Adware & Malware Identifier Index: Letter S.

The following is an in-progress index of some of the more common malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it comes available. Revision dates will be listed in parenthesis next to the revised/updated item.

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.





SearchBus

• Executable Files:
• Dynamic Link Libraries: sbus.dll.
• Directory/Search Page: http://www.searchbus.com/
• Uninstall page URL:
• Related Articles:
• Notes:
  

SearchForFree

• Executable Files: htmlsync.exe; icasserv.exe; isystem.exe; ldriver.exe; zlibc.exe.
• Dynamic Link Libraries: k6c40rvk.dll; rcj.dll.
• Directory/Search Page: http://www.searchforfree.info/.
• Uninstall page URL:
• Related Articles: HijackThis vs. SearchForFree (June 15, 2005); Important Removal Tool Note.
• Notes: The file "icasserv.exe" is the downloader for this infection and is a also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM , TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd) . The file "nvdsvc32.exe" is associated with "icasserv.exe" and may be present. The most recent variant of this infection downloads the file "zlibc.exe" instead of "icasserv.exe". The file zlibc.exe indicates that the infection is being downloaded by the Troj/Chorus-A (a.k.a. AdClicker-CM and Trojan-Clicker.Win32.Small.ft ) as of late June 2005. As of early July 2005, it is not clear whether fixes for the "fd" version of the infection work for the "ft" version. See: How to Remove SearchForFree.

SearchHH, SearchMeUp, UmaxSearch, WhitePages

• Executable Files: C:\WINDOWS\SYSTEM\explorer32.exe; ...nvidia32.exe; ...systime.exe.
• Dynamic Link Libraries:
• Directory/Search Page: http://www.searchmeup.com/; http://search-center.com/search.
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: See: How to Remove SearchMeUp.

EliteBar Toolbar, EliteSideBar, ETBRUN, SearchMiracle, YupSearch

• Executable Files: O4 - HKLM\..\Run: [etbrun] c:\windows\system32\elite***32.exe; eliteabu32.exe; elitebhi32.exe; elitebyj32.exe; elitecfh32.exe; eliteckj32.exe; elitecla32.exe; elitedbt32.exe; elitedph32.exe; elitednv32.exe; eliteetx32.exe; eliteeys32.exe; elitefmj32.exe; elitegdp32.exe; elitehaf32.exe; elitehln32.exe; elitehxt32.exe; eliteine32.exe; eliteizj32.exe; elitejhs32.exe; elitejko32.exe; elitekck32.exe; elitekpi32.exe; elitekyk32.exe; elitelaj32.exe; elitelfv32.exe; elitelgy32.exe; elitemoa32.exe; elitemol32.exe; elitemuc32.exe; elitenii32.exe; elitenne32.exe; elitenrz32.exe; eliteoey32.exe; eliteosm32.exe; eliteoxx32.exe; eliteozz32.exe; elitepam32.exe; elitepdt32.exe; elitepye32.exe; elitepys32.exe; elitervh32.exe; eliterwr32.exe; eliteuej32.exe; eliteutt32.exe; eliteuzz32.exe; elitevaj32.exe; elitewjf32.exe; elitewug32.exe; elitewvn32.exe; elitexlp32.exe; elitexxe32.exe; elitexyi32.exe; eliteyif32.exe; elitezgx32.exe; elitezvo32.exe; elitezwk32.exe; etc. C:\windows\system32\kalv***32.exe; c:\windows\nail.exe.
• Dynamic Link Libraries: C:\WINDOWS\EliteBar\EliteBar version 50.dll; C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll; etc.
• Directory/Search Page: http://www.audioseek.net/; http://ad1.searchmiracle.com/ http://www.searchmiracle.com/; http://www.yupsearch.com/search.php.
• Uninstall Page URL: Direct download link/file from search directory pages. An uninstall file is also downloaded along with the infection but is reputed to be ineffective.
• Related Articles: More on Variant ADW_ELITEBAR.D.(May 27, 2005); Diabolical New EliteBar Variant Strikes the Web!!!! (May 22, 2005); EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005); HijackThis vs. the Elitebar Removal Tool (April 23, 2005); EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005); HijackThis vs. SearchMiracle/EliteBar (April 11, 2005); How to Remove SearchMiracle/ EliteBar (February 27, 2005); Important Removal Tool Note.
• Notes: Automatically reinstalls upon removal. The EliteBar Removal Tool can not remove the variant adw_elitebar.d. See Diabolical New EliteBar Variant Strikes the Web!!!! and More on Variant ADW_ELITEBAR.D for further details.
  
  

SearchRelevancy

• Executable Files: ...searchrelevancy\uninstall.exe.
• Dynamic Link Libraries: searchrelevancy.dll.
• Directory/Search Page: None.
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: According to DoxDesk, "SearchRelevancy is an Internet Explorer Browser Helper Object (BHO) that adds advertising links to search engine results pages as fake results. Clicking the links sends the browser to the listed site via a hidden redirect through searchbrowser.com which adds affiliate codes to the URL. " See: How to Remove SearchRelevancy.
  

KeenValue, SearchUpgrader Toolbar

• Executable Files: SearchUpgrader.exe.
• Dynamic Link Libraries: bho.dll; pwrs0rbi.dll; IncFindBHO.dll.
• Directory/Search Page: http://www.searchupgrader.com/.
• Uninstall Page URL:
• Related Articles: Important Removal Tool Note.
• Notes: Some versions of these infections are also known as eUniverse (Ad-Aware), KeenValue (Mcafee), Euniverse (PestPatrol), PowerSearch (PestPatrol), eUniverse.IncrediFind (Spybot), KeenValue.PerfectNav (Spybot), Adware.Keenval (Symantec), SPYW_KEENVAL.A (Trend Micro). See: How to Remove KeenValue.

ISTBar, SideFind.

• Executable Files: gjefpet.exe; istdownload.exe; istrecover.exe; istsvc.exe; juhpad.exe; sfsetup.exe; sidefind.exe; srchupdt.exe.
• Dynamic Link Libraries: cmctl.dll; istactivex.dll; istbar.dll; istbarcm.dll; istbar_dh.dll; mscache.dll; sfbho.dll; sidefind.dll; sidefind13.dll; srchfst.dll; ysb.dll; ysbactivex.dll.
• Directory/Search Page:
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: According to the Spyware Information Center, this infection is also known as: Adware/SearchFast [Panda], Adware/SideFind [Panda], Spyware/ISTbar [Panda], Trojan Horse [Panda], TrojanDownloader.Win32.Istbar.eo, TrojanDownloader.Win32.IstBar.gen [Kaspersky]. This infection is spread by stealth downloads, generally from game and porn sites. Numerous variants are at large and some may not be removable by the removal tool referenced on this page. All variants use a corresponding variant of the TrojanDownloader.Win32.IstBar. ISTBar may download various other parasites while installed. These items may have to be removed separately. See: How to Remove ISTBar.

Sweetbar

• Executable Files: C:\Windows\System32\web.exe.
• Dynamic Link Libraries:
• Directory/Search Page: http://www.sweetbar.com/
• Uninstall page URL:
• Related Articles: None.
• Notes: Downloaded by Trojan.Anicmoo which utilizes Windows vulnerability described in Microsoft Security Bulletin MS05-002: "Cursor and Icon Format Handling Vulnerability - CAN-2004-1049: A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. " The trojan downloads the file "SecurityRisk.Downldr" which downloads "update.txt" which in turn downloads the Browser Helper Object (BHO) to connect to http://www.sweetbar.com/.