Adware.OrbitExplorer


Updated: February 13, 2007 11:42:15 AM
Type: Adware
Publisher: www.orbitexplorer.com
Risk Impact: High
File Names: OELoader.dll, OELoader.exe, ad.exe, update.exe, view.exe, redirector.dll, search.dll, toolbar.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.OrbitExplorer runs, it does the following:
  1. Downloads and installs the following adware programs:
    • Adware.DealHelper
    • Adware.180Search
    • Adware.NCase

  2. Creates the following files:
    • %Windir%\Downloaded Program Files\OELoader.dll (this file is detected as Adware.OrbitExplorer)
    • %Windir%\Downloaded Program Files\OELoader.exe (this file is detected as Adware.OrbitExplorer)
    • %Windir%\Downloaded Program Files\OELoader.inf
    • %Windir%\Temp\download.exe (this file is detected as Adware.DealHelper)
    • %Windir%\Temp\msbb_.exe (this file is detected as Adware.180Search)
    • %ProgramFiles%\Orbit\ad.exe (this file is detected as Adware.OrbitExplorer)
    • %ProgramFiles%\Orbit\update.exe (this file is detected as Adware.OrbitExplorer)
    • %ProgramFiles%\Orbit\view.exe (this file is detected as Adware.OrbitExplorer)
    • %ProgramFiles%\Orbit\OEHomepage.cfg
    • %ProgramFiles%\Orbit\update.oe
    • %ProgramFiles%\Orbit\home.oe
    • %CommonProgramFiles%\OE\redirector.dll (this file is detected as Adware.OrbitExplorer)
    • %CommonProgramFiles%\OE\search.dll (this file is detected as Adware.OrbitExplorer)
    • %CommonProgramFiles%\OE\toolbar.dll (this file is detected as Adware.OrbitExplorer)
    • %CommonProgramFiles%\OE\msbb.dll (this file is detected as Adware.NCase)
    • %CommonProgramFiles%\OE\uninstallwa.exe

      Notes:
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
      • %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
      • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.

  3. Adds the values:

    "OELoader" = "%WinDir%\Downloaded Program Files\OELoader.exe"
    "OrbitUpdate" = "%ProgramFiles%\Orbit\update.exe"
    "OrbitView" = "%ProgramFiles%\Orbit\view.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that various Adware.OrbitExplorer components run every time Windows starts.

  4. Adds the values:

    "%WinDir%\Downloaded Program Files\OELoader.dll" = ""
    "%WinDir%\Downloaded Program Files\OELoader.exe" = ""

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls

  5. Replaces the value:

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

    with:

    "{341FB59F-3507-443b-8147-423B4E3B2B15}" = ""

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

    so that searches from the Internet Explorer address bar use www.orbitexplorer.com.

  6. Modifies the values:

    "SearchAssistant" = "[URL on the domain orbitexplorer.com]"
    "CustomizeSearch" = ""

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

    so that Internet Explorer Search Assistant uses www.orbitexplorer.com.

  7. Modifies the values:

    "Start Page" = "htttp://www.orbitexplorer.com/cgi-bin/toolbar.cgi?bid=&affid=123"
    "Search Bar" = "htttp://www.orbitexplorer.com/cgi-bin/IESearch.cgi?bid=&affid=123"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    so that the Internet Explorer Start Page and search settings are changed.

  8. Adds the following registry keys:

    HKEY_CURRENT_USER\CLSID\{0FDA4D2B-7975-405d-8D7C-F5E2247EAE80}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/OELoader.dll
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/OELoader.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Orbit
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{702AD576-FDDB-4d0f-9811-A43252064684}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D48F2E28-68E2-4920-9848-D6E6C7AB3EB7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{702AD576-FDDB-4d0f-9811-A43252064684}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D7B3E460-9968-4191-BD6F-BEED1BC18482}
    HKEY_CLASSES_ROOT\Update.Redirector
    HKEY_CLASSES_ROOT\Update.Redirector.1
    HKEY_CLASSES_ROOT\TypeLib\{ECC4AB37-565F-4424-8802-E4BC7766BA58}
    HKEY_CLASSES_ROOT\TypeLib\{C3E17D0D-593A-457B-A1DA-6D082E29323A}
    HKEY_CLASSES_ROOT\TypeLib\{92A0BFEF-D370-4D4F-BA70-F0C0AFB19B9F}
    HKEY_CLASSES_ROOT\TypeLib\{8594CB7B-5A4B-414C-B40F-6C42152B4D2B}
    HKEY_CLASSES_ROOT\CLSID\{341FB59F-3507-443b-8147-423B4E3B2B15}
    HKEY_CLASSES_ROOT\CLSID\{702AD576-FDDB-4d0f-9811-A43252064684}
    HKEY_CLASSES_ROOT\CLSID\{D48F2E28-68E2-4920-9848-D6E6C7AB3EB7}
    HKEY_CLASSES_ROOT\CLSID\{D7B3E460-9968-4191-BD6F-BEED1BC18482}
    HKEY_CLASSES_ROOT\Interface\{030A8576-686B-479A-AF79-94B9FEA79BC5}
    HKEY_CLASSES_ROOT\Interface\{1D22A25E-B181-4AEE-88FF-2209F7C24FCB}
    HKEY_CLASSES_ROOT\Interface\{229B6742-97C5-4FA1-89D0-0117BE82FC39}
    HKEY_CLASSES_ROOT\Interface\{EC99CBB3-6275-4923-BC54-8F27AC45F577}
    HKEY_CLASSES_ROOT\OESearch.OESearchHook
    HKEY_CLASSES_ROOT\OESearch.OESearchHook.1
    HKEY_CLASSES_ROOT\SQLoader.Loader
    HKEY_CLASSES_ROOT\SQLoader.Loader.1
    HKEY_CLASSES_ROOT\Toolbar.Band
    HKEY_CLASSES_ROOT\Toolbar.Band.1

  9. Adds the following Internet Explorer Favorites:
    • Entertainment\Cars
    • Entertainment\Entertainment
    • Entertainment\Games
    • Entertainment\MP3
    • Entertainment\Travel
    • Finance\B2B
    • Finance\Banking
    • Finance\Business
    • Finance\Careers
    • Finance\Credit Cards
    • Finance\Finance
    • Finance\Insurance
    • Finance\Office
    • Finance\Printing
    • Free Stuff\Auction
    • Free Stuff\Classifieds
    • Free Stuff\Free Email
    • Free Stuff\Free Homepage
    • Free Stuff\Free Services
    • Free Stuff\Homework
    • Free Stuff\School Essays
    • Free Stuff\Services
    • Gambling\Blackjack
    • Gambling\Chips
    • Gambling\Craps
    • Gambling\Multi Player
    • Gambling\Online Casinos
    • Gambling\Poker
    • Gambling\Roulette
    • Gambling\Slots
    • Gambling\Sports Book
    • Inernet\Computer Games
    • Inernet\Computer Stores
    • Inernet\Dedicated Server
    • Inernet\Domain Names
    • Inernet\Hardware
    • Inernet\Laptops
    • Inernet\Software
    • Inernet\Web Design
    • Inernet\Web Hosting
    • Shopping\Accessories
    • Shopping\Aparrel
    • Shopping\Cards
    • Shopping\Electronics
    • Shopping\Flowers
    • Shopping\Gifts
    • Shopping\Jewelry
    • Shopping\Retail Products
    • Shopping\Shoes
    • Shopping\Shopping
    • Shopping\Toys
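
The Run values (step 3), the URLSearchHooks swap (step 5) and the Browser Helper Object keys (step 8) can be checked against a registry export taken from a suspect machine. The following Python is an added example, not part of the original write-up; the function names, finding labels and sample export are constructed for illustration, and it assumes the export has already been decoded to text.

```python
import re

# Indicators copied from steps 3, 5 and 8 of the write-up above.
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEY = CV + r"\Run"
BHO_KEY = CV + r"\Explorer\Browser Helper Objects"
RUN_VALUES = {"oeloader", "orbitupdate", "orbitview"}
HOOK_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
ORBIT_HOOK = "{341FB59F-3507-443b-8147-423B4E3B2B15}"
BHO_CLSIDS = {"{702ad576-fddb-4d0f-9811-a43252064684}",
              "{d48f2e28-68e2-4920-9848-d6e6c7ab3eb7}"}

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OELoader"="C:\\WINDOWS\\Downloaded Program Files\\OELoader.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{341FB59F-3507-443b-8147-423B4E3B2B15}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{702AD576-FDDB-4d0f-9811-A43252064684}]
'''

def parse_reg(text):
    """Parse .reg export text into {key path: {value name: string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; .reg files double every backslash
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_orbit_traces(keys):
    """Return sorted findings for the Run, URLSearchHooks and BHO indicators."""
    norm = {k.lower(): v for k, v in keys.items()}  # registry paths ignore case
    findings = [f"run:{n}={d}" for n, d in norm.get(RUN_KEY.lower(), {}).items()
                if n.lower() in RUN_VALUES]
    hooks = {n.lower() for n in norm.get(HOOK_KEY.lower(), {})}
    if ORBIT_HOOK.lower() in hooks:
        # Step 5 describes the default hook being replaced, not merely joined.
        state = "added" if DEFAULT_HOOK.lower() in hooks else "replaced-default"
        findings.append(f"searchhook:{state}")
    for key in norm:
        parent, _, leaf = key.rpartition("\\")
        if parent == BHO_KEY.lower() and leaf in BHO_CLSIDS:
            findings.append(f"bho:{leaf}")
    return sorted(findings)
```

Calling find_orbit_traces(parse_reg(SAMPLE)) reports the OELoader Run value, the replaced search hook and one Browser Helper Object, and leaves the ctfmon.exe entry alone.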
