Adware:Win32/Lollipop


Microsoft security software detects and removes this program.

This adware program shows ads as you browse the web. It can also redirect your search engine results, monitor what you do on your PC, download applications, and send information about your PC to a hacker.

It can be downloaded from the program's website or bundled with some third-party software installation programs.

Find out more about how and why we identify potentially unwanted software.



What to do now

This program poses a high threat to your PC.

Remove programs

You might need to manually remove this program:

The entry for this program may be called "Lollipop".

If an uninstaller is not available, does not work properly, or you do not want to use it, you can use the following free tools to detect and remove this program and other potentially unwanted software from your PC:

You should also run a full scan. A full scan might find other, hidden threats.

Remove browser add-ons

You might need to remove add-ons from your browser:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Adware:Win32/Lollipop may be installed by third-party software bundlers, like SoftwareBundler:Win32/Lollipox and SoftwareBundler:Win32/Lollipos.

If you decline to let the software bundler install Adware:Win32/Lollipop, it will not be installed on your PC.

The following are screenshots of some of the software installers we have observed installing Adware:Win32/Lollipop:

Adware:Win32/Lollipop is installed with the name lollipop.exe into the following folder:

%LOCALAPPDATA%\Lollipop

When run, Adware:Win32/Lollipop creates the following files:

The program sets itself to run every time Windows starts in one of three ways, which it chooses depending on your version of Windows and what security software you have installed.

The three ways are:

  • By changing the following registry entry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: lollipop
    With data: "%LOCALAPPDATA%\Lollipop\lollipop.exe" lollipop
  • By changing the following registry entry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: lollipop
    With data: "%LOCALAPPDATA%\Lollipop\lollipop.exe" lollipop
  • By dropping a shortcut to itself in the Windows <startup folder> as Lollipop.lnk

Adware:Win32/Lollipop creates an installation entry in the Programs and Features section of the Control Panel, as follows:

Running this uninstaller may remove some or all of the files related to the adware from your PC.

Behavior

Adware:Win32/Lollipop displays pop-up advertisements to you as you browse the Internet. These ads are based on keywords you enter into certain search engines. The ads differ depending on your geographical location and may be pornographic in nature.

The following is an example of the categories of advertisements displayed:

Redirects search engine results

The adware redirects search results from certain search engines, including the following:

  • Alot
  • AOL
  • Ask
  • Avg
  • Babylon
  • Bing
  • Chatzum
  • claroSearch
  • Conduit
  • DaleSearch
  • Delta
  • Ebay
  • Facemoods
  • Funmoods
  • Google
  • Incredibar
  • MSN
  • mysearch
  • Mywebsearch
  • Softonic
  • Sweetim
  • Yahoo

The adware redirects results when you use the following browsers:

  • AOL
  • Firefox
  • Google Chrome
  • Internet Explorer
  • Opera
  • Safari

For Firefox, the adware may also add an extension named {773F14E2-D643-4642-905E-1124C9A2170B}.xpi by changing the following registry entry:

In subkey: <HKLM or HKCU>\Software\Mozilla\Extensions
Sets value: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
With data: "{773F14E2-D643-4642-905E-1124C9A2170B}.xpi"

For Google Chrome, the adware may also add an extension named nchpfiddbhbdnagofhkjlaiaejmkdcla.crx by changing the following registry entries:

In subkey: <HKLM or HKCU>\Software\Google\Chrome\Extensions\nchpfiddbhbdnagofhkjlaiaejmkdcla
Sets value: path
With data: "nchpfiddbhbdnagofhkjlaiaejmkdcla.crx"

In subkey: <HKLM or HKCU>\Software\Wow6432Node\Google\Chrome\Extensions\nchpfiddbhbdnagofhkjlaiaejmkdcla
Sets value: path
With data: "nchpfiddbhbdnagofhkjlaiaejmkdcla.crx"
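The startup entries and browser extension registrations described above can be checked on a PC with a read-only PowerShell script. This is an added example, not a Microsoft tool; it assumes it is run in the affected user's session, and Get-RegValue is a helper defined here for illustration.

```powershell
# Added example: read-only check for the Lollipop artefacts this page lists.
# Get-RegValue is a helper defined here; it returns $null when the key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
}

$findings = New-Object 'System.Collections.Generic.List[string]'

# Installed binary: %LOCALAPPDATA%\Lollipop\lollipop.exe
$exe = Join-Path $env:LOCALAPPDATA 'Lollipop\lollipop.exe'
if (Test-Path -LiteralPath $exe) { $findings.Add("File present: $exe") }

# Autostart: value "lollipop" under HKCU Run or RunOnce
foreach ($key in 'Run', 'RunOnce') {
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$key"
    $data = Get-RegValue $path 'lollipop'
    if ($null -ne $data) { $findings.Add("Autostart value: $path -> $data") }
}

# Autostart: Lollipop.lnk in the per-user or all-users Startup folder
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if ($dir -and (Test-Path -LiteralPath (Join-Path $dir 'Lollipop.lnk'))) {
        $findings.Add("Startup shortcut: $(Join-Path $dir 'Lollipop.lnk')")
    }
}

# Browser extension registrations, checked in both hives as the page describes
$xpi = '{773F14E2-D643-4642-905E-1124C9A2170B}.xpi'
$crx = 'nchpfiddbhbdnagofhkjlaiaejmkdcla'
foreach ($hive in 'HKCU:', 'HKLM:') {
    $ff = Get-RegValue "$hive\Software\Mozilla\Extensions" '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}'
    if ("$ff" -like "*$xpi*") { $findings.Add("Firefox extension entry in $hive") }
    foreach ($node in 'Software', 'Software\Wow6432Node') {
        $key = "$hive\$node\Google\Chrome\Extensions\$crx"
        if ("$(Get-RegValue $key 'path')" -like "*${crx}.crx*") {
            $findings.Add("Chrome extension entry: $key")
        }
    }
}

if ($findings.Count) { $findings } else { 'No Lollipop artefacts from this page were found.' }
```

The HKCU checks only cover the account running the script, so repeat it for each user profile on a shared PC.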

Adware:Win32/Lollipop sends the following information about your PC to a remote server:

  • The status of any antimalware or antispyware software you have
  • The status of your firewall
  • The locale or region where your PC is located
  • Your Internet browsing history
  • Information about your browser session, like the websites you have visited

In the wild, we have observed variants of Adware:Win32/Lollipop contact the following servers via HTTP port 80:

  • www.lollipop-network.com/<removed>.php
  • www.andocomparando.es/<removed>/product_check.php
  • www.andocomparando.es/<removed>/script.php

Analysis by Jaime Wong, Geoff McDonald and Michael Johnson


Symptoms

The following could indicate that you have this program on your PC:

  • You see pop-up ads
  • You see these icons or programs on your desktop, in the Start menu or Start screen, or on your taskbar:


Prevention


Alert level: High
First detected by definition: 1.155.137.0
Latest detected by definition: 1.179.849.0 and higher
First detected on: Jul 17, 2013
This entry was first published on: Jul 17, 2013
This entry was updated on: Aug 22, 2014

This threat is also detected as:
  • Skintrim.DVYD (Norman)
  • Adware.Lollipop (BitDefender)
  • Adware.Lollipop (F-secure)
  • AdWare.Win32.Lollipop.dm (Kaspersky)