
Adware.ILookup

Updated: February 13, 2007 11:35:25 AM
Type: Adware
Risk Impact: Medium
File Names: ineb.dll, gws.dll, chgrgs.dll, abeb.dll, bmeb.dll, sbus.dll, drbr.dll, Winsrm32.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.ILookup is installed, it performs the following actions:
  1. Creates one of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18B79968-1A76-4953-9EBB-B651407F8998}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AEE4D0C-4B38-4196-AE32-70ACE5656647}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61D029AC-972B-49FE-A155-962DFA0A37BB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{753AA023-02D1-447D-8B55-53A91A5ABF18}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FBAA0B9E-A059-43E4-9699-76EB0AEB975B}


    in order to register a .dll file as a Browser Helper Object.

  2. Creates the following registry subkeys:



  3. Adds some of the following registry values:

    "{0AAF602E-72A1-45FE-BAB1-06971E07EAA2}"
    "{4B8F38C7-62FC-4762-B9A0-27E63F768167}"
    "{6EF3AE25-5A7D-40C2-9B44-9ED0068621C0}"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

  4. Changes the Internet Explorer home page.

  5. Connects to one of the following Web sites, depending on the .dll installed:

    • i-lookup.com
    • globalwebsearch.com
    • superwebsearch.com
    • traffichog.com
    • searchbus.com
    • globaltoolbar.com
    • searchmall.com

  6. Displays pop-up advertisements, many of which are pornographic in nature.
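
A triage check for the Browser Helper Object and Toolbar registrations listed in steps 1 and 3, written as an added example (not part of the original write-up or any vendor tool). It scans the text of a `.reg` export; the function name, the sample export and the all-zero placeholder CLSID are constructed for illustration.

```python
import re

# Registry paths are case-insensitive, so everything is compared in upper case.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects".upper()
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar".upper()

# CLSIDs copied from steps 1 and 3 of this write-up.
BHO_CLSIDS = {
    "{18B79968-1A76-4953-9EBB-B651407F8998}", "{0AEE4D0C-4B38-4196-AE32-70ACE5656647}",
    "{61D029AC-972B-49FE-A155-962DFA0A37BB}", "{753AA023-02D1-447D-8B55-53A91A5ABF18}",
    "{FBAA0B9E-A059-43E4-9699-76EB0AEB975B}",
}
TOOLBAR_CLSIDS = {
    "{0AAF602E-72A1-45FE-BAB1-06971E07EAA2}", "{4B8F38C7-62FC-4762-B9A0-27E63F768167}",
    "{6EF3AE25-5A7D-40C2-9B44-9ED0068621C0}",
}

SECTION = re.compile(r"^\[(-?)(.+)\]$")            # [KEY] or [-KEY]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def scan_reg_export(text):
    """Return sorted (kind, clsid) hits found in decoded .reg text.
    regedit writes exports as UTF-16; decode the file before calling this."""
    hits, key = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            # "[-KEY]" deletes a key in a hand-written .reg file; it is not a registration.
            key = None if m.group(1) else m.group(2).upper()
            if key and key.startswith(BHO_KEY + "\\"):
                clsid = key[len(BHO_KEY) + 1:].split("\\")[0]
                if clsid in BHO_CLSIDS:
                    hits.add(("bho", clsid))
            continue
        m = VALUE.match(line)
        # '"name"=-' deletes a value, so it is skipped as well.
        if m and key == TOOLBAR_KEY and m.group(2) != "-":
            if m.group(1).upper() in TOOLBAR_CLSIDS:
                hits.add(("toolbar", m.group(1).upper()))
    return sorted(hits)

# Constructed sample: one listed BHO in mixed case, one unrelated placeholder BHO,
# one listed Toolbar value and one value-deletion line.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18b79968-1a76-4953-9ebb-b651407f8998}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4B8F38C7-62FC-4762-B9A0-27E63F768167}"=""
"{6EF3AE25-5A7D-40C2-9B44-9ED0068621C0}"=-
'''
```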

