Spyware-RaxSrch

Type: Program
SubType: Spyware
Discovery Date: 01/24/2006
Minimum DAT: 4681 (01/24/2006)
Updated DAT: 4826 (08/10/2006)
Minimum Engine: 5.1.00
Description Added: 01/24/2006
Description Modified: 01/24/2006 5:40 AM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary:

Spyware-RaxSrch monitors search keywords and sends them to a remote website. Some of the search keywords that were sent to a remote website are:

Casino
Gambling
Banking

Each time a search is performed on the internet, it sends the search keyword to the following URL:
http://www.raxsearch.com/gettotal[Removed]

Installation:

Upon execution, "rxh.dll" is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer so that it runs every time Internet Explorer starts.

It registers itself by creating the following registry keys:

  • HKEY_CLASSES_ROOT\CLSID\{19AD8203-1538-43a0-848B-D136782E09DE}
  • HKEY_CLASSES_ROOT\Interface\{F89C6EE9-8BCA-40D4-82B7-12853BB8BB55}
  • HKEY_CLASSES_ROOT\TypeLib\{8547ADA7-FC77-4AC1-B0A2-C4B79787B460}
  • HKEY_CLASSES_ROOT\RXH.Helper
  • HKEY_CLASSES_ROOT\rxh.rxh
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19AD8203-1538-43a0-848B-D136782E09DE}
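
The registry keys listed above can be checked on a host with a read-only PowerShell script. This is an added example, not part of the original description; the InprocServer32 lookup assumes the standard COM registration layout, which the description does not spell out.

```powershell
# Added example: read-only check for the Spyware-RaxSrch registry keys
# listed in this description. It does not modify or remove anything.

$clsid   = '{19AD8203-1538-43a0-848B-D136782E09DE}'
$bhoRoot = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Keys exactly as given in the description.
$listedKeys = @(
    "HKEY_CLASSES_ROOT\CLSID\$clsid",
    'HKEY_CLASSES_ROOT\Interface\{F89C6EE9-8BCA-40D4-82B7-12853BB8BB55}',
    'HKEY_CLASSES_ROOT\TypeLib\{8547ADA7-FC77-4AC1-B0A2-C4B79787B460}',
    'HKEY_CLASSES_ROOT\RXH.Helper',
    'HKEY_CLASSES_ROOT\rxh.rxh',
    "HKEY_LOCAL_MACHINE\$bhoRoot\$clsid"
)

# The Registry:: provider prefix reaches HKEY_CLASSES_ROOT, which has no
# default PowerShell drive; -LiteralPath avoids wildcard interpretation.
$found = foreach ($key in $listedKeys) {
    if (Test-Path -LiteralPath "Registry::$key") { $key }
}

# Assumption (standard COM layout, not stated on the page): the DLL of an
# in-process COM server is the default value of CLSID\<guid>\InprocServer32.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
$dll = $null
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
}

# Enumerate every registered BHO so the entry can be seen in context.
$bhos = Get-ChildItem -LiteralPath "Registry::HKEY_LOCAL_MACHINE\$bhoRoot" `
            -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }

if ($found) {
    Write-Output 'Spyware-RaxSrch registry keys present:'
    $found | ForEach-Object { Write-Output "  $_" }
    if ($dll) { Write-Output "Registered server DLL: $dll" }
} else {
    Write-Output 'None of the listed Spyware-RaxSrch keys were found.'
}
Write-Output "Registered BHOs: $($bhos -join ', ')"
```

On 64-bit Windows, a 32-bit component registers under the Wow6432Node views of these keys, which this script does not check.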

Aliases

  • AdWare.Win32.RaxSearch.a (Kaspersky)
  • Spyware/RxSearch (Panda)