How to Remove PokaPoka.

The following is a detail page of Virtual Grub Street's Adware & Malware Identifier Index:

The information in the Adware & Malware Identifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis

log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.



EliteBar Toolbar, EliteSideBar, ETBRUN, PokaPoka, SearchMiracle, YupSearch

• Associated Worms/Trojans: backdoor.pokapoka
• Executable Files: O4 - HKLM\..\Run: [etbrun] c:\windows\system32\elite***32.exe; eliteabu32.exe; elitebhi32.exe; elitebyj32.exe; elitecfh32.exe; eliteckj32.exe; elitecla32.exe; elitecxw32.exe; elitedbt32.exe; elitedph32.exe; elitednv32.exe; eliteetx32.exe; eliteeys32.exe; elitefmj32.exe; elitefyb32.exe; elitegdp32.exe; elitehaf32.exe; elitehln32.exe; elitehxt32.exe; eliteine32.exe; eliteizj32.exe; elitejhs32.exe; elitejko32.exe; elitekck32.exe; elitekpi32.exe; elitekyk32.exe; elitelaj32.exe; elitelfv32.exe; elitelgy32.exe; elitelhg32.exe; elitemoa32.exe; elitemol32.exe; elitemuc32.exe; elitenii32.exe; elitenne32.exe; elitenrz32.exe; eliteoey32.exe; eliteosm32.exe; eliteoxx32.exe; eliteozz32.exe; elitepam32.exe; elitepdt32.exe; eliteptl32.exe; elitepye32.exe; elitepys32.exe; elitervh32.exe; eliterwr32.exe; eliteuej32.exe; eliteutt32.exe; eliteuzz32.exe; elitevaj32.exe; elitewfu32.exe; elitewjf32.exe; elitewug32.exe; elitewvn32.exe; elitevba32.exe; elitevji32.exe; elitexdk32.exe; elitexiy32.exe; elitexlp32.exe; elitexxe32.exe; elitexyi32.exe; eliteyif32.exe; elitezgx32.exe; elitezvo32.exe; elitezwk32.exe; etc. pokapoka**.exe; pokapoka62.exe; pokapoka65.exe; pokapoka66.exe; pokapoka67.exe; pokapoka68.exe; pokapoka70.exe; pokapoka75.exe; pokapoka76.exe.
• Dynamic Link Libraries: EliteSideBar 08.dll (a.k.a. EliteBar.b).
• Directory/Search Page:
• Uninstall Page URL:
• Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. PokaPoka.exe + Nothing = YupSearch (October 19, 2005); EliteBar Removal Tool Updates to 2.0.1 (September 21, 2005); SearchMiracle.EliteBar Then and Now (September 20, 2005); More on Variant ADW_ELITEBAR.D.(May 27, 2005); Diabolical New EliteBar Variant Strikes the Web!!!! (May 22, 2005); EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005); HijackThis vs. the Elitebar Removal Tool (April 23, 2005); EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005); HijackThis vs. SearchMiracle/EliteBar (April 11, 2005); How to Remove SearchMiracle/ EliteBar (February 27, 2005); Important Removal Tool Note.
• Notes: PokaPoka is a variant of SearchMiracle.EliteBar (a.k.a. YupSearch) that downloads the PokaPoka backdoor trojan. It is downloaded together with a traditional elite***32 file.


• PokaPoka can be removed by the SimplyTech freeware Elite Toolbar Remover and by the LQfix freeware removal tool. The LQfix tool must be run in Safe Mode for this infection.
• Ewido Security Suite trialware can remove the active files of this infection. For variants PokaPoka76.exe and later, the Ewido Security Suite should be run prior to the Elite Toolbar Remover or LQfix tools in order to remove all vestiges of the infection.

Also See:

• Man-Boy Love Advocate Accused of Using Wikipedia to Troll for Interested Parties (March 4, 2007). (March 4, 2007). Rookie Revolyob, Clayboy, Zanthalon, et al: Why is Wikpedia a Pedophile Haven?

CCleaner Information Page

The information in Virtual Grub Street's computer postings is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.

*

Intro. CCleaner is freeware that can remove Windows cache, temporary, history (incl. index.dat) and recycle bin files, cookies and more. According to its creators, it can also clean unwanted files from "Firefox, Opera, Media Player, eMule, Kazaa, Google Toolbar, Netscape, Office XP, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and more...". CCleaner can also be used to check Windows registry status. A back-up capability is provided as part of the package.

Description: According to Small Business Computing.com: "CCleaner's initial OS/browser analysis of our test system took a bit less than three minutes and uncovered about 2.9 GB worth of files to be eliminated. The actual cleaning process took around two minutes and reported an actual amount of 2.5 GB of space cleared (which we verified...)".

Versions. --

Latest Version Covered: CCleaner v1.25.201

File Size. CCsetup125.exe: 513KB.

File Type. C++.

Most recent update. CCleaner v1.25.201 (11/07/05).

Compatible Operating Systems: Windows 98/ME/2000/XP.



Downloads. CCleaner can be downloaded from the following locations:

• http://www.ccleaner.com/download125.asp
• http://www.filehippo.com/download_ccleaner.html
• http://www.download.com/3000-2144_4-10315544.html
• http://fileforum.betanews.com/detail/CCleaner_Crap_
  Cleaner/1100194579/1

The first listing is CCleaner's own page. The tool may have to be run with Windows in Safe Mode for some cleaning tasks. The download does not come with a User's Manual. A brief but informative online tutorial/manual is available here at the CCleaner forum.

The following example instructions for CCleaner are also selected from the CCleaner forum tutorial:

• [At the] Windows [tab]:

• On your left you have check boxes to select what you would like to clean or not to clean.

  Tip: I recommend using the default checked boxes and running Advanced maybe once a month or so.

  At the bottom of Progress you have Analyze and Run Cleaner.

  Clicking on Analyze will create a list of everything CCleaner is going to clean. You can right click in the big white box and save the list as a text file.

  Clicking on Run Cleaner will clean everything. You can right click in he big white box and save the list as a text file. Note: you do not have to run Analyze, if you do not wish too.

• [At the] Applications [tab]

• On your left you have check boxes to select what you would like to clean or not to clean.

  Tip: I recommend having them all checked. Unless you are a business or use the documents alot, I would uncheck the Office box under Applications.

  The Applications cleaning is tied in with the Windows cleaning, so it cleans them both at once. You do not have to click on each individual tab to clean Windows and Applications.

The tutorial can be downloaded from the following location:

• CCleanerBeginnerGuide.zip

Other VGS Freeware/Trialware Information Pages:

• Ad-Aware;
• CleanUp!;
• Elite Toolbar Remover;
• EliteBarfix.bat;
• Ewido Security Suite;
• HijackThis;
• LQfix;
• Nailfix.exe:
• Pocket KillBox;
• SpyBot S&D;
• SpyWall
  (Captured first place in the 2006 Enterprise Security category of Datamation's Product of the Year awards.).

Also See:

• Is Wikipedia Handing Out Your Browsing Information to Thousands? Who needs malware when there's Wikipedia? (VGS alert)

EliteBarfix.bat Information Page

The information in Virtual Grub Street's computer postings is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.

*

Intro. The EliteBarfix.bat removal tool was created by Michael J. Cermak, Jr.'s Tech Support Guy forums. The forum was founded in 1996 and is well known throughout the web tech community.

The tool consists of a simple MS-Dos program designed to remove key files and registry entries associated with SearchMiracle.EliteBar. It works on all standard Windows systems, Windows 95 through XP. It must be run in Safe Mode.

File Size. 3KB.

File Type. MS-Dos.

Most recent update. 04/19/05.

EliteBarfix.bat is thus far only used by the experts of TSG forums. It is used in conjunction with either CCleaner or Cleanup and either the Ewido Security Suite or Pocket KillBox anti-trojan program. The three-pronged attack (EliteBarfix.bat + cleaner + anti-trojan) is followed up with a separate removal of search-hooks, hijack target-pages, and, in the case of a multiple infection, other miscellaneous files. Run alone, this tool it does not entirely remove any EliteBar infection.

Downloads. EliteBarfix.zip can be downloaded from the following location: http://attachments.techguy.org/attachment.php?attachmentid=57317.

Other VGS Freeware/Trialware Information Pages:

• Ad-Aware;
• CCleaner;
• CleanUp!;
• Elite Toolbar Remover;
• EliteBarfix.bat;
• Ewido Security Suite;
• HijackThis;
• LQfix;
• Nailfix.exe;
• Pocket KillBox;
• SpyBot S&D;
• SpyWall
  (Captured first place in the 2006 Enterprise Security category of Datamation's Product of the Year awards.).

Also see:

• PokaPoka.exe + Nothing = YupSearch (October 19, 2005). What do people mean when they say they have "YupSearch" instead of "EliteBar"?
• LQfix Information Page (October 15, 2005) There's a new tool in town!
• Elite Toolbar Remover Information Page (October 17, 2005).
• How to Remove PokaPoka. (October 12, 2005) Does your EliteBar variant include PokaPoka.exe?
• EliteBar Removal Tool Updates to 2.0.1. (September 21, 2005) The EliteBar Removal Tool now comes in two flavors and two generations!
• SearchMiracle.EliteBar Then and Now (September 21, 2005). Hijacks, heroes, updates and links.
• EliteBar Removal Tool Updates to 2.0.0!!!!! (September 15, 2005). Includes expanded list of infections removed by the removal tool.
• More on Variant ADW_ELITEBAR.D. (May 27, 2005). "It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know..."
• Diabolical new EliteBar variant Strikes the Web!!!!or the one the EliteBar Removal Tool can't remove (May 22, 2005).
• EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005). Includes expanded list of infections removed by the removal tool.
• Key File Index (May 18, 2005).
• Adware & Malware Identifier Index (May 9, 2005). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
• Is Google Associated with a SearchMiracle Knock-Off? (April 27, 2005). "A question begs the asking: How does NetNucleus generate revenue from its Mirar Toolbar search directory if it enters search terms in the Google Search Engine?"
• HijackThis vs. the Elitebar Removal Tool (April 23, 2005). "While this approach may provide some limited, and temporary, relief, SearchMiracle will soon be back in full force."
• EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005). "The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even if though it is really there!"
• HijackThis vs. SearchMiracle/EliteBar (April 11, 2005).
• How to Remove SearchMiracle/EliteBar (February 27, 2005).
• Online Bibliography (Regularly updated) A bibliography of Gilbert Wesley Purdy's work on the Web and elsewhere including computer topics.

LQfix Information Page

The information in Virtual Grub Street's computer postings is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.

*

Intro. The LQfix removal tool was created by a 30 year old Belgian woman who goes by the handle "miekiemoes". [M]iekiemos has long been a regular participant in numerous web forums.

The name "LQfix" refers to the fact that the tool removes the signature registry entry "HKCU\Software\LQ" as a key step of its process. It is not clear that any infection that does not include this entry can be removed by this tool.

Versions. There are two versions of LQfix that have been made available by free download since September 27, 2005. The first is refered to by the name "LQfix.exe". It is the full LQfix removal program. A new limited one-click batch-process version, for targetted use, is refered to as "LQfix.bat". LQfix.bat is only available via the zip file download "LQfix.zip".

File Size. LQfix.exe 2.1: 656KB; LQbat: 10KB.

File Type. LQbat: MS-Dos.

Most recent update. LQfix.exe 2.1; 10/22/05; LQbat: 10/12/05.

vs. PokaPoka76.exe. Versions of LQfix prior to 10/22/05 alone can not remove pokapoka76.exe file. It is not clear whether the new version can or not. Previous versions of LQfix can, however, definitely remove PokaPoka76.exe in combination with the Ewido Security Suite's trialware trojan remover. A example Ewido scan report, relating to pokapoka76 removal should read as follows:

[####] C:\WINNT\etb\nt_hide76.dll -> Trojan.EliteBar.a : Cleaned with
backup

[####] C:\WINNT\etb\pokapoka76.exe -> Trojan.EliteBar.a : Cleaned with
backup

*

C:\Documents and Settings\gward\Local Settings\Temp\1246052_2340_2308_1816_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup

C:\Documents and Settings\gward\Local
Settings\Temp\131564_3584_2888_548_76.41.tmp -> Trojan.EliteBar.a : Cleaned
with backup

*

C:\Documents and Settings\gward\Local
Settings\Temp\262588_2208_3968_2508_76.41.tmp -> Trojan.EliteBar.a : Cleaned
with backup

C:\Documents and Settings\gward\Local
Settings\Temp\66126_2832_2504_3884_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup

C: \Documents and Settings\gward\Local
Settings\Temp\66262_2340_2308_3020_76.41.tmp -> Trojan.EliteBar.a : Cleaned with backup

*

C:\Documents and Settings\gward\Local Settings\Temp\k_AA09.tmp ->
Trojan.EliteBar.a : Cleaned with backup

Typically, both tools are employed in Safe Mode in order to remove this infection. Ewido is run first, to remove the actual files associated with Trojan.EliteBar.a (PokaPoka76), followed by LQfix, to remove the other files associated with the infection.

Downloads. LQfix.exe can be downloaded from the following locations:

• http://www.downloads.subratam.org/LQfix.exe
• http://miekiemoes.geekstogo.com/tools/LQfix.exe
• http://users.pandora.be/bluepatchy/miekiemoes/tools/LQfix.exe

The last site listed is miekiemoes's own page.

The following example instructions for LQfix.exe (the version prior to 2.1) appear at the Geeks to Go forum:

• Double-Click LQfix.exe and click Next > Next > Install.
• Leave the default settings, if you change them, the fix will Fail!
• You need an active internetconnection, so make sure your you're not blocking any connection now.
• Now make sure the "Launch LQfix" box is checked. Click the Finish button, after clicking the Finish button the fix will start.
• Follow the on-screen prompts.
• Your system will reboot afterwards. Please be patient after the reboot, there is a script running in the background that needs to complete.

The tool must be run in Safe Mode.


LQfix.bat (LQfix.zip) can be downloaded from the following locations:

• http://users.telenet.be/bluepatchy/miekiem...tools/LQfix.zip
• http://www.downloads.subratam.org/LQfix.zip

LQfix.bat is deployed by opening the LQfix folder and clicking on "LQfix.bat".

Other VGS Freeware/Trialware Information Pages:

• Ad-Aware;
• CCleaner;
• CleanUp!;
• Elite Toolbar Remover;
• EliteBarfix.bat;
• Ewido Security Suite;
• HijackThis;
• LQfix;
• Nailfix.exe;
• Pocket KillBox;
• SpyBot S&D;
• SpyWall
  (Captured first place in the 2006 Enterprise Security category of Datamation's Product of the Year awards.).

Also see:

• Is Wikipedia Handing Out Your Browsing Information to Thousands? Who needs malware when there's Wikipedia? (VGS alert)
• EliteBarfix.bat Information Page (October 20, 2005). Yet another new removal tool, sort of.
• PokaPoka.exe + Nothing = YupSearch (October 19, 2005). What do people mean when they say they have "YupSearch" instead of "EliteBar"?
• Elite Toolbar Remover Information Page (October 17, 2005).
• How to Remove PokaPoka. (October 12, 2005) Does your EliteBar variant include PokaPoka.exe?
• EliteBar Removal Tool Updates to 2.0.1. (September 21, 2005) The EliteBar Removal Tool now comes in two flavors and two generations!
• SearchMiracle.EliteBar Then and Now. (September 21, 2005). Hijacks, heroes, updates and links.
• EliteBar Removal Tool Updates to 2.0.0!!!!! (September 15, 2005). Includes expanded list of infections removed by the removal tool.
• More on Variant ADW_ELITEBAR.D. (May 27, 2005). "It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know..."
• Diabolical new EliteBar variant Strikes the Web!!!!or the one the EliteBar Removal Tool can't remove (May 22, 2005).
• EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005). Includes expanded list of infections removed by the removal tool.
• Key File Index (May 18, 2005).
• Adware & Malware Identifier Index (May 9, 2005). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
• HijackThis vs. the Elitebar Removal Tool (April 23, 2005). "While this approach may provide some limited, and temporary, relief, SearchMiracle will soon be back in full force."
• EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005). "The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even if though it is really there!"
• HijackThis vs. SearchMiracle/EliteBar (April 11, 2005).
• How to Remove SearchMiracle/ EliteBar (February 27, 2005).

EliteBar Removal tool updates to 2.0.1.

In addition to the removal tool update VGS announced in the recent article EliteBar Removal Tool Updates to V.2.0.0!!!!!, SimplyTech.it has added yet another feature. As announced here in SimplyTech's Forum, EliteBar Removal Tool now comes in two flavors:

We have some new versions of the ETRemover to offer. You can download them from here:

Version 2.0.1 for people who don't get "RunTime Error 5" messages. http://www.simplytech.it/ETRemover/ETRemover_V201.zip

BETA Version 2.0.1 for people who get "RunTime Error 5" messages. http://www.simplytech.it/ETRemover/ETRemover_v201_Beta.zip

For those who find the 2.x.x. series does not work for them, SimplyTech is also continuing to download a 1.3.2 version from here: http://www.simplytech.it/ETRemover/revomeRTE_V132_Beta.zip . In the words of Giancarlo Calo:

Well, we have decided to take the old v.1.3.x and fill it with the latest malware definitions, so we can now offer the v.1.3.2 that is more stable but is and remain a discontinued Beta product.

It will no longer be supported, however, nor does SimplyTech have any specific plans to update its definitions in the future.



Also see:

• PokaPoka.exe + Nothing = YupSearch (October 19, 2005). What do people mean when they say they have "YupSearch" instead of "EliteBar"?
• Elite Toolbar Remover Information Page (October 17, 2005).
• LQfix Information Page (October 15, 2005) There's a new tool in town!
• How to Remove PokaPoka. (October 12, 2005) Does your EliteBar variant include PokaPoka.exe?
• SearchMiracle.EliteBar Then and Now (September 21, 2005).
• EliteBar Removal Tool Updates to 2.0.0!!!! (September 15, 2005). Includes expanded list of infections removed by the removal tool.
• More on Variant ADW_ELITEBAR.D. (May 27, 2005). "It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know..."
• Diabolical new EliteBar variant Strikes the Web!!!!or the one the EliteBar Removal Tool can't remove (May 22, 2005).
• EliteBar Removal Tool Updates to 1.3.0!!!!! or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 2).
• Key File Index (May 18, 2005).
• Adware & Malware Identifier Index (May 9, 2005). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
• Is Google Associated with a SearchMiracle Knock-Off? (April 27, 2005). "A question begs the asking: How does NetNucleus generate revenue from its Mirar Toolbar search directory if it enters search terms in the Google Search Engine?"
• HijackThis vs. the Elitebar Removal Tool (April 23, 2005). "While this approach may provide some limited, and temporary, relief, SearchMiracle will soon be back in full force."
• EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005). "The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even if though it is really there!"
• HijackThis vs. SearchMiracle/EliteBar (April 11, 2005).
• How to Remove SearchMiracle/ EliteBar (February 27, 2005).
• Online Bibliography (Regularly updated). A bibliography of Gilbert Wesley Purdy's work on the Web and elsewhere including computer topics.

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar ETBrun YupSearch Yup Search.]

ISearchTech.SideFind Update (08-27-05)

A couple of recent comments appended to Virtual Grub Street's "How to Remove ISearchTech.SideFind" inform me that SpyBot S&D is no longer able to remove the newer versions of ISearchTech.SideFind or ISearchTech's Your Site Bar. A preliminary check around the net verifies that the following message is received when the SpyBot S&D 1.4 (most recent version) scan is run:

ISearchTech.SideFind: Settings (Registry key, fixing
failed)HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar

ISearchTech.YSB: Settings (Registry key, fixing
failed)HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar

It is clear that ISearchTech is becoming the King Kong of the adware/malware world. The first place a user might wish to check, in his search for answers is this Computing.net post, which lists a number of approaches that failed:

http://computing.net/security/wwwboard/forum/16387.html

This should save time.

An approach that seems to have worked, is to combine Pocket KillBox with Panda scans and the Rand1038 registry search tool available at the Tom Coyote site (http://tomcoyote.org/rand1038/vbscript/RegScan.zip). This is an exceptional piece of work by LonnyRJones at Net-Integration. The thread in question can be found here: http://forums.net-integration.net/index.php?showtopic=32253. It addresses a serious multiple infection, two components of which are ISearchTech's SideFind and YourSiteBar, and I will not be able to sit down with it an to melt it down into a simpler format for a while. Other duties call.

Warning! The infected machine, in the thread, is a Windows 2000 machine. For 2000/Nt machines it may be necessary to follow these instructions from the N-I thread:

Download and install pserv.cpl: http://p-nand-q.com/e/pserv.html

start the tool, it will have made a shortucut, in the windows control panel called "Services & Devices".

You need to be carefull and always double check. On its toolbar go display>display devices>find this item > HexadecimaRepresentation)

Doublecheck you have the correct device, by ensureing it is pointing to C:\WINNT\Edit.exe

Rick click on it in the context menue choose delete.
Close Pserve CPL

Download System Security Suite. http://www.igorshpak.net/
If that site is unavailable use this link please
http://forums.subratam.org/index.php?act=A...e=post&id=25013
Extract it from the zip file and run setup.exe after the install you can delete setup.exe and the downloaded zip file Start the program Check all the boxes under the 'Items to Clear' (except perhaps cookies) tab and click 'Clear Selected Items'. You will be prompted to reboot, do so or the job doesnt get done.

The file "HexadecimaRepresentation" is an indication of the W32/Sdbot-AAY worm (a backdoor downloader) and I have not yet had the time to trace which of the multiple infections it is associated with. It is not clear what equivalent steps are necessary in order to remove the infection for other versions of windows.

If the user is not particularly experienced, it would perhaps be wiser to contact Net-Integration and to ask for step-by-step guidance. Be prepared to download a range of free software in order to meet N-I's prereqs and to get rid of the infection.

Another promising shorthand approach should be to run the the Rand1038 registry search tool and delete all registry entries for ISearchTech and then to do Spybot (off-line) and Panda Active-X scans.

Also See:

• Man-Boy Love Advocate Accused of Using Wikipedia to Troll for Interested Parties (March 4, 2007). Rookie Revolyob, Clayboy, Zanthalon, et al: Why is Wikpedia a Pedophile Haven?;
• Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize.
• How to Remove ISearchTech.SideFind;
• How to Remove YourSiteBar;
• Adware & Malware Indentifier Index.

Adware & Malware Indentifier Index: Letter C.

The following is an in-progress index of some of the more common malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it comes available. Revision dates will be listed in parenthesis next to the revised/updated item.

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.




C2, Lop

• Executable Files: asshuktr.exe; bilyooas.exe; byb_save.exe; crgbeaoa.exe; dmvcrthl.exe; eaymulyl.exe; eeublidc.exe; glxshmcr.exe; ijlysseb.exe; jqumysto.exe; kfriegbs.exe; llfggrdr.exe; lltckiey.exe; lopsearc.exe; meemnckyqbr.exe; meepajlr.exe; mprcouie.exe; oofrkxpe.exe; peebqusz.exe; quveioot.exe; shoucrck.exe; ssmeeibl.exe; tchpeatr.exe; tglblrll.exe; trdzhtxf.exe; trstdris.exe; ulyuiexeechp.exe; vestufck.exe; vfthrcbr.exe; xogyfhp.exe; ykphmbre.exe; ylynfste.exe; yxogltoo.exe.
• Dynamic Link Libraries: blztstulla.dll; blztstullc.dll; blztstullj.dll; blztstullp.dll; blztstulls.dll; blztstullt.dll; blztstully.dll; blztstullpr.dll; blztstulltr.dll; blztstulloo.dll; chksbdrlya.dll; eaeeishllblc.dll; eelykofrllfrpr.dll; eelykofrllfrj.dll; ealymfrprwch.dll; epllkeeoopr.dll; freabrlaouw.dll; gldqumssfrie.dll; hglllyxrxw.dll; icdrhwno.dll; heeachmstll.dll; meepajlr.dll; ousszidrta.dll; plg_ie*.dll; prxzoustustgr.dll; prnouestssstx.dll; quizbt*.dll; quglwachfs.dll; sstroallhqch.dll; tblchepruprgr.dll; trstshcrscksr.dll; ukfroigl.dll; upckeetoutw.dll; veaeyglckr.dll; woafrquzn.dll; yeecrsoustoull.dll; ziebaeeoaeepr.dll.
• Directory/Search Page: http://lop.com/ and many others.
• Uninstall page URL: See: How to Remove Lop.
• Related Articles: Important Removal Tool Note.
• Notes: Lop has utilized stealth downloads and has downloaded via bundling in the past. Some variants of this infection can also effect the Mozilla and Netscape browsers. See: How to Remove Lop.
  

CashToolBar

• Executable Files: cashtoolbar.exe.
• Dynamic Link Libraries: browseraidbarwnd.dll ; cashtoolbarie.dll.
• Directory/Search Page: http://www.cashtoolbar.com/.
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: See: How to Remove CashToolBar.

Claria, Gain, Gator

• Executable Files: cmessys.exe; fsg.exe; fsg-ag.exe; fsg*.exe; gain_trickler_*.exe.
• Dynamic Link Libraries:
• Directory/Search Page:
• Uninstall page URL: See: How to Remove Claria, Gain, Gator.
• Related Articles: Important Removal Tool Note.
• Notes: This infection generally downloads bundled with other software which the user has voluntarilty accepted. It utilizes a "trickler" technology designed to limit its use of processor time. It claims to be entirely removable via the Windows "Add/Remove Programs" utility. It provides uninstall instructions at the above URLs. See: How to Remove Claria, Gain, Gator.
  
  

ConfuSearch

• Executable Files: cisvc32.exe.
• Dynamic Link Libraries: ConfuSearch.dll; strad32.dll.
• Directory/Search Page:
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: See: How to Remove ConfuSearch.

How to Remove AproposMedia.

The following is a detail page of Virtual Grub Street's Adware & Malware Indentifier Index:

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.




AproposMedia, PeopleOnPage, POP

• Executable Files: 9yxuen.exe; addit.exe; all_files10.exe; aprload.exe; apropos.exe; apropos_client_loader.exe; apropos_uninstaller.exe; aufo.exe; autoupdate.exe; auto_update_install.exe; cxtpls.exe; dx8iext.exe; load.exe; magicinlayinstall.exe; midaddle.exe; monpop.exe; mv7dizbww.exe; mw.exe; mw_4s_stub.exe; notify.exe; ororoxid.exe; phomac.exe; popsrv225.exe; _ps_inst.exe; qnqyiee.exe; rcisp.exe; sepinst.exe; sfl.exe; shmhupnp.exe; sm1ay.exe; sysai.exe; update_1.exe; updater.exe; vmpremov.exe; wrifo.exe; z.exe; zga.exe.
• Dynamic Link Libraries: 199e866.dll; 6ktkk.dll; 7ggoo.dll; acsdir.dll; activeinstall2.dll; aproposplugin.dll; atla.dll; atlw.dll; cxtpls.dll; directxvercheck.dll; dsetup.dll; dsetup16.dll; dsetup32.dll; pop225.dll; pophook4.dll; proxystub.dll; qnqyiee.dll; qtinstallerhelper.dll; sidesearch.dll; toolbar.dll; truetypefontinfo.dll; wingenerics.dll; write_ph.dll; z.dll; zga.dll.
• Directory/Search Page:
• Uninstall page URL:
• Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. Important Removal Tool Note.
• Notes: According to the Spyware Information Center, this infection is also known as Adware/Apropos [Panda], Adware/SideSearch [Panda], Adware/WinTools [Panda], Backdoor.Agent.ag [Kaspersky], Trj/Upseter.A [Panda], TrojanDownloader.Win32.Apropo.b [Kaspersky], TrojanDownloader.Win32.Apropo.g [Kaspersky], Win32/Agent.AG trojan [Eset], Win32/TrojanDownloader.Apropo.B trojan [Eset], Win32/TrojanDownloader.Apropo.G trojan [Eset]. It is sometimes possible to remove this infecftion via the Windows Add/Remove Programs utility. The program will be listed as "AM Server," "POP," "SysAI," and/or "CtxPls". This malware can be removed by the freeware versions of both Lavasoft's Ad-Aware and SpyBot S&D.

Also See:

• Man-Boy Love Advocate Accused of Using Wikipedia to Troll for Interested Parties (March 4, 2007). Rookie Revolyob, Clayboy, Zanthalon, et al: Why is Wikpedia a Pedophile Haven?

How to Remove DyFuCa.

The following is a detail page of Virtual Grub Street's Adware & Malware Indentifier Index:

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.



DyFuCa

• Executable Files: actalert.exe; goldentiger.exe; idctup20.exe; optimize.exe; thi6026.tmp\preinstt.exe; ssupdate.exe; view-m~1.exe.
• Dynamic Link Libraries: iopti130.dll; nem207.dll; nem211.dll; nem214.dll; nem219.dll; nem220.dll; wsem210.dll; wsem216.dll; wsem218.dll; wsem302.dll; wsem303.dll.
• Directory/Search Page:
• Uninstall page URL:
• Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. Important Removal Tool Note.
• Notes: DyFuCa is a porn dialer trojan. When downloaded as part of InternetOptimizer, it is also a 404 page ("Page Not Found") hijacker. The Spyware Information Center lists the following aliases: Spyware/Dyfuca [Panda], Spyware/SafeSurf [Panda], TrojanDownloader.Win32.Dyfuca.bw [Kaspersky], TrojanDownloader.Win32.Dyfuca.cn [Kaspersky], TrojanDownloader.Win32.Dyfuca.dc [Kaspersky], Trojan-Downloader.Win32.Dyfuca.dp [Kaspersky], TrojanDownloader.Win32.Dyfuca.gen [Kaspersky], Win32/TrojanDownloader.Dyfica.NAB trojan [Eset], Win32/TrojanDownloader.Dyfica.NAC trojan [Eset]. This infection can be removed by Lavasoft's Ad-Aware freeware.
  

Also See:

• Man-Boy Love Advocate Accused of Using Wikipedia to Troll for Interested Parties (March 4, 2007). Rookie Revolyob, Clayboy, Zanthalon, et al: Why is Wikpedia a Pedophile Haven?

How to Remove HuntBar.

The following is a detail page of Virtual Grub Street's Adware & Malware Indentifier Index:

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.



HuntBar

• Executable Files: wtoolss.exe.
• Dynamic Link Libraries: ...btiein.dll; ...msielink.dll; ...msiein.dll; ...qdow.dll; ...SToolbar.dll; ...toolbar.dll; ...WToolsB.dll.
• Directory/Search Page:
• Uninstall page URL:
• Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. Important Removal Tool Note.
• Notes: "Toolbar.dll" is a name widely used for legitimate and malware BHOs. It is not necessarily indicative of a particular BHO.
• This infection can be removed by SpyBot S&D.

Also See:

• Man-Boy Love Advocate Accused of Using Wikipedia to Troll for Interested Parties (March 4, 2007). Rookie Revolyob, Clayboy, Zanthalon, et al: Why is Wikpedia a Pedophile Haven?

Adware & Malware Identifier Index: Letter S.

The following is an in-progress index of some of the more common malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it comes available. Revision dates will be listed in parenthesis next to the revised/updated item.

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.





SearchBus

• Executable Files:
• Dynamic Link Libraries: sbus.dll.
• Directory/Search Page: http://www.searchbus.com/
• Uninstall page URL:
• Related Articles:
• Notes:
  

SearchForFree

• Executable Files: htmlsync.exe; icasserv.exe; isystem.exe; ldriver.exe; zlibc.exe.
• Dynamic Link Libraries: k6c40rvk.dll; rcj.dll.
• Directory/Search Page: http://www.searchforfree.info/.
• Uninstall page URL:
• Related Articles: HijackThis vs. SearchForFree (June 15, 2005); Important Removal Tool Note.
• Notes: The file "icasserv.exe" is the downloader for this infection and is a also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM , TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd) . The file "nvdsvc32.exe" is associated with "icasserv.exe" and may be present. The most recent variant of this infection downloads the file "zlibc.exe" instead of "icasserv.exe". The file zlibc.exe indicates that the infection is being downloaded by the Troj/Chorus-A (a.k.a. AdClicker-CM and Trojan-Clicker.Win32.Small.ft ) as of late June 2005. As of early July 2005, it is not clear whether fixes for the "fd" version of the infection work for the "ft" version. See: How to Remove SearchForFree.

SearchHH, SearchMeUp, UmaxSearch, WhitePages

• Executable Files: C:\WINDOWS\SYSTEM\explorer32.exe; ...nvidia32.exe; ...systime.exe.
• Dynamic Link Libraries:
• Directory/Search Page: http://www.searchmeup.com/; http://search-center.com/search.
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: See: How to Remove SearchMeUp.

EliteBar Toolbar, EliteSideBar, ETBRUN, SearchMiracle, YupSearch

• Executable Files: O4 - HKLM\..\Run: [etbrun] c:\windows\system32\elite***32.exe; eliteabu32.exe; elitebhi32.exe; elitebyj32.exe; elitecfh32.exe; eliteckj32.exe; elitecla32.exe; elitedbt32.exe; elitedph32.exe; elitednv32.exe; eliteetx32.exe; eliteeys32.exe; elitefmj32.exe; elitegdp32.exe; elitehaf32.exe; elitehln32.exe; elitehxt32.exe; eliteine32.exe; eliteizj32.exe; elitejhs32.exe; elitejko32.exe; elitekck32.exe; elitekpi32.exe; elitekyk32.exe; elitelaj32.exe; elitelfv32.exe; elitelgy32.exe; elitemoa32.exe; elitemol32.exe; elitemuc32.exe; elitenii32.exe; elitenne32.exe; elitenrz32.exe; eliteoey32.exe; eliteosm32.exe; eliteoxx32.exe; eliteozz32.exe; elitepam32.exe; elitepdt32.exe; elitepye32.exe; elitepys32.exe; elitervh32.exe; eliterwr32.exe; eliteuej32.exe; eliteutt32.exe; eliteuzz32.exe; elitevaj32.exe; elitewjf32.exe; elitewug32.exe; elitewvn32.exe; elitexlp32.exe; elitexxe32.exe; elitexyi32.exe; eliteyif32.exe; elitezgx32.exe; elitezvo32.exe; elitezwk32.exe; etc. C:\windows\system32\kalv***32.exe; c:\windows\nail.exe.
• Dynamic Link Libraries: C:\WINDOWS\EliteBar\EliteBar version 50.dll; C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll; etc.
• Directory/Search Page: http://www.audioseek.net/; http://ad1.searchmiracle.com/ http://www.searchmiracle.com/; http://www.yupsearch.com/search.php.
• Uninstall Page URL: Direct download link/file from search directory pages. An uninstall file is also downloaded along with the infection but is reputed to be ineffective.
• Related Articles: More on Variant ADW_ELITEBAR.D.(May 27, 2005); Diabolical New EliteBar Variant Strikes the Web!!!! (May 22, 2005); EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005); HijackThis vs. the Elitebar Removal Tool (April 23, 2005); EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005); HijackThis vs. SearchMiracle/EliteBar (April 11, 2005); How to Remove SearchMiracle/ EliteBar (February 27, 2005); Important Removal Tool Note.
• Notes: Automatically reinstalls upon removal. The EliteBar Removal Tool can not remove the variant adw_elitebar.d. See Diabolical New EliteBar Variant Strikes the Web!!!! and More on Variant ADW_ELITEBAR.D for further details.
  
  

SearchRelevancy

• Executable Files: ...searchrelevancy\uninstall.exe.
• Dynamic Link Libraries: searchrelevancy.dll.
• Directory/Search Page: None.
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: According to DoxDesk, "SearchRelevancy is an Internet Explorer Browser Helper Object (BHO) that adds advertising links to search engine results pages as fake results. Clicking the links sends the browser to the listed site via a hidden redirect through searchbrowser.com which adds affiliate codes to the URL. " See: How to Remove SearchRelevancy.
  

KeenValue, SearchUpgrader Toolbar

• Executable Files: SearchUpgrader.exe.
• Dynamic Link Libraries: bho.dll; pwrs0rbi.dll; IncFindBHO.dll.
• Directory/Search Page: http://www.searchupgrader.com/.
• Uninstall Page URL:
• Related Articles: Important Removal Tool Note.
• Notes: Some versions of these infections are also known as eUniverse (Ad-Aware), KeenValue (Mcafee), Euniverse (PestPatrol), PowerSearch (PestPatrol), eUniverse.IncrediFind (Spybot), KeenValue.PerfectNav (Spybot), Adware.Keenval (Symantec), SPYW_KEENVAL.A (Trend Micro). See: How to Remove KeenValue.

ISTBar, SideFind.

• Executable Files: gjefpet.exe; istdownload.exe; istrecover.exe; istsvc.exe; juhpad.exe; sfsetup.exe; sidefind.exe; srchupdt.exe.
• Dynamic Link Libraries: cmctl.dll; istactivex.dll; istbar.dll; istbarcm.dll; istbar_dh.dll; mscache.dll; sfbho.dll; sidefind.dll; sidefind13.dll; srchfst.dll; ysb.dll; ysbactivex.dll.
• Directory/Search Page:
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: According to the Spyware Information Center, this infection is also known as: Adware/SearchFast [Panda], Adware/SideFind [Panda], Spyware/ISTbar [Panda], Trojan Horse [Panda], TrojanDownloader.Win32.Istbar.eo, TrojanDownloader.Win32.IstBar.gen [Kaspersky]. This infection is spread by stealth downloads, generally from game and porn sites. Numerous variants are at large and some may not be removable by the removal tool referenced on this page. All variants use a corresponding variant of the TrojanDownloader.Win32.IstBar. ISTBar may download various other parasites while installed. These items may have to be removed separately. See: How to Remove ISTBar.

Sweetbar

• Executable Files: C:\Windows\System32\web.exe.
• Dynamic Link Libraries:
• Directory/Search Page: http://www.sweetbar.com/
• Uninstall page URL:
• Related Articles: None.
• Notes: Downloaded by Trojan.Anicmoo which utilizes Windows vulnerability described in Microsoft Security Bulletin MS05-002: "Cursor and Icon Format Handling Vulnerability - CAN-2004-1049: A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. " The trojan downloads the file "SecurityRisk.Downldr" which downloads "update.txt" which in turn downloads the Browser Helper Object (BHO) to connect to http://www.sweetbar.com/.

Adware & Malware Indentifier Index: Letter M.

The following is an in-progress index of some of the more common malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it comes available. Revision dates will be listed in parenthesis next to the revised/updated item.




The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.





Mirar Toolbar

• Executable Files: HKLM\..\Run: [t7Eh39Q] mlaodctr.exe; HKLM\...\MirarSetup.exe; HKCU\..\Run: [cwxnRVc4X] mcdresizem6.exe.
• Dynamic Link Libraries: NN_Bar**.dll; WinDmy.dll; Winnb**.dll.
• Directory/Search Pages: http://awbeta.net-nucleus.com/ and http://ny.contentmatch.net/.
• Uninstall Page URL: See: How to Remove Mirar Toolbar.
• Related Articles: Is Google Associated with a SearchMiracle Knock-Off? (April 27, 2005). "A question begs the asking: How does NetNucleus generate revenue from its Mirar Toolbar search directory if it enters search terms in the Google Search Engine?" Important Removal Tool Note.
• Notes: See: How to Remove Mirar Toolbar.
  
  
  

MySearchBar, MyWay Speed Bar, MyWebSearch

• Executable Files: hbinst.exe; s4bareq.exe; s42ns.exe; mwsoemon.exe; my2ns.exe; mysetp.exe; mysetup1.exe; websearch1.exe.
• Dynamic Link Libraries: f3htmlmu.dll; hbhostie.dll; msiehobj.dll; mybar.dll; mypopswt.dll; mysrchas.dll; mwsbar.dll; mwsoestb.dll; mwssrcas.dll; npmyway.dll; s4bar.dll.
• Directory/Search Page: http://www.mysearch.com/jsp/home.jsp; http://bar.mywebsearch.com/menusearch.
• Uninstall Page URL:
• Related Articles: None.
• Notes:

Adware & Malware Indentifier Index: Letter I.

The following is an in-progress index of some of the more common malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it comes available. Revision dates will be listed in parenthesis next to the revised/updated item.

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.



If you are seeking information on generic winREG.lowzones.f, Virtual Grub Street's "How to Remove ISearchTech.SindFind" page, which was the number one listing for most lowzones.f keywords, until 12/03/06, when it was removed from search engine coverage, two days after the rush began (mostly in Western Europe) for lowzones.f information, you can find it >>> here.

If you wish to go directly to VGS's new "How to Remove Trojan.winreg.LowZones.f" page, click >>> here.

Should you be looking for neither, please feel free to continue.

Ibis Toolbar

• Executable Files: wintools.exe; wsup.exe; wtoolsa.exe.
• Dynamic Link Libraries: common.dll; toolbar.dll.
• Directory/Search Page: http://www.websearch.com/.
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: This malware is related to HuntBar and WinTools. "toolbar.dll" and "common.dll" are names used for legitimate and malware BHOs. They are not necessarily indicative of a particular BHO. See: How to Remove Ibis Toolbar.

IELoader

• Executable Files: aaa.exe; bbb.exe; iagold.exe; msudpb.exe ; py.exe; zzb.exe.
• Dynamic Link Libraries: ieloader.dll; msudpb.dll.
• Directory/Search Page:
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: Added by TrojanDownloader.Small.RR. Installs TrojanDialer.Freeload, which, according to Symantec, "is an ActiveX component that can be used by Web pages to download dialer programs. The dialer program may be used to access premium-rate services including pornographic and astrological services." See: How to Remove IELoader.

ILookUp

• Executable Files:
• Dynamic Link Libraries: abeb.dll; bmeb.dll; chrgrs.dll; drbr.dll; ineb.dll.
• Directory/Search Page: http://www.i-lookup.com/;http://domainhop.com/domain.cool?domain=hardsexhouse.com.
• Uninstall page URL:
• Related Articles: Important Removal Tool Note.
• Notes: See: How to Remove I-LookUp.
  

ISearchTech.SideFind

• Associated Worms/Trojans:

Downloader.Dyfica.3.L (Grisoft ); Troj/LowZone-AL [a.k.a. Downloader-QG; QLowZones-26; Trojan.WinREG.LowZones.f ]; Troj/SideFind-A; TR/Spy.Shutcom; TrojanDownloader:Win32/IstBar.EO; W32/Istbar.O@dl.

Executable Files: sfexd001.exe; sidefind.exe; sidefind[1].exe; istrecover[1].exe; sskc.exe; ISTsvc.exe.

Dynamic Link Libraries: sfbho.dll; sidefind.dll.

Directory/Search Page:

Uninstall page URL:

Related Articles: How to Remove YourSiteBar; ISearchTech.SideFind Update (08-27-05); How to Remove ISTBar; How to Remove Trojan.winreg.LowZones.f; Important Removal Tool Note.

Notes: Click this link for instructions on >>> How to remove generic / stand-alone versions of Trojan.winREG.LowZones.f.

Variations on this infection are also known as Troj/SideFind-A [Sophos], ADW_SideFind-A [TrendMicro] and ADW_sideFind-C [TrendMicro]. This group of trojan downloaded side bars may be identified by one of the following values being detected in the HKEY_USERS section of the registry: {8CBA1B49-8144-4721-A7B1-64C578C9EED7}; {10E42047-DEB9-4535-A118-B3F6EC39B807}. See: How to Remove ISearchTech.SideFind.

ISearchTech.YSB, YourSiteBar

• Associated Worms/Trojans: Troj/LowZone-AL [a.k.a. Downloader-QG; QLowZones-26; Trojan.WinREG.LowZones.f ].
• Executable Files:
• Directory/Search Page:
• http://www.sidefind.com/ist/softwares/sidefind/; http://www.sidefind.com/ist/softwares/sidefind/v1.3/.
• Uninstall page URL: See "How to Remove YourSiteBar."
• Related Articles: How to Remove ISearchTech.SideFind; ISearchTech.SideFind Update (08-27-05); How to Remove ISTBar; How to Remove Trojan.winreg.LowZones.f; Important Removal Tool Note.
• Notes: Click this link for instructions on >>> How to remove generic / stand-alone versions of Trojan.winREG.LowZones.f.
• As of 10/03/05, according to the YSB EULA, this software comes bundled with the following additional adware: BullsEye; ContextPlus; DealHelper; Internet Optimizer; ShopAtHomeSelect; and Surfaccuracy. See "How to Remove YourSiteBar."

ISTBar, SideFind.

• Associated Worms/Trojans:
• Executable Files:

gjefpet.exe; istdownload.exe; istrecover.exe; istsvc.exe; juhpad.exe; sfsetup.exe; sidefind.exe; srchupdt.exe.

Dynamic Link Libraries: cmctl.dll; istactivex.dll; istbar.dll; istbarcm.dll; istbar_dh.dll; mscache.dll; sfbho.dll; sidefind.dll; sidefind13.dll; srchfst.dll; ysb.dll; ysbactivex.dll.

Directory/Search Page:

Uninstall page URL:

Related Articles: How to Remove YourSiteBar; How to Remove ISearchTech.SideFind; ISearchTech.SideFind Update (08-27-05); Important Removal Tool Note.

Notes: According to the Spyware Information Center, this infection is also known as: Adware/SearchFast [Panda], Adware/SideFind [Panda], Spyware/ISTbar [Panda], Trojan Horse [Panda], TrojanDownloader.Win32.Istbar.eo, TrojanDownloader.Win32.IstBar.gen [Kaspersky]. This infection is spread by stealth downloads, generally from game and porn sites. Numerous variants are at large and some may not be removable by the removal tool referenced on this page. All variants use a corresponding variant of the TrojanDownloader.Win32.IstBar. ISTBar may download various other parasites while installed. These items may have to be removed separately. See: How to Remove ISTBar.

How to Remove Lop.

The following is a detail page of Virtual Grub Street's Adware & Malware Indentifier Index:

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.


C2, Lop

• Executable Files: asshuktr.exe; bilyooas.exe; byb_save.exe; crgbeaoa.exe; dmvcrthl.exe; eaymulyl.exe; eeublidc.exe; glxshmcr.exe; ijlysseb.exe; jqumysto.exe; kfriegbs.exe; llfggrdr.exe; lltckiey.exe; lopsearc.exe; meemnckyqbr.exe; meepajlr.exe; mprcouie.exe; oofrkxpe.exe; peebqusz.exe; quveioot.exe; shoucrck.exe; ssmeeibl.exe; tchpeatr.exe; tglblrll.exe; trdzhtxf.exe; trstdris.exe; ulyuiexeechp.exe; vestufck.exe; vfthrcbr.exe; xogyfhp.exe; ykphmbre.exe; ylynfste.exe; yxogltoo.exe.
• Dynamic Link Libraries: blztstulla.dll; blztstullc.dll; blztstullj.dll; blztstullp.dll; blztstulls.dll; blztstullt.dll; blztstully.dll; blztstullpr.dll; blztstulltr.dll; blztstulloo.dll; chksbdrlya.dll; eaeeishllblc.dll; eelykofrllfrpr.dll; eelykofrllfrj.dll; ealymfrprwch.dll; epllkeeoopr.dll; freabrlaouw.dll; gldqumssfrie.dll; hglllyxrxw.dll; icdrhwno.dll; heeachmstll.dll; meepajlr.dll; ousszidrta.dll; plg_ie*.dll; prxzoustustgr.dll; prnouestssstx.dll; quizbt*.dll; quglwachfs.dll; sstroallhqch.dll; tblchepruprgr.dll; trstshcrscksr.dll; ukfroigl.dll; upckeetoutw.dll; veaeyglckr.dll; woafrquzn.dll; yeecrsoustoull.dll; ziebaeeoaeepr.dll.
• Directory/Search Page: http://lop.com/ and many others.
• Uninstall page URL: The Lop help page http://lop.com/help.html offers a "universal uninstall" download from http://lop.com/new_unistall.exe.
• Related Articles: Fighting Malware with Standard Windows Tools (February 25, 2007). You may have more in your bag of tricks than you realize. Important Removal Tool Note.
• Notes: Lop has utilized stealth downloads and has downloaded via bundling in the past. Some variants of this infection can also effect the Mozilla and Netscape browsers. Some variants can be entirely or partially unistalled from the standard "Add/Remove Programs" utility.
• This infection can be removed by the freeware versions of both Lavasoft's Ad-Aware and Spybot S&D.

Also See:

• Man-Boy Love Advocate Accused of Using Wikipedia to Troll for Interested Parties Who needs malware when there's Wikipedia? (March 4, 2007).