Virus: Adware/IEToolbar.J.1
Date discovered: 12/07/2012
Type: Adware
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 506.536 Bytes
MD5 checksum: 0204eb5e66e17a5f6f98d77c44b987cc
VDF version: 7.11.36.08 - Thursday, July 12, 2012
IVDF version: 7.11.36.08 - Thursday, July 12, 2012

General
Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: Spyware.IEToolbar
   • Eset: Win32/Toggle
   • Norman: W32/Zugo.FFW


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Opens website in web browser

Files
Temporary files that might be deleted afterwards:
   • C:\TEMP\captura.bmp
   • C:\TEMP\nsb4.tmp\img_en.gif
   • C:\TEMP\nsb4.tmp\InstallOptions.dll
   • C:\TEMP\nsb4.tmp\ioSpecial.ini
   • C:\TEMP\nsb4.tmp\LangDLL.dll
   • C:\TEMP\nsb4.tmp\linker.dll
   • C:\TEMP\nsb4.tmp\modern-wizard.bmp
   • C:\TEMP\nsb4.tmp\NSISdl.dll
   • C:\TEMP\nsb4.tmp\show_page_toolbar
   • C:\TEMP\nsb4.tmp\System.dll
   • C:\TEMP\nsb4.tmp\UAC.dll

Miscellaneous
Accesses internet resources:
   • http://do**********ers/nsis/pantallatoolbar_babylon_coupish_en.ini
   • http://do**********ar/babylon/captura.bmp
   • http://pf.to**********26-nero-burning-rom.exe
   • http://pf.to**********26_64_fab3.gif


String:
Furthermore it contains the following strings:
   • of SweetIM.
   • of Babylon toolbar
   • \Nero Burning Rom
   • /toolbar.exe
   • chrome.exe
   • firefox.exe
   • \KillProc.dll
   • ChangeStartPageIE
   • ChangeStartPageFirefox
   • browser.startup.homepage
   • start ChangeDefaultSearchFirefox
   • \extensions\
   • \Toolbar\*
   • \Mozilla Firefox\firefox.exe
   • \places.sqlite
   • "cmd.exe" "ASSOC .JS=JSFile"
   • wscript.exe "
   • \chrome.js"
   • .exe

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Martin Muench on Saturday, July 14, 2012
Description updated by Martin Muench on Saturday, July 14, 2012
