Wednesday, December 21, 2011

The Most Dangerous Adware of 2011 and How to Remove It

 

Adware is software that periodically pops up advertisements on a user's computer. It displays ads targeted to the individual user based on keywords entered in search engines and the types of Web sites the user visits. The marketing data is collected periodically and sent in the background to the adware Web server. Adware is also known as "contextual marketing."

If adware is installed on the user's machine without disclosure, it is considered "spyware." Such programs are often delivered as part of another download the user actually did want, but without any notification. Since software licenses are rarely read, there is controversy over what is legitimate adware versus spyware.

Some adware is also shareware, and so the word may be used as a term of distinction to differentiate between types of shareware software. What differentiates adware from other shareware is that it is primarily advertising-supported. Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements.

Adware.Favorit Symptoms

When executed, Favorit creates the following files:

  • %UserProfile%\Application Data\[RANDOM ALPHABETIC CHARACTERS].dat
  • %UserProfile%\Application Data\[RANDOM ALPHABETIC CHARACTERS].exe
  • %UserProfile%\Application Data\[RANDOM ALPHABETIC CHARACTERS]_nav.dat
  • %UserProfile%\Application Data\[RANDOM ALPHABETIC CHARACTERS]_navps.dat

Favorit also adds the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[RANDOM ALPHABETIC CHARACTERS]
  • HKEY_CURRENT_USER\Software\fcn

The final step is to create this registry entry, which ensures that the software starts along with Windows:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM ALPHABETIC CHARACTERS]": "%USERAPPDATA%\[RANDOM ALPHABETIC CHARACTERS].exe"

How To Remove Adware Favorit

Locate the following shortcuts and identify where they are pointing. To check where a shortcut points, right-click it and choose "Properties" from the context menu that appears.

  • Shortcuts named "<$ENV(FAVORIT)>.lnk" and pointing to "<$PROGRAMFILES>\<$ENV(FAVORIT)>\*.exe".
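The Favorit file and Run-key pattern listed above can be checked for mechanically. The following is an added example, not part of the original post: it flags HKCU Run entries that launch an all-letters .exe sitting directly in Application Data and counts how many of the three companion .dat files sit beside it. The function names, the sample data and the "AppData\Roaming" folder name are assumptions of this example.

```python
import ntpath
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
COMPANIONS = (".dat", "_nav.dat", "_navps.dat")  # files listed beside the .exe
APPDATA_DIRS = ("\\application data", "\\appdata\\roaming")  # assumed names


def audit_run_entries(entries, list_dir):
    """List (value name, exe path, companion hits) for suspect Run data."""
    findings = []
    for name, command in entries.items():
        # Run data may be quoted and carry arguments: keep the image path.
        m = re.match(r'\s*"?(.+?\.exe)\b', command, re.IGNORECASE)
        if not m:
            continue
        folder, filename = ntpath.split(ntpath.normpath(m.group(1)))
        stem = filename[:-4]
        if not (re.fullmatch("[A-Za-z]+", stem)
                and folder.lower().endswith(APPDATA_DIRS)):
            continue
        try:
            present = {f.lower() for f in list_dir(folder)}
        except OSError:  # stale Run entry: the folder no longer exists
            present = set()
        hits = sum((stem + s).lower() in present for s in COMPANIONS)
        findings.append((name, ntpath.join(folder, filename), hits))
    return findings


def read_hkcu_run():
    """Windows only: {value name: expanded command} from the HKCU Run key."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        values = [winreg.EnumValue(key, i) for i in range(count)]
    return {n: winreg.ExpandEnvironmentStrings(str(d)) for n, d, _ in values}


# Constructed sample data (not taken from a real host).
SAMPLE_DIR = r"C:\Documents and Settings\bob\Application Data"
SAMPLE_RUN = {"qzvkdt": f'"{SAMPLE_DIR}\\qzvkdt.exe"',
              "Updater": r'"C:\Program Files\Vendor\updater.exe" /tray',
              "notes": SAMPLE_DIR + r"\notes.exe"}
SAMPLE_FILES = ["qzvkdt.exe", "qzvkdt.dat", "qzvkdt_nav.dat",
                "qzvkdt_navps.dat", "notes.exe"]

if __name__ == "__main__":
    print(audit_run_entries(SAMPLE_RUN, lambda folder: SAMPLE_FILES))
```

On a Windows host, `audit_run_entries(read_hkcu_run(), os.listdir)` runs the same check against the live registry and file system. An entry with zero companion hits only matches on name and location and needs manual review.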

Adware.Gen Aliases and Variants

not-a-virus:AdWare.Win32.AdMedia.ed [Kaspersky], AdWare.AdMedia.ED [Ikarus], AdWare.AdMedia.ed [PC Tools], Adware-Cinmus!f [McAfee], Generic PUP.x [McAfee], Adware.PigSearch [Symantec], Adware:Win32/Zhongsou [Microsoft]

Adware.Hotbar

Adware.Hotbar adds graphical skins to the Internet Explorer, Microsoft Outlook, and Outlook Express toolbars and also adds its own toolbar and search button. These custom toolbars have keyword-targeted advertisements built into them. Hotbar displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer, and its buttons can change depending on the current Web page and the keywords on that page. Clicking a button on the toolbar may open an advertiser Web site or paid search site. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.

Adware.Hotbar Symptoms


When executed, Hotbar creates the following folders:

  • %ProgramFiles%\Hotbar
  • %ProgramFiles%\ShopperReports
  • %ProgramFiles%\HbTools
  • %UserProfile%\Application Data\Hotbar
  • %UserProfile%\Application Data\ShopperReports
  • %UserProfile%\Application Data\HbTools


Next, Hotbar adds these files:

  • HbInstIE.dll
  • hotbar.exe
  • HBCORESRV.DLL
  • HBINST.EXE
  • HbToolbar.dll
  • HBHOSTOE.DLL
  • HBHOSTOL.DLL


Hotbar also adds the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WeatherOnTray" = "%ProgramFiles%\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Hotbar" = "%ProgramFiles%\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM VALUE]" = "%System%\[RANDOM NAME].exe"
 

Adware.lop

Adware.lop is an adware program that adds its own toolbar and search button to Internet Explorer.

Adware.lop Symptoms


When executed, adware.lop:

Creates the following files:

  • %UserProfile%\Application Data\[RANDOM CHARACTERS].dll

Adds the .dll file as a Browser Helper Object in the registry.

May create multiple copies of the following files:

  • %Windir%\[RANDOM FILE NAME].htm
  • %Windir%\[RANDOM FILE NAME].gif

May create the following files:

  • %Temp%\Delete.me\Xpp.idx
  • %Temp%\Delete.me\Tbt.idx

Adds a toolbar and search button to Internet Explorer.

Adds one of the values:

  • "(Default)" = "%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]"
  • "(Default)" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].dll"

to one of the following registry subkeys:

  • HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID]\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]\InprocServer32
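The Browser Helper Object registration described above can be audited by resolving each registered BHO CLSID to its InprocServer32 "(Default)" path. The following is an added example, not part of the original post: it flags BHOs whose DLL loads from the user profile or whose CLSID has no server path. The BHO key path is the standard Windows location rather than a value from the page, and the function names, CLSIDs and paths are constructed for illustration.

```python
import ntpath

BHO_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
# Assumption: per-user data roots, where an add-on DLL is unexpected.
USER_DIRS = ("\\application data\\", "\\appdata\\")


def audit_bhos(clsids, inproc_server):
    """List (clsid, dll, reason) for BHOs whose InprocServer32 needs review."""
    findings = []
    for clsid in clsids:
        dll = inproc_server(clsid)
        if not dll:
            findings.append((clsid, None, "no InprocServer32 path"))
            continue
        folder = ntpath.dirname(ntpath.normpath(dll.strip('" '))).lower()
        if any(root in folder + "\\" for root in USER_DIRS):
            findings.append((clsid, dll, "DLL under user profile"))
    return findings


def read_bhos():
    """Windows only: return (BHO CLSID list, InprocServer32 resolver)."""
    import winreg

    def inproc_server(clsid):
        sub = "CLSID\\" + clsid + "\\InprocServer32"
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, sub) as key:
                value = winreg.QueryValueEx(key, "")[0]  # "(Default)" value
            return winreg.ExpandEnvironmentStrings(str(value))
        except OSError:
            return None

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)], inproc_server


# Constructed sample data (CLSIDs and paths are made up).
SAMPLE_INPROC = {
    "{11111111-1111-1111-1111-111111111111}":
        r"C:\Documents and Settings\bob\Application Data\kxqpw.dll",
    "{22222222-2222-2222-2222-222222222222}":
        r"C:\Program Files\Vendor\toolbar.dll",
    "{33333333-3333-3333-3333-333333333333}": None,
}

if __name__ == "__main__":
    print(audit_bhos(SAMPLE_INPROC, SAMPLE_INPROC.get))
```

On a Windows host, `audit_bhos(*read_bhos())` runs the check against the live registry. The %ProgramFiles% variant listed above cannot be told apart by location alone, so BHOs under Program Files still need to be reviewed by name and publisher.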
