Adware.WhenUSearchBar

Updated: February 13, 2007 11:40:04 AM
Type: Adware
Publisher: WhenU.com
Risk Impact: Low
File Names: search.exe, whse.exe, search.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.WhenUSearchBar is installed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\WhenUSearch\search.dll
    • %ProgramFiles%\WhenUSearch\uninst.exe
    • %ProgramFiles%\WhenUSearch\search.exe
    • %ProgramFiles%\WhenUSearch\whse.exe
    • %ProgramFiles%\WhenUSearch\content\*.*

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the file %CurrentFolder%\search.db.

    Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

  3. Adds the values:

    "WhenUSearch" = "%ProgramFiles%\WhenUSearch\Search.exe"
    "WhenUSearchWHSE" = "%ProgramFiles%\WhenUSearch\SearchWHSE.exe"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs when Windows starts.

  4. Creates some of the following registry subkeys:

    HKEY_CLASSES_ROOT\WUSE.1
    HKEY_CLASSES_ROOT\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
    HKEY_CLASSES_ROOT\CLSID\{715839CD-ABEC-45D8-A83C-1275F2D837CD}
    HKEY_CLASSES_ROOT\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}
    HKEY_CLASSES_ROOT\CLSID\{45E5DADB-DFDF-4FC3-A46C-DD34B6CDDB38}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearchB
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearchF
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{737830B7-F1F9-4bae-A8FC-1433C71BEDFF}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{715839CD-ABEC-45D8-A83C-1275F2D837CD}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Browser Helper Objects\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}

