Adware-SafeSearch

Type: Program
SubType: Adware
Discovery Date: 03/29/2005
Minimum DAT: 4305 (11/19/2003)
Updated DAT: 4639 (11/29/2005)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 06/13/2005 5:26 AM (PT)

Characteristics

McAfee(R) AVERT(tm) recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

This is not a virus or a Trojan. It is an adware application.

Installation:

File: Safesearch.exe
Hash: a8798c5cac485187b7de4e5b78d7e4ee

Upon installation of this adware application the following changes occur in the user's system.

This adware application creates the following directories.

  • %ProgramFiles%\primesoft
  • %ProgramFiles%\primesoft\safesearch

SafeSearch.dll is installed as a Browser Helper Object.

Browser Helper Objects are executable files that are loaded when the browser is launched. They can perform various tasks, such as generating extra pop-up ads and monitoring page navigation.

The following Registry value is added so that the application is executed on each reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SafeSearch" = "c:\program files\primesoft\safesearch\safesearch.exe"

The following Registry keys are added:

HKEY_CURRENT_USER\Software\PrimeSoft
HKEY_CURRENT_USER\Software\SafeSearch
HKEY_CURRENT_USER\Software\PrimeSoft\SafeSearch
HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO
HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO\CLSID
HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO\CurVer
HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO.1
HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO.1\CLSID
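
An added example, not part of the original McAfee description: a read-only PowerShell check for the directories, Run value, Registry keys and Browser Helper Object listed above. The Browser Helper Objects registry location, the WOW6432Node and "Program Files (x86)" views, and reading the listed hash as MD5 are assumptions not stated on this page.

```powershell
# Added example: read-only check for the Adware-SafeSearch artifacts listed on this page.
$findings = @()

# Assumption: on 64-bit Windows a 32-bit installer lands under "Program Files (x86)"
# and the WOW6432Node registry view, so both views are checked.
$programDirs   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$softwareRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$classRoots    = 'Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node'

foreach ($root in $programDirs) {
    $dir = Join-Path $root 'primesoft\safesearch'
    if (Test-Path -LiteralPath $dir) { $findings += "Directory: $dir" }
    $exe = Join-Path $dir 'safesearch.exe'
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        # The page's hash is 32 hex characters; treating it as MD5 is an assumption.
        $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
        $findings += "File: $exe MD5=$md5 matchesPageHash=$($md5 -eq 'a8798c5cac485187b7de4e5b78d7e4ee')"
    }
}

foreach ($sw in $softwareRoots) {
    $runKey = "$sw\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'SafeSearch' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value: $runKey -> $($run.SafeSearch)" }
}

foreach ($key in 'HKCU:\Software\PrimeSoft', 'HKCU:\Software\SafeSearch',
                 'Registry::HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO',
                 'Registry::HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO.1') {
    if (Test-Path -LiteralPath $key) { $findings += "Key: $key" }
}

# Resolve the BHO's ProgID to its CLSID at run time (the page does not list the CLSID),
# then confirm the browser registration and find the DLL it points at.
$progIdKey = 'Registry::HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO\CLSID'
$clsid = (Get-ItemProperty -LiteralPath $progIdKey -ErrorAction SilentlyContinue).'(default)'
if ($clsid) {
    foreach ($sw in $softwareRoots) {
        $bho = "$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        if (Test-Path -LiteralPath $bho) { $findings += "BHO registration: $bho" }
    }
    foreach ($cr in $classRoots) {
        $srv = (Get-ItemProperty -LiteralPath "$cr\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($srv) { $findings += "BHO module: $srv" }
    }
}

if ($findings) { $findings } else { 'No Adware-SafeSearch artifacts from this page were found.' }
```

The HKEY_CURRENT_USER keys are checked only for the account running the script, so run it in the affected user's session.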

This adware application redirects the web browser to "http:/ /204.177.**.***/search/index.html" for some URLs, such as:

  • www. auto.search.msn.com
  • www. mykeysearch.com

This adware is pornographic in nature.
It redirects error pages to www. kjdhendieldiouyu.com.

Aliases

    N/A