
Adware.Mediafinder

Updated: April 4, 2012 1:47:33 AM
Type: Adware
Infection Length: Varies
Risk Impact: Low
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
This security risk must be manually installed.

Once executed, the security risk creates the following files:
  • C:\Documents and Settings\All Users\Desktop\Media Finder.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Get the Media Finder License.URL
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Media Finder on the Web.url
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Media Finder.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Uninstall Media Finder.lnk
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\brs.js
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\brs.xul
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\dm_intercept.js
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome\content\dm_intercept.xul
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\chrome.manifest
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\install.rdf
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome\content\icon.png
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome\content\main.js
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome\content\overlay.xul
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\chrome.manifest
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com\install.rdf
  • %UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.crx
  • %UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.dll
  • %UserProfile%\Application Data\Media Finder\Extensions\IEPlugin32.dll
  • %UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx
  • %UserProfile%\Application Data\Media Finder\link.cfg
  • %UserProfile%\Application Data\Media Finder\Sett.cfg
  • %UserProfile%\Application Data\Media Finder\Temp\downloads.xml
  • %ProgramFiles%\Media Finder\borlndmm.dat
  • %ProgramFiles%\Media Finder\borlndmm.dll
  • %ProgramFiles%\Media Finder\hook.html
  • %ProgramFiles%\Media Finder\MF.exe
  • %ProgramFiles%\Media Finder\mf.ico
  • %ProgramFiles%\Media Finder\Plugins\depositfiles.dll
  • %ProgramFiles%\Media Finder\Plugins\extabit.dll
  • %ProgramFiles%\Media Finder\Plugins\filepost.dll
  • %ProgramFiles%\Media Finder\Plugins\furk.dll
  • %ProgramFiles%\Media Finder\Plugins\hotfile.dll
  • %ProgramFiles%\Media Finder\Plugins\letitbit.dll
  • %ProgramFiles%\Media Finder\Plugins\madshare.dll
  • %ProgramFiles%\Media Finder\Plugins\rapidshare.dll
  • %ProgramFiles%\Media Finder\Plugins\turbobit.dll
  • %ProgramFiles%\Media Finder\Plugins\unibytes.dll
  • %ProgramFiles%\Media Finder\Plugins\uploading.dll
  • %ProgramFiles%\Media Finder\Plugins\uploadstation.dll
  • %ProgramFiles%\Media Finder\Plugins\wupload.dll
  • %ProgramFiles%\Media Finder\Plugins\_4shared.dll
  • %ProgramFiles%\Media Finder\unins000.dat
  • %ProgramFiles%\Media Finder\unins000.exe

The security risk creates the following registry entry, so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Media Finder" = ""%ProgramFiles%\Media Finder\MF.exe" /opentotray"

It then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\IEPlugin.DLL\"AppID" = "{3F39D17D-50C7-4AC4-A63A-CDF6CDBD0C61}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3F39D17D-50C7-4AC4-A63A-CDF6CDBD0C61}\"" = "IEPlugin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\VersionIndependentProgID\"" = "IEPlugin.IEWebHook"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\TypeLib\"" = "{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\ProgID\"" = "IEPlugin.IEWebHook.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\InprocServer32\"" = "%UserProfile%\Application Data\Media Finder\Extensions\IEPlugin32.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"" = "Plugin for Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\ProgID\"" = "gencrawler_gc.GenCrawler"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\InprocServer32\"" = "%UserProfile%\Application Data\MEDIAF~1\EXTENS~1\GENCRA~1.DLL"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\"" = "Help the General-Search Project"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\TypeLib\"" = "{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\TypeLib\"Version" = "1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\ProxyStubClsid32\"" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\ProxyStubClsid\"" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}\"" = "IIEWebHook"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\0\win32\"" = "%UserProfile%\Application Data\Media Finder\Extensions\IEPlugin32.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\HELPDIR\"" = "%UserProfile%\Application Data\Media Finder\Extensions"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\FLAGS\"" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{71E3A30E-9444-49D9-ABDB-B4B531D0BBA3}\1.0\"" = "IEPlugin 1.0 Type Library"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gencrawler_gc.GenCrawler\Clsid\"" = "{CA4520F3-AE13-4FB1-A513-58E23991C86D}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gencrawler_gc.GenCrawler\"" = "Help the General-Search Project"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook\CurVer\"" = "IEPlugin.IEWebHook.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook\CLSID\"" = "{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook\"" = "Plugin for Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook.1\CLSID\"" = "{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEPlugin.IEWebHook.1\"" = "Plugin for Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\shell\open\command\"" = ""%ProgramFiles%\Media Finder\MF.exe" "%1""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\shell\"" = "open"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\DefaultIcon\"" = ""%ProgramFiles%\Media Finder\MF.exe",0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MF\"URL Protocol" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\"NoExplorer" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"" = "IEWebHook"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"NoExplorer" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\%UserProfile%\Application Data\Media Finder\Extensions\"IEPlugin32.dll" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\%UserProfile%\Application Data\Media Finder\Extensions\"gencrawler_gc.dll" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Setup Version" = "5.4.2 (u)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: App Path" = "%ProgramFiles%\Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"InstallLocation" = "%ProgramFiles%\Media Finder\"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Icon Group" = "Media Finder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: User" = "User"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Selected Tasks" = "desktopicon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Deselected Tasks" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"Inno Setup: Language" = "english"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"DisplayName" = "Media Finder 1.0.9.20"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"UninstallString" = "%ProgramFiles%\Media Finder\unins000.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"QuietUninstallString" = ""%ProgramFiles%\Media Finder\unins000.exe" /SILENT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"DisplayVersion" = "1.0.9.20"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"URLInfoAbout" = "http://www.media-finder.net/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"HelpLink" = "http://www.media-finder.net/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"URLUpdateInfo" = "http://www.media-finder.net/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"NoModify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"NoRepair" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"InstallDate" = "20080303"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"MajorVersion" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"MinorVersion" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"version" = "1.1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"version" = "2.5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"version" = "1.1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"version" = "2.5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\gencrawler_gc.crx"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\"Contexts" = 0x00000022
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\"" = "%ProgramFiles%\Media Finder\hook.html"
  • HKEY_CURRENT_USER\Software\Classes\MF\shell\open\command\"" = ""%ProgramFiles%\Media Finder\MF.exe" "%1""
  • HKEY_CURRENT_USER\Software\Classes\MF\shell\"" = "open"
  • HKEY_CURRENT_USER\Software\Classes\MF\DefaultIcon\"" = ""%ProgramFiles%\Media Finder\MF.exe",0"
  • HKEY_CURRENT_USER\Software\Classes\MF\"URL Protocol" = ""
  • HKEY_CURRENT_USER\Software\Classes\MF\"" = "URL:Media Finder"
  • HKEY_CURRENT_USER\Software\MediaFinder\"IEPluginEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"FFPluginEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"GCPluginEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"ClipboardEnabled" = "1"
  • HKEY_CURRENT_USER\Software\MediaFinder\"FileShares" = "[DATA]"
  • HKEY_CURRENT_USER\Software\MediaFinder\"Extensions" = "|7z|ace|arj|avi|bin|doc|exe|fml|grs|gz|hqx|iso|lzh|mp3|mp4|mpeg|mpg|msi|pdf|psd|r0|rar|sit|tar|tgz|txt|xls|z|zip|"
  • HKEY_CURRENT_USER\Software\MediaFinder\"NotSupported" = "[DATA]"
  • HKEY_CLASSES_ROOT\MF\shell\open\command\"" = ""%ProgramFiles%\Media Finder\MF.exe" "%1""
  • HKEY_CLASSES_ROOT\MF\shell\"" = "open"
  • HKEY_CLASSES_ROOT\MF\DefaultIcon\"" = ""%ProgramFiles%\Media Finder\MF.exe",0"
  • HKEY_CLASSES_ROOT\MF\"URL Protocol" = ""
  • HKEY_CLASSES_ROOT\MF\"" = "URL:Media Finder"
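Most of the entries above are COM plumbing and Inno Setup metadata; the ones that matter for persistence and browser injection are the Run key, the two Browser Helper Object registrations, the Chrome extension sideload keys, the IE context-menu handler and the MF: URL protocol handler. The following Python helper is an added example (not Symantec's tooling): it parses entries written in this page's `KEY\"ValueName" = data` notation and groups them by mechanism; the category labels and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in this write-up's notation (KEY\"ValueName" = data); covers nested-quote, empty and hex data.
SAMPLE_ENTRIES = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Media Finder" = ""%ProgramFiles%\Media Finder\MF.exe" /opentotray"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD4DF010-E2FD-43CE-864A-6BD1EDC59AC2}\"NoExplorer" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai\"path" = "%UserProfile%\Application Data\Media Finder\Extensions\mf_plugin_gc.crx"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\"Contexts" = 0x00000022
HKEY_CURRENT_USER\Software\Classes\MF\"URL Protocol" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{414C790F-E24E-461B-983A-2AD84474DE4B}_is1\"InstallLocation" = "%ProgramFiles%\Media Finder\"
'''

# Non-greedy key: the value name starts at the FIRST \" so data ending in a backslash is not swallowed into the key.
ENTRY_RE = re.compile(r'^(?P<key>.+?)\\"(?P<name>[^"]*)" = (?P<data>.*)$')

# Ordered (lower-cased key substring, category); first match wins. The first four are the autostart/injection points.
RULES = [
    ("\\currentversion\\run\\", "autostart: Run key"),
    ("\\browser helper objects\\", "injection: IE BHO"),
    ("\\google\\chrome\\extensions\\", "injection: Chrome extension sideload"),
    ("\\internet explorer\\menuext\\", "injection: IE context-menu handler"),
    ("\\classes\\mf\\", "handler: custom URL protocol MF:"),
    ("hkey_classes_root\\mf\\", "handler: custom URL protocol MF:"),
    ("\\currentversion\\uninstall\\", "metadata: Inno Setup uninstall entry"),
    ("\\classes\\", "COM registration (CLSID/TypeLib/ProgID)"),
]

def unquote(data):
    """Strip one pair of surrounding quotes; leave DWORD/hex data untouched."""
    return data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data

def classify(key):
    k = key.lower() + "\\"  # trailing separator so every rule can anchor on it
    return next((cat for needle, cat in RULES if needle in k), "other")

def parse_entry(line):
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"key": m["key"], "name": m["name"],
            "data": unquote(m["data"]), "category": classify(m["key"])}

def triage(text):
    """Group parsed entries by category so the persistence points stand out."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_entry, text.splitlines())):
        groups[rec["category"]].append(rec)
    return dict(groups)
```

Feeding the full registry list above through `triage` separates the handful of autostart and injection keys worth checking first from the dozens of COM and uninstall entries.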

It then monitors access to certain websites, mostly associated with file sharing. If a page on one of those sites is opened, an HTTP request may be made to the following location and the result may be injected into the Web page, depending on the extension of the URL:
1mediafindergeneral-cralwer.com