Adware.UpSpiralBar

Printer Friendly Page

Updated: February 13, 2007 11:43:12 AM

Type: Adware

Version: 3.0.0.5

Risk Impact: Low

File Names: tbinstall.exe; snbupt.exe; upspiral.dll

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.UpSpiralBar is run it:

Creates the following files:
- %Windir%\Downloaded Program Files\upspiral.dll (detected as Adware.UpSpiralBar)
- %ProgramFiles%\Upspiral Toolbar\Uninstall.exe
- %ProgramFiles%\Upspiral Toolbar\Cache\ebay.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\highlight.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\home.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\logo.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\pop_on.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\search.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\spamarrest.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\Thumbs.db
- %ProgramFiles%\Upspiral Toolbar\Cache\tools.bmp
- %ProgramFiles%\Upspiral Toolbar\Cache\upspiraltb0300.cfg
- %Windir%\tbinstall.exe (detected as Adware.UpSpiralBar)
- %Windir%\unist2.exe
  
  Notes:
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
Creates the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-DEFF-ED65A486AA28} HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-DEFF-ED65A486AA29} HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-DEFF-ED65A486AA2A} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-DEFF-ED65A486AA28} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Uninstall\Upspiral HKEY_CLASSES_ROOT\upspiral.UPSPIRAL HKEY_CLASSES_ROOT\upspiral.UPSPIRALMenu Button HKEY_CLASSES_ROOT\upspiral.UPSPIRALToggle Button HKEY_CURRENT_USER\Software\Upspiral Toolbar
Adds the following value:

{4E7BD74F-2B8D-469E-DEFF-ED65A486AA28}

to one or more of the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Adds the value:

"snbupt" = "C:\Windows\snbupt.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runso that the Adware.UpSpiralBar runs and updates itself every time Windows starts.
May attempt to modify some of the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search BarHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrlHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}