Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.AdultLinks

Adware.AdultLinks

Updated:
February 13, 2007
Version:
2003, 4, 29, 1
Risk Impact:
High
File Names:
QaBar.dll QcBar.dll SetupAdultLinks.exe
Systems Affected:
Windows

Behavior


Adware.AdultLinks is an adware application that modifies the search feature and adds a toolbar to Internet Explorer. The adware also monitors browsing activities in Internet Explorer.

Note: Definitions dated April 1st, 2005 or earlier may detect this security risk as Adware.AdultLinks.B.

Symptoms


The following symptoms indicate the presence of Adware.AdultLinks:
  • The presence of several links to adult pages in Internet Explorer.
  • The default search page changed to dev.ntcor.com.


Behavior


May be installed via Web pages. The user has to agree to the installation.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version November 26, 2003
  • Latest Daily Certified version February 08, 2011 revision 002
  • Initial Weekly Certified release date November 26, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When the self-extracting .zip file for Adware.AdultLinks is executed, it will perform the following actions:
  1. Copies QaBar.dll to %windir%\system32\


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Adds the value

    "ForceShow" = "rundll32.exe <path to file>,ForceShowBar"

    or

    "ForceShow" = "res://<path to file>/ForceShow.HTML"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce


    Note: This registry key will be removed once the computer has been rebooted.

  3. Adds the value

    "SearchAssistant" = "dev.ntcor.com/search.html"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

    which changes the default search page in Internet Explorer.

  4. Adds the value

    "{965e6b07-6832-4738-bdbe-25f226ba2ab0}" = "Adult Links"

    or

    "{765E6B09-6832-4738-BDBE-25F226BA2AB0} " = "Adult Links"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar

    which adds a toolbar called AdultLinks to Internet Explorer.

  5. Adds in the following keys (some keys may be added by specific versions of AdultLinks only):


    HKEY_CLASSES_ROOT\CLSID\{965e6b07-6832-4738-bdbe-25f226ba2ab0}
    HKEY_CLASSES_ROOT\CLSID\{dd1bca06-f674-424d-a08e-42da97c4d5dd}
    HKEY_CLASSES_ROOT\CLSID\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}
    HKEY_CLASSES_ROOT\CLSID\{5C015AA7-3392-4044-90CC-8E95019CFFF1}
    HKEY_CLASSES_ROOT\CLSID\{765E6B09-6832-4738-BDBE-25F226BA2AB0}
    HKEY_CLASSES_ROOT\Interface\{6D7D135E-F7C2-4A27-A87C-C0DFEB3A628F}
    HKEY_CLASSES_ROOT\Interface\{D1320CBB-403D-483D-AE9A-688960A96977}
    HKEY_CLASSES_ROOT\Interface\{ED7D1356-F7C2-4A27-A87C-C0DFEB3A628F}
    HKEY_CLASSES_ROOT\Interface\{242CA913-1637-4F74-9729-EA349AF3ECAC}
    HKEY_CLASSES_ROOT\Interface\{3FAA7D43-6889-4108-BD33-D66242C45BE0}
    HKEY_CLASSES_ROOT\TypeLib\{D02EE3A0-1881-419F-A5EF-737223463292}
    HKEY_CLASSES_ROOT\TypeLib\{C02EE3A0-1881-419F-A5ED-737223463292}
    HKEY_CLASSES_ROOT\TypeLib\{60381D4B-8129-449A-A5F2-5417AD0571CC}
    HKEY_CLASSES_ROOT\TypeLib\{0b1673d7-c165-4d41-bf65-1932324de17f}
    HKEY_CLASSES_ROOT\QcBar\
    HKEY_CLASSES_ROOT\QcBar.1\
    HKEY_CLASSES_ROOT\QABar
    HKEY_CLASSES_ROOT\QaBar.1\
    HKEY_CLASSES_ROOT\QABar.AdultSearch
    HKEY_CLASSES_ROOT\QABar.AdultSearch.1
    HKEY_CLASSES_ROOT\Allch.IEObj\
    HKEY_CLASSES_ROOT\Allch.IEObj.1\
    HKEY_CURRENT_USER\Software\QcBar\
    HKEY_CLASSES_ROOT\QaBar.AdultSearch.1\
    HKEY_CLASSES_ROOT\AdultBar.AdultBar
    HKEY_CLASSES_ROOT\AdultBar.AdultBar.1
    HKEY_CLASSES_ROOT\AdultSearch.AdultSearch
    HKEY_CLASSES_ROOT\AdultSearch.AdultSearch.1
    HKEY_CLASSES_ROOT\LinkZZ2.NullCtrl
    HKEY_CLASSES_ROOT\LinkZZ2.NullCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{765E6B09-6832-4738-BDBE-25F226BA2AB0} HKEY_LOCAL_MACHINE\Software\QcBar\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}

    which allow the adware to monitor Internet Explorer activities.

  6. Attempts to download a Web page from www.mainentrypoint.com containing a list of links. The adware will add these links to the Favorites menu in Internet Explorer.


    Note: Security Response has observed 47 links in the list at the time of this writing.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Delete the value that was added to the registry and reboot the system.
  3. Run a full system scan and delete all the files detected as Adware.AdultLinks
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  4. In the right pane, if it exists, delete the value:

    "ForceShow" = "rundll32.exe C:\%windir%\system32\qabar.dll,ForceShowBar"

    or

    "ForceShow" = "res://C:\%windir%\system32\qcbar.dll/ForceShow.HTML"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ToolBar

  6. In the right pane, delete the value:

    "{965e6b07-6832-4738-bdbe-25f226ba2ab0}" = "Adult Links"

    or

    "{765E6B09-6832-4738-BDBE-25F226BA2AB0} " = "Adult Links"

  7. Navigate to the key:

    HKEY_CLASSES_ROOT\CLSID\

  8. In the left pane, delete the keys:

    • {765E6B09-6832-4738-BDBE-25F226BA2AB0}
    • {D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}
    • {965e6b07-6832-4738-bdbe-25f226ba2ab0}
    • {dd1bca06-f674-424d-a08e-42da97c4d5dd}
    • {5C015AA7-3392-4044-90CC-8E95019CFFF1}
    • {765E6B09-6832-4738-BDBE-25F226BA2AB0}

  9. Navigate to the key:

    HKEY_CLASSES_ROOT\CLASSES\Interface\

  10. In the left pane, delete the keys:

    • {ED7D1356-F7C2-4A27-A87C-C0DFEB3A628F}
    • {242CA913-1637-4F74-9729-EA349AF3ECAC}
    • {6D7D135E-F7C2-4A27-A87C-C0DFEB3A628F}
    • {D1320CBB-403D-483D-AE9A-688960A96977}
    • {ED7D1356-F7C2-4A27-A87C-C0DFEB3A628F}
    • {242CA913-1637-4F74-9729-EA349AF3ECAC}
    • {3FAA7D43-6889-4108-BD33-D66242C45BE0}


  11. Navigate to the key:

    HKEY_CLASSES_ROOT\TypeLib\

  12. In the left pane, delete the key:

    • {C02EE3A0-1881-419F-A5ED-737223463292}
    • {60381D4B-8129-449A-A5F2-5417AD0571CC}
    • {D02EE3A0-1881-419F-A5EF-737223463292}
    • {C02EE3A0-1881-419F-A5ED-737223463292}
    • {0b1673d7-c165-4d41-bf65-1932324de17f}

  13. Navigate to the key

    HKEY_CLASSES_ROOT\

  14. In the left pane, delete the keys

    • QcBar
    • QcBar.1
    • Allch.IEObj
    • Allch.IEObj.1
    • QABar
    • QaBar.1
    • QABar.AdultSearch
    • QABar.AdultSearch.1
    • Allch.IEObj
    • Allch.IEObj.1
    • QaBar.AdultSearch.1
    • AdultBar.AdultBar
    • AdultBar.AdultBar.1
    • AdultSearch.AdultSearch
    • AdultSearch.AdultSearch.1
    • LinkZZ2.NullCtrl
    • LinkZZ2.NullCtrl.1

  15. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software

  16. In the left pane, delete the key:

    QcBar

  17. Exit the Registry Editor.

  18. Reboot the computer.
3. Scanning for and deleting the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information on how to do this, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Adware.AdultLinks, click Delete.

4. To reset the Internet Explorer home page
  1. Start Microsoft Internet Explorer.
  2. Connect to the Internet, and then go to the page that you want to set as your home page.
  3. Click Tools > Internet Options.
  4. In the Home page section of the General tab, click Use Current > OK.

For additional information, or if this procedure does not work, read the Microsoft Knowledge Base article: Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting, Article ID 320159 .
    5. To reset the Internet Explorer Search page
      Follow the instructions for your version of Windows.

      Windows 98/Me/2000
      1. Start Microsoft Internet Explorer.
      2. Click the Search button on the toolbar.
      3. In the Search pane, click Customize.
      4. Click Reset.
      5. Click Autosearch Settings.
      6. Select a search site from the drop-down list, and then click OK.
      7. Click OK.

      Windows XP
      Because Windows XP is set by default to use animated characters in the search, how you do this can vary. Read all the instructions before you start.
      1. Start Microsoft Internet Explorer.
      2. Click the Search button on the toolbar.
      3. Do one of the following:
        • If the pane that opens looks similar to the following picture, click the word Customize and proceed to step h:




        • If the pane that opens has the words "Search Companion" at the top, and the center looks similar to the following picture, click the Change preferences link and proceed with step d.




      4. Click the Change Internet search behavior link.
      5. Under "Internet Search Behavior," click With Classic Internet Search.
      6. Click OK. Then close Internet Explorer. (Close the program for the change to take effect.)
      7. Start Internet Explorer. When the search pane opens, it should look similar to the following picture:





        Click the word Customize, and then proceed with the next step.

      8. In the Search pane, click Customize.
      9. Click Reset.
      10. Click Autosearch Settings.
      11. Select a search site from the drop-down list, and then click OK.
      12. Click OK.
      13. Do one of the following:
        • If you were using (or want to continue using) the "Classic Internet Search" panel, stop here (or proceed with the next section).
        • If you want to go back to the "Search Companion" search (it usually has an animated character at the button), proceed with step n.

      14. Click the word Customize again.
      15. In the "Customize Search Settings" window, click Use Search Companion > OK.
      16. Close Internet Explorer. The next time you open it, it will again use the Search Companion