Manual Removal Guide for AlexaToolbar



Friday
2008-11-29, 23:59
The following instructions have been created to help you to get rid of "AlexaToolbar" manually.
Use this guide at your own risk; dedicated software is usually better suited to removing malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
spyware

Description:
AlexaToolbar collects and transmits data about the user's web browsing behaviour. It is usually bundled with other software.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$SYSDIR>\AlxTB1.dll".
Make sure you set your file manager to display hidden and system files. If AlexaToolbar uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\Alexa Toolbar".
Make sure you set your file manager to display hidden and system files. If AlexaToolbar uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{19C33034-3878-4beb-B843-62C2761AFF96}" at "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Research\Sources\".
Delete the registry key "{27D784D7-9217-4227-B43B-E06E4781E0CB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{69A72A8A-84ED-4a75-8CE7-263DBEF3E5D3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{EA20F195-32DA-4bd6-B348-FD01FC7D3D5A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{04D79E9F-09A9-4AED-9FC2-6E63A3BCA51E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0B32BCCD-4D64-48EB-8EC3-9BA0807D1349}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{3F41980D-B681-488E-9757-0C9744F9C3CE}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{49160F0D-6BE2-4F5F-BCDB-9256DA3BB120}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5A9961FD-B0A6-4065-9552-EBFC199683A3}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{6912BEB3-E20C-4953-8C8E-E91B12B55BFC}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{738CB0ED-54A7-4061-AE2E-40EFD9B1EEF6}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9AF74448-EBD1-484C-8B06-35E597C0B54C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9BAB764B-E4F3-4C7B-99AD-CDF636BBE3A8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A6A08CBD-6673-41B1-B997-3F83A25B45B0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ABF7C4D4-53EF-4C15-8951-D22F63C98E9F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{AC2A5E17-05ED-4E62-86E5-84779E8F0BCA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B71C7D9A-DA43-4E8B-BB9B-1684AC2AF324}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B79D9232-A798-43DB-9E61-281D550460E4}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{DC21CEDE-3B81-43D7-B816-DAEFA7B4901F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EACAA5CE-99B3-470E-9629-8F9EF4C4B637}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry value "{4D5C8C2A-D075-11D0-B416-00C04FB90376}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
If AlexaToolbar uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
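
Before deleting anything, it helps to confirm which of the listed entries actually exist on the machine. The following read-only PowerShell check is an added example, not part of the original guide or of Spybot-S&D: it parses guide lines in the format used above (a few are copied in as sample input) and reports whether each file, folder, registry key or registry value is present. The function names and the mapping of "<$SYSDIR>" and "<$PROGRAMFILES>" to the Windows system and Program Files directories are assumptions.

```powershell
# Read-only audit: parses removal-guide lines and reports which entries exist.
# Nothing is deleted. The sample lines are copied from the guide above.
$guide = @'
The file at "<$SYSDIR>\AlxTB1.dll".
The directory at "<$PROGRAMFILES>\Alexa Toolbar".
Delete the registry key "{27D784D7-9217-4227-B43B-E06E4781E0CB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{EACAA5CE-99B3-470E-9629-8F9EF4C4B637}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry value "{4D5C8C2A-D075-11D0-B416-00C04FB90376}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\".
Delete the registry value "{3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
'@ -split "`r?`n"

# Assumption: the guide's placeholders stand for these Windows locations.
function Expand-GuidePath([string]$Path) {
    $Path = $Path.Replace('<$SYSDIR>', [Environment]::SystemDirectory)
    return $Path.Replace('<$PROGRAMFILES>', $env:ProgramFiles)
}

function Test-GuideLine([string]$Line) {
    if ($Line -match '^The (file|directory) at "(.+)"\.$') {
        $kind   = $Matches[1]
        $target = Expand-GuidePath $Matches[2]
        $type   = if ($kind -eq 'file') { 'Leaf' } else { 'Container' }
        $found  = Test-Path -LiteralPath $target -PathType $type
    }
    elseif ($Line -match '^Delete the registry (key|value) "(.+)" at "(.+)"\.$') {
        $kind, $name = $Matches[1], $Matches[2]
        # The Registry:: provider prefix reaches hives such as HKEY_CLASSES_ROOT
        # that have no default PowerShell drive.
        $parent = 'Registry::' + $Matches[3].TrimEnd('\')
        $target = "$parent\$name"
        if ($kind -eq 'key') {
            $found = Test-Path -LiteralPath $target
        } else {
            # A value lives inside its parent key; compare names case-insensitively.
            $key   = Get-Item -LiteralPath $parent -ErrorAction SilentlyContinue
            $found = [bool]($key -and ($key.GetValueNames() -contains $name))
        }
    }
    else { return }   # not a line in the guide's format
    [pscustomobject]@{ Found = $found; Kind = $kind; Target = $target }
}

$guide | Where-Object { $_ } | ForEach-Object { Test-GuideLine $_ } |
    Format-Table -AutoSize
```

On 64-bit Windows, run the check from both a 64-bit and a 32-bit PowerShell session, since 32-bit software sees redirected system, Program Files and registry locations.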

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.