Adware-Websearch

Type
Program
SubType
Adware
Discovery Date
03/11/2005
Minimum DAT
4351 (04/14/2004)
Updated DAT
5587 (04/17/2009)
Minimum Engine
5.1.00
Description Added
04/15/2004
Description Modified
03/15/2005 4:12 PM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan.  It is detected as a "potentially unwanted program" (PUP).  It is an Internet Explorer browser helper object (BHO) that provides a search toolbar while also delivering targeted advertising.

Upon visiting the homepage (www.websearch.com) it appears that the program has at least two methods of installation.  The first is a signed ActiveX control.  If the user declines the ActiveX install (installation is attempted twice), another page is presented and a stub downloader (edow.exe) is offered as a standard file download.  In both cases graphical examples and flashing arrows encourage the user to press the button that installs the software.  The advice to read the license agreement first is, however, present in multiple locations (a link in the ActiveX download dialog and a link on the web page itself).

The license agreement clearly describes the functionality of the software: it will block some advertisement pop-ups, but will also display advertisements of its own and may silently update itself, among other actions.  It is open-ended, allowing the agreement to be amended at any time.

Link to full license agreement: http://www.websearch.com/legal/terms.aspx

Privacy

Links to the privacy policy and terms of use are added to a Start Menu group "Web Search Tools".  The privacy policy clearly states what information is to be collected by the software (information entered in online forms/fields, clickstream data, IP and URLs of sites visited, codes for products viewed or purchased).  It also warns that personally identifiable data may be included in the data collected as a matter of course (email, address, name, etc), although the claim is made that it is not the intent of the publisher to assemble links between these data collections and individual user identities.

Link to full privacy policy: http://www.websearch.com/legal/privacy.aspx

Although the installer offers the EULA and privacy policy when the software is installed directly from the Websearch site, the software can be installed without this information being presented.  If the stub downloader is saved rather than executed (choosing "Save" instead of "Open" when prompted) and run later, the toolbar is installed with no indication; notification appears only after installation is complete, as a web browser window pointed at http://download.websearch.com/install/tb_confirm_info.aspx.  Thus the stub executable could be bundled with another program in such a way that no license agreement is displayed beforehand.

Files Added

NOTE: Some of the filenames may be randomly generated.

c:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\
Frequently Asked Questions.url
Home.url
Privacy Policy.url
Terms of Use.url

c:\Program Files\Common Files\WinTools\
rmhgxlmu.wzg
WSup.exe *
WToolsA.exe *
WToolsB.dll (MD5: A8CA460B18E6A6AC46A573BDB71FACD0)
WToolsC.cfg
WToolsD.cfg
WToolsP.cfg
WToolsS.exe (MD5: A50CC5A1C855CCFB3DD6750BE078F043)

* These two files are identical (MD5: 6893D364626F37BAFDE64610270FFD4C)

c:\Program Files\Toolbar\
common.dll  (MD5: 50D186D3ECAB84C41F130AA74E01654A)
gykhxlmu.rmr
IExploreSkins.exe (MD5: C3C549AC942AAABFE9D7DBBC29EF08EE)
nzqlihv.wzg
PIB.exe (MD5: 96F0D1EE0B20E8B7F3C460E971112756)
rw.wzg
TBPS.exe ‡
TBPSSvc.exe ‡
toolbar.dll (MD5: 3C79B2B063006D9D09D3F0BE78CC44FE)
WSG.exe (MD5: CC966FEBF1B745F911D1C0F02C586878)
xlmurin.wzg
xzxsv.wzg

‡ These two files are identical (MD5: 96F0D1EE0B20E8B7F3C460E971112756)

c:\Program Files\Toolbar\Cursors\cursors.xml
c:\WINDOWS\system32\TBPS.ini

Registry Changes (most significant/high-level)

Keys Added:

HKEY_CURRENT_USER\Software\Toolbar
HKEY_CURRENT_USER\Software\WinTools
HKEY_CLASSES_ROOT\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}
HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}
HKEY_CLASSES_ROOT\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}
HKEY_CLASSES_ROOT\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}
HKEY_CLASSES_ROOT\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}
HKEY_CLASSES_ROOT\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_CLASSES_ROOT\CLSID\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_CLASSES_ROOT\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_CLASSES_ROOT\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}
HKEY_CLASSES_ROOT\CLSID\{A8DEB4A5-D9EF-4D21-B4F6-921475004E7D}
HKEY_CLASSES_ROOT\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}
HKEY_CLASSES_ROOT\CLSID\{CABCF5E7-0C79-4F1C-909D-B9CF68FED746}
HKEY_CLASSES_ROOT\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}
HKEY_CLASSES_ROOT\CLSID\{F1616B86-9288-489D-B71A-0CCF2F1A89DA}
HKEY_CLASSES_ROOT\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}
HKEY_CLASSES_ROOT\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}
HKEY_CLASSES_ROOT\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}
HKEY_CLASSES_ROOT\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}
HKEY_CLASSES_ROOT\Interface\{66C22569-F05C-4A70-A142-763B337E1002}
HKEY_CLASSES_ROOT\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}
HKEY_CLASSES_ROOT\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}
HKEY_CLASSES_ROOT\Interface\{D1951679-1D52-43FC-9585-0737143585F5}
HKEY_CLASSES_ROOT\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}
HKEY_CLASSES_ROOT\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}
HKEY_CLASSES_ROOT\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}
HKEY_CLASSES_ROOT\TypeLib\{DB9A4E78-35DF-4A54-B6C5-C5190CEAF949}
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\WinTools
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TBPSSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinToolsSvc

Values Added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "TBPS"
Data: C:\PROGRA~1\Toolbar\TBPS.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinTools"
Data: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
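
The file list and the registry list above are the indicators a responder would check on a suspect host.  As an added example (not McAfee's or Websearch's own code), the following PowerShell script reports which of those artifacts are present locally: it hashes every file found in the listed directories and compares the MD5 of the named binaries with the values above, and it checks the BHO registrations, protocol handlers, service keys, Run values and running services.  It assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt.  The function names, the Wow6432Node and ProgramData paths (for 64-bit and post-XP Windows) and the output format are this example's own assumptions and do not come from the write-up.

```powershell
# Added example (not McAfee or Websearch code): report the Adware-Websearch
# artifacts listed in the write-up on the local host. Detection only, no removal.
# Assumes PowerShell 4.0 or later (Get-FileHash) from an elevated prompt so that
# HKLM, the Services keys and Program Files are readable.
# File names, directories, registry keys, CLSIDs and MD5s come from the write-up;
# the function names, Wow6432Node/ProgramData paths and output shape are assumptions.

# MD5s from the "Files Added" list, keyed by file name (hashtable keys are case-insensitive).
$KnownHashes = @{
    'WSup.exe'          = '6893D364626F37BAFDE64610270FFD4C'
    'WToolsA.exe'       = '6893D364626F37BAFDE64610270FFD4C'
    'WToolsB.dll'       = 'A8CA460B18E6A6AC46A573BDB71FACD0'
    'WToolsS.exe'       = 'A50CC5A1C855CCFB3DD6750BE078F043'
    'common.dll'        = '50D186D3ECAB84C41F130AA74E01654A'
    'IExploreSkins.exe' = 'C3C549AC942AAABFE9D7DBBC29EF08EE'
    'PIB.exe'           = '96F0D1EE0B20E8B7F3C460E971112756'
    'TBPS.exe'          = '96F0D1EE0B20E8B7F3C460E971112756'
    'TBPSSvc.exe'       = '96F0D1EE0B20E8B7F3C460E971112756'
    'toolbar.dll'       = '3C79B2B063006D9D09D3F0BE78CC44FE'
    'WSG.exe'           = 'CC966FEBF1B745F911D1C0F02C586878'
}

function New-Finding([string]$Kind, [string]$Item, [string]$Md5 = '', $Match = $null) {
    [pscustomobject]@{ Kind = $Kind; Item = $Item; MD5 = $Md5; Match = $Match }
}

function Get-WebsearchFileFindings {
    # Every file under these directories is reported: the write-up says some names
    # (the .wzg/.rmr payloads) are randomly generated, so a fixed name list would
    # miss them. Match is $true/$false for names with a listed MD5, $null otherwise.
    $roots = @(
        @($env:ProgramFiles,       'Toolbar'),
        @($env:CommonProgramFiles, 'WinTools'),
        @($env:ALLUSERSPROFILE,    'Start Menu\Programs\Web Search Tools'),                      # 2000/XP layout
        @($env:ProgramData,        'Microsoft\Windows\Start Menu\Programs\Web Search Tools')     # Vista and later
    )
    foreach ($r in $roots) {
        if (-not $r[0]) { continue }                       # env var absent on this Windows version
        $d = Join-Path $r[0] $r[1]
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -Recurse -File | ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            $expected = $KnownHashes[$_.Name]
            $hashMatch = if ($expected) { $md5 -eq $expected } else { $null }
            New-Finding 'File' $_.FullName $md5 $hashMatch
        }
    }
    $ini = Join-Path $env:windir 'system32\TBPS.ini'
    if (Test-Path -LiteralPath $ini) { New-Finding 'File' $ini }
}

function Get-WebsearchRegistryFindings {
    $keys = @(
        'HKCU:\Software\Toolbar',
        'HKCU:\Software\WinTools',
        'HKLM:\SOFTWARE\Toolbar',
        'HKLM:\SOFTWARE\WinTools',
        'HKLM:\SYSTEM\CurrentControlSet\Services\TBPSSvc',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WinToolsSvc',
        'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol',
        'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol'
    )
    # The two BHO CLSIDs. 32-bit Internet Explorer on 64-bit Windows registers BHOs under
    # Wow6432Node, so both views are checked. The remaining CLSID, Interface and TypeLib
    # GUIDs from the "Keys Added" list can be appended in the same form.
    $bhoClsids = '{87766247-311C-43B4-8499-3D5FEC94A183}', '{8952A998-1E7E-4716-B23D-3DBE03910972}'
    foreach ($c in $bhoClsids) {
        $keys += "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
        $keys += "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { New-Finding 'RegKey' $k }
    }
    # Autostart values: report the data so it can be compared with the paths in "Values Added".
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in 'TBPS', 'WinTools') {
        $v = Get-ItemProperty -LiteralPath $run -Name $name -ErrorAction SilentlyContinue
        if ($v) { New-Finding 'RunValue' "$run\$name = $($v.$name)" }
    }
    # Services hold the binaries open; their state matters before any file removal.
    foreach ($svc in Get-Service -Name 'TBPSSvc', 'WinToolsSvc' -ErrorAction SilentlyContinue) {
        New-Finding 'Service' "$($svc.Name) ($($svc.Status))"
    }
}

$findings = @(Get-WebsearchFileFindings) + @(Get-WebsearchRegistryFindings)
if ($findings.Count -eq 0) { 'No Adware-Websearch artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

The script only reports, which suits the caveat at the top of this page that the program may have been installed knowingly.  A Match of $false means a listed file name is present but the binary differs (the DAT for this detection was updated through 2009, so later builds can hash differently); a $null Match is a file the hash list does not name, which in these directories is still an indicator.  If removal is decided on, stop and delete the TBPSSvc and WinToolsSvc services and end the TBPS.exe and WToolsA.exe processes before deleting files, remove the two Run values, and reboot before re-running the check.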

Network Impact

Additional overhead in bandwidth during web browsing due to extra advertisement data.
Additional overhead in bandwidth due to silent updates.

Aliases

    N/A