
Adware.MyWebSearch.AU


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Adware.MyWebSearch.AU is also known as AdTool.Win32.MyWebSearch.av.

Explanation :

MyWebSearch Toolbar is a customizable Internet Explorer search toolbar that comes with a few other tools, such as screensavers, a pop-up blocker, and cursors.

When this adware is installed, it performs the following actions:
a) Creates one or more of the following directories (and subdirectories):
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch

b) Creates the following file:
C:\WINNT\system32\f3PSSavr.scr

c) Adds a toolbar named "MyWebSearch" to Internet Explorer

d) Creates the following registry keys:
HKEY_CLASSES_ROOT\FunWebProducts.DataControl.1
HKEY_CLASSES_ROOT\FunWebProducts.DataControl
HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler.1
HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler
HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar.1
HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.1
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.2
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu
HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager.1
HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager
HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager.1
HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton.1
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl.1
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl
HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl.1
HKEY_CLASSES_ROOT\FunWebProducts.ShellViewControl
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel
HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin.1
HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin.1
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin
HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin.1
HKEY_CLASSES_ROOT\MyWebSearchToolBar.ToolbarPlugin
HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller.1
HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\sources [f3PopularScreensavers = "C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL"]

e) Runs one or more of the following:
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe

f) Adds one or more of the following values under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[MyWebSearch Email Plugin = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe"]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[My Web Search Bar = "rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S"]
[MyWebSearch Email Plugin = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe"]

which will run "mwsoemon.exe" when Microsoft Windows starts.

Last update 21 November 2011

 
