When Adware.WhenUSearchBar is installed, it performs the following actions:
- Creates the following files:
  - %ProgramFiles%\WhenUSearch\search.dll
  - %ProgramFiles%\WhenUSearch\uninst.exe
  - %ProgramFiles%\WhenUSearch\search.exe
  - %ProgramFiles%\WhenUSearch\whse.exe
  - %ProgramFiles%\WhenUSearch\content\*.*
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the file %CurrentFolder%\search.db.
Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
- Adds the values:
"WhenUSearch" = "%ProgramFiles%\WhenUSearch\Search.exe"
"WhenUSearchWHSE" = "%ProgramFiles%\WhenUSearch\SearchWHSE.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs when Windows starts.
- Creates some of the following registry subkeys:
HKEY_CLASSES_ROOT\WUSE.1
HKEY_CLASSES_ROOT\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
HKEY_CLASSES_ROOT\CLSID\{715839CD-ABEC-45D8-A83C-1275F2D837CD}
HKEY_CLASSES_ROOT\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}
HKEY_CLASSES_ROOT\CLSID\{45E5DADB-DFDF-4FC3-A46C-DD34B6CDDB38}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearchB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearchF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{737830B7-F1F9-4bae-A8FC-1433C71BEDFF}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{715839CD-ABEC-45D8-A83C-1275F2D837CD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Browser Helper Objects\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
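
A read-only check for the artifacts listed above, written as an added PowerShell example (not part of the original write-up or of any vendor tool). It assumes PowerShell 3.0 or later, and it also reads the 32-bit registry view and Program Files (x86), which is where a 32-bit installer's entries land on 64-bit Windows.

```powershell
# Added example: read-only presence check for the artifacts listed above.
# Both registry views are read, so a key shared between views is reported twice.
$views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
$cv    = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$ie    = 'SOFTWARE\Microsoft\Internet Explorer'
$keys  = @(
    @('ClassesRoot',  'WUSE.1'),
    @('ClassesRoot',  'CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}'),
    @('ClassesRoot',  'CLSID\{715839CD-ABEC-45D8-A83C-1275F2D837CD}'),
    @('ClassesRoot',  'CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}'),
    @('ClassesRoot',  'CLSID\{45E5DADB-DFDF-4FC3-A46C-DD34B6CDDB38}'),
    @('LocalMachine', "$cv\Uninstall\WhenUSearch"),
    @('LocalMachine', "$cv\Uninstall\WhenUSearchB"),
    @('LocalMachine', "$cv\Uninstall\WhenUSearchF"),
    @('LocalMachine', "$ie\Extensions\{737830B7-F1F9-4bae-A8FC-1433C71BEDFF}"),
    @('CurrentUser',  "$ie\Explorer Bars\{715839CD-ABEC-45D8-A83C-1275F2D837CD}"),
    @('LocalMachine', "$cv\Explorer\Browser Helper Objects\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}")
)
$regHits = @(foreach ($view in $views) {
    foreach ($k in $keys) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]($k[0]), $view)
        $sub  = $base.OpenSubKey($k[1])          # $null when the subkey is absent
        if ($sub) { "Key   [$view] $($k[0])\$($k[1])"; $sub.Close() }
        $base.Close()
    }
    # Run values that start the risk with Windows.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $run  = $hklm.OpenSubKey("$cv\Run")
    foreach ($name in 'WhenUSearch', 'WhenUSearchWHSE') {
        $data = if ($run) { $run.GetValue($name) }
        if ($null -ne $data) { "Run   [$view] $name = $data" }
    }
    $hklm.Close()
})
# Files under the install folder; 'content' is the folder from the content\*.* entry.
# search.db is not checked because %CurrentFolder% depends on where the installer ran.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$fileHits = @(foreach ($root in $roots) {
    foreach ($name in 'search.dll', 'uninst.exe', 'search.exe', 'whse.exe', 'content') {
        $path = Join-Path (Join-Path $root 'WhenUSearch') $name
        if (Test-Path -LiteralPath $path) { "File  $path" }
    }
})
$hits = $regHits + $fileHits
if ($hits.Count) { $hits } else { 'None of the listed artifacts were found.' }
```

The HKEY_CURRENT_USER key is only checked for the account running the script, so run it in the affected user's session.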