Behavior
Adware.GoGoTools is a Browser Helper Object that displays advertisements and downloads files.
Symptoms
Your Symantec program detects Adware.GoGoTools
Transmission
This security risk must be manually installed.
technical details
File names: GoGoDisplay.exe
GoGoLaunch.exe
GoGoTools.exe
HTMLEdit.dll
TrackInst.exe
When Adware.GoGoTools is executed, it performs the following actions:
1. Creates the following files:
%Program files%\GoGotools\GoGoware\GoGoDisplay.exe
%Program files%\GoGotools\GoGoware\GoGoLaunch.exe
%Program files%\GoGotools\GoGoware\GoGoTools.exe
%Program files%\GoGotools\GoGoware\HTMLEdit.dll
%Program files%\GoGotools\GoGoware\TrackInst.exe
%Program files%\GoGotools\GoGoware\Config.txt
%Program files%\GoGotools\unins000.exe
%Program files%\GoGotools\unins000.dat
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
2. Adds the value:
"RUNGogoTools" = "%Program files%\GoGotools\GoGoware\GoGoLaunch.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
3. Creates the following registry entries as well:
HKEY_CLASSES_ROOT\Adware.IETrackerIF
HKEY_CLASSES_ROOT\Adware.IETrackerIF.1
HKEY_CLASSES_ROOT\AppID\Adware.EXE
HKEY_CLASSES_ROOT\AppID\{5B134722-D775-431E-93DF-CC9A74EE6BCA}
HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\CLSID\{3BEC9062-7625-4DE8-8ABE-B96AE461DC78}
HKEY_CLASSES_ROOT\HTMLEdit.IETracker
HKEY_CLASSES_ROOT\HTMLEdit.IETracker.1
HKEY_CLASSES_ROOT\Interface\{09964F9E-E1D4-47C3-9697-28258DBCBB77}
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\TypeLib\{8EF07273-3C9F-4BA6-A748-FAD0E7FAF1FD}|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GogoTools_is1
HKEY_LOCAL_MACHINE\Software\SpecificMEDIA\GoGoTools
4. Connects to the
www.gogotools.com and displays advertisements.
To delete the value from the registry 1. Click Start > Run.
2. Type regedit
Then click OK.
Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool,
http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html and then continue with the removal.
3. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"RUNGogoTools" = "%Program files%\GoGotools\GoGoware\GoGoLaunch.exe"
5. Navigate to and delete the following keys:
HKEY_CLASSES_ROOT\Adware.IETrackerIF
HKEY_CLASSES_ROOT\Adware.IETrackerIF.1
HKEY_CLASSES_ROOT\AppID\Adware.EXE
HKEY_CLASSES_ROOT\AppID\{5B134722-D775-431E-93DF-CC9A74EE6BCA}
HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\CLSID\{3BEC9062-7625-4DE8-8ABE-B96AE461DC78}
HKEY_CLASSES_ROOT\HTMLEdit.IETracker
HKEY_CLASSES_ROOT\HTMLEdit.IETracker.1
HKEY_CLASSES_ROOT\Interface\{09964F9E-E1D4-47C3-9697-28258DBCBB77}
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\TypeLib\{8EF07273-3C9F-4BA6-A748-FAD0E7FAF1FD}|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GogoTools_is1
HKEY_LOCAL_MACHINE\Software\SpecificMEDIA\GoGoTools
6. Exit the Registry Editor.
AlphaOne Technology Support Forums
Author
Logged
