Systweak Spyware Library
Adware.WebSearch.a Analysis Report
Threat Submitted On: 5/11/2007 3:31:50 AM
Threat Analysed On: 5/11/2007 8:31:50 AM
Threat Updated On: 11/7/2009 11:05:22 AM
Type : Adware
Symptoms of WebSearch.a
  • Displays pornographic or abusive content, or intrusive third-party advertisements.
  • Shows deceptive or false warnings.
  • Generates advertisements even when the program is not running.
  • Installs other bundled programs alongside itself.
  • Places unwanted adverts on the computer screen.
Information
Alias : AdWare.Win32.WebSearch.a
Md5 Hash : e6b6b8ae869941bb6c64b29b199ed527
File Size : 473088 bytes

Here are the technical findings of our analysis team after analysing this malware in detail:

Creates the following infected files on the user's system
Note:
Delete the following files to remove the infection
File: frequently asked questions.url
Path : %allusersprofile%\start menu\programs\web search tools
Md5Hash :36bb46090166d31b1fb1779caeda3767 ( 141 bytes)
File: home.url
Path : %allusersprofile%\start menu\programs\web search tools
Md5Hash :3b070a18e46e10e88fe9738b6492bc6b ( 97 bytes)
File: privacy policy.url
Path : %allusersprofile%\start menu\programs\web search tools
Md5Hash :7cac8edd5ad02c6fb89cd197af0c34ce ( 133 bytes)
File: terms of use.url
Path : %allusersprofile%\start menu\programs\web search tools
Md5Hash :6e8b9a7aa17dee4315df6d5fe97d34c6 ( 129 bytes)
File: common.dll
Path : %workingdir%
Md5Hash :06c9f9ef47cc166241322007fe332b52 ( 681472 bytes)
File: toolbar.dll
Path : %workingdir%
Md5Hash :1589c687bc1452eb20490096fa1e420b ( 729600 bytes)
File: common.dll
Path : %workingdir%\update
Md5Hash :06c9f9ef47cc166241322007fe332b52 (size not recorded; same hash as %workingdir%\common.dll above)
File: toolbar.dll
Path : %workingdir%\update
Md5Hash :1589c687bc1452eb20490096fa1e420b (size not recorded; same hash as %workingdir%\toolbar.dll above)
File: xlmurin.wzg
Path : %workingdir%
Md5Hash :cff4ce330373b3b49bb1b4ead804e8ba ( 10 bytes)
File: zwipvbh.wzg
Path : %workingdir%
Md5Hash :65ef8b42092ede3be751ba0489197390 ( 100 bytes)
File: tbps.ini
Path : %windir%\system32
Md5Hash :1d14fb4527487e5176aa50f77415d14b ( 577 bytes)
Md5Hash :99dc5a6899f0c48d097843e8de42d6f1 ( 153 bytes)
File: [randomname].exe
Path : %workingdir%
Md5Hash :2390efafae9fd21b8ae33e34ad7c4034 ( 473090 bytes)
Md5Hash :7a8bc935ea3eeb52a8b8bd0e366921ec ( 193024 bytes)
Md5Hash :d08e733a9aa56bd260ef9b3fb0a03190 ( 790528 bytes)
Md5Hash :e6b6b8ae869941bb6c64b29b199ed527 ( 473088 bytes)
Where a file is listed with more than one hash, several builds were observed. The e6b6b8ae869941bb6c64b29b199ed527 build is the analysed sample itself (see Information above); the "Copies" section below shows the randomly named dropper is copied to tbps.exe and then to pib.exe, so these files should be matched by hash rather than by name.
Also creates the following files on the user's system, which are also created by genuine software:
Note:
These file(s) can generally be kept, as they are also created by genuine software. The exception is pib.exe: its MD5 (e6b6b8ae869941bb6c64b29b199ed527) is that of the analysed sample, and the "Copies" section below shows it is a copy of tbps.exe, so treat it as part of the infection and delete it. The .cab files under %workingdir%\update are the archives fetched from 146.82.109.210/dnl/t_50196/ (see the URL list below) and hold the components that are then moved into %workingdir%.
File : acc.txt
Path : %workingdir%
Md5Hash :5798c2a97deb9c095c7f88a0aa862558 (size not recorded)
File : cursors.xml
Path : %workingdir%\cursors
Md5Hash :6708a6451fb960dc98302fabbf6820d8 ( 167 bytes)
File : pib.exe
Path : %workingdir%
Md5Hash :e6b6b8ae869941bb6c64b29b199ed527 ( 473088 bytes)
File : acc.txt
Path : %workingdir%\update
Md5Hash : (not recorded)
File : common.cab
Path : %workingdir%\update
Md5Hash : (not recorded)
File : tb3.cab
Path : %workingdir%\update
Md5Hash : (not recorded)
File : tbps.cab
Path : %workingdir%\update
Md5Hash : (not recorded)
File : tbpssvc.cab
Path : %workingdir%\update
Md5Hash : (not recorded)
The following registry values are added to the affected registry keys (the key paths themselves were not preserved in this report):
Note:
Delete the added values from the key to remove the infection. The data of the tbps, displayicon and uninstallstring values shows that the toolbar was installed to %SYSTEMDRIVE%\data, and the displayname/displayicon/uninstallstring trio are the value names Windows reads for an Add/Remove Programs entry.
Values added:
install_confirmed_user = "0"
p_admin = "1"
p_usr = "1"
tuid = "v4fc459815e99c42a692332ae665129913-x6029002180"
tbps = "%SYSTEMDRIVE%\data\tbps.exe"
displayicon = "%SYSTEMDRIVE%\data\tbps.exe"
displayname = "websearch toolbar"
uninstallstring = "%SYSTEMDRIVE%\data\tbps.exe uninst"
filename = "tbps.exe"
path = ""
url = ""
filename = "common.dll"
filename = "tbpssvc.exe"
path = ""
url = ""
filename = "toolbar.dll"
path = ""
ask_plugin_inst = "1"
cfg_check_hour = "16"
cfg_url = "http://download.websearch.com/st3config.asmx/getxml?tbid=%tb_id%&tuid=%tuid%&v_lst=%cfg_v_lst%&plugins=%cfg_plugins%&srv_v=%cfg_srv_v%&stats=%cfg_stats%"
cfg_ver = "1.0.0.0"
cursor_confirm = "http://skins.websearch.com/getskin.asmx/setcursordwnllog?cursorid=%currentcursor%&tbid=50048&tuid=%tuid%"
d_cfg_upd = "20080327 04:19:35"
install_confirm_1 = "http://download.websearch.com/tbstatinstlog.asmx/setstatus?tbid=%tb_id%&modul=st3ps&tuid=%tuid%&info=searchinstall&sdate=%idate%&stime=%itime%"
install_confirm_sys = "http://download.websearch.com/tbinstlog.asmx/getxml?tbid=%tb_id%&taskid=0&modul=confirm&event_id=st3ps_sys&power_u=%p_usr%&info=%reason%&tuid=%tuid%"
install_confirm_sysex = "http://download.websearch.com/tbinstlog.asmx/getxml?tbid=%tb_id%&taskid=0&modul=confirm&event_id=st3ps_sysex&power_u=%p_usr%&info=%reason%&tuid=%tuid%"
install_confirmed = "0"
install_level = "0"
lc_cfg = "20080327 04:19:47"
manual_update = "http://download.websearch.com/dnl/t_50048/toolbar3.cab"
ntsvc_display = "websearch toolbar support nt service"
random_cursor = "http://skins.websearch.com/getskin.asmx/getcursor?cursorid=%currentcursor%&tbid=50048"
random_skin = "http://skins.websearch.com/getskin.asmx/getskin?skinid=%currentskin&tbid=50048"
show_uninstall_question = "1"
skin_confirm = "http://skins.websearch.com/getskin.asmx/setdwnllog?skinid=%currentskin&tbid=%tb_id&tuid=%tuid"
tuid = "v4fc459815e99c42a692332ae665129913-x6029002180"
uninst_aboutinfo = ""
uninst_confirm = "http://download.websearch.com/tbstatinstlog.asmx/setstatus?tbid=%tb_id%&modul=st3ps_un&tuid=%tuid%&info=searchinstall&sdate=%idate%&stime=%itime%"
uninst_helpinfo = ""
uninst_name = "websearch toolbar"
uninst_publisher = ""
uninst_updateinfo = ""
uninstall_info_1 = "http://download.websearch.com/support/st_uninstall.aspx"
uninstall_info_2 = "http://download.websearch.com/support/st_uninstall_3.aspx?id=%tb_id%&aff=%af_id%"
verbose = "1"
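The report lists the value names and data but not the keys they live under, so on a suspect machine the practical step is to export the registry (for example `reg export HKCU hkcu.reg` and likewise for HKLM) and search the export for these values to recover the key paths. The following Python script is an added example, not the report's or Systweak's own code: it parses a .reg export and flags values by the distinctive names and the websearch.com/tbps markers above, while ignoring the generic names the report also lists (path, url, filename, verbose, p_usr and so on) unless their data matches too, so unrelated software is not flagged. The .reg text, the key paths under ConstructedVendor and Unrelated, and their value data are constructed for the demo.

```python
"""Find WebSearch.a registry values in a .reg export and recover their keys.

Added example (not Systweak's code).  The indicator sets are taken from the
report's value list; SAMPLE_REG is constructed and its key paths are made up.
"""
import re

# Value names from the report that are specific enough to act on by themselves.
DISTINCTIVE_NAMES = {
    "tuid", "tbps", "cfg_url", "cfg_check_hour", "cursor_confirm", "ask_plugin_inst",
    "install_confirm_1", "install_confirm_sys", "install_confirm_sysex",
    "manual_update", "ntsvc_display", "random_cursor", "random_skin", "skin_confirm",
    "uninst_confirm", "uninstall_info_1", "uninstall_info_2",
}
# Substrings of value data that identify the toolbar regardless of value name.
DATA_MARKERS = ("websearch.com", "tbps.exe", "tbpssvc.exe", "websearch toolbar")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, name, data) from a .reg export.

    REG_SZ data is unescaped; other types (dword:..., hex:...) are yielded as
    their raw text.  Continuation lines of long hex values are not joined,
    which is fine here because the indicators are all string data.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, name, data


def find_websearch_values(text):
    """Return [(key, name, data)] for values matching the report's indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        if name.lower() in DISTINCTIVE_NAMES or any(
            marker in data.lower() for marker in DATA_MARKERS
        ):
            hits.append((key, name, data))
    return hits


def affected_keys(text):
    """Sorted list of keys that hold at least one indicator value."""
    return sorted({key for key, _, _ in find_websearch_values(text)})


# Constructed export: the first two keys imitate the toolbar's configuration
# (key paths invented), the third is an unrelated program that happens to use
# the same generic value names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ConstructedVendor\Toolbar]
"tuid"="v4fc459815e99c42a692332ae665129913-x6029002180"
"cfg_url"="http://download.websearch.com/st3config.asmx/getxml?tbid=%tb_id%&tuid=%tuid%"
"verbose"="1"
"p_usr"="1"

[HKEY_CURRENT_USER\Software\ConstructedVendor\Toolbar\plugins\0]
"filename"="tbpssvc.exe"
"path"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Unrelated\Editor]
"path"="C:\\Program Files\\Editor"
"verbose"="1"
"url"="http://www.example.com/"
'''

if __name__ == "__main__":
    for key, name, data in find_websearch_values(SAMPLE_REG):
        print(f"[{key}] {name} = {data!r}")
```

Running the script against the constructed export reports tuid and cfg_url under the Toolbar key and filename under its plugins subkey, but nothing from the unrelated key even though it carries path, verbose and url values; those are the keys whose values the Note above says to delete.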
Creates the following child process(es) on execution:
%workingdir%\tbps.exe
%workingdir%\pib.exe
services.exe
%workingdir%\tbpssvc.exe -i
%workingdir%\tbpssvc.exe
%workingdir%\tbps.exe /regsvr
%workingdir%\tbps.exe /showurl 0 http://download.websearch.com/install/tb_ssaver.aspx?id=50196&url_log_enable=on
The tbpssvc.exe -i launch, the services.exe activity and the ntsvc_display value ("websearch toolbar support nt service") are consistent with tbpssvc.exe registering itself as a Windows service, so the Services list should be checked alongside the files and registry values above when cleaning up.

Creates the following mutex(es) on the user's system:
pluginrunmtxe6b6b8ae869941bb6c64b29b199ed527
(The first mutex name embeds the MD5 of the analysed sample, so a different build uses a different pluginrunmtx name; the remaining names are build-independent.)
pluginrunmtxtbps
pluginmastermutex
st3_hookmtx
pluginfileopmtx
raspbfile
pluginpluginrepositorymtx
plugininstallmtx
st_v_3_mtx
pluginclientrepositorymtx
pluginrunmtxpib
pluginslavemutex
tbps_datamap_mutex
pluginrunmtxtbps/regsvr
pluginregistermtx
pluginrunmtxtbps/hiturl
pluginrunmtxtbps/showurl
Tries to connect to the following URLs (all over HTTP/1.1):
146.82.109.210/st3config.asmx/getxml
146.82.109.210/dnl/t_50196/tbps.cab
146.82.109.210/dnl/t_50196/tbpssvc.cab
146.82.109.210/dnl/t_50196/tb3.cab
146.82.109.210/dnl/t_50196/common.cab
146.82.109.210/tbstatinstlog.asmx/setstatus
146.82.109.210/tbinstlog.asmx/getxml
These are the same paths the registry configuration above addresses to download.websearch.com (cfg_url, install_confirm_*, uninst_confirm, manual_update), so 146.82.109.210 is presumably the address that hostname resolved to at analysis time; block and alert on the hostnames as well as the address, since the address can change. The four .cab downloads are the archives that appear in %workingdir%\update. Note also that the registry values carry toolbar id 50048 while the downloads and the /showurl launch use 50196, so detections should not key on a single tbid.
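Combining the hostnames from the registry configuration with the address and paths seen on the wire gives a network signature that can be run over proxy logs. The following Python script is an added example, not part of the report: it matches the URL in each Squid-format access log line against those indicators, records whether the host, the path, or both matched (a path-only match on an unknown host is weaker evidence and is reported as such), and pulls tbid and tuid out of the query string so the per-install identifier can be tied to a client address. The log lines, client addresses and the example.com/example.net hosts are constructed; the client field position assumes Squid's native access.log layout.

```python
"""Match proxy log URLs against the WebSearch.a network indicators.

Added example (not Systweak's code).  Hosts and paths come from the report's
registry configuration and URL list; SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_HOSTS = {"146.82.109.210", "download.websearch.com", "skins.websearch.com"}
C2_PATHS = {
    "/st3config.asmx/getxml",
    "/tbstatinstlog.asmx/setstatus",
    "/tbinstlog.asmx/getxml",
    "/getskin.asmx/getskin",
    "/getskin.asmx/getcursor",
    "/getskin.asmx/setdwnllog",
    "/getskin.asmx/setcursordwnllog",
    "/install/tb_ssaver.aspx",
    "/support/st_uninstall.aspx",
    "/support/st_uninstall_3.aspx",
}
# Component downloads: /dnl/t_<tbid>/<name>.cab, with tbid varying per build.
CAB_PATH_RE = re.compile(r"^/dnl/t_\d+/[a-z0-9_]+\.cab$")
URL_RE = re.compile(r"https?://\S+")


def classify_url(url):
    """Describe one URL: which indicator classes it hit and any tbid/tuid."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("host")
    if path in C2_PATHS or CAB_PATH_RE.match(path):
        reasons.append("path")
    qs = parse_qs(parts.query)
    return {
        "host": host,
        "path": path,
        "reasons": reasons,          # [] means the URL matched nothing
        "tbid": qs.get("tbid", [None])[0],
        "tuid": qs.get("tuid", [None])[0],
    }


def scan_log(lines):
    """Return one dict per matching line (Squid native format: client is field 3)."""
    hits = []
    for line in lines:
        fields = line.split()
        m = URL_RE.search(line)
        if not m or len(fields) < 7:
            continue
        info = classify_url(m.group(0))
        if not info["reasons"]:
            continue
        info["client"] = fields[2]
        hits.append(info)
    return hits


def tuids_by_client(hits):
    """Map each flagged client to the install identifiers it reported."""
    out = {}
    for h in hits:
        out.setdefault(h["client"], set())
        if h["tuid"]:
            out[h["client"]].add(h["tuid"])
    return {c: sorted(t) for c, t in out.items()}


# Constructed Squid access.log lines: an infected client (10.0.0.12) doing the
# config fetch, a .cab download and an install confirmation, one clean line,
# and a path-only match on an unrelated host.
SAMPLE_LOG = """\
1178868710.101 312 10.0.0.12 TCP_MISS/200 2210 GET http://146.82.109.210/st3config.asmx/getxml?tbid=50196&tuid=v4fc459815e99c42a692332ae665129913-x6029002180&v_lst=&plugins=&srv_v=&stats= - DIRECT/146.82.109.210 text/xml
1178868711.420 890 10.0.0.12 TCP_MISS/200 190552 GET http://146.82.109.210/dnl/t_50196/tbps.cab - DIRECT/146.82.109.210 application/octet-stream
1178868712.007 120 10.0.0.12 TCP_MISS/200 640 GET http://download.websearch.com/tbinstlog.asmx/getxml?tbid=50196&taskid=0&modul=confirm&event_id=st3ps_sys&power_u=1&info=ok&tuid=v4fc459815e99c42a692332ae665129913-x6029002180 - DIRECT/146.82.109.210 text/xml
1178868715.300 55 10.0.0.33 TCP_HIT/200 14020 GET http://www.example.com/index.html - NONE/- text/html
1178868716.001 77 10.0.0.33 TCP_MISS/200 512 GET http://cdn.example.net/dnl/t_50196/tbps.cab - DIRECT/203.0.113.9 application/octet-stream
"""


def demo():
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in demo():
        print(h["client"], h["host"], h["path"], "+".join(h["reasons"]), h["tbid"], h["tuid"])
    print(tuids_by_client(demo()))
```

The tuid value is the per-install identifier the toolbar sends back on every check-in, so grouping hits by it (tuids_by_client) shows how many distinct installs a client address has reported, which a simple host match would not.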
Copies the following files to the given locations:
Copies : %workingdir%\[random name].exe
To : %workingdir%\tbps.exe
Copies : %workingdir%\tbps.exe
To : %workingdir%\pib.exe
Moves the following files to the given locations:
Moves : %workingdir%\update\tbps.exe
To : %workingdir%\tbps.exe
Moves : %workingdir%\update\tbpssvc.exe
To : %workingdir%\tbpssvc.exe
Moves : %workingdir%\update\toolbar.dll
To : %workingdir%\toolbar.dll
Moves : %workingdir%\update\common.dll
To : %workingdir%\common.dll

NOTE:

1. %allusersprofile% refers to the Windows All Users profile folder. By default it is 'C:\Documents and Settings\All Users'.
2. %workingdir% refers to the directory the sample was run from. In this analysis the registry values (tbps, displayicon, uninstallstring) show it was %SYSTEMDRIVE%\data.
3. %windir% refers to the Windows root folder. By default it is 'C:\Windows'.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify the malicious/suspicious subkeys only.


To modify registry entries in Windows:
Follow these steps:
1. Click Start > Run
2. Type "regedit" to open the Registry Editor
3. Navigate to the required registry key in the left tree and modify it accordingly.



© Systweak Inc., 1999-2009 All rights reserved.