Adware.BetterInternet

Printer Friendly Page

Updated: February 13, 2007 11:50:01 AM

Type: Adware

Publisher: stop-popup-ads-now.com

Risk Impact: High

File Names: Varies: Bi.dll and Biprep.exe Belt.exe Belt.ini Belt.inf Buddy.exe ceres.dll Susp.exe Sus

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Depending on the version of the adware, Adware.BetterInternet performs some of the following actions when it is executed:

Creates some of the following files:
- %CurrentFolder%\Belt.ini
- %CurrentFolder%\Belt.inf
- %CurrentFolder%\Susp.ini
- %CurrentFolder%\Susp.in
- %CurrentFolder%\BTGrab.inf
- %Temp%\bho_prob.exe
- %Temp%\bik.inf
- %Temp%\bi.dll
- %Temp%\bik.cab
- %Temp%\biprep.exe
- %Temp%\dummy.htm
- %Temp%\morphrec.exe
- %Temp%\thnall1s.exe
- %Temp%\DrTemp\ceres.cab
- %Temp%\DrTemp\ceres.dll
- %Temp%\DrTemp\ceres.inf
- %Temp%\DrTemp\thnall1b.exe
- %Temp%\DrTemp\thnall1p.exe
- %Temp%\DrTemp\thnall2r.exe
- %Temp%\DrTemp\polall1b.exe
- %Temp%\THI[????].tmp\adrmimg.cab
- %Temp%\THI[????].tmp\imGiant.cab
- %Temp%\THI[????].tmp\adrmimg.inf
- %Temp%\THI[????].tmp\imgiant.inf
- %Temp%\THI[????].tmp\IMGUninst.exe
- %Temp%\THI[????].tmp\imGiant.dll
- %System%\ezxiiyv.exe
- %System%\bdle4012.exe
- %System%\bik.exe
- %System%\imgiant.dll
- %System%\ln_reco.exe
- %System%\laziqn.exe
- %System%\nnmzoq.exe
- %System%\randreco.exe
- %System%\susp_reco.exe
- %System%stmtreco.exe
- %System%\xxvyaj.exe
- %System%\wbtvsffd.exe
- %Windir%\banner.dll
- %Windir%\Bi.dll
- %Windir%\Biprep.exe
- %Windir%\BTGrab.dll
- %Windir%\Buddy.exe
- %Windir%\ceres.dll
- %Windir%\dlmax.dll
- %Windir%\farmmext.exe
- %Windir%\imgiant.dll
- %Windir%\morphacl.dll
- %Windir%\Mxtarget.dll
- %Windir%\Pynix.dll
- %Windir%\speer2.dll
- %Windir%\speeryox.dll
- %Windir%\VoiceIP.dll
- %Windir%\zserv.dll
- %Windir%\BBIIEHPL.ini
- %Windir%\BIILJLLM.ini
- %Windir%\BICJNF.ini
- %Windir%\CCEJHONM.ini
- %Windir%\FCIJLFMN.ini
- %Windir%\FFGDEGOJ.ini
- %Windir%\IDDJHJM.ini
- %Windir%\morphstb.ini
- %Windir%\abiuninst.htm
- %Windir%\IMGUninst.exe
- %Windir%\DrUninst.exe
- %Windir%\inf\adrmcer.inf
- %Windir%\inf\adrmimg.inf
- %Windir%\inf\bik.inf
- %Windir%\inf\ceres.inf
- %Windir%\inf\farmmext.inf
- %Windir%\farmmext.ini
- %Windir%\inf\imgiant.inf
- %Windir%\inf\morphstb.inf
- %Windir%\inf\payload.inf
- %Windir%\inf\payload2.inf
- %Windir%\inf\Pynix.inf
- %Windir%\inf\Pynix.pnf
- %Windir%\inf\sprnopol.inf
- %Windir%\inf\topmins2.inf
- %Windir%\Wininit.ini
- %Windir%\inf\zserv.inf
- %Windir%\LastGood\BICJNF.ini
- %Windir%\LastGood\INF\adrmimg.inf
- %Windir%\LastGood\INF\adrmimg.PNF
- %Windir%\LastGood\INF\bik.inf
- %Windir%\LastGood\INF\bik.pnf
- %Windir%\LastGood\INF\ceres.inf
- %Windir%\LastGood\INF\ceres.pnf
- %Windir%\LastGood\farmmext.ini
- %Windir%\LastGood\INF\farmmext.inf
- %Windir%\LastGood\INF\farmmext.pnf
- %Windir%\LastGood\INF\imgiant.inf
- %Windir%\LastGood\INF\imgiant.PNF
- %Windir%\LastGood\INF\morphstb.PNF
- %Windir%\LastGood\INF\morphstb.inf
- %Windir%\LastGood\INF\payload.PNF
- %Windir%\LastGood\INF\payload.inf
- %Windir%\LastGood\INF\Pynix.inf
- %Windir%\LastGood\INF\Pynix.PNF
- %Windir%\LastGood\INF\zserv.inf
- %Windir%\LastGood\INF\zserv.pnf
- %Windir%\LastGood\DrUninst.exe
- %Windir%\Downloaded Program Files\thin.inf
- %Windir%\LastGood\Downloaded Program Files\thin.inf
- XXVYAJ.exe
  
  Notes:
- %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP)or C:\Winnt (Windows NT/2000).
- %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- [????] is a variable that refers to a random sequence of characters which make up part of the folder name.
Attempts to create some of the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{00000000-59D4-4008-9058-080011001200} HKEY_CLASSES_ROOT\CLSID\{00000000-C1EC-0345-6EC2-4D0300000000} HKEY_CLASSES_ROOT\CLSID\{00000000-DD60-0064-6EC2-6E0100000000} HKEY_CLASSES_ROOT\CLSID\{00000000-F09C-02B4-6EC2-AD0300000000} HKEY_CLASSES_ROOT\CLSID\{00000026-8735-428D-B81F-DD098223B25F} HKEY_CLASSES_ROOT\CLSID\{00000035-92F8-407F-98A5-7D8ADA59B6BB} HKEY_CLASSES_ROOT\CLSID\{00000049-8F91-4D9C-9573-F016E7626484} HKEY_CLASSES_ROOT\CLSID\{0000005D-C175-4405-BAC5-1F3B2BAF67C6} HKEY_CLASSES_ROOT\CLSID\{00000062-2E5F-4AF7-986E-5B64E0951A96}
HKEY_CLASSES_ROOT\CLSID\{00000097-7C67-4BA6-8B42-05128941688A}
HKEY_CLASSES_ROOT\CLSID\{00000250-0320-4DD4-BE4F-7566D2314352}
HKEY_CLASSES_ROOT\CLSID\{000006B1-19B5-414A-849F-2A3C64AE6939}
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}
HKEY_CLASSES_ROOT\CLSID\{0000607D-D204-42C7-8E46-216055BF9918} HKEY_CLASSES_ROOT\CLSID\{002EB272-2590-4693-B166-FBD5D9B6FEA6} HKEY_CLASSES_ROOT\CLSID\{00320615-B6C2-40A6-8F99-F1C52D674FAD} HKEY_CLASSES_ROOT\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740} HKEY_CLASSES_ROOT\CLSID\{D5E06663-DE78-4A48-BB81-7C9AFF2E49E4}
HKEY_CLASSES_ROOT\Interface\{237CB7A2-E26E-443B-B16E-5DA66584B05B} HKEY_CLASSES_ROOT\Interface\{C45C774D-5ECC-4D9E-94E1-AC57189C4435} HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757} HKEY_CLASSES_ROOT\Interface\{C08175C6-B2B2-47FC-AF1A-32F77A6CB673} HKEY_CLASSES_ROOT\Interface\{59EBB576-CEB0-42FA-9917-DA6254A275AD} HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A} HKEY_CLASSES_ROOT\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD} HKEY_CLASSES_ROOT\Interface\{72322CE2-D1C1-423E-9748-FF7E7F1E47C3} HKEY_CLASSES_ROOT\Interface\{19C8E563-D989-47CE-BED8-EA72B5EB62D6} HKEY_CLASSES_ROOT\Interface\{A93B84C6-5278-473A-8027-F6304A291A7A} HKEY_CLASSES_ROOT\Interface\{50F646B1-1C3E-4B01-B818-437E1276E5BE} HKEY_CLASSES_ROOT\TypeLib\{09049E4F-8D9E-4C8A-A952-5BAF1A115C59} HKEY_CLASSES_ROOT\TypeLib\{230C3786-1C2C-45BD-9D2D-9D277FCE6289} HKEY_CLASSES_ROOT\TypeLib\{2390AAA5-E65C-4404-BD3B-3A9EAC22C0A5} HKEY_CLASSES_ROOT\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF} HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC} HKEY_CLASSES_ROOT\TypeLib\{7EFE1256-AB56-44B3-A63A-EB1A2208A490} HKEY_CLASSES_ROOT\TypeLib\{8E0D8965-B97B-468D-8306-A05929E439C1} HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904} HKEY_CLASSES_ROOT\TypeLib\{BBE6D461-41FC-4100-A629-B9D2162BEFAA} HKEY_CLASSES_ROOT\TypeLib\{C0168E40-6211-4113-9202-B9B852CB12FC} HKEY_CLASSES_ROOT\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776} HKEY_CLASSES_ROOT\AppID\{4D980B0A-C3EF-4965-A58F-7F64F3B42E79} HKEY_CLASSES_ROOT\AppID\XParam.DLL HKEY_CLASSES_ROOT\BiDll.BiDllObj HKEY_CLASSES_ROOT\BiDll.BiDllObj.1 HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj.1 HKEY_CLASSES_ROOT\CeresDll.CeresDllObj HKEY_CLASSES_ROOT\CeresDll.CeresDllObj.1 HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj.1 HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj.1 HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj.1 HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj.1 HKEY_CLASSES_ROOT\MxTarget.MxTargetDllObj.1 HKEY_CLASSES_ROOT\PynixDll.PynixDllObj HKEY_CLASSES_ROOT\PynixDll.PynixDllObj.1 HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj.1 HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj.1 HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1 HKEY_CLASSES_ROOT\VoiceIPDll.VoiceIPDllObj.1 HKEY_CLASSES_ROOT\VX2.VX20BJ HKEY_CLASSES_ROOT\XParam.XParamObj HKEY_CLASSES_ROOT\XParam.XParamObj.1 HKEY_CLASSES_ROOT\ZServDll.ZServDllObj HKEY_CLASSES_ROOT\ZServDll.ZServDllObj.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000000-59D4-4008-9058-080011001200} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000000-C1EC-0345-6EC2-4D0300000000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000000-F09C-02B4-6EC2-AD0300000000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000026-8735-428D-B81F-DD098223B25F} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000035-92F8-407F-98A5-7D8ADA59B6BB} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{0000005D-C175-4405-BAC5-1F3B2BAF67C6} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000062-2E5F-4AF7-986E-5B64E0951A96} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000097-7C67-4BA6-8B42-05128941688A} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00000250-0320-4DD4-BE4F-7566D2314352} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{000006B1-19B5-414A-849F-2A3C64AE6939} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{0000607D-D204-42C7-8E46-216055BF9918} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{002EB272-2590-4693-B166-FBD5D9B6FEA6} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00320615-B6C2-40A6-8F99-F1C52D674FAD} HKEY_CURRENT_USER\Software\AHExe HKEY_CURRENT_USER\Software\BTGrab HKEY_CURRENT_USER\Software\ceres HKEY_CURRENT_USER\Software\DLMax HKEY_CURRENT_USER\Software\BTGrab HKEY_CURRENT_USER\Software\Ceres HKEY_CURRENT_USER\Software\imGiant HKEY_CURRENT_USER\Software\morphacl HKEY_CURRENT_USER\Software\MultiMPP HKEY_CURRENT_USER\Software\MxTarget HKEY_CURRENT_USER\Software\sPeer HKEY_CURRENT_USER\Software\sPeer2 HKEY_CURRENT_USER\Software\morphacl HKEY_CURRENT_USER\Software\VoiceIP HKEY_CURRENT_USER\Software\pynix HKEY_CURRENT_USER\Software\VoiceIP HKEY_CURRENT_USER\Software\ZServ HKEY_CURRENT_USER\Software\AHExe HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml HKEY_LOCAL_MACHINE\Software\Dbi HKEY_LOCAL_MACHINE\Software\twaintec HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ceres HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dbi HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IMGiant
Adds the value:

"BLLid20fslnst" = "{688DE333-FB9A-4E16-B6B7-D81D266E0009}"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\DBi
Adds some of the values:

"INF/ceres.inf" = "0x00000001" "INF/ceres.pnf" = "0x00000001" "INF/adrmimg.inf" = "0x00000001" "INF/adrmimg.PNF" = "0x00000001" "INF/farmmext.inf" = "0x00000001" "INF/farmmext.pnf" = "0x00000001" "INF/imgiant.inf" = "0x00000001" "INF/imgiant.PNF" = "0x00000001" "INF/payload.inf" = "0x00000001" "INF/payload.pnf" = "0x00000001" "INF/Pynix.PNF = "0x00000001" "INF/Pynix.inf = "0x00000001" "INF/morphstb.PNF" = "0x00000001" "INF/morphstb.inf" = "0x00000001" "INF/zserv.inf" = "0x00000001" "INF/zserv.pnf" = "0x00000001"to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood
Adds the value:

"[File name of adware]" = "[File path to adware]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts.
Attempts to connect to one of the following domains to check for updated versions of the adware:
- abetterinternet.com
- stop-popup-ads-now.com
Attempts to perform some of the following actions:
- Display advertisements.
- Display links to related Web sites, and advertisements for related Web sites, based on the Web sites visited on the infected computer.
- Log the Web sites visited by the infected computer.
- Redirect certain URLs, including the Web browser default 404-error page, to or through the Web page used by the threat.
- Automatically update the adware and install added features or functionality. This action is performed without input from, or interaction with the user.
- Install desktop icons, installation files, and other publisher's software.

Some samples that Security Response has received of Belt.exe will not install successfully, as the CAB package it attempts to download is no longer available. In these instances, as well as those when an Internet connection is not available, the adware will add the registry key specified in step 4, and then exit cleanly.

Note: Virus definitions dated prior to November 19, 2003 may detect this as Adware.Ipinsight or Download.Trojan.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}