Classification

Category :

Malware

Type :

-

Aliases :

Swicer, W32/Swicer.gen, Swicer.gen

Summary

Swicer is a very intrusive adware/spyware software. It installs itself as Internet Explorer plugin and keeps showing popups and downloads executable files from LOP.COM website.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Usually Swicer downloader is dropped to computers from certain webpages if Internet Explorer is used to view them. Then the downloader is activated and it hiddenly downloads and activates main Swicer components. These components are packed inside a single executable file - dropper. When run, this dropper unpacks a few GIF image and one HTML file with random names into Windows folder and then drops the Internet Explorer plugin with a random name into Application Data folder of a current user. So when IE is opened next time, the plugin is activated and a there appears a blue searchbar with several buttons in IE interface. However sometimes the plugin fails to activate.

The plugin shows popups and at some point can open webpages that contain more adware components. To our knowledge there are no uninstallation instructions for Swicer adware available from its manufacturer, so we are providing manual disinfection instructions below.

To get rid of Swicer adware please go to the following folder with your Windows Explorer (by default this folder is on C: drive):

\Documents and Settings\\Application Data\   

where <current_user> is your user name (the name that you log in to your computer, without brackets). In that folder there should be a single DLL file with a random name and about 510-530 kilobytes in size. Please close your Internet Explorer and delete that DLL file. Then the adware problem should be solved.

Also it is recommended to delete the following folder that is used by Swicer adware to download additional components:

\Documents and Settings\\Local Settings\Temp\delete.me   

where <current_user> is your user name (the name that you log in to your computer, without brackets).