Welcome to BC. From this post
, I assume you work for Spyware Terminator? With all due respect, I think you may be confused with how our startup database works. We do not list Toolbars, BHOs, IE Extensions, DPFs, or UrlSearchHooks in our database. Our database is only executables and DLLs that are started up via automatic run locations, which a toolbar is not. CC on the other hand does have a Toolbar database, but if you are referring to their entry in their startup database, then the information below applies to their entry as well. I will let the CC startup administrators know about this topic so they do not do extra research on their end/
I for one, have no experience with Crawler Toolbar or the company who represents Ctoolbar? From the research I have done, they do indeed appear to be a legitimate Internet Explorer toolbar. Their file is located at C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe.
The confusion we are having is because it is very common for different software to use the same filenames as another one. I think we can all agree on that.
I was able to get the original DoxDesk page from the WayBack machine and we can see that the Wareout infection does indeed use CToolBar.exe filename:http://web.archive.org/web/20060106081903/...te/WareOut.html
As the information comes from Andrew Clover, I think we can be rest assured that it is accurate. So it appears that Wareout did indeed create startup entries that had random reg names and random filenames. One of the random filenames that it would use would be CToolBar.exe. This is further corroborated by some entries found in HijackThis logs.
I have put the filenames in question in bold below. You can also see that in two of the logs, there are two startup entries that match possible startups found in Andrew's writeup.
From this log
:O4 - HKCU\..\Run: [iesetupdll] CToolBar.exe
O4 - HKCU\..\Run: [StatusCheck] InpriseMon.exe
O4 - HKCU\..\Run: [driver64] xsetup.exe
Or from this log
:O4 - HKCU\..\Run: [barint] CToolBar.exe
O4 - HKCU\..\Run: [xsetup] srbho.exe
O4 - HKCU\..\Run: [SpyElim] JAguAr.exe
Or from this log
:O4 - HKCU\..\Run: [TorontoMail] corrida.exe
O4 - HKCU\..\Run: [SysSupport] CToolBar.exe
These are clearly malware and not affiliated with Crawler Toolbar.
For even further clarification, our startup entry for CToolBar.exe
states that the file we are talking about is located in the %System% folder. That alone shows that we are talking about completely different files.
So with all of this said, we will be leaving the entry as it is due to it being accurate. If you have any evidence showing the contrary please let me know and I will be happy to look into it further. To avoid further confusion, I have added a statement into the startup entry stating that it is not the same program as Crawler Toolbar.
Thanks for contacting us.