HTTP AdwareRemover Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects AdwareRemover communicating with, and requesting information from, its controlling server.

Additional Information

When the program executes, it performs the following actions:

1. Creates the following file:

%UserProfile%\Desktop\ADS Adware Remover.lnk

Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the following folders:

* %ProgramFiles%\ADS Adware Remover
* C:\Documents and Settings\All Users\Start Menu\Programs\ADS Adware Remover

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

3. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADS Adware Remover_is1
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\ADS Adware Remover
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ADS Adware Remover
HKEY_ALL_USERS\Software\Microsoft\Windows\AAR

4. Runs a malware scan.

5. Reports a number of false positives.

6. Requires the user to purchase the application so that the falsely reported infections can be cleaned.
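The artifacts listed in steps 1 to 3 can be swept across a whole machine with the following PowerShell triage script. It is an added example, not part of the Symantec signature page: it checks every profile directory recorded under ProfileList rather than only the current %UserProfile%, treats the HKEY_ALL_USERS entries as keys under each per-user hive in HKEY_USERS (an assumption, since that is not a standard hive name), and only reports matches without deleting anything.

```powershell
# Added example: report the AdwareRemover artifacts named in the signature
# across all user profiles and all loaded per-user registry hives. Read-only.

$shortcutRel = 'Desktop\ADS Adware Remover.lnk'
$folders     = @(
    (Join-Path $env:ProgramFiles 'ADS Adware Remover'),
    'C:\Documents and Settings\All Users\Start Menu\Programs\ADS Adware Remover'
)
$hklmKeys    = @('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADS Adware Remover_is1')
$perUserKeys = @(  # listed as HKEY_ALL_USERS on the page; assumed to mean each HKU hive
    'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\ADS Adware Remover',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ADS Adware Remover',
    'Software\Microsoft\Windows\AAR'
)

$findings = [System.Collections.Generic.List[string]]::new()

# Every profile directory on the box, not only the one %UserProfile% expands to
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileDirs = Get-ChildItem $profileList -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath } |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

foreach ($dir in $profileDirs) {
    $lnk = Join-Path $dir $shortcutRel
    if (Test-Path -LiteralPath $lnk) { $findings.Add("file: $lnk") }
}
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f -PathType Container) { $findings.Add("folder: $f") }
}
foreach ($k in $hklmKeys) {
    if (Test-Path -LiteralPath "HKLM:\$k") { $findings.Add("registry: HKLM\$k") }
}

# HKU: is not a default PowerShell drive; map it so loaded user hives can be enumerated
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$sids = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
foreach ($sid in $sids) {
    foreach ($k in $perUserKeys) {
        $path = "HKU:\$($sid.PSChildName)\$k"
        if (Test-Path -LiteralPath $path) { $findings.Add("registry: HKU\$($sid.PSChildName)\$k") }
    }
}

if ($findings.Count -eq 0) { 'No AdwareRemover artifacts found.' } else { $findings }
```

Only hives of users currently logged on (or otherwise loaded) appear under HKEY_USERS, so profiles that are not loaded need their NTUSER.DAT mounted separately before their keys can be checked.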

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.