
Adware.Topsearch

Updated: February 13, 2007 11:32:46 AM
Type: Adware
Version: Not available
Publisher: Altnet, Inc.
Risk Impact: Medium
File Names: Topsearch.dll; asm.exe; asmps.dll; Points Manager.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Adware.TopSearch is executed, it will perform some of the following actions:
  1. Creates the following files:

    • %ProgramFiles%\KaZaA\topsearch.dll (may be installed at other locations.)
    • %ProgramFiles%\Altnet\Download Manager\asm.exe
    • %ProgramFiles%\Altnet\Download Manager\asmps.dll
    • %ProgramFiles%\Altnet\Download Manager\altinst1.dll
    • %ProgramFiles%\Altnet\Download Manager\altinst2.dll
    • %ProgramFiles%\Altnet\My Altnet Shares\ (may contain a number of files)
    • %ProgramFiles%\Altnet\DBBackup\Sigfiles.db
    • %ProgramFiles%\Altnet\Points Manager\Local Pages (may contain a number of .gif and .html files)
    • %ProgramFiles%\Altnet\Points Manager\Skin (may contain a number of .bmp files)
    • %ProgramFiles%\Altnet\Points Manager\Temp Internet Shares (may contain a number of files)
    • %ProgramFiles%\Altnet\Points Manager\points manager.exe
    • %ProgramFiles%\Altnet\Points Manager\Points Manager.exe.Manifest
    • %ProgramFiles%\Altnet\Points Manager\settings.cab
    • %ProgramFiles%\Altnet\Points Manager\setup.cab
    • %ProgramFiles%\Altnet\Points Manager\sysdetect.dll
    • %Windir%\smdat32m.sys
    • %Windir%\smdat32a.sys
    • %Windir%\Fonts\acrsec.fon
    • %Windir%\Fonts\acrsecI.fon
    • %Windir%\Fonts\acrsecB.fon
    • %System%\TopSearch.dll

      Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the file [ORIGINAL FILE NAME].Manifest

    Note: [ORIGINAL FILE NAME] refers to the file that originally executed the security risk.

  3. Creates the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}
    HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}
    HKEY_CLASSES_ROOT\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0}
    HKEY_CLASSES_ROOT\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8}
    HKEY_CLASSES_ROOT\CLSID\{E813099D-5529-47F4-9B37-4AFAFCB00A43}
    HKEY_CLASSES_ROOT\Interface\{AD5BC1F0-72D8-44B3-8E3D-8E8FECCE43FB}
    HKEY_CLASSES_ROOT\Interface\{E813099D-5529-47F4-9B37-4AFAFCB00A43}
    HKEY_CLASSES_ROOT\AppID\Altnet Signing Module.EXE
    HKEY_CLASSES_ROOT\SigningModule.SigningModule
    HKEY_CLASSES_ROOT\SigningModule.SigningModule.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltnetDM
    HKEY_LOCAL_MACHINE\SOFTWARE\Altnet


  4. Adds the following value:
    "AltnetPointsManager" = "Random Location"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so the risk runs on startup.
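
The indicators above can be checked offline against a file listing and a Run-key export collected from a host. The following is an added example, not Symantec's code: the function names, the `9x`/`nt`/`xp` family keys and the sample inventory are assumptions made here, and the folder roots are the defaults given in the Notes.

```python
import ntpath

# Default roots per OS family, taken from the Notes above (assumed unmodified).
ROOTS = {
    "9x": {"%windir%": r"C:\Windows", "%system%": r"C:\Windows\System"},
    "nt": {"%windir%": r"C:\Winnt", "%system%": r"C:\Winnt\System32"},
    "xp": {"%windir%": r"C:\Windows", "%system%": r"C:\Windows\System32"},
}
PROGRAM_FILES = r"C:\Program Files"
# Fixed-location file indicators (a subset of the list above).
FILE_INDICATORS = [
    r"%ProgramFiles%\Altnet\Download Manager\asm.exe",
    r"%ProgramFiles%\Altnet\Download Manager\asmps.dll",
    r"%ProgramFiles%\Altnet\Points Manager\points manager.exe",
    r"%Windir%\smdat32m.sys",
    r"%Windir%\smdat32a.sys",
    r"%Windir%\Fonts\acrsec.fon",
]
RUN_VALUE = "AltnetPointsManager"  # value name under ...\CurrentVersion\Run

def norm(path):
    """Windows paths are case-insensitive; compare them normalized."""
    return ntpath.normcase(ntpath.normpath(path))

def expand(indicator, os_family):
    """Replace the page's %Var% placeholders with that OS family's defaults."""
    table = {**ROOTS[os_family], "%programfiles%": PROGRAM_FILES}
    out = indicator.lower()
    for var, root in table.items():
        out = out.replace(var, root)
    return norm(out)

def triage(file_paths, run_values, os_family):
    """Match a collected file list and Run-key values against the indicators."""
    seen = {norm(p) for p in file_paths}
    files = [i for i in FILE_INDICATORS if expand(i, os_family) in seen]
    # topsearch.dll "may be installed at other locations": match by file name.
    dlls = [p for p in file_paths if ntpath.basename(norm(p)) == "topsearch.dll"]
    # The Run data is a random location, so key on the value name only.
    run = [v for k, v in run_values.items() if k.lower() == RUN_VALUE.lower()]
    return {"files": files, "topsearch_dll": dlls, "run_data": run}

# Constructed sample inventory from a hypothetical Windows 2000 host.
SAMPLE_FILES = [r"C:\WINNT\SMDAT32M.SYS", r"D:\Apps\Kazaa\TopSearch.dll",
                r"c:\program files\altnet\download manager\ASM.EXE",
                r"C:\Winnt\System32\kernel32.dll"]
SAMPLE_RUN = {"altnetpointsmanager": r"C:\Temp\x\points manager.exe",
              "ctfmon": "ctfmon.exe"}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN, "nt"))
```

Passing the wrong OS family changes the expanded `%Windir%` and `%System%` roots, so a host that relocated its Windows folder needs its actual roots substituted into `ROOTS`.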
