Adware.MatrixSearch

Updated: February 13, 2007 11:42:47 AM
Type: Adware
Version: 1.0.0.17
Publisher: www.123mania.com
Risk Impact: High
File Names: Mshtmpre.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.MatrixSearch is executed, it performs the following actions:
  1. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C5B2F29-1F46-4639-A6B4-828942301D3E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622CC208-B014-4FE0-801B-874A5E5E403A}

    so that the adware runs every time Internet Explorer is started.

  2. Adds the value:

    "LoadHTML" = "rundll32.exe c:\windows\system32\regsvr32.exe,MShtmpre"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows is started.

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{15651C7C-E812-44a2-A9AC-B467A2233E7D}
    HKEY_CLASSES_ROOT\CLSID\{622CC208-B014-4FE0-801B-874A5E5E403A}
    HKEY_CLASSES_ROOT\CLSID\{9C5B2F29-1F46-4639-A6B4-828942301D3E}
    HKEY_CLASSES_ROOT\CLSID\{D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}
    HKEY_CLASSES_ROOT\Interface\{16F6A635-09F8-44E6-953E-81D037647255}
    HKEY_CLASSES_ROOT\Interface\{34DCDBDB-60EF-4281-92C6-68C299AAB8E5}
    HKEY_CLASSES_ROOT\Interface\{FC02833E-9FDE-4862-974F-828887716A28}
    HKEY_CLASSES_ROOT\Interface\{722C6699-FDF7-4B4F-BDD0-F84CF5791A80}
    HKEY_CLASSES_ROOT\TypeLib\{B8F9DD56-4FFA-47B0-B9D7-42F45A752F4E}
    HKEY_CLASSES_ROOT\TypeLib\{E9A45914-275E-4866-BB75-5D65CBC3F311}
    HKEY_CLASSES_ROOT\TypeLib\{5E6895EA-E919-4331-ADBE-827D4D8915AC}
    HKEY_CLASSES_ROOT\AutoSearch1.BHOsrc
    HKEY_CLASSES_ROOT\AutoSearch1.BHOsrc.1
    HKEY_CLASSES_ROOT\AutoSearch1.SrchHook
    HKEY_CLASSES_ROOT\AutoSearch1.SrchHook.1
    HKEY_CLASSES_ROOT\Bho1.html
    HKEY_CLASSES_ROOT\Bho1.html.1
    HKEY_CLASSES_ROOT\Bho.html
    HKEY_CLASSES_ROOT\Bho.html.1

  4. Adds the following values:

    "html_unresident" = "res://C:\WINDOWS\System32\SIPSPI32.dll/Desinstala.htm"
    "html_stopengine" = "res://C:\WINDOWS\System32\SIPSPI32.dll/Desactiva.htm"
    "html_gotowork" = "res://C:\WINDOWS\System32\SIPSPI32.dll/Activa.htm"
    "html_onlyone" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p1.htm"
    "html_reconfig3" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p3.htm"
    "html_reconfig5" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p5.htm"
    "html_reconfig9" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p9.htm"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs

  5. Adds the values:

    "ppcimdnnnjbeahepfabjipfginloedkg cfcaak"
    "ppcimdnnnjbeahepfabjipfginloedkg enodaj"
    "goicfboogidikkejccmclpieicihhlpo ejfebp"
    "goicfboogidikkejccmclpieicihhlpo imfado"
    "goicfboogidikkejccmclpieicihhlpo igcdca"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0

  6. Opens an unusually high number of Internet Explorer windows.

  7. Redirects non-existent Web site searches to www.123mania.com.
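
The registry changes in steps 1, 2 and 4 can be checked offline against a registry export. The following is an added example, not Symantec's code: it assumes the input is a `.reg` export already decoded to text, the function name `scan_reg_export` is hypothetical, and the sample export is constructed.

```python
import re

# Indicators copied from the advisory; keys and value names are matched case-insensitively.
HKLM = "hkey_local_machine\\software\\microsoft\\"
BHO_KEY = HKLM + "windows\\currentversion\\explorer\\browser helper objects"
RUN_KEY = HKLM + "windows\\currentversion\\run"
ABOUT_KEY = HKLM + "internet explorer\\abouturls"
BHO_CLSIDS = {
    "{D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}",
    "{9C5B2F29-1F46-4639-A6B4-828942301D3E}",
    "{622CC208-B014-4FE0-801B-874A5E5E403A}",
}
# "name"="string data" lines; .reg files escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return sorted (kind, name) findings for a decoded .reg export."""
    findings, key = set(), ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # remember the current subkey
            parent, _, leaf = key.rpartition("\\")
            if parent == BHO_KEY and leaf.upper() in BHO_CLSIDS:
                findings.add(("bho", leaf.upper()))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue                          # header, blank line or non-string value
        name, data = (re.sub(r"\\(.)", r"\1", g).lower() for g in m.groups())
        if key == RUN_KEY and name == "loadhtml" and "mshtmpre" in data:
            findings.add(("run", name))
        elif key == ABOUT_KEY and "sipspi32.dll" in data:
            findings.add(("abouturl", name))
    return sorted(findings)

# Constructed sample export (not captured from a real host); the all-zero CLSID is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d879a0f1-2b3b-4409-8879-fad6e49e1ea9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadHTML"="rundll32.exe c:\\windows\\system32\\regsvr32.exe,MShtmpre"
"ExampleUpdater"="C:\\Program Files\\Example\\update.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"blank"="res://mshtml.dll/blank.htm"
"html_gotowork"="res://C:\\WINDOWS\\System32\\SIPSPI32.dll/Activa.htm"
'''

print(scan_reg_export(SAMPLE))
```

Exports written by regedit are normally UTF-16, so decode the file before passing its text to the function.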

