Adware.SecureServicePk

Printer Friendly Page

Updated: June 01, 2006 2:52:36 AM
Type: Adware
Risk Impact: High
Systems Affected: Windows

Behavior

Adware.SecureServicePk is adware that inserts advertisements into the top of the result pages of some search Web sites.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version May 27, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date May 31, 2006

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Masaki Suenaga

Updated: June 01, 2006 2:52:36 AM
Type: Adware
Risk Impact: High
Systems Affected: Windows

Adware.SecureServicePk is adware that inserts advertisements into the top of the result pages of some search Web sites.

The risk is installed as a Browser Helper Object DLL file.

Note: The DLL file is referenced by the following registry value:
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}\InProcServer32\"(Default)" = "[PATH TO DLL]"

When the risk is installed, it adds the following registry subkeys:
HKEY_CLASSES_ROOT\SecureServicePack.BHO.1
HKEY_CLASSES_ROOT\SecureServicePack.BHO
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_CLASSES_ROOT\CLSID\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}
HKEY_CLASSES_ROOT\Interface\{B5918C1E-B0CD-4123-A0CB-CFE9703A265B}

The risk monitors the URL of Internet Explorer to check if it is one of the following:
frazoo.com/results.php
dogpile.com/info.dogpl/search/web
xpsn.com/Search/SmartSearch4.asp
xpsn.com/Search/
yandex.
search.yahoo.com/
search.com/
overture.com/
search.netscape.com/
search.msn.com/
lycos.
hotbot.com/
google.
fastsearch.com/
.excite.
search.ebay.com/
cnn.com/
ask.com/
search.aol.com/
altavista.com/
alltheweb.com/

It then inserts an advertisement into the top of the search result page.

Note: It may cause a difficulty in viewing the result page due to the unexpected insertion of contents on some Web sites, such as www.yandex.ru .

Writeup By: Masaki Suenaga