Adware.Mywebsearch.F
( AdTool.Win32.MyWebSearch.f )
Spreading: medium
Damage: low
Size: ~80 kb
Discovered: 2006 Aug 15
SYMPTOMS:
A toolbar for Internet Explorer named MyWebSearch.
A process named "mwsoemon.exe" listed in Task Manager's "Processes" list.
TECHNICAL DESCRIPTION:
MyWebSearch Toolbar is a customizable Internet Explorer search toolbar that comes bundled with a few other tools, such as screensavers, a pop-up blocker and cursors.
When this adware is installed, it performs the following actions:
a) Creates one or more of the following directories (and subdirectories)
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
b) Creates the following file
C:\WINNT\system32\f3PSSavr.scr
c) Adds a toolbar named "MyWebSearch" to Internet Explorer
d) Creates the following registry keys
HKEY_CLASSES_ROOT\FunWebProducts.DataControl.1
HKEY_CLASSES_ROOT\FunWebProducts.DataControl
HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler.1
HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler
HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar.1
HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.1
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.2
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu
HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager.1
HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager
HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager.1
HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton.1
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl.1
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl
HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl.1
HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel
HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin.1
HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin.1
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin
HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin.1
HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin
HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller.1
HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\sources [f3PopularScreensavers = "C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL"]
e) Runs one or more of the following:
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
f) Adds one or more of the following values under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[MyWebSearch Email Plugin = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe"]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[My Web Search Bar = "rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S"]
[MyWebSearch Email Plugin = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe"]
which will run "mwsoemon.exe" when Microsoft Windows starts.
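A read-only triage check for the artifacts listed in a) through f), as an added example that is not part of the original description. It assumes PowerShell on the affected Windows host; using $env:SystemRoot in place of the listed C:\WINNT is an assumption so the check also works where Windows is installed elsewhere.

```powershell
# Added example: reports which artifacts from this description exist; changes nothing.
# Paths, key names and value names are copied from the lists above.
$paths = @(
    'C:\Program Files\FunWebProducts',
    'C:\Program Files\MyWebSearch',
    'C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe',
    (Join-Path $env:SystemRoot 'system32\f3PSSavr.scr')   # page lists C:\WINNT (assumption)
)
$keys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products',
    'HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall'
)
$runKeys = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$runNames = @('MyWebSearch Email Plugin', 'My Web Search Bar')
# Run data uses 8.3 short names (MYWEBS~1), so match short and long spellings.
$runData = 'mwsoemon\.exe|MWSBAR\.DLL|MYWEBS~1|MyWebSearch'

$findings = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "FILE   $p" }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath "Registry::$k") { $findings += "KEY    $k" }
}
foreach ($k in $runKeys) {
    $item = Get-Item -LiteralPath "Registry::$k" -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($runNames -contains $name -or $data -match $runData) {
            $findings += "RUN    $k [$name = $data]"
        }
    }
}
# ProgID keys from list d): match the vendor prefixes under HKEY_CLASSES_ROOT.
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(FunWebProducts|MyWebSearch|MyWebSearchToolBar)\.' } |
    ForEach-Object { $findings += "PROGID $($_.Name)" }
if (Get-Process -Name 'mwsoemon' -ErrorAction SilentlyContinue) { $findings += 'PROC   mwsoemon.exe' }

if ($findings) { $findings } else { 'No listed artifacts found.' }
```

Run it once as the affected user and once elevated, since the HKEY_CURRENT_USER Run value is per-user.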
Removal instructions:
Please let BitDefender disinfect your computer.
ANALYZED BY:
Mihai Cimpoesu, Virus Researcher