Manual Spy Bot Removal > Pugi
Pugi is a search toolbar program which has been customised and stealth-installed by many different sites.
Variants
Pugi/Searchit , pointed at www.searchit.com, distributed through inet-traffic.com.
Pugi/SearchExplorer , pointed at www.search-explorer.com, distributed through and controlled by adpowerzone.com.
Pugi/Qidion , controlled by qidion.com, pointed at www.findwhatevernow.com.
Pugi/Masterbar , pointed at masterbar.com; also sets search pages to point at masterbar.com.
Pugi/XXXToolbar , part of the ISTbar/XXXToolbar parasite, documented on the ISTbar page.
Distribution
ActiveX drive-by download in pop-up adverts.
Pugi/SearchExplorer is also installed by the 2ndThought parasite from June 2003.
Advertising
Possible. The SearchExplorer variant is the only version known to use this facility.
Privacy violation
Possible, again in the SearchExplorer variant which may pass URLs being viewed to its controlling server every few pages (including local folders viewed using the Windows Explorer!).
Security issues
Yes. Can download and execute arbitrary code as directed by its controlling site, as an update feature.
Stability problems
None known.
Removal
Open Add/Remove Programs in the Control Panel and remove the entry 'Searchit - toolbar' (Searchit variant), 'Toolbar - My toolbar' (Search-Explorer variant), 'qidion - toolbar' (Qidion variant) or 'masterbarHallmedia.net' (MasterBar variant).
Manual Removal
Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for Pugi/Searchit:
cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\srchitbar.dll"
Or, for Pugi/SearchExplorer:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Search-Explorer\explbar.dll"
Or, for Pugi/Qidion:
cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\qi32.dll"
Or, for Pugi/MasterBar:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\MasterBar\masterbar.dll"
Restart the computer and you should be able to delete the program files. For the SearchExplorer and MasterBar variants you can delete the entire 'Search-Explorer' or 'MasterBar' folder in the Program Files on the C: drive (regardless whether or not that is your system drive).
For Pugi/Qidion use this command to delete the files:
del "%WinDir%\Downloaded Program Files\qi32.dll"
For Pugi/Searchit use this command to delete the files:
del "%WinDir%\Downloaded Program Files\srchitbar.dll"
2ndThought removal
If you had Pugi/SearchExplorer, check whether it was installed by 2ndThought. 2ndThought is a commercial trojan controlled by 2nd-thought.com. It is installed by ActiveX drive-by-downloads from the advertising network AdsCPM, who wrote it (as well as FreeScratchAndWin ).
Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the 'stcloader' entry if you have it. If so, restart the computer and you should be able to delete the 'STC' folder inside Program Files, and '2ndsrch.dll' and 'stcloader.exe' from the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP).
|
