
Adware.FindemNow

Updated: February 13, 2007 11:36:54 AM
Type: Adware
Risk Impact: High
File Names: Msxmlpp.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Adware.FindemNow is a .dll file and cannot be directly executed. Another program, such as Trojan.Bookmarker.F, executes it.

When another program calls Adware.FindemNow, it does the following:
  1. Overwrites the system Hosts file.

    The new hosts file contains two entries:

    127.0.0.1 localhost
    213.159.117.235 auto.search.msn.com


  2. Registers itself by creating and populating the following registry keys:

    HKEY_LOCAL_MACHINE\TypeLib\{53B95204-7D77-11D2-9F80-00104B107C96}
    HKEY_CLASSES_ROOT\Interface\{53B95210-7D77-11D2-9F80-00104B107C96}
    HKEY_CLASSES_ROOT\Xmlmimefilter.XMLMimeFilterPP.1
    HKEY_CLASSES_ROOT\CLSID\{53B95211-7D77-11D2-9F80-00104B107C96}


  3. Changes the value to:

    "CLSID"="{53B95211-7D77-11D2-9F80-00104B107C96}"

    in the registry key:

    HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about

  4. When Internet Explorer is started, the Browser Helper Object displays an HTML page instead of the configured home page. It also resets the home page to "about:blank" and overwrites the hosts file, repeating step 3 above.
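
The indicators listed above can be checked on a suspect machine with a short script. The following is an added example, not part of the original write-up or any vendor tool: the function names and the sample hosts text are constructed for illustration, while the host name, IP address, registry keys and CLSID are the ones given above. It goes slightly beyond the exact entry listed by flagging any routable address mapped to auto.search.msn.com.

```python
import ipaddress
from contextlib import suppress
try:
    import winreg  # Windows only; registry checks are skipped elsewhere
except ImportError:
    winreg = None
# Indicators copied from the write-up above.
REDIRECTED_HOST = "auto.search.msn.com"
HANDLER_CLSID = "{53B95211-7D77-11D2-9F80-00104B107C96}"
REGISTRY_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"TypeLib\{53B95204-7D77-11D2-9F80-00104B107C96}"),
    ("HKEY_CLASSES_ROOT", r"Interface\{53B95210-7D77-11D2-9F80-00104B107C96}"),
    ("HKEY_CLASSES_ROOT", r"Xmlmimefilter.XMLMimeFilterPP.1"),
    ("HKEY_CLASSES_ROOT", r"CLSID\{53B95211-7D77-11D2-9F80-00104B107C96}"),
]
# Constructed sample: the overwritten hosts file as the page describes it.
SAMPLE_HOSTS = "127.0.0.1 localhost\n213.159.117.235 auto.search.msn.com\n"

def redirected_entries(hosts_text, hostname=REDIRECTED_HOST):
    """Return (ip, name) pairs mapping `hostname` to a routable address."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments
        try:
            ip = ipaddress.ip_address(fields[0])
        except (ValueError, IndexError):
            continue  # blank, comment-only or malformed line
        if ip.is_loopback or ip.is_unspecified:
            continue  # local sinkhole entries are not redirects
        hits += [(str(ip), n) for n in fields[1:] if n.lower().rstrip(".") == hostname]
    return hits

def registry_hits():
    """Return indicator keys found, or None when not running on Windows."""
    if winreg is None:
        return None
    found = []
    for hive, path in REGISTRY_KEYS:
        with suppress(OSError):  # a missing key raises FileNotFoundError
            winreg.CloseKey(winreg.OpenKey(getattr(winreg, hive), path))
            found.append(hive + "\\" + path)
    with suppress(OSError):
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"PROTOCOLS\Handler\about") as k:
            if str(winreg.QueryValueEx(k, "CLSID")[0]).upper() == HANDLER_CLSID:
                found.append("about: protocol handler CLSID")
    return found

if __name__ == "__main__":
    print(redirected_entries(SAMPLE_HOSTS), registry_hits())
```

To check a live system, pass the contents of the machine's own hosts file to `redirected_entries` instead of `SAMPLE_HOSTS`.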

