Limited Time!
Totally FREE Web Design!
Click here!

Parasite: Pugi

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Pugi is a family of customised toolbars/browser hijackers based on toolbar code from Softomate Solutions (besttoolbars.net). The behaviours of Pugi variants depends on the details in the configuration XML file supplied and updated by the customisers, but typically there will be a toolbar with a search box and link buttons, coupled with an address bar search hijacker, DNS error hijacker and sometimes homepage hijacker or search sidebar hijacker.

Some of Pugi-based toolbars have been installed by various non-legitimate means and are considered parasites.

Variants

Pugi/Searchit, pointed at www.searchit.com, distributed through inet-traffic.com.

Pugi/SearchExplorer, pointed at www.search-explorer.com, distributed through and controlled by adpowerzone.com.

Pugi/Qidion, controlled by qidion.com, pointed at www.findwhatevernow.com.

Pugi/Masterbar, pointed at masterbar.com; also sets search pages to point at masterbar.com.

Pugi/WhyPPC, controlled and targeted at whyppc.com, operated by YesUp Ecommerce Solutions.

Pugi/iSearch, pointed at isearch.com, controlling server auto.isearch.com. Distributed and controlled by iDownload.com. Some versions of its installer also include a Hosts file hijacker that blocks access to several dozen anti-parasite web sites, including DOXdesk. If doxdesk.com resolves to the address 127.0.0.9, this is the parasite responsible.

Pugi/411Ferret, controlling server and search target 411ferret.com (typically redirecting to 123search.com for searches). Pugi/SearchLocate, search target searchlocate.com, also includes a sidebar that opens with pay-per-click links when a search is carried out on another search engine. Both 411Ferret and SearchLocate are operated by Avatar Resources, who also operate the AutoStartup parasite.

Pugi/Gexus: controlling server and search target gexus.com.

Pugi/Yuups: controlling server and hompage hijack site yuups.com. Uses graphics from the Google toolbar; some of the buttons from the toolbar link to Google instead of YuupSearch.

ISTbar/XXXToolbar and RichFind also include Pugi-based toolbars as part of their code.

Also known as

Softomate toolbar. Browser Angel (SearchLocate variant).

Distribution

ActiveX drive-by download in pop-up adverts. Pugi/iSearch is installed by ActiveX drive-by-downloads triggered by Windows Media DRM licensing through protectedmedia.com/instantdrm.com, and also through exploitation of IE security holes on porn sites using traffic monitors from Porngraph.

Pugi/SearchExplorer was also installed by the 2ndThought parasite from June 2003.

Pugi/WhyPPC was installed by ActiveX drive-by download in pop-ups from popinads.com (part of paypopup.com/YesUp, which also operates whyppc.com).

Pugi/411Ferret was bundled with Grokster around late 2004.

Pugi/Gexus was distributed by ActiveX drive-by download from serialspot.com (adzoma.com).

Pugi/Yuups was distributed by IE security hole exploits in the usual CoolWebSearch manner.

What it does

Advertising

Possible, if enabled in the toolbar’s configuration. The SearchExplorer variant is the only version known to use this facility.

Privacy violation

Possible, again in the SearchExplorer variant which may pass URLs being viewed to its controlling server every few pages (including local folders viewed using the Windows Explorer!), and also in the SearchLocate variants, which passes all searches made on other sites to its servers, which set a cookie so that search usage can be tracked.

Security issues

Has a self-updating feature, which is usually not turned on, but might be enabled in some variants.

Stability problems

None known.

Removal

Open Add/Remove Programs in the Control Panel and remove the entry ‘Searchit - toolbar’ (Searchit variant), ‘Toolbar - My toolbar’ (Search-Explorer variant), ‘qidion - toolbar’ (Qidion variant), ‘masterbarHallmedia.net’ (MasterBar variant), ‘IE Toolbar’ (WhyPPC variant), ‘autoSearch’ (SearchLocate variant), ‘411Ferret Toolbar’ (411Ferret variant) or ‘YuupSearch Toolbar’ (Yuups variant).

In the SearchLocate variant, the Add/Remove Programs entry removes the software but not the A/R P entry itself. To clear up, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A55581DC-2CDB-4089-8878-71A080B22342}.

In the Yuups variant, the Add/Remove Programs entry removes the toolbar but leaves behind a program set to run at startup which opens the yuups.com site in a pop-up. See below to remove this.

Manual Removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for Pugi/Searchit:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\srchitbar.dll"

Or, for Pugi/SearchExplorer:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Search-Explorer\explbar.dll"

Or, for Pugi/Qidion:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\qi32.dll"

Or, for Pugi/MasterBar:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\MasterBar\masterbar.dll"

Or, for Pugi/WhyPPC:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\toolbar.dll"

Or, for Pugi/iSearch:

cd "%WinDir%\System"
regsvr32 /u toolbar.dll

Or, for Pugi/SearchLocate:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\SearchLocate\sidebar.dll"

Or, for Pugi/411Ferret:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\411Ferret\toolbar.dll"

Or, for Pugi/Gexus:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\toolbar.dll"

Or, for Yuups:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\YuupSearch Toolbar\google_toolbar.dll"

Restart the computer and you should be able to delete the program files. For the SearchExplorer and MasterBar variants you can delete the entire ‘Search-Explorer’ or ‘MasterBar’ folder in the Program Files on the C: drive (regardless whether or not that is your system drive).

For the SearchLocate, 411Ferret and Yuups variants you can delete the entire ‘SearchLocate’, ‘411Ferret’ or ‘YuupSearch Toolbar’ folders from the normal Program Files folder.

For the iSearch variant you can delete the files toolbar.dll and version.txt from the System32 folder (inside the Windows folder, called just ‘System’ on Windows 95/98/Me).

For Pugi/Qidion use this command to delete the files:

del "%WinDir%\Downloaded Program Files\qi32.dll"

For Pugi/Searchit:

del "%WinDir%\Downloaded Program Files\srchitbar.dll"

For Pugi/Gexus and Pugi/WhyPPC:

del "%WinDir%\Downloaded Program Files\toolbar.dll"

To clean up, you can also remove the settings in a subkey under the registry key HKEY_LOCAL_MACHINE\Software. The subkey is called search-explorer (SearchExplorer variant), searchit (Searchit variant), qidion (qidion variant), masterbar (Masterbar variant), iSearch (iSearch variant), Softomate (SearchLocate and WhyPPC variants), BTB (411Ferret variant) or XBTB01500 (Yuups variant).

For the Yuups variant, you should also remove the yuups.com-opening startup task. To do this, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, right-click the entry ‘MSTask’ pointing to run_dll.exe and choose ‘Delete’. Restart the computer and you should be able to delete the file run_dll.exe in the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me).

iSearch variant

After removal, check your Hosts file. This can be found inside the Windows folder on Windows 95/98/Me, or in System32\drivers\etc in the Windows folder on Winddows NT/2000/XP/2003. Load it into a text editor such as Notepad and check for lines pointing addresses from 127.0.0.2 upwards at spyware-related sites. If they are there, delete all of these, and correct the entry for localhost to 127.0.0.1 instead of 127.0.0.0.

2ndThought removal

If you had Pugi/SearchExplorer, check whether it was installed by 2ndThought. 2ndThought is a commercial trojan controlled by 2nd-thought.com. It is installed by ActiveX drive-by-downloads from the advertising network AdsCPM, who wrote it (as well as FreeScratchAndWin).

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the ‘stcloader’ entry if you have it. If so, restart the computer and you should be able to delete the ‘STC’ folder inside Program Files, and ‘2ndsrch.dll’ and ‘stcloader.exe’ from the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP).