Adware-IEHost

Type: Program
SubType: Adware
Discovery Date: 06/02/2005
Minimum DAT: 4506 (06/03/2005)
Updated DAT: 4561 (08/17/2005)
Minimum Engine: 5.1.00
Description Added: 06/02/2005
Description Modified: 06/02/2005 4:54 PM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up advertisements while browsing the web.

The adware attempts to modify the default search page and redirect the search traffic through adserve.com. It uses "searchx.htm" (please see "Files Added" below) for this purpose. The adware also hijacks keywords on the search page and adds its own hyperlinks to the page. The result of such a hijack is fake hyperlinks pointing to ad-supported websites. Please see images below.

The application generates four randomly named files in %sysdir% with the .exe extension, where each file name consists of 8 characters. The first few characters are taken from the names of DLL files that already exist in the %sysdir% directory. It may try to download other adware from shopathomeselect.com through an ActiveX control. Additionally, it will add various URLs to the desktop and to the favorites of Internet Explorer. These URLs point to various ad-serving sites.

This application does not display a license agreement when installed.

Privacy

A privacy policy is not displayed during installation.

System Changes

Files Added

  • %SystemDir%\searchx.htm (1 KB)
  • %SystemDir%\pinstaller.exe (44 KB)
  • %SystemDir%\(random1*).exe (24 KB)
  • %SystemDir%\(random2*).exe (72 KB)
  • %SystemDir%\(random3*).exe (88 KB)
  • %SystemDir%\(random4*).exe (212 KB)
  • c:\documents and settings\administrator\local settings\temp\hi-story.tmp (1 KB)
  • c:\documents and settings\administrator\favorites\(random_name).url (1 KB)
  • c:\documents and settings\administrator\desktop\(random_name).url (1 KB)

Note: * (random#) is an 8-character random name.

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(random12*) "UninstallString"="C:\WINDOWS\System32\(random1).exe" (24 KB file)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(random12*) "DisplayName"="IE Host R3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(random12*)"="C:\WINDOWS\System32\(random3).exe" (88 KB file)
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar"="file://C:\WINDOWS\System32\Searchx.htm"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Custom Search URL"="1"

Note: * (random12) is a 12-character random key.
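
The registry changes listed above can be checked offline against a `reg export` text dump. The following is an added example, not McAfee's detection logic; the function names are hypothetical, the sample dump and its random names are constructed, and the Run-key match is a heuristic that only marks entries for review.

```python
import re

# Constructed sample in `reg export` text format; the random names are made up.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qwertyuiopas]
"DisplayName"="IE Host R3"
"UninstallString"="C:\\WINDOWS\\System32\\kernabcd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qwertyuiopas"="C:\\WINDOWS\\System32\\shelwxyz.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="file://C:\\WINDOWS\\System32\\Searchx.htm"
"Use Custom Search URL"="1"
'''
HKLM_CV = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"
IE_MAIN = "hkey_current_user\\software\\microsoft\\internet explorer\\main"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
SYS32_EXE8 = re.compile(r"\\system32\\[^\\]{8}\.exe$", re.I)

def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m.group(2)
            if data.startswith('"'):  # string value: drop quotes, unescape \\ and \"
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[m.group(1).lower()] = data
    return keys

def find_indicators(keys):
    """Match the registry changes listed on this page; returns (kind, detail) pairs."""
    hits = []
    for path, vals in keys.items():
        if path.startswith(HKLM_CV + "uninstall\\") and vals.get("displayname") == "IE Host R3":
            hits.append(("uninstall", path.rsplit("\\", 1)[1]))
    for name, data in keys.get(HKLM_CV + "run", {}).items():
        # Heuristic, needs review: 12-char value name starting an 8-char .exe in System32
        if len(name) == 12 and SYS32_EXE8.search(data):
            hits.append(("run", name))
    main = keys.get(IE_MAIN, {})
    if main.get("search bar", "").lower().endswith("\\system32\\searchx.htm"):
        custom = main.get("use custom search url") in ("1", "dword:00000001")
        hits.append(("search_bar", "custom search on" if custom else "custom search off"))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```

A Run-key hit by itself is weak evidence, since legitimate System32 programs can also have 8-character names; the "IE Host R3" DisplayName and the Searchx.htm search bar are the specific matches.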

Network Impact

The application may contact the following sites to download ads and URL files, and also to redirect search results

Additional overhead in bandwidth is due to download of advertising content and transmission of browsing data to remote servers.

Images

Image showing the hijack of a search keyword and the insertion of fake hyperlinks. The subsequent images show how clicking on the keyword "application" redirects the results to an ad-supported site.

Clicking on "application" will redirect to the link as shown below.

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Use the ADD/REMOVE Programs Control Panel in Windows to remove this program.

Aliases

    N/A