ADW_HOTBAR.A
Overview



In the wild: No

Reported detections: Low

Description:

Alias: Adware.Hotbar (Symantec), HotBar (Ad-Aware), HotBar (Mcafee), HotBar (PestPatrol), Hotbar (SpyBot)

This adware modifies the search page of Internet Explorer.

It monitors the Web activities of a system user, such as Web sites visited and searches performed.

It tracks the Web usage habits of a system user to determine the most appropriate subject when displaying advertisements.

It displays the following search bar at the upper right corner of Internet Explorer:

Special Offer!...Search

It runs on Windows 95, 98, ME, NT, 2000 and XP.

Solution: 

Minimum scan engine version needed: 7.100


Identifying the Spyware Program

Download the latest spyware pattern file and scan your system. Note all files detected as ADW_HOTBAR.A.

Uninstalling the Program

To remove the adware, uninstall all installed Hotbar applications. To do so:

  1. Go to Control Panel.
  2. Double-click Add/Remove Programs.
  3. Select the corresponding program, then click the "Add/Remove" button. It usually has the string "by Hotbar" in the display name.

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer homepage and search page to the default settings.

  1. Close all Internet Explorer windows.
  2. Open Control Panel. Click Start>Settings>Control Panel.
  3. Double-click the Internet Options icon.
  4. In the Internet Properties window, click the Programs tab.
  5. Click the “Reset Web Settings…” button.
  6. Select “Also reset my home page.” Click Yes.
  7. Click OK.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as ADW_HOTBAR.A.

Details: 

Installation

This adware program arrives via the Web, as downloaded programs, and through manual installation. It is also known to be bundled with older releases of the famous peer-to-peer application called iMesh.

It installs itself at the following path by default:

    %Program Files%\Hotbar\bin\%Version%

(Note: %Program Files% is the program files directory of Windows, which is usually C:\Program Files. On the other hand, %Version% is the version number of the installed Hotbar.)

It also creates the following folder where it stores the collected Web usage habits of a system user:

    %Application Data%\Hotbar\%Version%\Hotbar

(Note: %Application Data% is the application data files directory of a user in the system, which is usually C:\Windows\Application Data.)

Upon installation, it also registers several classes to the system.

To automatically update its copy, this program creates the following registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Hotbar = %Program Files%\Hotbar\bin\%Version%\HbInst.exe/Upgrade

Payload

This adware sets the search page of Internet Explorer to its domain by modifying the following registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
    SearchAssistant = http://www.hotbar.com/dyn/hotbar/%Version%/sb_searchPageHome.htm

It displays the following search bar at the upper right corner of Internet Explorer:

Special Offer!...Search

It monitors the Web activities of a system user, such as Web sites visited and searches performed. It tracks the Web usage habits of a system user to determine the most appropriate subject when displaying advertisements.
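
A triage check for the two registry entries described above, added here as an example and not part of the original write-up: it scans a text export of the registry (REGEDIT4 style) for the Hotbar autostart value and the redirected SearchAssistant value. The sample export and the version number 4.5.1.0 in it are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Keys taken from the Installation and Payload sections of this page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SEARCH_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search"

# Constructed sample export; 4.5.1.0 stands in for %Version%.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Hotbar"="C:\\Program Files\\Hotbar\\bin\\4.5.1.0\\HbInst.exe/Upgrade"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.hotbar.com/dyn/hotbar/4.5.1.0/sb_searchPageHome.htm"
'''

STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in the export.
    Exports saved as UTF-16 must be decoded by the caller first."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = STRING_VALUE.match(line)
        if key and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_hotbar_entries(text):
    """Return (kind, key, value_name, data) for each entry matching the page."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k == RUN_KEY.lower() and n == "hotbar" and r"\hotbar\bin" in d and "hbinst.exe" in d:
            hits.append(("autostart", key, name, data))
        elif k == SEARCH_KEY.lower() and n == "searchassistant":
            host = urlsplit(data).hostname or ""
            if host == "hotbar.com" or host.endswith(".hotbar.com"):
                hits.append(("search-page", key, name, data))
    return hits
```

Matching is case-insensitive because registry key and value names are, and the hostname is compared exactly so that an unrelated domain merely containing the string is not flagged.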

Other Details

Some versions of this program are compressed using UPX.




Analysis by: Broderick Aquilino


Description created: Jan 6, 2004



