Adware.Mywebsearch.DV

MEDIUM
LOW
approx. 2.5 Mb
(Adware.Mywebsearch , Adware.MWS)

Symptoms

A toolbar for Internet Explorer named MyWebSearch.
A process named "mwsoemon.exe" listed in Task Manager's "Processes" list.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The toolbar is a utility bar for searching the net. It uses other known search engines, routed through its own site, http://www.mywebsearch.com. It stores information about search keywords.
When this adware is installed, it performs the following actions:
a) Creates one or more of the following directories and files:
%programfiles%\MyWebSearch (more files inside)
%system32%\f3PSSavr.scr
%programfiles%\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
%programfiles%\MyWebSearch\bar\1.bin\MWSBAR.DLL

b) Adds a toolbar named "MyWebSearch" to Internet Explorer

c) Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.DataControl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.DataControl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.HistoryKillerScheduler.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.HistoryKillerScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.HistorySwatterControlBar.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.HistorySwatterControlBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.HTMLMenu.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.HTMLMenu.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.HTMLMenu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.IECookiesManager.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.IECookiesManager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.KillerObjManager.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.KillerObjManager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.PopSwatterBarButton.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.PopSwatterBarButton
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.PopSwatterSettingsControl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.PopSwatterSettingsControl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.ShellViewControl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FunWebProducts.ShellViewControl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWebSearch.HTMLPanel.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWebSearch.HTMLPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWebSearch.OutlookAddin.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWebSearch.PseudoTransparentPlugin.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyWebSearch.PseudoTransparentPlugin
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MyWebSearchService

d) Runs one or more of the following:
%programfiles%\MyWebSearch\bar\1.bin\mwsoemon.exe

e) Adds the following value under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[MyWebSearch Email Plugin = "%programfiles%\MYWEBS~1\bar\1.bin\mwsoemon.exe"]

which will run "mwsoemon.exe" when Microsoft Windows starts.
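
A read-only check for the artifacts listed above, added here as an example; it is not BitDefender's code. It needs PowerShell 3.0 or later. It assumes that %programfiles% and %system32% map to the locations shown, and that on 64-bit Windows the install may sit in "Program Files (x86)" and the WOW6432Node registry view.

```powershell
# Added example: read-only triage for the artifacts listed in this description.
# Indicator strings are copied from the page; everything else is an assumption.
$keys = @(
    'HKLM:\SOFTWARE\MyWebSearch',
    'HKLM:\SOFTWARE\Fun Web Products',
    'HKLM:\SOFTWARE\FocusInteractive',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}',
    'HKLM:\SYSTEM\ControlSet001\Services\MyWebSearchService'
)
# Assumption: on 64-bit Windows a 32-bit install is redirected to WOW6432Node,
# so every HKLM:\SOFTWARE key is also checked in that view.
$keys += $keys | Where-Object { $_ -like 'HKLM:\SOFTWARE\*' } |
    ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\' }

# Assumption: %programfiles% may be either Program Files directory.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$files = @(Join-Path $env:SystemRoot 'System32\f3PSSavr.scr')
foreach ($r in $roots) {
    $base = Join-Path $r 'MyWebSearch'
    $files += $base
    $files += 'SrchAstt\1.bin\MWSSRCAS.DLL', 'bar\1.bin\MWSBAR.DLL', 'bar\1.bin\mwsoemon.exe' |
        ForEach-Object { Join-Path $base $_ }
}

$results = @(foreach ($p in ($keys + $files)) {
    # -LiteralPath: the braces in the BHO CLSIDs are never treated as a pattern.
    [pscustomobject]@{ Indicator = $p; Present = (Test-Path -LiteralPath $p) }
})

# The Run value on the page uses the 8.3 short name MYWEBS~1, so match the
# executable name in the value data instead of the folder name.
# HKCU covers only the user running this script.
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
$runHits = @()
if ($run) {
    $runHits = @($run.GetValueNames() |
        Where-Object { "$($run.GetValue($_))" -match 'mwsoemon\.exe' })
}
$results += [pscustomobject]@{ Indicator = "$runPath -> mwsoemon.exe"; Present = ($runHits.Count -gt 0) }

$proc = Get-Process -Name 'mwsoemon' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Indicator = 'process mwsoemon.exe'; Present = [bool]$proc }

$results | Sort-Object Present -Descending | Format-Table -AutoSize -Wrap
```

The FunWebProducts.* and MyWebSearch.* class keys from list c) are not included in this check.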