Updated: February 13, 2007 11:46:31 AM
Type: Adware
Version: 1.0.0.5
Publisher: eXact Advertising
Risk Impact: Medium
File Names:
cashback.exe
cb.exe
flash.exe
mscb.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.CashBackBuddy is executed, it performs the following actions:
- Creates the following files:
  - %ProgramFiles%\CashBack\ad.dat
  - %ProgramFiles%\CashBack\bb_auto_wider.swf
  - %ProgramFiles%\CashBack\bb_click_wider.swf
  - %ProgramFiles%\CashBack\bb_welcome.html
  - %ProgramFiles%\CashBack\bb_welcome1.swf
  - %ProgramFiles%\CashBack\bin\cashback.exe
  - %ProgramFiles%\CashBack\bin\cb.exe
  - %ProgramFiles%\CashBack\bin\flash.exe
  - %ProgramFiles%\CashBack\blank.gif
  - %ProgramFiles%\CashBack\icon.gif
  - %ProgramFiles%\CashBack\logo.gif
  - %ProgramFiles%\CashBack\template.html
  - %ProgramFiles%\CashBack\template2.html
  - %ProgramFiles%\CashBack\template_signin.html
  - %ProgramFiles%\CashBack\ub.dat
  - %ProgramFiles%\CashBack\Uninstall.exe
  - %System%\mscb.dll
  - %Temp%\bb_auto_wider.swf
  - %Temp%\bb_click_wider.swf
  - %Temp%\bb_welcome.html
  - %Temp%\bb_welcome1.swf
  - %Temp%\blank.gif
  - %Temp%\exTmp0.html
  - %Temp%\icon.gif
  - %Temp%\logo.gif
  - %Temp%\template_signin.html
  - %Windir%\Downloaded Program Files\installer_CASHBACK.exe
  Note:
  - %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
  - %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  - %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  - %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CB.UrlCatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CB.UrlCatcher.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack
HKEY_LOCAL_MACHINE\SOFTWARE\CashBack
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/installer_CASHBACK.exe
- Adds the value:
"CashBack" = "%ProgramFiles%\CashBack\bin\cashback.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
- Adds the value:
"SharedDLLs" = "%Windir%\Downloaded Program Files\installer_CASHBACK.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
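
The following read-only PowerShell check is an added example, not part of the original write-up or any vendor tool. It looks for the install folder, the helper DLL, the Browser Helper Object registration and the Run value listed above. As an assumption beyond the write-up, it also checks the 32-bit (WOW64) folder and registry views that a 64-bit Windows host would use for this software; the variable names are illustrative.

```powershell
# Added example: read-only check for artifacts named in the write-up above.
# Run from a 64-bit PowerShell session so both registry views are visible.
$bho = '{CE188402-6EE7-4022-8868-AB25173A3E14}'   # BHO CLSID from the write-up

# Native locations plus the 32-bit (WOW64) views (assumption: may not exist on older hosts).
$progDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$sysDirs  = @("$env:windir\System32", "$env:windir\SysWOW64", "$env:windir\System")
$swRoots  = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')

$findings = @()

# Install folder, helper DLL and dropped installer from the file list.
$paths  = @($progDirs | ForEach-Object { Join-Path $_ 'CashBack' })
$paths += $sysDirs | ForEach-Object { Join-Path $_ 'mscb.dll' }
$paths += Join-Path $env:windir 'Downloaded Program Files\installer_CASHBACK.exe'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p }
    }
}

foreach ($root in $swRoots) {
    # Subkeys from the registry list: COM class, BHO registration, uninstall entry, vendor key.
    $keys = @(
        "$root\Classes\CLSID\$bho",
        "$root\Classes\CB.UrlCatcher",
        "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
        "$root\Microsoft\Windows\CurrentVersion\Uninstall\CashBack",
        "$root\CashBack"
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $k }
        }
    }
    # Autostart value "CashBack" under the Run key.
    $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['CashBack']) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey -> $($run.CashBack)" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No CashBackBuddy artifacts found.' }
```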