Updated: February 13, 2007 11:40:16 AM
Type: Adware
Risk Impact: High
File Names: hexn.dll,[6 random digits].exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Depending on which version is installed, when Adware.UMaxsearch runs, it does the following:
- Creates some of the following files:
  - C:\RECYCLER\easysearch_google.jpg
  - C:\RECYCLER\index.html
  - C:\RECYCLER\uninstall.exe
  - C:\RECYCLER\install.exe
  - C:\RECYCLER\bin376.dll
  - %Sysdir%\[6 random digits].exe
  - %Sysdir%\hexn.dll
  - %Sysdir%\hfkro.t4y
  - %Windir%\blank.htm
- Adds one of the following values:
  "EasySearch Start Page"="C:\RECYCLER\install.exe"
  or
  "Sysrem Restore!"="Rundll hexn.dll, DllRegisterServer"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  so that install.exe runs every time Windows starts.
- Modifies the value:
  "SFCDisable"="1"
  in the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Creates the registry entries:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasySearch Start Page
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Rescue Plugin
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD5F75B8-93F3-429D-FF34-660B206D897A}
  HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
  HKEY_CLASSES_ROOT\CLSID\{AD5F75B8-93F3-429D-FF34-660B206D897A}
  HKEY_CLASSES_ROOT\CLSID\{AD75B8-93F3-429D-FF34-660B206D897A}
- Each time Microsoft Internet Explorer starts, the page is redirected to the search page C:\RECYCLER\index.html.
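
The file and registry artifacts listed above can be checked on a host with a short script. The following PowerShell is an added example, not part of the original write-up; it assumes %Sysdir% and %Windir% correspond to [Environment]::SystemDirectory and $env:windir, and it treats the six-digit .exe check as a name-pattern match that needs manual verification.

```powershell
# Added example: report Adware.UMaxsearch artifacts listed in this write-up.
$sysdir = [Environment]::SystemDirectory   # assumed equivalent of %Sysdir%
$windir = $env:windir                      # assumed equivalent of %Windir%
$hklm   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$found  = @()

# Files the write-up lists with fixed names.
$files = @(
    'C:\RECYCLER\easysearch_google.jpg', 'C:\RECYCLER\index.html',
    'C:\RECYCLER\uninstall.exe', 'C:\RECYCLER\install.exe',
    'C:\RECYCLER\bin376.dll',
    (Join-Path $sysdir 'hexn.dll'), (Join-Path $sysdir 'hfkro.t4y'),
    (Join-Path $windir 'blank.htm')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $found += "File: $f" }
}

# "[6 random digits].exe" in the system folder: name pattern only, so report as a lead.
Get-ChildItem -LiteralPath $sysdir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d{6}\.exe$' } |
    ForEach-Object { $found += "File (pattern match, verify): $($_.FullName)" }

# Run values added for persistence (value names exactly as given in the write-up).
$run = Get-ItemProperty -Path "$hklm\Run" -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in 'EasySearch Start Page', 'Sysrem Restore!') {
        $p = $run.PSObject.Properties[$name]
        if ($p) { $found += "Run value: $name = $($p.Value)" }
    }
}

# SFCDisable set to 1 under Winlogon.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name SFCDisable -ErrorAction SilentlyContinue
if ($wl -and $wl.SFCDisable -eq 1) { $found += 'Winlogon: SFCDisable = 1' }

# Registry keys created by the adware (CLSIDs copied verbatim from the write-up).
$keys = @(
    "$hklm\Uninstall\EasySearch Start Page",
    "$hklm\Uninstall\Windows Rescue Plugin",
    "$hklm\Explorer\Browser Helper Objects\{AD5F75B8-93F3-429D-FF34-660B206D897A}",
    'Registry::HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{AD5F75B8-93F3-429D-FF34-660B206D897A}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{AD75B8-93F3-429D-FF34-660B206D897A}'
)
foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { $found += "Key: $k" } }

if ($found.Count) { $found } else { 'No artifacts from this write-up were found.' }
```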