Microsoft security software detects and removes this threat.

This family of trojan downloaders download malware from the Trojan:Win32/Wintrim family. These trojans redirect search engine results and display pop-ups based on keywords you enter into certain search engines. They might also send information about your computer to a remote server.

What to do now

This threat may create an uninstaller that can be accessed from the Control Panel:

  • For Windows 8 and 8.1, open the Start screen and type Uninstall. In the search results, go to Uninstall a program (in Windows 8, first select Settings).
  • For Windows 7 and Vista, open the Start menu and navigate to Control Panel>Programs>Uninstall a Program
  • For XP, open the Start menu and navigate to Control Panel>Add or Remove Programs

The entry may be called "Lollipop".

If an uninstaller is not available, does not work properly, or you do not want to use it, you can use the following scanning and removal tools to detect and remove this threat and other malicious software from your PC:

Even if we've already detected and removed this particular threat, running a full scan might find other threats that are hiding on your PC.

Threat behavior

Variants of TrojanDownloader:Win32/Wintrim may be downloaded and run by software bundlers, such as SoftwareBundler:Win32/Lollipox and SoftwareBundler:Win32/Lollipos.

When run, the trojan downloader checks for the presence of security software on your PC (in the wild, we have observed it checking for the presence of Avast security software). Depending on whether you have security software installed and running or not, the trojan will download and run an executable file from the following URL:<removed>/download.php?cc=<encoded data>

The trojan downloader saves the file as Lollipop.exe into the %TEMP% folder, and then moves the file to the %LOCALAPPDATA% folder. The file is detected as a variant of the Trojan:Win32/Wintrim family of trojans that display pop-up ads in certain search engines.

Analysis by Geoff McDonald 


The following could indicate that you have this threat on your PC:
  • The appearance of pop-up ads, particularly ones that are pornographic in nature, or being redirected to search results you did not intend to visit
  • The presence of the following file:


Alert level: Severe
First detected by definition: 1.151.543.0
Latest detected by definition: 1.203.1472.0 and higher
First detected on: May 21, 2013
This entry was first published on: Dec 07, 2006
This entry was updated on: Oct 11, 2013

This threat is also detected as:
  • Win32/Adware.Lollipop.C (ESET)
  • Adware.Lollipop.E (BitDefender)
  • Adware/Lollipop.E.1 (Avira)
  • (Kaspersky)