
Adware.Mediafinder

Updated:
April 4, 2012 1:47:33 AM
Type:
Adware
Infection Length:
Varies
Risk Impact:
Low
Systems Affected:
Windows
This security risk must be manually installed.

Once executed, the security risk creates the following files:
  • C:\Documents and Settings\All Users\Desktop\Media Finder.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Get the Media Finder License.URL
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Media Finder on the Web.url
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Media Finder.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Uninstall Media Finder.lnk
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\brs.js
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\brs.xul
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\dm_intercept.js
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\dm_intercept.xul
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome.manifest
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\install.rdf
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome\content\icon.png
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome\content\main.js
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome\content\overlay.xul
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome.manifest
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\install.rdf
  • %UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.crx
  • %UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.dll
  • %UserProfile%\Application Data\Media Finder\Extensions\IEPlugin32.dll
  • %UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx
  • %UserProfile%\Application Data\Media Finder\link.cfg
  • %UserProfile%\Application Data\Media Finder\Sett.cfg
  • %UserProfile%\Application Data\Media Finder\Temp\downloads.xml
  • %ProgramFiles%\Media Finder\borlndmm.dat
  • %ProgramFiles%\Media Finder\borlndmm.dll
  • %ProgramFiles%\Media Finder\hook.html
  • %ProgramFiles%\Media Finder\MF.exe
  • %ProgramFiles%\Media Finder\mf.ico
  • %ProgramFiles%\Media Finder\Plugins\depositfiles.dll
  • %ProgramFiles%\Media Finder\Plugins\extabit.dll
  • %ProgramFiles%\Media Finder\Plugins\filepost.dll
  • %ProgramFiles%\Media Finder\Plugins\furk.dll
  • %ProgramFiles%\Media Finder\Plugins\hotfile.dll
  • %ProgramFiles%\Media Finder\Plugins\letitbit.dll
  • %ProgramFiles%\Media Finder\Plugins\madshare.dll
  • %ProgramFiles%\Media Finder\Plugins\rapidshare.dll
  • %ProgramFiles%\Media Finder\Plugins\turbobit.dll
  • %ProgramFiles%\Media Finder\Plugins\unibytes.dll
  • %ProgramFiles%\Media Finder\Plugins\uploading.dll
  • %ProgramFiles%\Media Finder\Plugins\uploadstation.dll
  • %ProgramFiles%\Media Finder\Plugins\wupload.dll
  • %ProgramFiles%\Media Finder\Plugins\_4shared.dll
  • %ProgramFiles%\Media Finder\unins000.dat
  • %ProgramFiles%\Media Finder\unins000.exe

The security risk creates the following registry entry, so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Media Finder" = ""%ProgramFiles%\Media Finder\MF.exe" /opentotray"

It then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\IEPlugin.DLL\"AppID" = "{3F39D17D-50C7-4AC4-A63A-CDF6CDBD0C61}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3F39D17D-50C7-4AC4-A63A-CDF6CDBD0C61}\"" = "IEPlugin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\VersionIndependentProgID\"" = "IEPlugin.IEWebHook"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\TypeLib\"" = "{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\ProgID\"" = "IEPlugin.IEWebHook.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\InprocServer32\"" = "%UserProfile%\Application Data\Media Finder\Extensions\IEPlugin32.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"" = "Plugin for Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\ProgID\"" = "gencrawler_gc.GenCrawler"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\InprocServer32\"" = "%UserProfile%\Application Data\MEDIAF~1\EXTENS~1\GENCRA~1.DLL"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\"" = "Help the General-Search Project"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\TypeLib\"" = "{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\TypeLib\"Version" = "1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\ProxyStubClsid32\"" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\ProxyStubClsid\"" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\"" = "IIEWebHook"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\0\win32\"" = "%UserProfile%\Application Data\Media Finder\Extensions\IEPlugin32.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\HELPDIR\"" = "%UserProfile%\Application Data\Media Finder\Extensions"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\FLAGS\"" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\"" = "IEPlugin 1.0 Type Library"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gencrawler_gc.GenCrawler\Clsid\"" = "{CA4520F3-AE13-4FB1-A513-58E23991C86D}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gencrawler_gc.GenCrawler\"" = "Help the General-Search Project"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook\CurVer\"" = "IEPlugin.IEWebHook.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook\CLSID\"" = "{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook\"" = "Plugin for Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook.1\CLSID\"" = "{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook.1\"" = "Plugin for Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\shell\open\command\"" = ""%ProgramFiles%\Media Finder\MF.exe" "%1""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\shell\"" = "open"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\DefaultIcon\"" = ""%ProgramFiles%\Media Finder\MF.exe",0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\"URL Protocol" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\"NoExplorer" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"" = "IEWebHook"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"NoExplorer" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\%UserProfile%\Application Data\Media Finder\Extensions\"IEPlugin32.dll" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\%UserProfile%\Application Data\Media Finder\Extensions\"gencrawler_gc.dll" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Setup Version" = "5.4.2 (u)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: App Path" = "%ProgramFiles%\Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"InstallLocation" = "%ProgramFiles%\Media Finder\"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Icon Group" = "Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: User" = "User"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Selected Tasks" = "desktopicon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Deselected Tasks" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Language" = "english"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"DisplayName" = "Media Finder 1.0.9.20"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"UninstallString" = "%ProgramFiles%\Media Finder\unins000.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"QuietUninstallString" = ""%ProgramFiles%\Media Finder\unins000.exe" /SILENT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"DisplayVersion" = "1.0.9.20"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"URLInfoAbout" = "http://www.media-finder.net/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"HelpLink" = "http://www.media-finder.net/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"URLUpdateInfo" = "http://www.media-finder.net/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"NoModify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"NoRepair" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"InstallDate" = "20080303"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"MajorVersion" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"MinorVersion" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"version" = "1.1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"version" = "2.5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"version" = "1.1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"version" = "2.5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.crx"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\"Contexts" = 0x00000022
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\"" = "%ProgramFiles%\Media Finder\hook.html"
  • HKEY_CURRENT_USER\Software\Classes\MF\shell\open\command\"" = ""%ProgramFiles%\Media Finder\MF.exe" "%1""
  • HKEY_CURRENT_USER\Software\Classes\MF\shell\"" = "open"
  • HKEY_CURRENT_USER\Software\Classes\MF\DefaultIcon\"" = ""%ProgramFiles%\Media Finder\MF.exe",0"
  • HKEY_CURRENT_USER\Software\Classes\MF\"URL Protocol" = ""
  • HKEY_CURRENT_USER\Software\Classes\MF\"" = "URL:Media Finder"
  • HKEY_CURRENT_USER\Software\MediaFinder\"IEPluginEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"FFPluginEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"GCPluginEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"ClipboardEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"FileShares" = "[DATA]"
  • HKEY_CURRENT_USER\Software\MediaFinder\"Extensions" = "|7z|ace|arj|avi|bin|doc|exe|fml|grs|gz|hqx|iso|lzh|mp3|mp4|mpeg|mpg|msi|pdf|psd|r0|rar|sit|tar|tgz|txt|xls|z|zip|"
  • HKEY_CURRENT_USER\Software\MediaFinder\"NotSupported" = "[DATA]"
  • HKEY_CLASSES_ROOT\MF\shell\open\command\"" = ""%ProgramFiles%\Media Finder\MF.exe" "%1""
  • HKEY_CLASSES_ROOT\MF\shell\"" = "open"
  • HKEY_CLASSES_ROOT\MF\DefaultIcon\"" = ""%ProgramFiles%\Media Finder\MF.exe",0"
  • HKEY_CLASSES_ROOT\MF\"URL Protocol" = ""
  • HKEY_CLASSES_ROOT\MF\"" = "URL:Media Finder"

It then monitors access to certain websites, mostly associated with file sharing. If a page on one of those sites is opened, an HTTP request may be made to the following location and the result may be injected into the Web page, depending on the extension of the URL:
1mediafindergeneral-cralwer.com
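The registry entries above are printed in Symantec's free-text notation, which is awkward to feed into a host-inventory or EDR query. The following is an added example, not Symantec's code and not part of Media Finder: a small Python parser for that notation that groups each entry by the mechanism it gives the adware (Run-key autostart, Internet Explorer Browser Helper Object, Chrome extension registered through the registry, the custom MF: URL protocol handler, the IE context-menu entry, COM in-process server registration) and joins each BHO CLSID to the DLL its CLSID\InprocServer32 default value names. The sample input is a subset of the entries listed on this page; the function names and category labels are this example's own, and the parser deliberately tolerates a value name with a missing closing quote, as one line of the original list had.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

# One indicator line in the writeup's notation:
#   HIVE\Path\To\Key\"ValueName" = "data"   or   ...\"ValueName" = 0x00000022
# The key's default value is written with an empty name (\""). The name group
# stops at '=' so a missing closing quote around the name still parses.
LINE_RE = re.compile(r'^(?P<key>.+?)\\"(?P<name>[^"=]*)"?\s*=\s*(?P<data>.*)$')
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

@dataclass
class RegIndicator:
    key: str                # full key path, hive included
    name: str               # value name; "" for the key's default value
    data: Union[str, int]   # value data; hex numbers converted to int
    kind: str               # mechanism label assigned by classify()

def _unquote(data: str) -> Union[str, int]:
    """Strip the writeup's single outer quote layer; inner quotes belong to the value."""
    data = data.strip()
    if data.lower().startswith("0x"):
        return int(data, 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1]
    return data

def classify(key: str) -> str:
    """Label a key path by what it does for the adware (labels are this example's own)."""
    k = key.lower()
    if k.endswith("\\currentversion\\run"):
        return "autostart"              # executed at every logon of that user
    if "\\browser helper objects\\" in k:
        return "ie_bho"                 # DLL loaded into every Internet Explorer process
    if "\\google\\chrome\\extensions\\" in k:
        return "chrome_extension"       # external extension installed via registry
    if "\\internet explorer\\menuext\\" in k:
        return "ie_context_menu"
    if re.search(r"(^hkey_classes_root|\\classes)\\mf(\\|$)", k):
        return "url_protocol_handler"   # mf: links launch MF.exe with "%1"
    if k.endswith("\\inprocserver32"):
        return "com_inproc_server"      # CLSID -> DLL that COM will load
    return "other"

def parse_indicators(text: str) -> List[RegIndicator]:
    out: List[RegIndicator] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line.upper().startswith("HKEY_"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed indicator line: {line}")
        key = m.group("key")
        out.append(RegIndicator(key, m.group("name").strip(),
                                _unquote(m.group("data")), classify(key)))
    return out

def bho_dlls(indicators: List[RegIndicator]) -> Dict[str, Optional[str]]:
    """Join each BHO CLSID to the DLL its CLSID\\InprocServer32 default value names."""
    servers: Dict[str, str] = {}
    for i in indicators:
        if i.kind == "com_inproc_server" and i.name == "" and isinstance(i.data, str):
            m = CLSID_RE.search(i.key)
            if m:
                servers[m.group(0).upper()] = i.data
    joined: Dict[str, Optional[str]] = {}
    for i in indicators:
        if i.kind == "ie_bho":
            m = CLSID_RE.search(i.key)
            if m:
                joined[m.group(0).upper()] = servers.get(m.group(0).upper())
    return joined

def chrome_extension_ids(indicators: List[RegIndicator]) -> Set[str]:
    """Extension IDs registered under Google\\Chrome\\Extensions (last key component)."""
    return {i.key.rsplit("\\", 1)[-1] for i in indicators if i.kind == "chrome_extension"}

# Sample input: a subset of the entries listed in this writeup.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Media Finder" = ""%ProgramFiles%\Media Finder\MF.exe" /opentotray"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\InprocServer32\"" = "%UserProfile%\Application Data\Media Finder\Extensions\IEPlugin32.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\InprocServer32\"" = "%UserProfile%\Application Data\MEDIAF~1\EXTENS~1\GENCRA~1.DLL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\"NoExplorer" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"" = "IEWebHook"
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx"
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"version" = "2.5"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\"Contexts" = 0x00000022
HKEY_CURRENT_USER\Software\Classes\MF\"URL Protocol" = ""
HKEY_CLASSES_ROOT\MF\shell\open\command\"" = ""%ProgramFiles%\Media Finder\MF.exe" "%1""
HKEY_CURRENT_USER\Software\MediaFinder\"ClipboardEnabled = "1"
"""

if __name__ == "__main__":
    for clsid, dll in bho_dlls(parse_indicators(SAMPLE)).items():
        print(f"BHO {clsid} -> {dll}")
```

Running the join on the page's own entries shows the detail that matters for triage: both Browser Helper Objects are backed by DLLs under %UserProfile%\Application Data, a user-writable location, and one of them is registered under its 8.3 short name (MEDIAF~1\EXTENS~1\GENCRA~1.DLL), so a path-based allow list that only knows the long name will miss it. The same structured records can be compared against a live registry export to confirm whether the Run key, the two BHO CLSIDs, the two Chrome extension IDs and the MF: protocol handler are present on a host.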