
Adware.LinkMaker

Updated: February 13, 2007 11:42:36 AM
Type: Adware
Publisher: www.serverlogic3.com
Risk Impact: Medium
File Names: HyperLinker.exe, lmf32v.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.LinkMaker is executed, it performs the following actions:
  1. Copies itself as %System%\lmf32v.dll.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following files:

      • %System%\lmdv.bin
      • %System%\lmf32v.dll
      • %System%\PreUninstall.exe
      • %System%\uninst.exe
      • %System%\Uninst.log
      • %System%\HyperLinker3.exe

  3. Creates the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}

    so that the adware runs every time Internet Explorer is started.

  4. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkMakerFilter
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkMakerFilter.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkTracker
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkTracker.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HyperLinker
    HKEY_LOCAL_MACHINE\SOFTWARE\LM
    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}

  5. Contacts [http://]www.serverlogic3.com/[REMOVED] and tries to download and execute a file named winmonv.exe.

  6. Redirects search queries to the Web site [http://]www.srch-results.com/[REMOVED].
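
A read-only host check for the files and registry subkeys listed in steps 1 to 4, written as an added example (it is not part of the original writeup or of any vendor tool). It assumes PowerShell 3.0 or later and inspects only the native system folder and registry view of the host it runs on; the variable and function names are illustrative.

```powershell
# Added example: read-only check for the artifacts listed in this writeup.
$sys   = [Environment]::SystemDirectory   # what the writeup calls %System%
$files = 'lmdv.bin', 'lmf32v.dll', 'PreUninstall.exe', 'uninst.exe',
         'Uninst.log', 'HyperLinker3.exe'
# uninst.exe and Uninst.log are generic names; treat a hit on those alone as weak.

$cls  = 'SOFTWARE\Classes'
$cv   = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$bho  = '{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}'   # BHO CLSID from step 3
$hklm = @(
    "$cv\Explorer\Browser Helper Objects\$bho",
    "$cls\CLSID\$bho",
    "$cls\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}",
    "$cls\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}",
    "$cls\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}",
    "$cls\LinkMaker.LinkMakerFilter",
    "$cls\LinkMaker.LinkMakerFilter.1",
    "$cls\LinkMaker.LinkTracker",
    "$cls\LinkMaker.LinkTracker.1",
    "$cls\PROTOCOLS\Filter\text/html",
    "$cv\Uninstall\HyperLinker",
    'SOFTWARE\LM'
)
$hkcu = @("$cv\Ext\Stats\$bho")

function Test-RegKey([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey) {
    # OpenSubKey takes the path literally. The registry provider (Test-Path)
    # would split 'text/html' at the '/', so it is avoided here.
    $key = $Hive.OpenSubKey($SubKey)      # read-only open; $null if absent
    if ($key) { $key.Close(); return $true }
    return $false
}

$report = @()
foreach ($f in $files) {
    $p = Join-Path $sys $f
    $report += [pscustomobject]@{ Kind = 'File'; Indicator = $p
                                  Present = (Test-Path -LiteralPath $p) }
}
foreach ($k in $hklm) {
    $report += [pscustomobject]@{ Kind = 'HKLM'; Indicator = $k
        Present = (Test-RegKey ([Microsoft.Win32.Registry]::LocalMachine) $k) }
}
foreach ($k in $hkcu) {
    $report += [pscustomobject]@{ Kind = 'HKCU'; Indicator = $k
        Present = (Test-RegKey ([Microsoft.Win32.Registry]::CurrentUser) $k) }
}
$report | Sort-Object Present -Descending | Format-Table -AutoSize -Wrap
```

The HKEY_CURRENT_USER entry is per user, so the result for that row reflects only the account running the check.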

