
Adware:Win32/Hotbar


First posted on 02 April 2019.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/Hotbar.

Explanation:

Adware:Win32/Hotbar displays a dynamic toolbar and pop-up ads based on its monitoring of your web-browsing activity.

The program installs a browser toolbar that works in Internet Explorer 6 and above, and Firefox 3.6 and above.

The tool is a multi-component adware program designed to monitor your online browsing behavior to deliver targeted ads. It also installs other components related to Win32/ClickPotato and Win32/ShopperReports.

Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. It might collect information and silently download and run updates or other code from its servers.

The program is delivered by Pinball Publisher Network to web publishers on a commission basis, based on the number of installs, also referred to as pay-per-install.

Adware:Win32/Hotbar creates numerous files during installation, and may install itself to paths that include the following:

In %LOCALAPPDATA%: AppKikxSA, BlueTurtleGamesSA, BrightBreezeSA, CheeryChickenSA, ClickPotatoLiteSA, FREEzeFlipSA, GigglingGamesSA, hbtools, HippoGeekSA, hotbar, KangoBoxSA, LhootSA, MossySkySA, PopcornTVShowsSA, RavenBleuSA, SeekmoSA, SeeqDoSA, ShamrockSpringSA, SnappyDeeSA, VooMuuSA, zManateeSA

In %ProgramFiles%: BrightBreeze, ClickPotatoLite, FREEzeFlip, FREEzeFrog, HBLite, Hotbar, MossySky, Seekmo, VooMuu, Zango, HbTools

It may use one of the following file names:

HBLiteSA.exe, HBLiteSAAX.dll, HBLiteSAHook.dll, HBLiteUninstaller.exe, npclntax_HBLiteSA.dll

Adware:Win32/Hotbar adds numerous keys to the registry, including the following:


It may attempt to connect to any of the following affiliate websites:


It may attempt to connect and install applications (bundled software) via any of the following affiliate websites:


The adware affiliates may offer Hotbar as a way to access premium content. Bundled software may also include BrowserModifier:Win32/Zwangi and Adware:Win32/ZangoSearchAssistant.

You may be lured to a cybersquatting website, such as those seen below, where software bundled with Adware:Win32/Hotbar may be available for download:

PinBall Audacity website

Legitimate Audacity website

   

PinBall ARES website

Legitimate ARES website

We have observed Adware:Win32/Hotbar being bundled with the following software:

7zip, Ares, Audacity, AVM Converter, eMule, Farm Frenzy 3, FLV Blaster, Free Download Manager, Frets on Fire, Gimp, IFree TV, LimeWire, OpenOffice, PDFCreator, Razor Gamer, RealPlayer, VLC, Xvid

For each website that you visit, Hotbar may collect information such as the following:

What URLs you visited to reach the current webpage (web-usage paths)
Search terms and demographic data you enter into a browser
Hotbar button clicks
Link clicks
Client-computer IP addresses
Hotbar cookie IDs

Hotbar may also collect personal or sensitive information, such as data you have entered when "registering" for the program at third-party websites.

Analysis by Methusela Cebrian Ferrer & Michael Johnson

Last update 02 April 2019

 
