
Adware.EZToolbar

Updated: February 13, 2007 11:43:16 AM
Type: Adware
Publisher: http://www.pickoftheweb.com
Risk Impact: Medium
File Names: potwbar.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.EZToolbar is installed, it performs the following actions:
  1. Creates the file %Windir%\Downloaded Program Files\potwbar.dll.

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7BA09AAA7D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\potwbar.POTWBAR
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\POTWBAR
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD7BA09AAA7D}
    HKEY_CURRENT_USER\Software\Dynamic Toolbar\POTWBAR
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4E7BD74F-2B8D-469E-C0FF-FD7BA09AAA7D}

  3. Adds the value:

    "{4E7BD74F-2B8D-469E-C0FF-FD7BA09AAA7D}" = "00"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

    so that the adware runs every time Internet Explorer starts.

  4. Sends information about Internet sites visited and keywords searched in search engines such as Google to a server on the toolbar.pickofthe***.com domain.
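
A read-only check for the file and registry artifacts listed in steps 1 to 3, as an added PowerShell example that is not part of the original write-up. The function name `Get-EZToolbarArtifact` and the WOW6432Node paths (for 64-bit Windows, which the write-up does not cover) are assumptions made here.

```powershell
# Added example: read-only check for the Adware.EZToolbar artifacts listed above.
$clsid = '{4E7BD74F-2B8D-469E-C0FF-FD7BA09AAA7D}'   # CLSID from the write-up

function Get-EZToolbarArtifact {   # hypothetical helper name
    $found = @()

    # Step 1: DLL dropped under %Windir%\Downloaded Program Files
    $dll = Join-Path $env:windir 'Downloaded Program Files\potwbar.dll'
    if (Test-Path -LiteralPath $dll) {
        $found += [pscustomobject]@{ Kind = 'File'; Path = $dll }
    }

    # Step 2: registry subkeys (HKCU covers only the user running the script)
    $keys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        'HKLM:\SOFTWARE\Classes\potwbar.POTWBAR'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\POTWBAR'
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        'HKCU:\Software\Dynamic Toolbar\POTWBAR'
        "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$clsid"
    )
    # Assumption beyond the write-up: on 64-bit Windows a 32-bit install is
    # redirected to WOW6432Node, so those paths are checked as well.
    $keys += $keys | Where-Object { $_ -like 'HKLM:\SOFTWARE\*' } |
        ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\' }

    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            $found += [pscustomobject]@{ Kind = 'RegistryKey'; Path = $key }
        }
    }

    # Step 3: toolbar registration value named after the CLSID
    $toolbar = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    $props = Get-ItemProperty -LiteralPath $toolbar -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $clsid)) {
        $found += [pscustomobject]@{ Kind = 'RegistryValue'; Path = "$toolbar\$clsid" }
    }

    $found
}

# No output means none of the listed artifacts were found for this user and host.
Get-EZToolbarArtifact | Format-Table -AutoSize
```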

