allentech.net

Parasite: NeoToolbar

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

NeoToolbar is an Internet Explorer toolbar and Browser Helper Object (BHO) and backdoor, targeted at searchbar.info and distributed by neo-toolbar.com. (‘Alcrodant Ltd.’ aka adult-empire.com; signed by ‘Microtex Systems Ltd’.)

Variants

NeoToolbar/MSQSB: first variant, around October 2004, filename msqsb.dll.

NeoToolbar/SearchBar: second variant, around November 2004, filename searchbar.dll.

Also known as

CoolWebSearch.Neo by GIANT anti-spyware. NeoToolbar is closely related to the CoolWebSearch family of parasites.

Distribution

Installed by ‘aggressive’ ActiveX drive-by download (repeatedly opening errors until the download is accepted) on unrelated web sites. Also installed through Trusted Zone hacks by the CoolWebSearch group of Internet Explorer security hole exploits.

The installer for NeoToolbar/SearchBar may also install the Look2Me/v3 and nCase parasites.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. Can silently download and execute arbitrary unsigned code from its controlling server.

At the time of writing this is used to install a TIBS premium-rate dialler and a CoolWebSearch homepage and search hijacker pointed at gfhjkhgi.biz, from the site happynewyear.biz (also associated with other CoolWebSearch hijackers).

Stability problems

The backdoor downloader mentioned above activates every time a new Internet Explorer or file browser window is opened, slowing computer usage down considerably.

Removal

With the SearchBar variant there may be a ‘Neo Technology Search Engine’ entry in the Control Panel’s Add/Remove Programs list. This removes the toolbar itself; see below to remove the downloader and hijacks.

Manual removal

Open a Command Prompt window (from Start->Programs->Accessories; called ‘DOS Prompt’ on Windows 95/98/Me) and enter the following commands, for the MSQSB variant:

cd "%WinDir%\System"
regsvr32 /u msqsb.dll

Or, for the SearchBar variant:

cd "%WinDir%\System"
regsvr32 /u searchbar.dll

NeoToolbar also typically includes a download ActiveX control. This is not reusable, so it should not present a security risk. To remove it, open the Downloaded Program Files folder (inside the Windows folder) and right-click-remove the ‘InstControl Class’ entry.

Finally, use the Internet Options->Programs->Reset Web Settings button to restore the default homepage and search settings.

You can also remove the registry key ‘HKEY_CURRENT_USER\Software\Microsoft\MSQSB’ to clean up if you like.
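
A read-only check for the indicators this record names (the two DLL filenames and the MSQSB registry key), useful before and after the manual removal steps. This is an added example, not part of the original record or of the doxdesk detection script. It assumes PowerShell 3.0 or later; the System32 directory and the Browser Helper Objects lookup are assumptions added here, and the function name is hypothetical.

```powershell
# Added example: read-only check for the NeoToolbar indicators named in this record.
# Nothing is deleted or unregistered; the function only returns what it finds.
function Find-NeoToolbarIndicators {
    $dllNames = 'msqsb.dll', 'searchbar.dll'   # filenames from the Variants section
    $findings = @()

    # The record gives %WinDir%\System; System32 is an assumption for NT-based Windows.
    foreach ($dir in 'System', 'System32') {
        foreach ($name in $dllNames) {
            $path = Join-Path (Join-Path $env:WinDir $dir) $name
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{ Type = 'File'; Detail = $path }
            }
        }
    }

    # Leftover key the record lists for cleanup.
    $key = 'HKCU:\Software\Microsoft\MSQSB'
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Detail = $key }
    }

    # Registered Browser Helper Objects whose COM server is one of the two DLLs.
    # (Assumption: the BHO is registered under the standard HKLM location.)
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoRoot) {
        foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
            $clsid  = $bho.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $server)) { continue }
            $dll  = [string](Get-Item -LiteralPath $server).GetValue('')  # default value = DLL path
            $leaf = ($dll -split '[\\/]')[-1].Trim('"')
            if ($dllNames -contains $leaf) {      # -contains is case-insensitive
                $findings += [pscustomobject]@{ Type = 'BHO'; Detail = "$clsid -> $dll" }
            }
        }
    }
    return $findings
}

$result = @(Find-NeoToolbarIndicators)
if ($result.Count -eq 0) { 'No NeoToolbar indicators from this record were found.' }
else { $result | Format-Table -AutoSize }
```

A filename match alone is only an indicator, since other software may ship a file called searchbar.dll; a BHO entry pointing at one of these DLLs is the stronger signal that the `regsvr32 /u` step has not yet been run.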

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
