What Is VSToolbar (VSAdd-in.dll)?

Windows Security Tutorials - Herong's Tutorial Examples

∟VSToolbar (VSAdd-in.dll) - Description and Removal

∟What Is VSToolbar (VSAdd-in.dll)?

This section provides a quick description of what is VSToolbar (VSAdd-in.dll).

After removing Trojan Vundo, I saw two more suspicious entries in the HijackThis report:

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03}
   - C:\Program Files\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452}
   - C:\Program Files\VSAdd-in\VSAdd-in.dll

File System Checking: Using File Explorer, I was able to locate this suspicious DLL file:

Directory: \Program Files\VSAdd-in

File:
10/31/2006  09:59 PM            68,864 VSAdd-in.dll

Analysis: This adware DLL file seemed to infected to the system at the same time as the other Vundo DLL file:

10/31/2006  09:59 PM            60,436 gidijvia.dll

Was this a coincident? I don't think so. I am guessing that the Trojan Vundo was able to visit its source Website, download new adware, and install it on the infected Windows system.

Google Search Result: When I searched for "VSAdd-in.dll" with Google, I got the following interesting items out of 352 matches:

1. From fileinfo.prevx.com/fileinfo.asp?PXC=f77250043136, it was an information page about VSAdd-in.dll:

DEFINITION OF: VSADD-IN.DLL
* Safety Rating: Known Malware, do not run
* Malware Family: Part of Malware group - Adware VSToolbar
* Malware Form: EXPLOIT
* Protection: Prevx1 is a very powerful PC security product, 
  it will protect, disinfect, cleanup and remove VSADD-IN.DLL 
  and safeguard your PC against viruses, trojans, worms, spyware, 
  rootkits and adware
* New Users: You can download the full Prevx1 product and use it 
  to cleanup and remove VSADD-IN.DLL and other infections free of 
  charge, then leave it to monitor your PC for other infections
* First seen: Oct 26 2006 (GMT)
* Last seen: Oct 26 2006 (GMT)
* File Size: 126,976 bytes

2. From www.castlecops.com/t170608-VSAdd_in_dll.html, it was a forum post dated on Oct 31, 2006. The post reported that VSAdd-in toolbar links to hxxp://xxx.searchcolours.com, and searching for antispyware products spawns numerous rogue antispyware applications.

3. From www.techspot.com/vb/topic62105.html, it was a forum post dated on Nov 2, 2006, reporting a case of infection with 3 related entries in HijackThis report:

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03}
   - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} 
   - C:\WINDOWS\system32\rvxjdqom.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452}
   - C:\Program Files\VSAdd-in\VSAdd-in.dll

4. From forums.techguy.org/security/514824-i-am-direneed-help-vsadd.html, it was a forum post dated on Nov 2, 2006, reporting a case of infection with 3 related entries in HijackThis report:

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} 
   - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} 
   - C:\WINDOWS\system32\gfbfpnyc.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452}
   - C:\Program Files\VSAdd-in\VSAdd-in.dll

It was interesting to see that Norton Internet Security was also installed on the infected system, offering no protection at all:

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298...}
 - C:\Program Files\Common Files\Symantec ...\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} 
 - C:\Program Files\Norton Internet ...\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19...}
 - C:\Program Files\Common Files\Symantec ...\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF0...}
 - C:\Program Files\Norton Internet ...\Norton AntiVirus\NavShExt.dll