
Adware:Win32/Hotbar


Adware:Win32/Hotbar is an adware program that displays advertisements as you browse the web.

It also installs other adware components related to Win32/ClickPotato and Win32/ShopperReports. Hotbar also installs "skins" that make Internet Explorer, Outlook, and Outlook Express look different.

It may be installed on your computer alongside other software, or you may have downloaded it from a website that mimics another one, such as those seen below:

[Screenshots: PinBall Audacity website compared with the legitimate Audacity website; PinBall ARES website compared with the legitimate ARES website]



What to do now

This program may create an uninstaller that can be accessed from the Control Panel. Running this uninstaller may remove some or all of the files related to the program:

  • For Windows 8, open the Start screen, type Uninstall and then go to Settings. In the search results, go to Uninstall a program.
  • For Windows 7 and Vista, open the Start menu and navigate to Control Panel > Programs > Uninstall a Program.
  • For XP, open the Start menu and navigate to Control Panel > Add or Remove Programs.

The entry for this program may be called "Hotbar Browser", "Weather" or "Wowpapers Tools".

If an uninstaller is not available, does not work properly, or you do not want to use it, you can use the following scanning and removal tools to detect and remove this program and other unwanted software from your computer:

Threat behavior

Adware:Win32/Hotbar displays a dynamic toolbar and pop-up ads based on its monitoring of your web-browsing activity.

The program installs a browser toolbar that works in Internet Explorer 6 and above, and Firefox 3.6 and above.

The tool is a multi-component adware program designed to monitor your online browsing behavior to deliver targeted ads. It also installs other components related to Win32/ClickPotato and Win32/ShopperReports.

Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. It might collect information and silently download and run updates or other code from its servers.

The program is delivered by Pinball Publisher Network to web publishers on a commission basis, based on the number of installs, also referred to as pay-per-install.

Adware:Win32/Hotbar creates numerous files during installation, and may install itself to paths that include the following:

  • In %LOCALAPPDATA%:
    • AppKikxSA
    • BlueTurtleGamesSA
    • BrightBreezeSA
    • CheeryChickenSA
    • ClickPotatoLiteSA
    • FREEzeFlipSA
    • GigglingGamesSA
    • hbtools
    • HippoGeekSA
    • hotbar
    • KangoBoxSA
    • LhootSA
    • MossySkySA
    • PopcornTVShowsSA
    • RavenBleuSA
    • SeekmoSA
    • SeeqDoSA
    • ShamrockSpringSA
    • SnappyDeeSA
    • VooMuuSA
    • zManateeSA
  • In %ProgramFiles%:
    • BrightBreeze
    • ClickPotatoLite
    • FREEzeFlip
    • FREEzeFrog
    • HBLite
    • Hotbar
    • MossySky
    • Seekmo
    • VooMuu
    • Zango
    • HbTools

It may use one of the following file names:

  • HBLiteSA.exe
  • HBLiteSAAX.dll
  • HBLiteSAHook.dll
  • HBLiteUninstaller.exe
  • npclntax_HBLiteSA.dll

Adware:Win32/Hotbar adds numerous keys to the registry, including the following:

  • HKCU\Software\HbTools
  • HKLM\SOFTWARE\HbTools
  • HKCU\Software\AppKikxSA
  • HKCU\Software\BlueTurtleGamesSA
  • HKCU\Software\BrightBreezeSA
  • HKCU\Software\CheeryChickenSA
  • HKCU\Software\GigglingGamesSA
  • HKCU\Software\HippoGeekSA
  • HKCU\Software\KangoBoxSA
  • HKCU\Software\LhootSA
  • HKCU\Software\LukyLuSA
  • HKCU\Software\MossySkySA
  • HKCU\Software\RavenBleuSA
  • HKCU\Software\SeeqDoSA
  • HKCU\Software\ShamrockSpringSA
  • HKCU\Software\VooMuuSA
  • HKCU\Software\zManateeSA

It may attempt to connect to any of the following affiliate websites:


It may attempt to connect and install applications (bundled software) via any of the following affiliate websites:


The adware affiliates may offer Hotbar as a way to access premium content. Bundled software may also include BrowserModifier:Win32/Zwangi and Adware:Win32/ZangoSearchAssistant.

You may be lured to a cybersquatting website, such as those seen below, where software bundled with Adware:Win32/Hotbar may be available for download:

[Screenshots: PinBall Audacity website compared with the legitimate Audacity website; PinBall ARES website compared with the legitimate ARES website]

We have observed Adware:Win32/Hotbar being bundled with the following software:

  • 7zip
  • Ares
  • Audacity
  • AVM Converter
  • eMule
  • Farm Frenzy 3
  • FLV Blaster
  • Free Download Manager
  • Frets on Fire
  • Gimp
  • IFree TV
  • LimeWire
  • OpenOffice
  • PDFCreator
  • Razor Gamer
  • RealPlayer
  • VLC
  • Xvid

For each website that you visit, Hotbar may collect information such as the following:

  • What URLs you visited to reach the current webpage (web-usage paths)
  • Search terms and demographic data you enter into a browser
  • Hotbar button clicks
  • Link clicks
  • Client-computer IP addresses
  • Hotbar cookie IDs

Hotbar may also collect personal or sensitive information, such as data you have entered when "registering" for the program at third-party websites.

Analysis by Methusela Cebrian Ferrer & Michael Johnson


Symptoms

System Changes

The following system changes may indicate the presence of Adware:Win32/Hotbar:

  • The presence of the following files:

    HBLiteSA.exe
    HBLiteSAAX.dll
    HBLiteSAHook.dll
    HBLiteUninstaller.exe
    npclntax_HBLiteSA.dll
  • The presence of the following registry subkeys:

    HKCU\Software\HbTools
    HKLM\SOFTWARE\HbTools
    HKCU\Software\AppKikxSA
    HKCU\Software\BlueTurtleGamesSA
    HKCU\Software\BrightBreezeSA
    HKCU\Software\CheeryChickenSA
    HKCU\Software\GigglingGamesSA
    HKCU\Software\HippoGeekSA
    HKCU\Software\KangoBoxSA
    HKCU\Software\LhootSA
    HKCU\Software\LukyLuSA
    HKCU\Software\MossySkySA
    HKCU\Software\RavenBleuSA
    HKCU\Software\SeeqDoSA
    HKCU\Software\ShamrockSpringSA
    HKCU\Software\VooMuuSA
    HKCU\Software\zManateeSA
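
A read-only triage check for the folder, file and registry indicators listed on this page, as an added example (it is not part of the original entry and is not a Microsoft tool). It assumes an elevated PowerShell session; the Program Files (x86) and WOW6432Node locations and the walk over every user profile are assumptions added here, and the arrays hold only a subset of the page's names.

```powershell
# Added example (not from the original page). The arrays hold a subset of the
# names this page lists; extend them from the page's lists as needed.
$LocalDirs   = 'hbtools', 'hotbar', 'ClickPotatoLiteSA', 'SeekmoSA'   # %LOCALAPPDATA%
$ProgramDirs = 'HBLite', 'Hotbar', 'HbTools', 'Seekmo', 'Zango'       # %ProgramFiles%
$FileNames   = 'HBLiteSA.exe', 'HBLiteSAAX.dll', 'HBLiteSAHook.dll',
               'HBLiteUninstaller.exe', 'npclntax_HBLiteSA.dll'
$RegNames    = 'HbTools', 'AppKikxSA', 'MossySkySA', 'VooMuuSA'       # ...\Software\<name>

$hits = New-Object System.Collections.ArrayList
function Add-Hit($Type, $Path) {
    [void]$hits.Add((New-Object psobject -Property @{ Type = $Type; Path = $Path }))
}

# Folders: both Program Files trees (assumption: a 32-bit installer lands in the
# x86 tree on 64-bit Windows) and the local application data of every profile.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$candidates = @(foreach ($r in $roots) { foreach ($d in $ProgramDirs) { Join-Path $r $d } })
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*'
$userDirs = Get-ItemProperty $profileList -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ProfileImagePath } | Where-Object { $_ }
$candidates += @(foreach ($u in $userDirs) {
    $local = Join-Path $u 'AppData\Local'                             # Vista and later
    if (-not (Test-Path -LiteralPath $local)) {
        $local = Join-Path $u 'Local Settings\Application Data'       # XP
    }
    foreach ($d in $LocalDirs) { Join-Path $local $d }
})
foreach ($p in $candidates) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Add-Hit 'Folder' $p
    Get-ChildItem -LiteralPath $p -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $FileNames -contains $_.Name } |
        ForEach-Object { Add-Hit 'File' $_.FullName }
}

# Registry: HKCU only reflects the current user, so walk each user hive loaded
# under HKEY_USERS. Hives of users who are not logged on are not loaded.
$regRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')         # WOW6432Node: assumption
$regRoots += @(Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::$($_.Name)\Software" })
foreach ($r in $regRoots) {
    foreach ($n in $RegNames) {
        if (Test-Path -LiteralPath "$r\$n") { Add-Hit 'RegistryKey' "$r\$n" }
    }
}
if ($hits.Count) {
    $hits | Sort-Object Type, Path | Format-Table Type, Path -AutoSize
} else { 'No listed Hotbar indicators found.' }
```

A hit on a folder or key name alone is weak evidence, since some names are generic; treat the HBLite* file names inside a matching folder as the stronger signal.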

Prevention


Alert level: High
First detected by definition: 1.45.287.0
Latest detected by definition: 1.191.758.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jun 21, 2006
This entry was updated on: Aug 15, 2013

This threat is also detected as:
No known aliases