Adware.AdBlaster

Updated: February 13, 2007 11:43:55 AM
Type: Adware
Risk Impact: High
File Names: IEExplorer.exe, adprot.exe, ngpw36.exe, ngsh33.dll, ngsw31.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.AdBlaster is executed, it performs the following actions:
  1. Creates the following files:

    • %System%\adprot.exe
    • %System%\ngpw36.exe
    • %System%\ngpw36.exe.exe
    • %System%\ngsh33.dll
    • %System%\MSWINSCK.OCX
    • %Windir%\Sngpw36.exe
    • %Windir%\Sngsh33.dll
    • %Windir%\morpheus_internet_accelerator2.exe
    • %System%\sngpw38.exe
    • %System%\ngsw31.dll
    • %Windir%\sngpw38.exe

      Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Adds the values:

    "ngpw36" = "%System%\ngpw36.exe"
    "adprot" = "%System%\adprot.exe"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  3. Adds the value:

    "Aapp" = "%System%\adprot"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Creates some of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{3836A9DB-B135-4046-901C-46111761647D}
    HKEY_CLASSES_ROOT\CLSID\{941CA48C-3984-4E7D-AAF8-8755ED76EB50}
    HKEY_CLASSES_ROOT\CLSID\{DDC319C4-499F-49CC-80A8-6BF11CBF0923}
    HKEY_CLASSES_ROOT\CLSID\{E9147A0A-A866-4214-B47C-DA821891240F}

    HKEY_CLASSES_ROOT\Interface\{AAA0AA29-58CB-424D-BD48-1CF84E20BFE1}
    HKEY_CLASSES_ROOT\Interface\{EAE7C84F-4A41-4E63-9A6C-E32AA1865C26}
    HKEY_CLASSES_ROOT\Interface\{2955E123-9372-44D1-8BA3-C98DA0FA0F1D}
    HKEY_CLASSES_ROOT\Interface\{B8EF29C3-32B2-4C18-B703-74D48AEC94B9}

    HKEY_CLASSES_ROOT\TypeLib\{EC888FAB-1762-4334-8D14-6F568A80B2E1}
    HKEY_CLASSES_ROOT\TypeLib\{68BDBAE7-647D-4109-9BCC-851E99D82E34}
    HKEY_CLASSES_ROOT\ngsh33.clsDW
    HKEY_CLASSES_ROOT\ngsh33.clsIS

    HKEY_CLASSES_ROOT\ngsw31.clsDW
    HKEY_CLASSES_ROOT\ngsw31.clsIS

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{941CA48C-3984-4E7D-AAF8-8755ED76EB50}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DB932A2-ECE3-4D5C-9B64-A77C1BC6341F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\InternetAccelerator.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Morpheus Upgrades
    HKEY_LOCAL_MACHINE\SOFTWARE\Ashampoo


  5. Continuously displays the same pop-up advertisement from the domain netwebsearch2.com.

  6. Attempts to prevent the security risk from being removed by restoring the files ngpw36.exe and ngsh33.dll if they are removed from the %System% folder.
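
The file and Run-key indicators from steps 1 to 3 can be checked offline against a file listing and a Run-key export collected from a host. The following is an added example, not part of the original write-up or any Symantec tool; the function names, the `9x`/`nt`/`xp` family labels, the `HKCU`/`HKLM` abbreviations and the sample data are assumptions made for illustration.

```python
import ntpath

# Default folder locations, taken from the Notes under step 1.
DEFAULT_DIRS = {
    "9x": {"%System%": r"C:\Windows\System", "%Windir%": r"C:\Windows"},
    "nt": {"%System%": r"C:\Winnt\System32", "%Windir%": r"C:\Winnt"},
    "xp": {"%System%": r"C:\Windows\System32", "%Windir%": r"C:\Windows"},
}
# Step 1 files. MSWINSCK.OCX is also the name of Microsoft's Winsock
# control, so on its own it is weak evidence.
FILES = [r"%System%\adprot.exe", r"%System%\ngpw36.exe", r"%System%\ngpw36.exe.exe",
         r"%System%\ngsh33.dll", r"%System%\MSWINSCK.OCX", r"%Windir%\Sngpw36.exe",
         r"%Windir%\Sngsh33.dll", r"%Windir%\morpheus_internet_accelerator2.exe",
         r"%System%\sngpw38.exe", r"%System%\ngsw31.dll", r"%Windir%\sngpw38.exe"]
# Steps 2 and 3: Run values, keyed by (hive, value name).
RUN_VALUES = {("HKCU", "ngpw36"): r"%System%\ngpw36.exe",
              ("HKCU", "adprot"): r"%System%\adprot.exe",
              ("HKLM", "Aapp"): r"%System%\adprot"}
# Step 6: files the risk restores if they are deleted from %System%.
RESTORED = {r"%System%\ngpw36.exe", r"%System%\ngsh33.dll"}


def expand(path, family):
    """Substitute the page's variables and normalise case and separators."""
    for var, real in DEFAULT_DIRS[family].items():
        path = path.replace(var, real)
    return ntpath.normcase(ntpath.normpath(path.strip('"')))


def triage(files, run_values, family="xp"):
    """files: paths seen on the host; run_values: {(hive, name): data}."""
    present = {expand(f, family) for f in files}
    seen = {(h.upper(), n.lower()): d for (h, n), d in run_values.items()}
    file_hits = [f for f in FILES if expand(f, family) in present]
    run_hits = [(h, n) for (h, n), d in RUN_VALUES.items()
                if (h, n.lower()) in seen
                and expand(seen[(h, n.lower())], family) == expand(d, family)]
    return {"files": file_hits, "run": run_hits,
            "restored_if_deleted": [f for f in file_hits if f in RESTORED]}


# Constructed sample: a file listing and Run-key export from an XP host.
SAMPLE_FILES = [r"C:\WINDOWS\system32\adprot.exe", r"c:\windows\system32\ngsh33.dll",
                r"C:\Windows\Sngpw36.exe", r"C:\Windows\system32\notepad.exe"]
SAMPLE_RUN = {("HKCU", "adprot"): r'"C:\WINDOWS\system32\adprot.exe"',
              ("hklm", "AAPP"): r"C:\Windows\System32\adprot",
              ("HKCU", "ctfmon"): r"C:\Windows\system32\ctfmon.exe"}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN))
```

Any entry under `restored_if_deleted` means that deleting that file alone will not hold, because step 6 describes it being put back.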

