When Adware.180Search is executed, it does the following:
- May create the following folder:
%Windir%\FLEOK\
Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- Installs itself to one or more of the following locations:
- %ProgramFiles%\180search Assistant\sain.exe
- %ProgramFiles%\180search Assistant\hsr.dll
- %ProgramFiles%\180search Assistant\sau.exe
- %ProgramFiles%\180search Assistant\sau.log
- %ProgramFiles%\180search Assistant\sau.dll
- %ProgramFiles%\180search Assistant\sau_[3 RANDOM LETTERS].dat
- %ProgramFiles%\180search Assistant\sauau.dat
- %ProgramFiles%\180search Assistant\sac.exe
- %ProgramFiles%\180searchassistant\salm.exe
- %ProgramFiles%\180searchassistant\salmau_update.dat
- %ProgramFiles%\180searchassistant\salm.dat
- %ProgramFiles%\180searchassistant\salm_[3 RANDOM LETTERS].dat
- %ProgramFiles%\180searchassistant\salm_[3 RANDOM LETTERS]_update.dat
- %ProgramFiles%\180searchassistant\sac_[3 RANDOM LETTERS]_update.dat
- %ProgramFiles%\180searchassistant\sac_[3 RANDOM LETTERS].dat
- %ProgramFiles%\180searchassistant\sackyf.dat
- %ProgramFiles%\180searchassistant\sacau.dat
- %Windir%\[RANDOM FILE NAME].exe
- %Windir%\salm.exe
- %Windir%\salm[Random letters].dat
- %Windir%\salm_gdf.dat
- %Windir%\salm_kyf.dat
- %Windir%\salm.log
- %Temp%\180sainstallernusalm.exe
- %UserProfile%\Local Settings\Temp\180ax.exe
- %UserProfile%\Local Settings\Temp\180ax.log
- %Windir%\ClientInstaller.log
Notes:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
- May create the following files:
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\180search Assistant\180search Assistant.com.url
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\180search Assistant\Uninstall 180search Assistant Instructions.lnk
Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
- May add the values:
"MSBB" = "[PATH TO FILE]"
"sau" = "%ProgramFiles%\180search assistant\sau.exe"
"sac" = "%ProgramFiles%\180searchassistant\sac.exe"
"sain" = "%ProgramFiles%\180search assistant\sain.exe"
"salm" = "[PATH TO FILE]\salm.exe"
"180ax" = "%userprofile%\local settings\temp\180ax.exe"
"[RANDOM FILE NAME]" = "%Windir%\[RANDOM FILE NAME].exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- Creates some of the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{B10031B2-F184-4803-9A88-D239C0641D70}
HKEY_CLASSES_ROOT\Interface\{A79F8202-E09D-4F0F-AD4D-DCAE1DAC5994}
HKEY_CLASSES_ROOT\TypeLib\{F2BF4713-E933-4B66-8694-22ED243709C7}
HKEY_CLASSES_ROOT\180SAInstaller.180SAInstaller
HKEY_CLASSES_ROOT\180SAInstaller.180SAInstaller.1
HKEY_LOCAL_MACHINE\SOFTWARE\sau
HKEY_LOCAL_MACHINE\SOFTWARE\sac
HKEY_LOCAL_MACHINE\SOFTWARE\sain
HKEY_LOCAL_MACHINE\SOFTWARE\salm
HKEY_LOCAL_MACHINE\SOFTWARE\180ax
HKEY_CURRENT_USER\Software\sau
HKEY_CURRENT_USER\Software\sac
HKEY_CURRENT_USER\Software\sain
HKEY_CURRENT_USER\SOFTWARE\salm
HKEY_CURRENT_USER\SOFTWARE\180ax
HKEY_CURRENT_USER\Software\180solutions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\180ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sac
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sau
- May add the value:
"LoginSessionDisable" = "1"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control
to prevent the risk from causing the system to automatically dial to an ISP.
- Monitors the contents of Web browser windows. When certain (configurable) keywords are detected in Web search or shopping browser windows, the adware displays the Web page of a partner site. The information collected includes:
- Words typed into the Web browser.
- The address of the Web site that the words were typed into.
- Operating System version (including service pack).
- Web browser used (including exact version number).
- Screen width and height.
- Monitors the state of the adware application. If the adware is partially removed, it reinstalls the missing components.
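
An added example (not part of the original write-up): because partially removed components are reinstalled, a cleanup check should cover every listed location. This sketch turns some of the file-location templates and the fixed Run value names above into matchers for an exported file inventory and Run-key listing. The C: drive, the subset of templates and the sample data are assumptions.

```python
import re

# Defaults from the page's notes; the single C: drive is an assumption.
VARS = {
    "%ProgramFiles%": r"C:\\Program Files",
    "%Windir%": r"C:\\(?:Windows|Winnt)",
    "%UserProfile%": r"C:\\Documents and Settings\\[^\\]+",
    "[3 RANDOM LETTERS]": r"[a-z]{3}",
    "[Random letters]": r"[a-z]+",
}
# A subset of the path templates listed on the page, copied verbatim.
TEMPLATES = [
    r"%ProgramFiles%\180search Assistant\sau.exe",
    r"%ProgramFiles%\180search Assistant\sau_[3 RANDOM LETTERS].dat",
    r"%ProgramFiles%\180searchassistant\salm_[3 RANDOM LETTERS]_update.dat",
    r"%Windir%\salm.exe",
    r"%Windir%\salm[Random letters].dat",
    r"%UserProfile%\Local Settings\Temp\180ax.exe",
]
# Fixed value names the page lists under HKLM\...\CurrentVersion\Run.
# The "[RANDOM FILE NAME]" value cannot be matched by name and is not covered.
RUN_NAMES = {"msbb", "sau", "sac", "sain", "salm", "180ax"}

def compile_template(template):
    """Turn one page template into a case-insensitive full-path regex."""
    pattern = re.escape(template)
    for token, regex in VARS.items():
        pattern = pattern.replace(re.escape(token), regex)
    return re.compile(pattern, re.IGNORECASE)

PATTERNS = [compile_template(t) for t in TEMPLATES]

def find_artifacts(file_paths, run_values):
    """Return sorted (kind, item) hits from a file list and a Run-key export."""
    hits = {("file", p) for p in file_paths
            if any(rx.fullmatch(p) for rx in PATTERNS)}
    for name, data in run_values.items():
        target = data.strip('"')  # Run data is sometimes quoted
        if name.lower() in RUN_NAMES or any(rx.fullmatch(target) for rx in PATTERNS):
            hits.add(("run", name))
    return sorted(hits)

# Constructed sample inventory, not taken from a real host.
SAMPLE_FILES = [r"C:\Program Files\180search Assistant\sau_qzx.dat",
                r"C:\Windows\notepad.exe"]
SAMPLE_RUN = {"ctfmon": r"C:\Windows\system32\ctfmon.exe",
              "sain": r"C:\Program Files\180search assistant\sain.exe"}
if __name__ == "__main__":
    print(find_artifacts(SAMPLE_FILES, SAMPLE_RUN))
```

An empty result only shows that the covered locations are clean; the randomly named %Windir% executable and its matching Run value need a separate review of the Run key.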