; elitepys32.exe; elitervh32.exe; eliterwr32.exe; eliteuej32.exe; eliteutt32.exe; eliteuzz32.exe; elitevaj32.exe; elitewjf32.exe; elitewug32.exe; elitewvn32.exe; elitexlp32.exe; elitexxe32.exe; elitexyi32.exe; eliteyif32.exe; elitezgx32.exe; elitezvo32.exe; elitezwk32.exe; etc. C:\windows\system32\kalv***32.exe; c:\windows\nail.exe.
- Dynamic Link Libraries: C:\WINDOWS\EliteBar\EliteBar version 50.dll; C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll; etc.
- Directory/Search Page: http://www.audioseek.net/; http://ad1.searchmiracle.com/; http://www.searchmiracle.com/; http://www.yupsearch.com/search.php.
- Uninstall Page URL: Direct download link/file from search directory pages. An uninstall file is also downloaded along with the infection but is reputed to be ineffective.
- Related Articles: PokaPoka.exe + Nothing = YupSearch (October 19, 2005); EliteBar Removal Tool Updates to 2.0.1. (September 21, 2005); SearchMiracle.EliteBar Then and Now (September 21, 2005); EliteBar Removal Tool Updates to 2.0.0!!!!! (September 15, 2005); More on Variant ADW_ELITEBAR.D. (May 27, 2005); Diabolical New EliteBar Variant Strikes the Web!!!! (May 22, 2005); EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005); HijackThis vs. the Elitebar Removal Tool (April 23, 2005); EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005); HijackThis vs. SearchMiracle/EliteBar (April 11, 2005); How to Remove SearchMiracle/ EliteBar (February 27, 2005); Important Removal Tool Note.
- Notes: Automatically reinstalls upon removal. The EliteBar Removal Tool cannot remove the variant adw_elitebar.d. See Diabolical New EliteBar Variant Strikes the Web!!!! and More on Variant ADW_ELITEBAR.D for further details.
FastWebSearch, FreshBar
- Executable Files:
- Dynamic Link Libraries: C:\WINDOWS\System32\docntrop.dll; ...iecust.dll; ...iecustom32.dll; ...iesp1.dll; ...iesp2.dll; ...t.dll; ...bar.dll; ...bar11.dll.
- Directory/Search Page: http://clearsurfing.net/; http://fastsearchweb.com/.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove FreshBar.
GlobalWebSearch, ISearch
- Executable Files:
- Dynamic Link Libraries: gws.dll; isrvs\mfiltis.dll.
- Directory/Search Page: http://www.globalwebsearch.com/; http://www.isearch.com/; http://auto.isearch.com/xml.php.
- Uninstall Page URL: See: How to Remove GlobalWebSearch/ISearch.
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove GlobalWebSearch/ISearch.
HotWebSearch
- Executable Files:
- Dynamic Link Libraries:
- Directory/Search Page: http://download.websearch.com/; http://www.hotwebsearch.com/.
- Uninstall Page URL: See: How to Remove HotWebSearch.
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove HotWebSearch.
HuntBar
- Executable Files: wtoolss.exe.
- Dynamic Link Libraries: ...btiein.dll; ...msielink.dll; ...msiein.dll; ...qdow.dll; ...SToolbar.dll; ...toolbar.dll; ...WToolsB.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: "Toolbar.dll" is a name widely used for legitimate and malware BHOs. It is not necessarily indicative of a particular BHO. See: How to Remove HuntBar.
Ibis Toolbar
- Executable Files: wintools.exe; wsup.exe; wtoolsa.exe.
- Dynamic Link Libraries: common.dll; toolbar.dll.
- Directory/Search Page: http://www.websearch.com/.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: This malware is related to HuntBar and WinTools. "toolbar.dll" and "common.dll" are names used for legitimate and malware BHOs. They are not necessarily indicative of a particular BHO. See: How to Remove Ibis Toolbar.
IELoader
- Executable Files: aaa.exe; bbb.exe; iagold.exe; msudpb.exe; py.exe; zzb.exe.
- Dynamic Link Libraries: ieloader.dll; msudpb.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: Added by TrojanDownloader.Small.RR. Installs TrojanDialer.Freeload, which, according to Symantec, "is an ActiveX component that can be used by Web pages to download dialer programs. The dialer program may be used to access premium-rate services including pornographic and astrological services." See: How to Remove IELoader.
ILookUp
- Executable Files:
- Dynamic Link Libraries: abeb.dll; bmeb.dll; chrgrs.dll; drbr.dll; ineb.dll.
- Directory/Search Page: http://www.i-lookup.com/; http://domainhop.com/domain.cool?domain=hardsexhouse.com.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove I-LookUp.
ISearchTech.SideFind
- Associated Worms/Trojans: Downloader.Dyfica.3.L; Troj/LowZone-AL [a.k.a. Downloader-QG; QLowZones-26; Trojan.WinREG.LowZones.f]; Troj/SideFind-A; TR/Spy.Shutcom; TrojanDownloader:Win32/IstBar.EO; W32/Istbar.O@dl.
- Executable Files: sfexd001.exe; sidefind.exe; sidefind[1].exe; istrecover[1].exe; sskc.exe; ISTsvc.exe.
- Dynamic Link Libraries: sfbho.dll; sidefind.dll.
- Directory/Search Page: http://www.sidefind.com/ist/softwares/sidefind/; http://www.sidefind.com/ist/softwares/sidefind/v1.3/.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: Click this link for instructions on >>> How to remove generic / stand-alone versions of Trojan.winREG.LowZones.f.
- Variations on this infection are also known as Troj/SideFind-A [Sophos], ADW_SideFind-A [TrendMicro] and ADW_sideFind-C [TrendMicro]. This group of trojan downloaded side bars may be identified by one of the following values being detected in the HKEY_USERS section of the registry: {8CBA1B49-8144-4721-A7B1-64C578C9EED7}; {10E42047-DEB9-4535-A118-B3F6EC39B807}. See: How to Remove ISearchTech.SideFind.
ISTBar, SideFind
- Executable Files: gjefpet.exe; istdownload.exe; istrecover.exe; istsvc.exe; juhpad.exe; sfsetup.exe; sidefind.exe; srchupdt.exe.
- Dynamic Link Libraries: cmctl.dll; istactivex.dll; istbar.dll; istbarcm.dll; istbar_dh.dll; mscache.dll; sfbho.dll; sidefind.dll; sidefind13.dll; srchfst.dll; ysb.dll; ysbactivex.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: According to the Spyware Information Center, this infection is also known as: Adware/SearchFast [Panda], Adware/SideFind [Panda], Spyware/ISTbar [Panda], Trojan Horse [Panda], TrojanDownloader.Win32.Istbar.eo, TrojanDownloader.Win32.IstBar.gen [Kaspersky]. This infection is spread by stealth downloads, generally from game and porn sites. Numerous variants are at large and some may not be removable by the removal tool referenced on this page. All variants use a corresponding variant of the TrojanDownloader.Win32.IstBar. ISTBar may download various other parasites while installed. These items may have to be removed separately. See: How to Remove ISTBar.
KeenValue, SearchUpgrader Toolbar
- Executable Files: SearchUpgrader.exe.
- Dynamic Link Libraries: bho.dll; pwrs0rbi.dll; IncFindBHO.dll.
- Directory/Search Page: http://www.searchupgrader.com/.
- Uninstall Page URL:
- Related Articles: Important Removal Tool Note.
- Notes: Some versions of these infections are also known as eUniverse (Ad-Aware), KeenValue (Mcafee), Euniverse (PestPatrol), PowerSearch (PestPatrol), eUniverse.IncrediFind (Spybot), KeenValue.PerfectNav (Spybot), Adware.Keenval (Symantec), SPYW_KEENVAL.A (Trend Micro). See: How to Remove KeenValue.
Mirar Toolbar
- Executable Files: HKLM\..\Run: [t7Eh39Q] mlaodctr.exe; HKLM\...\MirarSetup.exe; HKCU\..\Run: [cwxnRVc4X] mcdresizem6.exe.
- Dynamic Link Libraries: NN_Bar**.dll; WinDmy.dll; Winnb**.dll.
- Directory/Search Pages: http://awbeta.net-nucleus.com/ and http://ny.contentmatch.net/.
- Uninstall Page URL: See: How to Remove Mirar Toolbar.
- Related Articles: Is Google Associated with a SearchMiracle Knock-Off? (April 27, 2005). "A question begs the asking: How does NetNucleus generate revenue from its Mirar Toolbar search directory if it enters search terms in the Google Search Engine?" Important Removal Tool Note.
- Notes: See: How to Remove Mirar Toolbar.
MySearchBar, MyWay Speed Bar, MyWebSearch
- Executable Files: hbinst.exe; s4bareq.exe; s42ns.exe; mwsoemon.exe; my2ns.exe; mysetp.exe; mysetup1.exe; websearch1.exe.
- Dynamic Link Libraries: f3htmlmu.dll; hbhostie.dll; msiehobj.dll; mybar.dll; mypopswt.dll; mysrchas.dll; mwsbar.dll; mwsoestb.dll; mwssrcas.dll; npmyway.dll; s4bar.dll; w6bar.dll.
- Directory/Search Page: http://www.mysearch.com/jsp/home.jsp; http://bar.mywebsearch.com/menusearch.
- Uninstall Page URL:
- Related Articles: Important Removal Tool Note.
- Notes:
NavExcell Toolbar
- Executable Files:
- Dynamic Link Libraries:
- Directory/Search Page:
- Uninstall page URL:
- Related Articles:
- Notes:
NaviSearch
- Executable Files: navisearch\uninstall.exe; nls.exe.
- Dynamic Link Libraries: nvms.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove NaviSearch.
nCase, Zango
- Executable Files: 180adsolution.exe; 180ax.exe; msbb.exe; saap.exe; saie.exe; sain.exe; sais.exe; salm.exe; zango.exe.
- Dynamic Link Libraries: 180adsolutionhook.dll; 180axhook.dll; atpartners.dll; msbbhook.dll; ncmyb.dll; saaphook.dll; saiehook.dll; sainhook.dll; saishook.dll; zangohook.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: These items stealth install. See Spyware Information Center on Zango variant: "Based on eTrust PestPatrol Spyware Scorecard v2.05.03 Zango violates the following criteria: First, Installs itself or any other item without user permission or knowledge at time of installation...." See: How to Remove nCase, Zango.
Network Essentials, SmartPops
- Executable Files: launcher.exe; ne.exe; networkessentials.exe; rh.exe.
- Dynamic Link Libraries: me1.dll; ne.dll; networkessentials.dll.
- Directory/Search Page:
- Uninstall Page URL: http://www.smartpops.com/customersvc.html (vendor's manual removal instructions only).
- Related Articles: None.
- Notes: Uses a trojan downloader. According to Spyware Information Center: "Gathers info on your browsing habits to display popup ads targeted at your interests. Info gathered includes: Username, Zip, Gender, Age, Country, Address, Email, LastName, FirstName, CPU Speed, OS Version, Memory, SubProvider, Provider, Providers, Download."
SearchBus
- Executable Files:
- Dynamic Link Libraries: sbus.dll.
- Directory/Search Page: http://www.searchbus.com/
- Uninstall page URL:
- Related Articles:
- Notes:
SearchForFree
- Executable Files: htmlsync.exe; icasserv.exe; isystem.exe; ldriver.exe; zlibc.exe.
- Dynamic Link Libraries: k6c40rvk.dll; rcj.dll.
- Directory/Search Page: http://www.searchforfree.info/.
- Uninstall page URL:
- Related Articles: HijackThis vs. SearchForFree (June 15, 2005); Important Removal Tool Note.
- Notes: The file "icasserv.exe" is the downloader for this infection and is also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM, TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd). The file "nvdsvc32.exe" is associated with "icasserv.exe" and may be present. The most recent variant of this infection downloads the file "zlibc.exe" instead of "icasserv.exe". The file zlibc.exe indicates that the infection is being downloaded by the Troj/Chorus-A (a.k.a. AdClicker-CM and Trojan-Clicker.Win32.Small.ft) as of late June 2005. As of early July 2005, it is not clear whether fixes for the "fd" version of the infection work for the "ft" version. See: How to Remove SearchForFree.
SearchHH, SearchMeUp, UmaxSearch, WhitePages
- Executable Files: C:\WINDOWS\SYSTEM\explorer32.exe; ...nvidia32.exe; ...systime.exe.
- Dynamic Link Libraries:
- Directory/Search Page: http://www.searchmeup.com/; http://search-center.com/search.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: See: How to Remove SearchMeUp.
SearchRelevancy
- Executable Files: ...searchrelevancy\uninstall.exe.
- Dynamic Link Libraries: searchrelevancy.dll.
- Directory/Search Page: None.
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: According to DoxDesk, "SearchRelevancy is an Internet Explorer Browser Helper Object (BHO) that adds advertising links to search engine results pages as fake results. Clicking the links sends the browser to the listed site via a hidden redirect through searchbrowser.com which adds affiliate codes to the URL. " See: How to Remove SearchRelevancy.
Sweetbar
- Executable Files: C:\Windows\System32\web.exe.
- Dynamic Link Libraries:
- Directory/Search Page: http://www.sweetbar.com/
- Uninstall page URL:
- Related Articles: None.
- Notes: Downloaded by Trojan.Anicmoo, which utilizes the Windows vulnerability described in Microsoft Security Bulletin MS05-002: "Cursor and Icon Format Handling Vulnerability - CAN-2004-1049: A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system." The trojan downloads the file "SecurityRisk.Downldr" which downloads "update.txt" which in turn downloads the Browser Helper Object (BHO) to connect to www.sweetbar.com.
VX2
- Executable Files: bios32.exe; boot.exe; f0e66c68.exe; hjfp.exe; infwin.exe.
- Dynamic Link Libraries: ablui.dll; akledit.dll; blowfish.dll; iehelper.dll; ktp6177s1.dll; multimpp.dll; rdfsaps.dll; vx2.dll.
- Directory/Search Page:
- Uninstall page URL:
- Related Articles: Important Removal Tool Note.
- Notes: The following aliases are listed at the Spyware Information Center page for this malware: Adware/MSView [Panda], Application/HideWindow.A [Panda], Application/Psexec.A [Panda], Application/ToolWget.A [Panda], Backdoor Program [Panda], Backdoor.Bionet.405 [Kaspersky], Backdoor.IRC.Zapchast [Kaspersky], Backdoor.IRC.Zcrew [Kaspersky], Backdoor/Bionet.405!Server [Computer Associates], Backdoor/IRC.Zcrew [Computer Associates], Backdoor/ZCrew.B [Computer Associates], Backdoor/ZCrew.B.IRC [Computer Associates], Backdoor/Zcrew.G [Computer Associates], BAT.IRCFlood [Computer Associates], BAT.Noshare.B [Computer Associates], Bat/Flood.C!Trojan [Computer Associates], Bck/IRC.Mirc.Based [Panda], Bck/Multi.I [Panda], Bck/Zcrew.B [Panda], Bck/Zcrew.G [Panda], Blackstone Data Transponder. Was also distributed under the name NetPal by netpalnow.com, but the software now available there is the newer NetPal parasite which isn't the same code., DoS.Win32.Nenet [Kaspersky], Flooder.Win32.WarPing [Kaspersky], Flooder/Nenet. A [Panda], IRC.Flood [Computer Associates], mIRC/Flood.I!Trojan [Computer Associates], mIRC/Flood.RmtCfg!Trojan [Computer Associates], NetPal, RemoteProcessLaunch [McAfee], Sputnik (name used by VX2), Spyware/BetterInet [Panda], Trj/Femad.A [Panda], Trj/Flood.BI [Panda], Trj/Passer.C [Panda], Trojan [Name used by Ad-aware], Trojan Horse [Panda], TrojanDownloader.Win32.Femad.b [Kaspersky], VX2 RespondMiter., VX2.Clean Get-Away, VX2.MSView, VX2.My PanicButton, VX2.Respondmiter, VX2.SiteHelper, VX2.Transponder, Win32.BettInet.C [Computer Associates], Win32.Bionet.405 [Computer Associates], Win32.Femad.A [Computer Associates], Win32.IRCFlood [Computer Associates], Win32.Startpage.KF!downloader [Computer Associates], Win32/Femad.B trojan [Eset], Win32/Rslocal.B!Downloader [Computer Associates], Win32/SillyDL.70656!Trojan [Computer Associates], Win32/Spybot.FR!Worm [Computer Associates], Win32/Startpage.KF!Downloader [Computer Associates]. See: How to Remove VX2.
VGS is in the process of compiling a Trojan and Worm Appendix to the Malware Identifier Index. At present the following trojans/worms (listed by one or more popular name or by key file shown in parentheses) are being investigated and a freeware or trialware removal tool has been found:
Trojans: AdClicker-H; Win32.Backdoor.AfCore; Win32.Agent.Trojan; TrojanDownloader.Win32.Agent.al; TrojanDownloader.Win32.Agent.an; TrojanDownloader.Win32.Agent.z; Trojan/Backdoor-BDD; Win32.TrojanSpy.Banker; Win32.Dasmin.B; Trojan/Dasmin-F; Win32.Delf.Trojan.A; Trojan/Dloader-AB; Trojan/Downloader-LO; Win32.Trojan.IEStartpage; Win32.Trojan.Krepper; Win32.TrojanDownloader.Lemmy; Win32.Mitglieder Trojan; Trojan.Poldo.B; Win32.Trojan.Post; Win32.Backdoor.RBot; Win32.Dialer.Saristar; Win32.Sced.Trojan; Win32.Small.Trojan; Win32.TrojanDownloader.Small; Win32.TrojanProxy.Small; Win32.Backdoor.Spyboter; Win32.TrojanDownloader.Swizzor.br.
Worms: Win32.Padobot; Win32.Sasser; Win32.Spybot.worm.
- The above malware items can be removed by Lavasoft's Ad-Aware freeware.
Trojans: Win32.Bagle.AV; Win32.Bagle.B; Win32.Bagle.C; Win32.Bagle.E; Win32.Bagle.F; Win32.Bagle.G; Win32.Bagle.H; Win32.Bagle.I; Win32.Bagle.J; Win32.Bagle.N; Win32/Crowt-A; Trojan/Win32.Hwbot-A; Trojan/Haxdoor-H; Trojan/Peper; Trojan/RS-Local-A; Win32.R-Bot; Trojan/Startpage-EH; Backdoor.VB.nb; TrojanDownloader.Win32.VB.q; Trojan/Webus-D; Trojan/Winser-A; Trojan/Zwax.
- The above malware items can be removed by Spybot S&D.
Trojans: (installer_MEDIAWHIZ3.exe; installer_MARKETING10.exe; installer_MARKETING11.exe) TrojanDownloader.Adload.a; (A0000090.exe) TrojanDownloader.Apropo.r; (GLF6EGLF6E.EXE) TrojanDownloader.TSUpdate.f; (61[1].bin) TrojanDropper.Small.ul.
- The above malware items can be removed by the Ewido 14-day trialware product on the other side of this >>> link
Trojans: Backdoor.Win32.Wootbot; Backdoor.Win32.Agobot; Backdoor.Win32.Forbot; Backdoor.Win32.Rbot; Worm.P2P.Spybot; Backdoor.Win32.IRCBot; Backdoor.Win32.SdBot; Backdoor.Win32.Poebot; Backdoor.Win32.Codbot.
- The above malware items can be removed by the F-Secure freeware product on the other side of these links. Associated readme texts are also provided for more information. "Download: http://www.f-secure.com/tools/f-bot.zip Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip The unpacked version is available from here: Download: http://www.f-secure.com/tools/f-bot.exe Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bot.exe Readme: http://www.f-secure.com/tools/f-bot.txt Readme: ftp://ftp.f-secure.com/anti-virus/tools/f-bot.txt System administrators can download the JAR version from here: Download: http://www.f-secure.com/tools/f-bot.jar Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bot.jar"
Worms: I-Worm.BadtransII; Badtrans.B@mm; W32/Badtrans.B; WORM_BADTRANS.B; W32/Badtrans-B; W32/Badtrans.B@mm; W32/BadTrans@MM; Win32.Badtrans.29020; Worm/Badtrans.B.
- The above malware items can be removed by the F-Secure freeware product on the other side of these links. "BT_B_Dis: The BT_B_Dis tool is used to unlock Badtrans.b worm file, so it could be deleted after system restart. Download: ftp://ftp.f-secure.com/anti-virus/tools/bt_b_dis.reg Download: ftp://ftp.f-secure.com/anti-virus/tools/bt_b_dis.zip"
Worms: W32/Bagle.A@mm W32/Bagle.B@mm W32/Bagle.C@mm W32/Bagle.D@mm W32/Bagle.E@mm W32/Bagle.F@mm W32/Bagle.G@mm W32/Bagle.H@mm W32/Bagle.I@mm W32/Bagle.J@mm W32/Bagle.K@mm W32/Bagle.L@mm W32/Bagle.M@mm W32/Bagle.O@mm W32/Bagle.U@mm W32/Bagle.V@mm W32/Bagle.W@mm W32/Bagle.X@mm W32/Bagle.Y@mm W32/Bagle.Z@mm W32/Bagle.AL@mm W32/Bagle.AC W32/Bagle.AF@mm W32/Bagle.AH@mm W32/Bagle.AI@mm W32/Bagle.AN@mm W32/Bagle.AO@mm W32/Bagle.AT@mm W32/Bagle.AU@mm W32/Bagle.AV@mm ("test version") W32/Bagle.AX@mm W32/Bagle.AY@mm Email-Worm.Win32.Bagle.ba Email-Worm.Win32.Bagle.bb Email-Worm.Win32.Bagle.bc Email-Worm.Win32.Bagle.pac (1 variant).
Trojans: W32/Mitglieder.S W32/Mitglieder.T W32/Mitglieder.AA W32/Mitglieder.AJ W32/Mitglieder.AG W32/Mitglieder.AV.
- The above malware items can be removed by the F-Secure freeware product on the other side of these links. "The F-Bagle utility disinfects computers infected with the certain Bagle worm variants. Please see the readme.txt file for more information. Download: http://www.f-secure.com/tools/f-bagle.zip Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip The unpacked version is available from here: Download: http://www.f-secure.com/tools/f-bagle.exe Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe Readme: http://www.f-secure.com/tools/f-bagle.txt Readme: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt System administrators can download the JAR version from here: Download: http://www.f-secure.com/tools/f-bagle.jar Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.jar"
Worms: W32/Bugbear.A; W32/Bugbear.B; (I-Worm.Tanatos.A); (I-Worm.Tanatos.B).
- The above malware items can be removed by the F-Secure freeware product on the other side of these links. The F-Bugbr utility disinfects computers infected with W32/Bugbear.A and W32/Bugbear.B (also known as Tanat or Tanatos) worms. Download: ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bugbr.zip Download: ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bugbr.exe Readme: ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bugbr.txt.
Trojans: Trojan.Win32.Killav.q.
Worms: Win32.Deborm.R; Backdoor.Litmus.203; W32/Litmus.C; Backdoor.SDbot.gen; W32/SDBot.J.
- The above malware items can be removed by the F-Secure freeware product on the other side of these links. Download: ftp://ftp.europe.f-secure.com/anti-virus/tools/f-deborm.zip Download: ftp://ftp.europe.f-secure.com/anti-virus/tools/f-deborm.exe Readme: ftp://ftp.europe.f-secure.com/anti-virus/tools/f-deborm.txt