
Adware.Websearch

Updated: February 13, 2007 11:35:02 AM
Type: Adware
Publisher: IBIS LLC
Risk Impact: Low
File Names: common.dll, IExploreSkins.exe, PIB.exe, QDow_AS2.dll, setupex.exe, TBPS.exe, toolbar.dll, WSG.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Websearch is executed, it performs the following actions:
  1. May create the following registry entries, each of which may contain multiple subkeys:

    HKEY_CLASSES_ROOT\CLSID\{0A68C5A2-64AE-4415-88A2-6542304A4745}
    HKEY_CLASSES_ROOT\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}
    HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}
    HKEY_CLASSES_ROOT\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}
    HKEY_CLASSES_ROOT\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}
    HKEY_CLASSES_ROOT\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}
    HKEY_CLASSES_ROOT\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
    HKEY_CLASSES_ROOT\CLSID\{87766247-311C-43B4-8499-3D5FEC94A183}
    HKEY_CLASSES_ROOT\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}
    HKEY_CLASSES_ROOT\CLSID\{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}
    HKEY_CLASSES_ROOT\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}
    HKEY_CLASSES_ROOT\CLSID\{A8DEB4A5-D9EF-4D21-B4F6-921475004E7D}
    HKEY_CLASSES_ROOT\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}
    HKEY_CLASSES_ROOT\CLSID\{CABCF5E7-0C79-4F1C-909D-B9CF68FED746}
    HKEY_CLASSES_ROOT\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}
    HKEY_CLASSES_ROOT\CLSID\{F1616B86-9288-489D-B71A-0CCF2F1A89DA}
    HKEY_CLASSES_ROOT\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}
    HKEY_CLASSES_ROOT\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}
    HKEY_CLASSES_ROOT\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}
    HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
    HKEY_CLASSES_ROOT\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}
    HKEY_CLASSES_ROOT\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}
    HKEY_CLASSES_ROOT\TypeLib\{DB9A4E78-35DF-4A54-B6C5-C5190CEAF949}
    HKEY_CLASSES_ROOT\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}
    HKEY_CLASSES_ROOT\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}
    HKEY_CLASSES_ROOT\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}
    HKEY_CLASSES_ROOT\Interface\{66C22569-F05C-4A70-A142-763B337E1002}
    HKEY_CLASSES_ROOT\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}
    HKEY_CLASSES_ROOT\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}
    HKEY_CLASSES_ROOT\Interface\{BD6F129A-08DB-4CC5-A75A-F2AB79E55B6E}
    HKEY_CLASSES_ROOT\Interface\{D1951679-1D52-43FC-9585-0737143585F5}
    HKEY_CLASSES_ROOT\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A68C5A2-64AE-4415-88A2-6542304A4745}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}
    HKEY_CLASSES_ROOT\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
    HKEY_CLASSES_ROOT\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
    HKEY_CLASSES_ROOT\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Components\C3D2CDB9A41E452EA544AB5033418FCB
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C3D2CDB9A41E452EA544AB5033418FCB
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CA2E4A17C7EE67447B98D93D8144E0D0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71A4E2AC-EE7C-4476-B789-9DD318440E0D}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Setup\RC
    HKEY_CURRENT_USER\Software\MSIETS
    HKEY_CURRENT_USER\Software\Toolbar
    HKEY_CURRENT_USER\Software\Toolbar\Files\SVC
    HKEY_CURRENT_USER\Software\Toolbar\Files\TBR
    HKEY_CURRENT_USER\Software\Toolbar\PlugIns\COMMON
    HKEY_CURRENT_USER\Software\WinTools
    HKEY_CLASSES_ROOT\Common.Buttons\Clsid
    HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tpro
    HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol
    HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol
    HKEY_CLASSES_ROOT\Radio.RadioPlayer
    HKEY_CLASSES_ROOT\TBPS.PluginConfig
    HKEY_CLASSES_ROOT\TBPS.PluginDown
    HKEY_CLASSES_ROOT\TBPS.PluginEvents
    HKEY_CLASSES_ROOT\TBPS.PluginInst
    HKEY_CLASSES_ROOT\TBPS.PluginServer
    HKEY_CLASSES_ROOT\TBPS.ToolbarScript
    HKEY_CLASSES_ROOT\toolbar.IToolbarScriptClass
    HKEY_CLASSES_ROOT\toolbar.ResProtocol
    HKEY_CLASSES_ROOT\WSG.WSGObj
    HKEY_CLASSES_ROOT\WToolsB.ResProtocol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools
    HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\COMMON
    HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\SVC
    HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\TBR
    HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\PlugIns\COMMON
    HKEY_LOCAL_MACHINE\SOFTWARE\WinTools
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\websearch
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\CustomizeSearch
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchAssistant
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj.BTIEINScriptConfig
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
    HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN
    HKEY_CURRENT_USER\Software\BTIEIN

  2. May add the values:

    "TBPS" = ""
    "WinTools" = ""
    "OETool" = ""
    "TB_setup" = ""

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

  3. May add the value:

    "{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""

    to the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser

  4. May add the values:

    "{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}" = "00"
    "{339BB23F-A864-48C0-A59F-29EA915965EC}" = "00"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

  5. May add the value:

    "{8952A998-1E7E-4716-B23D-3DBE03910972}" = ""

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

  6. May add the values:

    "TUID" = ""
    "WTInstallDate" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData

  7. May add the values:

    "%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}" = ""
    "%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\.Owner" = "{87067F04-DE4C-4688-BC3C-4FCF39D609E7}"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage

    Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  8. May add the value:

    "%CommonProgramFiles%\MSIETS\" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

    Note: %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.

  9. May add the value:

    "%Windir%\Downloaded Program Files\QDow_AS2.dll" = "1"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  10. May modify the value:

    "ShellNext" = "[path to executable]"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard

  11. May modify the value:

    "Search Bar" = "[Web site on the websearch.com or huntbar.com domain]"

    in the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  12. May modify the value:

    "Start Page" = "[Web site on the websearch.com or huntbar.com domain]"

    in the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  13. May modify the value:

    "CustomizeSearch" = "res://%SystemDrive%\PROGRA~1\Toolbar\toolbar.dll/sa"

    in the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  14. May modify the value:

    "SearchAssistant" = "[Web site on the websearch.com or huntbar.com domain]"

    in the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search


  15. Attempts to download files from a predetermined Web site. If the download is successful, it decompresses the files into multiple folders, and starts multiple programs. Files may be created in the following folders:

    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools
    • %CommonProgramFiles%\WinTools
    • %CommonProgramFiles%\WinTools\Update
    • %ProgramFiles%\Toolbar
    • %ProgramFiles%\Toolbar\Cursors
    • %ProgramFiles%\Toolbar\Recordings
    • %ProgramFiles%\Toolbar\Skins
    • %ProgramFiles%\Toolbar\Update
    • %ProgramFiles%\websearch
    • [original folder]\Cursors
    • [original folder]\Skins
    • [original folder]\temp

      Note: %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files. [original folder] refers to the folder in which the adware was executed.

  16. Appears in Internet Explorer as a search toolbar, and in the System Tray as an icon.

  17. Logs keywords from searches and sends the logs to a predetermined Web site.

  18. May download an updated version of itself.

  19. May open Internet Explorer to www.websearch.com.
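As an added, read-only audit (not part of the Symantec writeup and not a Symantec tool), the PowerShell below checks a host for the registry artifacts described in items 1 to 5 and 11 to 14: autostart values, Browser Helper Object and toolbar CLSID registrations, and Internet Explorer start/search settings pointing at the websearch.com or huntbar.com domains or at the toolbar.dll resource. It assumes an elevated session with the standard HKLM:/HKCU: registry drives; it reports and removes nothing.

```powershell
# CLSIDs the writeup lists as Browser Helper Objects / URLSearchHooks, and as toolbars
$bhoClsids     = @('{0A68C5A2-64AE-4415-88A2-6542304A4745}', '{87766247-311C-43B4-8499-3D5FEC94A183}',
                   '{8952A998-1E7E-4716-B23D-3DBE03910972}', '{63B78BC1-A711-4D46-AD2F-C581AC420D41}')
$toolbarClsids = @('{339BB23F-A864-48C0-A59F-29EA915965EC}', '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}')
# Autostart names from items 1 and 2 ("websearch" appears in the writeup as a Run entry)
$runValues     = @('TBPS', 'WinTools', 'OETool', 'TB_setup', 'websearch')
# What the hijacked Start Page / Search Bar / SearchAssistant / CustomizeSearch values point to
$hijackPattern = 'websearch\.com|huntbar\.com|Toolbar\\toolbar\.dll'
$findings = New-Object System.Collections.Generic.List[string]

# Helper (added here): does the key exist and carry a value with exactly this name?
function Test-RegValue([string]$Key, [string]$Name) {
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($null -ne $props.PSObject.Properties[$Name])
}

# 1. Autostart values under Run / RunServicesOnce
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce') {
    foreach ($name in $runValues) {
        if (Test-RegValue $key $name) { $findings.Add("Autostart value: $key\$name") }
    }
}
# 2. BHO registrations: here the CLSID is a subkey, not a value
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in $bhoClsids) {
    if (Test-Path -LiteralPath "$bhoRoot\$clsid") { $findings.Add("BHO subkey: $clsid") }
}
# 3. Toolbar and URLSearchHook values keyed by CLSID (items 3, 4 and 5)
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar', 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser',
                 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser', 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser',
                 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks', 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks') {
    foreach ($clsid in ($toolbarClsids + $bhoClsids)) {
        if (Test-RegValue $key $clsid) { $findings.Add("IE registration: $key\$clsid") }
    }
}
# 4. Start page / search hijack (items 11 to 14)
foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main', 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
                 'HKCU:\Software\Microsoft\Internet Explorer\Search', 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'Start Page', 'Search Bar', 'SearchAssistant', 'CustomizeSearch') {
        $value = if ($props) { $props.$name } else { $null }
        if ($value -and $value -match $hijackPattern) { $findings.Add("IE setting: $key\$name = $value") }
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No Adware.Websearch registry artifacts found.' }
```

A hit on any line is a reason to run a full scan and review the Toolbar, WinTools and MSIETS folders listed in item 15; the HKEY_CLASSES_ROOT CLSID and Interface keys from item 1 are deliberately left out because COM class registrations alone do not indicate the component is loaded.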

