
Adware.SideBar

Updated:
February 13, 2007
Risk Impact:
Low
File Names:
spoolsvv.exe somaticCAB.exe
Systems Affected:
Windows

Behavior


Adware.SideBar installs itself as a toolbar inside Internet Explorer, replacing the default search page.

Symptoms


A new toolbar inside Internet Explorer.

Behavior


Has to be installed manually.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version January 05, 2004
  • Latest Daily Certified version January 20, 2015 revision 034
  • Initial Weekly Certified release date January 07, 2004

Adware.SideBar is an adware component that adds itself as a toolbar inside Internet Explorer and replaces the default search page. It can display advertisements in Internet Explorer, and it also contains code that allows it to download and execute files from the Internet.

When Adware.SideBar is installed, it performs the following actions:
  1. Creates the following file:

    %System%\spoolsvv.exe

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds one of the following values:

    "Spoolsvv" = "C:\WINDOWS\system32\spoolsvv.exe - invisible"
    "Spoolsvv" = "[Path where spoolsvv.exe was run from] - invisible"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware is executed every time Windows starts.

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{BB0578ED-E672-4697-9663-EC5A0460B949}
    HKEY_CLASSES_ROOT\CLSID\{C258EAA1-F9FE-491E-B8FF-CE9AF7A7AFF5}
    HKEY_CLASSES_ROOT\Interface\{831975B3-13A0-4DA4-AA6F-6C427175C30E}
    HKEY_CLASSES_ROOT\Interface\{FF6AAA4C-9FB8-4663-A04C-EB9D02568D1D}
    HKEY_CLASSES_ROOT\TypeLib\{D1020AD1-3754-4C54-BF4D-EA01652EC4BE}
    HKEY_CLASSES_ROOT\TypeLib\{EF5ABEC9-965E-4E2D-B9C9-D168A2706670}
    HKEY_CLASSES_ROOT\SomaticCAB.Setup
    HKEY_CLASSES_ROOT\spoolsvv.Class1
    HKEY_LOCAL_MACHINE\SOFTWARE\MyGeekInstalled

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Adware.SideBar.
  3. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
  1. Start your Symantec antivirus program and run a full system scan.
  2. If any files are detected as Adware.SideBar, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

3. Deleting the value from the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document "How to make a backup of the Windows registry" for instructions.
  1. Click Start > Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "Spoolsvv" = "C:\WINDOWS\system32\spoolsvv.exe - invisible"
    "Spoolsvv" = "[Path where spoolsvv.exe was run from] - invisible"

  5. Navigate to and delete the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{BB0578ED-E672-4697-9663-EC5A0460B949}
    HKEY_CLASSES_ROOT\CLSID\{C258EAA1-F9FE-491E-B8FF-CE9AF7A7AFF5}
    HKEY_CLASSES_ROOT\Interface\{831975B3-13A0-4DA4-AA6F-6C427175C30E}
    HKEY_CLASSES_ROOT\Interface\{FF6AAA4C-9FB8-4663-A04C-EB9D02568D1D}
    HKEY_CLASSES_ROOT\TypeLib\{D1020AD1-3754-4C54-BF4D-EA01652EC4BE}
    HKEY_CLASSES_ROOT\TypeLib\{EF5ABEC9-965E-4E2D-B9C9-D168A2706670}
    HKEY_CLASSES_ROOT\SomaticCAB.Setup
    HKEY_CLASSES_ROOT\spoolsvv.Class1
    HKEY_LOCAL_MACHINE\SOFTWARE\MyGeekInstalled

  6. Exit the Registry Editor.
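As an added example (not Symantec's code and not part of the original write-up), the following PowerShell script audits a host for the artifacts listed in the installation steps and the removal procedure above: the Run value, the dropped file in the System folder, and the COM and marker registry keys. It reports only by default; the `-Remove` switch, which deletes what it finds, is an assumption of this example, and the script must run from an elevated prompt.

```powershell
# Added example, not Symantec's code: audit a host for the Adware.SideBar
# artifacts listed on this page. Reports only by default; -Remove deletes
# what it finds (assumed switch; run from an elevated PowerShell prompt).
param([switch]$Remove)

$runKey  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Spoolsvv'
# %System%\spoolsvv.exe on NT-based Windows
$dropped = Join-Path $env:SystemRoot 'System32\spoolsvv.exe'
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{BB0578ED-E672-4697-9663-EC5A0460B949}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{C258EAA1-F9FE-491E-B8FF-CE9AF7A7AFF5}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{831975B3-13A0-4DA4-AA6F-6C427175C30E}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{FF6AAA4C-9FB8-4663-A04C-EB9D02568D1D}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{D1020AD1-3754-4C54-BF4D-EA01652EC4BE}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{EF5ABEC9-965E-4E2D-B9C9-D168A2706670}',
    'Registry::HKEY_CLASSES_ROOT\SomaticCAB.Setup',
    'Registry::HKEY_CLASSES_ROOT\spoolsvv.Class1',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\MyGeekInstalled'
)
$findings = @()

# 1. Autorun value. Either path variant from the page ends in " - invisible",
#    so report whatever data is stored rather than matching a fixed string.
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value '$runName' = '$($run.$runName)'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# 2. Dropped file. Stop a running instance first or the delete will fail.
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
    if ($Remove) {
        Stop-Process -Name 'spoolsvv' -Force -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $dropped -Force
    }
}

# 3. COM registration (CLSID/Interface/TypeLib/ProgID) and the install marker.
#    -LiteralPath so nothing in the key names is parsed as a wildcard.
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += "Registry key present: $k"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}

if ($findings.Count -eq 0) { 'No Adware.SideBar artifacts found.' } else { $findings }
```

Run it once without `-Remove` to record what is present, then a second time with the switch only after confirming the findings and backing up the registry as the warning above advises.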