Behavior
Adware.BigTrafficNet is an adware program that displays advertisements. It works as a Browser Helper Object in Internet Explorer.
Symptoms
The files are detected as Adware.BigTrafficNet.
Transmission
Installed automatically when certain Web sites are visited.
Technical details
File names: ns[random characters].dll
Adware.BigTrafficNet runs as a Browser Helper Object, which means that the adware component will receive information regarding all the actions inside Internet Explorer. Browser Helper Objects require Internet Explorer 4 or later to function.
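Added example (not Symantec's code): a Browser Helper Object is registered by CLSID under the Browser Helper Objects key, and the DLL Internet Explorer loads for it is the default value of HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32, so an audit can resolve every registered BHO to its file and compare it with this write-up. The sketch reads regedit export text; the sample export, the DLL name nsq7x2.dll and the reason labels are constructed for illustration.

```python
import re

# BHO registration key; the CLSID is the one this write-up lists for the risk.
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")
PAGE_CLSID = "{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}"
# Heuristic (assumption): ns[random characters].dll in a System/System32 folder.
NS_DLL = re.compile(r"\\system(32)?\\ns\w+\.dll$", re.I)

# Constructed regedit export: one entry shaped like the write-up, one unrelated.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}\InprocServer32]
@="C:\\WINDOWS\\system32\\nsq7x2.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"""

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):  # REG_SZ values only
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                current["" if name == "@" else name.strip('"')] = data
    return keys

def audit_bhos(text):
    """Return [(clsid, dll_path, reasons)] for every BHO registered in the export."""
    keys = {k.upper(): v for k, v in parse_reg(text).items()}
    prefix, results = BHO_ROOT.upper() + "\\", []
    for key in keys:
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue  # not a direct child of the BHO key
        clsid = key[len(prefix):]
        dll = keys.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\INPROCSERVER32", {}).get("")
        checks = [("clsid-listed-in-write-up", clsid == PAGE_CLSID),
                  ("ns*.dll-in-system-folder", bool(dll and NS_DLL.search(dll))),
                  ("no-inprocserver32", dll is None)]
        results.append((clsid, dll, [name for name, hit in checks if hit]))
    return results
```

An entry with an empty reason list is simply a BHO that does not match this write-up; it still deserves review if its DLL is unfamiliar.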
When Adware.BigTrafficNet is installed, it does the following:
1. Creates some or all of the following files:
* %System%\ns[random characters].dll
* %UserProfile%\Desktop\Free Xbox 360.url
* %UserProfile%\Desktop\Free Sony PS3.url
* %UserProfile%\Desktop\Kill All Spyware.url
* %UserProfile%\Desktop\Kill Spyware.url
* %UserProfile%\Desktop\Spyware Killer.url
* %UserProfile%\Desktop\Sexsearch.url
* %UserProfile%\Desktop\Virus Hunter.url
* %UserProfile%\Favorites\1111\1111.url
Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
2. Creates the following registry subkeys and adds a number of entries under these subkeys:
3. Contacts a Web site on the www.bigtrafficnetwork.com domain and displays pop-up advertisements.
4. Contacts a Web site on the www.bigtrafficnetwork.com domain and downloads remote files. The following files may be downloaded:
* dsktrf.dll (A copy of Adware.Begin2search.)
* thin_poker_installerV36.exe (A copy of Trojan.Dropper.)
* installerv3.exe (A copy of Spyware.SafeSurfing.)
* thin-94-1-x-x.exe (A copy of Adware.BetterInternet.)
REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/adware.bigtrafficnet.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit, then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to and delete the subkeys:
4. Exit the Registry Editor.
4. Delete remaining files related to the risk
1. Click Start > Programs > Accessories > Windows Explorer
2. Navigate to and delete the following files:
* %UserProfile%\Desktop\Free Xbox 360.url
* %UserProfile%\Desktop\Free Sony PS3.url
* %UserProfile%\Desktop\Kill All Spyware.url
* %UserProfile%\Desktop\Kill Spyware.url
* %UserProfile%\Desktop\Spyware Killer.url
* %UserProfile%\Desktop\Sexsearch.url
* %UserProfile%\Desktop\Virus Hunter.url
* %UserProfile%\Favorites\1111\1111.url
3. Exit Windows Explorer.