Adware.EasySearch


February 13, 2007 11:38:59 AM
Risk Impact:
File Names:
Systems Affected:

When Adware.EasySearch runs, it does the following:

  1. Downloads a program from a predetermined site and installs it as:


    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Copies the above program to the following files:
    • %Windir%\stisvsq.exe
    • %Windir%\svshost.exe
    • %Windir%\msqdevl.exe
    • %Windir%\lssas.exe
    • %Windir%\mservice.exe

  3. Adds the value:

    "Start Page"="[URL on the domain easy-search.biz]"

    to the registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

    to redirect the Internet Explorer start page.

  4. Adds the values:


    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    to set Adware.EasySearch as a proxy server that Internet Explorer uses to access the Internet.

  5. Adds the values:

    "Microsoft Internet Acceleration Utility"="iau.exe"
    "Internet Connection Wizard"="stisvsq.exe"
    "Games Acceleration"="svshost.exe"
    "Internet Mail and News"="msqdevl.exe"
    "Microsoft Management Console"="lssas.exe"
    "Multimedia extensions"="mservice.exe"

    to the registry keys:


    so that Adware.EasySearch runs when Windows starts.

  6. Runs on port 8080 on the infected computer as a proxy to Internet Explorer.

  7. Periodically redirects the user to one of the following domains:
    • worldtracker.biz
    • pornlandz.com
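
The indicators listed above can be checked offline against a registry export and a %Windir% file listing. The Python sketch below is an added example, not part of the Symantec write-up; its function names, the placeholder autostart key and the sample data are constructed. Autostart values are matched by name and data in any key, because the write-up does not name the key.

```python
import re
from urllib.parse import urlsplit
# Indicators copied from the write-up: autostart value name -> program, copied file names.
RUN_VALUES = {
    "microsoft internet acceleration utility": "iau.exe",
    "internet connection wizard": "stisvsq.exe",
    "games acceleration": "svshost.exe",
    "internet mail and news": "msqdevl.exe",
    "microsoft management console": "lssas.exe",
    "multimedia extensions": "mservice.exe",
}
COPIED_FILES = {"stisvsq.exe", "svshost.exe", "msqdevl.exe", "lssas.exe", "mservice.exe"}
IE_MAIN = r"\software\microsoft\internet explorer\main"
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')

# True when the URL's host is the domain or one of its subdomains.
def on_domain(url, domain="easy-search.biz"):
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host == domain or host.endswith("." + domain)

def scan_reg_export(text):
    """Return sorted (kind, key, value name) hits from .reg-style text."""
    hits, key = set(), ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        program = data.lower().rsplit("\\", 1)[-1]  # file name without any path
        if RUN_VALUES.get(name.lower()) == program:
            hits.add(("autostart", key, name))
        if name.lower() == "start page" and key.lower().endswith(IE_MAIN) and on_domain(data):
            hits.add(("start-page", key, name))
    return sorted(hits)

def scan_windir(file_names):
    """Return names in a %Windir% listing that match the copied-file list."""
    return sorted(n for n in file_names if n.lower() in COPIED_FILES)

# Constructed sample input; the autostart key is a placeholder (not named in the write-up).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.easy-search.biz/"
[HKEY_CURRENT_USER\PLACEHOLDER_AUTOSTART_KEY]
"Games Acceleration"="svshost.exe"
"Multimedia extensions"="C:\\Program Files\\Player\\player.exe"
'''
SAMPLE_WINDIR = ["explorer.exe", "notepad.exe", "LSSAS.EXE", "svshost.exe"]
```

A value name from the list that points at a different program, such as the last sample line, is not reported; only the name and program pairs given in the write-up match.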
