Adware-Quickbar

Type: Program
SubType: Adware
Discovery Date: 09/21/2005
Minimum DAT: 4588 (09/22/2005)
Updated DAT: 5455 (12/05/2008)
Minimum Engine: 5.1.00
Description Added: 09/21/2005
Description Modified: 02/06/2006 6:34 PM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a search toolbar application that integrates with Internet Explorer and makes additional low-level changes to the system's networking configuration. A Browser Helper Object (BHO) is installed in Internet Explorer to provide the toolbar. The software appears to depend on, or otherwise integrate with, NDotNet, which is also installed. NDotNet consists of another BHO and an LSP stack modification. Both default address bar searches and 404 errors are redirected to the find.reliableresults.info search page.

This application may display a license agreement when installed. The stub downloader version of the installer runs silently, requires no user intervention, and does not display an agreement. The latest full installer available from http://search.qsrch.com does display an installation interface and requires the user to accept a license agreement. The full text of the license agreement can be accessed on the publisher's website here: http://www.new.net/policies_software.tp

Privacy

A privacy policy is not displayed during installation. In the case of the full installer, a URL is listed under a "Privacy" heading in the license agreement. The full text of the policy can be accessed on the publisher's website via the provided URL here: http://www.new.net/policies_software_privacy.tp. In the case of the stub downloader installer, no indication of the privacy policy is given at all.

The software transmits URL domain data to third-party servers during browsing and searching, along with what appears to be a unique installation ID.

System Changes

General defaults for typical environment variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

"*" - Denotes files that, though installed along with the software, are by themselves innocent and not included in detection.

Files Added

  • %SystemDir%\sporder.dll* (8 KB)
  • %WinDir%\ndnuninstall6_38.exe (49 KB)
    MD5: 77C92713297C1C8B4F4C01C170C2BA89
  • Stub downloader installer: nnezstb1.exe (39 KB)
    MD5: 62B25A7BB6F2462F106AC73DAAAE42AC
  • Latest full installer: QHVqtb_Setup.exe (505 KB)
    MD5: 9118E4EFB5E697E37F0CADCC914C6C4E
  • c:\program files\quickbar\
  • c:\program files\quickbar\toolbar.ini (1 KB)
  • c:\program files\quickbar\quickbar.dll (1137 KB)
    MD5: 81BC45B03A87ADC113AB5ABBC3672824
  • c:\program files\quickbar\cache\
    Note: many graphics and other cached data files are stored in this directory.
  • c:\program files\quickbar\cache\nnezty638.exe (260 KB)
    MD5: 3422C9B34BF912A9EF4803DC4BDD6DEC
  • c:\program files\quickbar\barman.exe (59 KB)
    MD5: 9A0E8F3207A6FBF5C0F153179523CE67
  • c:\program files\newdotnet\uninstall6_38.exe (49 KB)
    MD5: 77C92713297C1C8B4F4C01C170C2BA89
  • c:\program files\newdotnet\readme.html (6 KB)
  • c:\program files\newdotnet\newdotnet6_38.dll (224 KB)
    MD5: B8D2EA737777A3313A3B6FA5251FDC72
  • c:\documents and settings\administrator\cookies\administrator@trafficmp[1].txt (1 KB)
  • c:\documents and settings\administrator\cookies\administrator@qckvis.qsrch[2].txt (1 KB)
  • c:\documents and settings\administrator\cookies\administrator@clicks.emarketmakers[1].txt (1 KB)

Registry (most significant/high-level)

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "New.net Startup"="rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\quickbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\New.net
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\New.net
  • HKEY_LOCAL_MACHINE\SOFTWARE\New.net
    "InstalledPath"="C:\Program Files\NewDotNet\newdotnet6_38.dll"
  Note: The numerical values for the following WinSock2 keys will vary depending on the number of providers in the LSP stack when the software is installed.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "DisplayString"="New.net Name Space Provider"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
    "LibraryPath"="C:\Program Files\NewDotNet\newdotnet6_38.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_STISVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000019
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000018
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000017
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9\Catalog_Entries\000000000016
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "DisplayString"="New.net Name Space Provider"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5\Catalog_Entries\000000000004
    "LibraryPath"="C:\Program Files\NewDotNet\newdotnet6_38.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STISVC\0000\Control
  • HKEY_CURRENT_USER\Software\QUICKBAR
  • HKEY_CURRENT_USER\Software\QUICKBAR
    "CLTBID"="7c635898b5888540fddde6ae231936c6"
    Note: This value may vary with the installation
  • HKEY_CURRENT_USER\Software\QUICKBAR
    "BarID"="200509210850121921681165"
    Note: This value may vary with the installation
  • HKEY_CURRENT_USER\Software\QUICKBAR
    "IE"="C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_CURRENT_USER\Software\New.net
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
    \Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
    \Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
    \Stats\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    "{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}"="4F-D7-7B-4E-8D-2B-9E-46-C0-FF-FD-67-B7-9C-AF-2C"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
    "(default)"="http://search.qsrch.com/"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
    "provider"=""
  • HKEY_CLASSES_ROOT\Tldctl2.URLLink.1
  • HKEY_CLASSES_ROOT\Tldctl2.URLLink
  • HKEY_CLASSES_ROOT\quickbar.QUICKBAR
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2E}
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2E}\InprocServer32
    "(default)"="C:\PROGRA~1\quickbar\quickbar.dll"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2D}
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2D}\InprocServer32
    "(default)"="C:\PROGRA~1\quickbar\quickbar.dll"
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}
  • HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}\InprocServer32
    "(default)"="C:\PROGRA~1\quickbar\quickbar.dll"
  • HKEY_CLASSES_ROOT\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
  • HKEY_CLASSES_ROOT\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\InprocServer32
    "(default)"="C:\Program Files\NewDotNet\newdotnet6_38.dll"

The following registry keys are modified:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"="(hex data)"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    "ITBarLayout"="(hex data)"
  Note: The numerical values for the following WinSock2 keys will vary depending on the number of providers in the LSP stack when the software is installed.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5
    "Num_Catalog_Entries"="4"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \NameSpace_Catalog5
    "Serial_Access_Num"="5"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9
    "Num_Catalog_Entries"="19"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9
    "Next_Catalog_Entry_ID"="1034"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
    \Protocol_Catalog9
    "Serial_Access_Num"="14"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5
    "Num_Catalog_Entries"="4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\NameSpace_Catalog5
    "Serial_Access_Num"="5"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9
    "Num_Catalog_Entries"="19"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9
    "Next_Catalog_Entry_ID"="1034"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    \Parameters\Protocol_Catalog9
    "Serial_Access_Num"="14"

Network Impact

Additional bandwidth overhead results from the transmission of domain URL data to remote servers. The software also appears to have a self-update capability, which could further increase bandwidth consumption.

Aliases

    N/A