Behavior
Adware.BestSearch is a search hijacker that is installed as a Browser Helper Object.
Symptoms
Your Symantec program detects Adware.BestSearch.
Transmission
The Adware.BestSearch installer must be executed. The installer may be embedded in an HTML Help (.chm) file.
Technical details
File names: MegaInstaller.exe
When Adware.BestSearch is executed, it performs the following actions:
1. Creates the following files:
%UserProfile%\Local Settings\Temp\MegaHost.dll
%UserProfile%\Local Settings\Temp\MegaInstaller.exe
%UserProfile%\Local Settings\Temp\temp.dll
Notes:
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
2. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MegaSearch
HKEY_CURRENT_USER\Software\MegaHost
3. Adds the values:
"@" = "%UserProfile%\Local Settings\Temp\MegaHost.dll"
"ThreadingModel" = "Apartment"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}\InprocServer32
4. Adds the value:
"@" = "Mega!"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}
5. Adds the values:
"UninstallString" = "%UserProfile%\Local Settings\Temp\MegaInstaller.exe /u"
"DisplayName" = "MegaSearch"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MegaSearch
6. Adds the value:
"Use Search Asst" = "no"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
7. Adds the values:
"page" = "0x00000001"
"Use Search Asst" = "no"
"SearchAssistant" = "http:/ /ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"Start Page" = "http:/ /www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"cid" = "cb719ff8-7813-4a5e-916f-66692534204e"
to the registry subkey:
HKEY_CURRENT_USER\Software\MegaHost
8. Modifies the value:
"SearchAssistant" = "http:/ /best-search.us/?page=search&pid=sext01"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
9. Displays pop-up ads.
Removal instructions
See:
http://securityresponse.symantec.com/avcenter/venc/data/adware.bestsearch.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
Then click OK.
3. Navigate to and delete the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MegaSearch
HKEY_CURRENT_USER\Software\MegaHost
4. Navigate to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
5. In the right pane, delete the value:
"Use Search Asst" = "no"
6. Navigate to and restore the following values, if known:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\"SearchAssistant"
7. Exit the Registry Editor.
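
Before deleting anything by hand, the indicators listed above can be checked with a read-only script. The PowerShell below is an added example, not part of the original write-up or any Symantec tool. It assumes PowerShell 3.0 or later running as the affected user, and it goes beyond this one threat by listing every registered Browser Helper Object and flagging any whose DLL loads from a Temp folder.

```powershell
# Added example: read-only check for the Adware.BestSearch indicators in this write-up.
# Assumes PowerShell 3.0+ and that it runs as the affected user. Nothing is modified.
$clsid = '{8BC6346B-FFB0-4435-ACE3-FACA6CD77816}'
$bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Registry subkeys the write-up says the installer creates.
$keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
    "$bho\$clsid",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MegaSearch',
    'HKCU:\Software\MegaHost'
)
# Files dropped under %UserProfile%\Local Settings\Temp.
$temp  = Join-Path $env:USERPROFILE 'Local Settings\Temp'
$files = 'MegaHost.dll', 'MegaInstaller.exe', 'temp.dll' | ForEach-Object { Join-Path $temp $_ }

# Read one registry value; '' names the key's default value ("@" in the write-up).
function Get-RegValue([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

$findings = @()
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $findings += "key:   $k" } }
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "file:  $f" } }

# Values from steps 6 and 8. "Use Search Asst" = "no" can also be a user's own setting.
$sa = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search' 'SearchAssistant'
if ($sa -like '*best-search.us*') { $findings += "value: SearchAssistant = $sa" }
$usa = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Use Search Asst'
if ($usa -eq 'no') { $findings += 'value: Use Search Asst = no (confirm before deleting)' }

# Generalisation: every registered BHO with the DLL it loads, flagging DLLs under a Temp folder.
$bhos = Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = Get-RegValue "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32" ''
    [pscustomobject]@{
        CLSID   = $_.PSChildName
        Dll     = $dll
        Suspect = ($_.PSChildName -eq $clsid) -or ($dll -match '\\Temp\\')
    }
}

if ($findings) { $findings } else { 'No Adware.BestSearch indicators found.' }
$bhos | Format-Table -AutoSize
```

On 64-bit Windows, 32-bit Internet Explorer reads the equivalent HKEY_LOCAL_MACHINE\SOFTWARE paths under Wow6432Node, which this example does not check.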