Adware.Fastsearchweb

Printer Friendly Page

Updated: February 13, 2007 11:41:55 AM

Type: Adware

Risk Impact: Medium

File Names: subsys.exe; rcpie.dll; protect32.dll

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Fastsearchweb is installed, it does the following:

Installs a Browser Helper Object in %system%\rcpie.dll.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the following files:

%System%\iecust.dll
%System%\menu.txt
Adds the values:

"Start Page" = "about:blank" "HOMEOldSP" = "about:blank" "Search Bar" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" "Search Page" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" "Use Search Asst" = "no" "Use Custom Search URL" = "0x1"to the registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Adds the values:

"Default_Page_URL" = "about:blank" "Default_Search_URL" = "about:blank"to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Adds the value:

"SearchAssistant" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"

to the registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchNote: res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c is an obfuscated form of the string res://C:\WINNT\System32\rcpie.dll/sp.html.
Adds the values:

"Default_Search_URL" = "about:blank"
"Customize_Search" = "about:blank"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
May add the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
Adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Freshbar" = {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Apartment" = {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06ABAA2D-34AB-4902-A326-409BD9B9A7A5} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Apartment" = {0EC7A55C-77D4-40E9-A4A0-9463B12B31E5}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E25DD9-89F9-49FD-A5FC-1B7862BB8167} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69063189-5F20-4361-BB5F-30EF8526284D} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D825EF86-59BB-46EA-924F-12088D928D6C}

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}