Adware.Myway.T

VERY HIGH
LOW
approx 1.5KB
(MySearch)

Symptoms

The presence of a toolbar in Internet Explorer or Netscape Navigator that may contain one of the strings: “My Way”, “MySearch”.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Mihai Razvan Benchea, virus researcher

Technical Description:


The program comes bundled with another program. Upon installation, the adware creates the following files:

  • %ProgramFiles%\MyWay\myBar\1.bin\MWHTMLMU.DLL
  • %ProgramFiles%\MyWay\myBar\1.bin\MY2NS.EXE
  • %ProgramFiles%\MyWay\myBar\1.bin\MYBAR.DLL
  • %ProgramFiles%\MyWay\myBar\1.bin\MYPOPSWT.DLL
  • %ProgramFiles%\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
  • %ProgramFiles%\MyWay\myBar\1.bin\NPMYWAY.DLL
  • %ProgramFiles%\MyWay\myBar\1.bin\PARTNER.DAT
  • %ProgramFiles%\MyWay\myBar\1.bin\PARTNER2.DAT

It creates registry keys so it can start with Internet Explorer and Netscape Navigator. Here are some keys it creates:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MyWay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall

The following values are used so the adware can start with Internet Explorer and Netscape Navigator:

  • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Automation Startup \ MyWayToolBar.NetscapeStartup.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects \ {0494D0D1-F8E0-41ad-92A3-14154ECE70AC}
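
A read-only triage check for the startup entries and install folder named above, as an added example that is not part of the original description or of any BitDefender tool. The WOW6432Node and ProgramFiles(x86) locations are assumptions added here for 64-bit Windows, where a 32-bit installer is redirected; every other value is copied from this description.

```powershell
# Added example: read-only check for Adware.Myway.T artifacts listed in this description.
$bho = '{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}'   # BHO CLSID from the description
$findings = @()

# Keys from the description, relative to HKLM\SOFTWARE.
$relKeys = @(
    "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
    'MyWay',
    'Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall'
)
# Assumption: on 64-bit Windows a 32-bit installer writes under WOW6432Node,
# so both registry views are checked.
foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    foreach ($rel in $relKeys) {
        $key = Join-Path $view $rel
        # -LiteralPath keeps the braces in the CLSID from being interpreted.
        if (Test-Path -LiteralPath $key) { $findings += "registry key: $key" }
    }
}

# Netscape Navigator startup value (per-user; only the current user's hive is read).
$nsKey  = 'HKCU:\Software\Netscape\Netscape Navigator\Automation Startup'
$nsName = 'MyWayToolBar.NetscapeStartup.1'
if (Test-Path -LiteralPath $nsKey) {
    $val = Get-ItemProperty -LiteralPath $nsKey -Name $nsName -ErrorAction SilentlyContinue
    if ($val) { $findings += "registry value: $nsKey\$nsName" }
}

# Install folder from the description; the (x86) root is the 64-bit assumption above.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    $dir = Join-Path $root 'MyWay\myBar\1.bin'
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
            $findings += "file: $($_.FullName)"
        }
    }
}

if ($findings) {
    $findings | Sort-Object -Unique
} else {
    'No Adware.Myway.T artifacts from this description were found.'
}
```

The script only reports what it finds and changes nothing; other user profiles need their own hives loaded to check the Netscape value.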

Searches are done through the web site www.mysearch.com. Even though you may select your search engine (Google, Yahoo, Ask.com), the information you search for, your IP address, your domain, your browser language and the data in any undeleted cookies that the browser accepted from myway.com are collected for the use of myway.
Because the adware uses their website to display the results from the selected search engine, it doesn’t need popups to show commercial ads: it can display them directly on the results page.