1. Symantec/
  2. Security Response/
  3. Adware.WhileUSurf


February 13, 2007 11:43:16 AM
Razor Media
Risk Impact:
File Names:
wys.dll wys5.dll wys.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.WhileUSurf is executed, it performs the following actions:
  1. Creates the following files:

      • %System%\wys.dll
      • %System%\wys5.dll
      • %System%\wys.exe
      • %System%\svchost.dll
      • %System%\printer32.dll

        Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the following value:

    "Spool" = "%CurrentFolder%\wys.exe /startup"

    to the registry subkey:


    so that the risk runs every time Windows starts.

    Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

  3. Creates the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\While You Surf

  4. Adds the value:

    "SCSI Drive Hash" = "[RANDOM NAME]"

    to the registry subkey:


  5. Displays a high number of advertisements in Internet Explorer.

  6. Crashes Internet Explorer and slows down various applications.

Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube