
Adware.IESearch

Updated: February 13, 2007 11:48:29 AM
Type: Adware
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once Adware.IESearch is installed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\IESearch\IEBHO.DLL
    • %ProgramFiles%\IESearch\IELSP.DLL
    • %ProgramFiles%\IESearch\IESearchSilent.log
    • %ProgramFiles%\IESearch\VERSIONCHECKER.EXE
    • %ProgramFiles%\IESearch\config.xml
    • %ProgramFiles%\IESearch\uninstall.exe

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{901C2C91-AFE7-416D-9FC1-34F87A264AC8}
    HKEY_CLASSES_ROOT\AppID\IEBHO.DLL
    HKEY_CLASSES_ROOT\AppID\{2E97A338-5092-4B14-B5E7-50994E09EA35}
    HKEY_CLASSES_ROOT\CLSID\{901C2C91-AFE7-416D-9FC1-34F87A264AC8}
    HKEY_CLASSES_ROOT\IEBHOProject.IEBHO
    HKEY_CLASSES_ROOT\IEBHOProject.IEBHO.1
    HKEY_CLASSES_ROOT\Interface\{E128D984-2F06-41D0-B55C-0EAAE5913436}
    HKEY_CLASSES_ROOT\TypeLib\{2E97A338-5092-4B14-B5E7-50994E09EA35}
    HKEY_LOCAL_MACHINE\SOFTWARE\IEsearch
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{901C2C91-AFE7-416D-9FC1-34F87A264AC8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IESearch


  3. Modifies the value:

    "Search Bar" = "[http://]minisearch.startnow.com"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

    in order to change the Internet Explorer Search page.

  4. Adds the value:

    "Start Page Backup" = "[PREVIOUS VALUE]"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    in order to create a backup copy of the previous value of the registry entry it will subsequently modify.

  5. Modifies the value:

    "Start Page" = "[http://]www.startnow.com"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    in order to change the Internet Explorer Start page.

  6. Modifies the value:

    "AutoSearch" = "5"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

  7. Adds the value:

    "SearchAssistant Backup" = "[PREVIOUS VALUE]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

    in order to create a backup copy of the previous value of the registry entry it will subsequently modify.

  8. Modifies the value:

    "SearchAssistant" = "[http://]minisearch.startnow.com"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  9. Creates a service with the following characteristics:

    Service Name: WS2IFSL
    Display Name: Windows Socket 2.0 Non-IFS Service Provider Support Environment
    Path to executable: %System%\drivers\ws2ifsl.sys
    Startup type: Manual

    Note: This is a legitimate service, and is used by Layered Service Providers (LSPs), which do not use Installable File System (IFS) supported sockets.

  10. Installs an LSP to monitor all network traffic to and from the compromised computer, and redirects any HTML error pages to the following domain:

    startnow.com
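
The registry changes listed above can be checked offline against the text of a `reg export` dump. The following is an added example, not code from Symantec; the function name `scan_reg_export`, the subset of listed keys it matches, and the sample export are assumptions made for illustration.

```python
import re

# Indicators taken from the write-up above.
KEY_MARKERS = (
    r"{901C2C91-AFE7-416D-9FC1-34F87A264AC8}",    # BHO / CLSID entries
    r"HKEY_LOCAL_MACHINE\SOFTWARE\IEsearch",
    r"CurrentVersion\Uninstall\IESearch",
    r"HKEY_CLASSES_ROOT\IEBHOProject.IEBHO",
)
HIJACK_VALUES = {"Search Bar", "Start Page", "SearchAssistant"}
BACKUP_VALUES = {"Start Page Backup", "SearchAssistant Backup"}
DOMAIN = "startnow.com"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # string values only

def scan_reg_export(text):
    """Return (kind, key, detail) findings from the text of a .reg export."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # section header = key path
            key = line[1:-1]
            if any(m.lower() in key.lower() for m in KEY_MARKERS):
                findings.append(("key", key, ""))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or "\\internet explorer\\" not in key.lower():
            continue
        name, data = m["name"], m["data"]
        if name in HIJACK_VALUES and DOMAIN in data.lower():
            findings.append(("hijack", key, f"{name}={data}"))
        elif name in BACKUP_VALUES:   # backup copies left behind by the installer
            findings.append(("backup", key, f"{name}={data}"))
    return findings

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.startnow.com"
"Start Page Backup"="http://intranet.example/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{901C2C91-AFE7-416D-9FC1-34F87A264AC8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.example.org/search"
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(*finding, sep=" | ")
```

Version 5.00 export files are UTF-16 encoded, so decode the file before passing its text to the function.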
