Updated: February 13, 2007 11:41:23 AM
Type: Adware
Publisher: trin
Risk Impact: Medium
File Names:
medload.exe
medload3.exe
mm63.ocx
mm67.ocx
mm81.ocx
seeve.exe
newpop446.exe
newpop63.ex
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003
When Adware.Medload is executed, it performs the following actions:
- Creates the following files:
- %Windir%\medload.exe
- %Windir%\Downloaded Program Files\mm63.ocx
- %Windir%\Downloaded Program Files\m67m.ocx
- %Windir%\seeve.exe
- %Windir%\unstall.exe
- %Windir%\ubber60.ini
- %Windir%\hisistheurls.exe
- %Windir%\mm63.ocx
- %Windir%\tempf.txt
- %Windir%\affbun.txt
- %Windir%\thin-143-1-x-x.exe
- %UserProfile%\Desktop\Cartoons and Animations.url
- %UserProfile%\Desktop\Celebrity News.url
- %UserProfile%\Desktop\free games to win real cash.url
- %UserProfile%\Desktop\Imgiant Instant Messenger.url
- %UserProfile%\Desktop\Joystick News.url
- %UserProfile%\Desktop\Screen Savers.url
- %ProgramFiles%\joystick networks\setup\celebs.ico
- %ProgramFiles%\joystick networks\setup\gamesjoy.ico
- %ProgramFiles%\joystick networks\setup\imgiant.ico
- %ProgramFiles%\joystick networks\setup\joywar.ico
- %ProgramFiles%\joystick networks\setup\myurlsagain.exe
- %ProgramFiles%\joystick networks\setup\news.ico
- %ProgramFiles%\joystick networks\setup\savers.ico
- %SystemDrive%\asdf.txt
Notes:
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
- Adds some of the following values:
"loads.exe" = "%Windir%\medload.exe"
"sixtysix" = "[PATH TO ORIGINAL FILE]"
"popuppers" = "[PATH TO ORIGINAL FILE]"
"popuppers64" = "[PATH TO ORIGINAL FILE]"
"seeve.exe" = "[PATH TO ORIGINAL FILE]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.
- Adds entries for the following files:
%Windir%\system32\objsafe.tlb
%Windir%\Downloaded Program Files\m67m.ocx
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
- Adds the value:
"media-motor" = "%Windir%\unstall.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Adds the values:
"%ProgramFiles%\joystick networks\setup" = "%ProgramFiles%\joystick networks\setup"
"%UserProfile%\Desktop" = "%UserProfile%\Desktop"
to the registry subkey:
HKEY_CURRENT_USER\Software\WinRAR SFX
These values are the extraction-path history written by the WinRAR self-extractor, which indicates that the installer is a WinRAR SFX archive that unpacks its components into the folders above.
- Creates some of the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}
HKEY_CLASSES_ROOT\CLSID\{E0CE16CB-741C-4B24-8D04-A817856E07F4}
HKEY_CLASSES_ROOT\Interface\{3E4BCF50-865B-4EF4-A0BC-BF57229EA525}
HKEY_CLASSES_ROOT\Interface\{5F08A37A-11BB-4FCE-9AE4-21897CABAA7E}
HKEY_CLASSES_ROOT\Interface\{64A5BD22-8D8A-4193-9CF8-7DB5212ABB17}
HKEY_CLASSES_ROOT\Interface\{674A6BD5-317A-49CF-9647-1E085E660CE0}
HKEY_CLASSES_ROOT\Interface\{79D6F884-C4C3-4CC8-9430-D8C17B47FF0E}
HKEY_CLASSES_ROOT\Interface\{9F61CFDF-5C79-4D35-B4DA-766B28367223}
HKEY_CLASSES_ROOT\Interface\{AD29366C-63AA-4FF3-944F-91AD7193BCA2}
HKEY_CLASSES_ROOT\Interface\{E832FFDE-8ED2-47B7-BE50-729A238040A0}
HKEY_CLASSES_ROOT\Interface\{A9136CFD-FD01-41B8-9969-0B37720ED8AB}
HKEY_CLASSES_ROOT\Interface\{B2EEDA99-DA99-4D0D-9F7F-143C30521388}
HKEY_CLASSES_ROOT\TypeLib\{78A163D2-2358-464D-807B-0E2A078C7727}
HKEY_CLASSES_ROOT\TypeLib\{466C63AC-F26E-49F1-861A-E07DA768A46A}
HKEY_CLASSES_ROOT\IObjSafety.DemoCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor
HKEY_LOCAL_MACHINE\SOFTWARE\mm
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/m67m.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/objsafe.tlb
- Opens an Internet Explorer window displaying the following URL:
[http://]www.popuppers.com/[REMOVED]/popsn16.php?firstd=[parameter]&aff=[parameter]&c=[parameter]
which may redirect the browser to advertisements.
- May install Adware.180Search, Adware.BetterInternet and Adware.PopUppers.
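The registry artifacts listed above (the Run key values, the ZoneMap domain entries, the ActiveX CLSID keys and the Uninstall entry) can be checked offline from a `reg export` of a suspect host. The following Python script is an added example written for this page; it is not Symantec's tooling and not part of the original writeup. The .reg text it scans is constructed sample data (the SID, the CLSID default value and the UninstallString are made up for the sample), and only the indicators named in the writeup are matched.

```python
"""Offline triage of a Windows registry export (.reg) for the Adware.Medload
registry indicators listed in this writeup. Added example, not Symantec code."""
import ntpath
import re
import sys

# Indicators taken from the writeup above. Exports contain expanded paths
# (C:\WINDOWS\...), so file names are compared rather than %Windir% strings.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"loads.exe", "sixtysix", "popuppers", "popuppers64", "seeve.exe"}
RUN_VALUE_FILES = {"medload.exe", "medload3.exe", "seeve.exe", "newpop446.exe"}
ADWARE_DOMAINS = {"media-motor.net", "popuppers.com"}
CLSIDS = {"{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}", "{e0ce16cb-741c-4b24-8d04-a817856e07f4}"}
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor"

_SECTION = re.compile(r"^\[-?(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Matches under any hive (HKEY_CURRENT_USER or HKEY_USERS\<SID>).
_ZONEMAP = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\([^\\]+)$", re.IGNORECASE)


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; the default value is '@'.
    REG_SZ data is decoded to a plain string; dword:/hex: data is kept verbatim
    and continuation lines of multi-line hex data are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def scan(reg_text):
    """Return (kind, key, name, data) tuples for every Medload indicator found."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k == RUN_KEY.lower():
            # Autorun persistence: match either the value name or the launched file.
            for name, data in values.items():
                if name.lower() in RUN_VALUE_NAMES or ntpath.basename(data).lower() in RUN_VALUE_FILES:
                    findings.append(("run_persistence", key, name, data))
        m = _ZONEMAP.search(key)
        if m and m.group(1).lower() in ADWARE_DOMAINS:
            # "*"=dword:00000002 places the whole domain in zone 2 (Trusted sites).
            findings.append(("zonemap_domain", key, m.group(1), values.get("*", "")))
        if any(c in k for c in CLSIDS):
            findings.append(("activex_clsid", key, values.get("@", ""), ""))
        if k == UNINSTALL_KEY.lower():
            findings.append(("uninstall_entry", key, "", values.get("UninstallString", "")))
    return findings


# Constructed sample export, not a real capture; the SID and the value data are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"loads.exe"="C:\\WINDOWS\\medload.exe"
"seeve.exe"="C:\\WINDOWS\\seeve.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com]
"*"=dword:00000002

[HKEY_CLASSES_ROOT\CLSID\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}]
@="IObjSafety.DemoCtl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor]
"UninstallString"="C:\\WINDOWS\\unstall.exe"
"""

if __name__ == "__main__":
    # Files produced by `reg export <key> out.reg` are UTF-16LE; open them as utf-16.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for kind, key, name, data in scan(text):
        print(f"{kind:16} {key}  {name} {data}".rstrip())
```

Run it with no arguments to scan the embedded sample, or pass the path of a `reg export` file (exports of HKLM\...\Run, HKEY_USERS and HKEY_CLASSES_ROOT\CLSID cover the indicators above). The ctfmon.exe entry in the sample is a legitimate Run value and is not reported, which is the check that the match is on the writeup's names rather than on any autorun entry.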