What is SurferBar?
SurferBar is an Internet Explorer toolbar that might be associated with a new version of a trojan horse program called AFlooder. It appears to be installed as an ActiveX drive-by download. SurferBar is also known as AdPlus/AdBar; it sets your home page to their website and displays popup ads.
Today (September 3rd, 2003) Symantec and TrendMicro both reported discovering this trojan; TrendMicro is calling it the JunkSurf.A trojan.
Based upon visitors' comments, I have added information about a 2nd variation of SurferBar and instructions on removing it today - September 9, 2003.
This worm exploits another security hole in Internet Explorer that needs to be patched. The update fixes two vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user's system if the user either browsed to a hostile Web site or opened a specially crafted HTML-based email message. You can download the update at the following location:
Information about the security hole in Internet Explorer
Download the patch for this security hole
According to a post in SpywareInfo.com:
BoClean seems to already be updated to remove this trojan file. The new AFlooder is an IRC trojan/spybot that uses worm techniques to spread to machines via web pages. It is apparently coded to have qualities of remote access trojans, IRC bots, keyloggers, and even seems to have the capability to carry out DDoS attacks if the owner orders it to. I just a few moments ago heard from a fellow at BOclean that it's a spambot too. It uses an exploit to write and execute its injector program to machines without the user's acceptance or knowledge, then it uses NTFS's alternate file streams to hide itself where there's very little chance of finding it -- in the actual Windows folder system32. On my system, the injector was made up of two files stored in Windows/system32, ezluu.exe and ezluu.dll. This may be randomly selected -- unfortunately I dumped them before I realized I was really infected. If anyone can clarify this, please let me know, and if you have copies of this, definitely let me know as I am collecting "evidence" of this worm at work.
You can determine whether your system is infected by either running HijackThis or by using regedit and navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
If you see a key with similar content to the below, you should also have one in RunOnce. Mind you, the letters can be any seven-letter combination -- it's randomly selected upon infection and stays constant throughout.
How do I Remove SurferBar?
Follow these steps to remove the SurferBar toolbar. To complete these steps you may have to start in Safe Mode; however, after terminating the running program you should be able to complete the steps normally.
1) Terminate the running program
Open the Windows Task Manager by pressing CTRL+ALT+DEL on Win9x machines, or by pressing CTRL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
Locate the following program, click on it, and choose End Task or End Process:
wins32.exe (2nd variation)
Close Task Manager
2) Remove the Registry entries
Click on Start, Run, Regedit
In the left panel go to
In the right panel, right-click and delete the following entry
Close the Registry Editor
3) Delete the infected files (on Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up copies are removed as well).
Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the file names:
win32.dll (in the Program Files directory)
winsrv32.exe (in the Program Files directory)
drg.exe (in the root directory)
win32.dll (in the Program Files directory)
wins32.exe (in the Program Files directory)
sfbar.exe (in the root directory)
Click Find Now or Search Now.
Delete the displayed files.
4) Change your default Internet home page in Internet Explorer:
Open Internet Explorer
Click on Tools
Click on Internet Options
Click in the Homepage section and reset your homepage to whatever page you would like
5) Open Regedit and search for registry keys containing "surferbar", "adplus", and "adbar", and delete these keys.
This should remove SurferBar from your computer.
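As an added check that is not from the original page or any vendor tool, the following PowerShell script audits a machine for the indicators described above (the Run/RunOnce value, the dropped files from step 3, the IE start page from step 4, and the alias-named registry keys from step 5) without deleting anything, so the findings can be reviewed before the manual steps are carried out. The seven-letter value-name test is a heuristic taken from the post above, and the script assumes an elevated PowerShell session with %SystemRoot% and %ProgramFiles% standing in for the hard-coded C:\WINDOWS and Program Files paths.

```powershell
# Added read-only audit script; not from the original page or any vendor tool.
# It reports SurferBar indicators and deletes nothing, so findings can be
# reviewed before the manual removal steps are followed.
# Assumptions: elevated PowerShell on the affected machine; %SystemRoot% and
# %ProgramFiles% stand in for the C:\WINDOWS and Program Files paths of step 3.
$findings = @()

# Run / RunOnce: the post says the injector's value name is a random, constant
# seven-letter string, so any all-letter seven-character name is flagged
# (heuristic, assumption), as is any value whose data names a step-3 file.
$fileRegex = 'win32\.dll|winsrv32\.exe|wins32\.exe|drg\.exe|sfbar\.exe'
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        if ($p.Name -match '^[A-Za-z]{7}$' -or "$($p.Value)" -match $fileRegex) {
            $findings += "Autorun value '$($p.Name)' = '$($p.Value)' in $key"
        }
    }
}

# Step 3: the dropped files, searched under the Windows and Program Files trees.
$names = 'win32.dll', 'winsrv32.exe', 'drg.exe', 'wins32.exe', 'sfbar.exe'
foreach ($dir in $env:SystemRoot, $env:ProgramFiles) {
    Get-ChildItem -Path $dir -Recurse -Force -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File present: $($_.FullName)" }
}

# Step 4: report the current IE start page so a hijacked value is visible.
$main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start) { $findings += "IE start page: $start" }

# Step 5: registry keys whose name contains the toolbar's aliases.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match 'surferbar|adplus|adbar' } |
        ForEach-Object { $findings += "Registry key: $($_.Name)" }
}

if ($findings.Count -eq 0) { 'No SurferBar indicators found.' } else { $findings }
```

Review each reported line before deleting anything: the seven-letter heuristic can match legitimate autorun entries, so confirm what the value launches before treating it as the injector.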