Topic: Adware.Adlogix Browser Helper Object
Author: TJ
Behavior: Adware.Adlogix is a Browser Helper Object that downloads advertisements from a remote server and periodically displays them on the client machine. This adware is also found as a component in other installers.

Symptoms: Your Symantec program detects Adware.Adlogix.

Transmission: This adware has to be manually installed.

Technical details

File names: IEEnhancer.dll, AdStartup.exe, AdUpdater.exe
When Adware.Adlogix runs, it performs the following actions:
1. Adds the value:
"CLSID" = "{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
so that the program is launched every time Internet Explorer starts.
2. Creates the following files:
* %ProgramFiles%\adlcontrolcomp.xml
* %System%\adupdater.exe
* %System%\<random>.dll
* %System%\<random>a.xml
* %System%\<random>b.xml
* %System%\<random>c.exe
* %System%\<random>d.exe
* %System%\<random>e.xml
* %System%\<random>f.exe
* %System%\unpack.exe
* %System%\pacifisy.dll
* %System%\*.dat
Note:
o %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
o %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
o <random> is a variable that refers to a 5-character random filename.
3. Creates the following:
* 2 randomly named executable files. These files run as watchdog processes that are hidden by the .sys file mentioned below.
* A randomly named .sys file. This is a kernel driver that overrides selected services from the Service Descriptor Table. This allows the risk to hide processes, files, and registry keys from the user.
* A randomly named .dll file that acts as a Browser Helper Object.
* A randomly named Virtual Device Driver (.vxd) used for hooking selected system services on Windows 95 and Windows 98 systems.
4. Adds the values:
"guarnset" = "%System%\guarnset.exe"
"<random_name>" = "<path to randomly named executable>"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
Note: These values are hidden from the user by the kernel driver described in Step 3 above.
5. Adds the value:
"Adstartup" = "%SYSTEM%\Adstartup.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the program runs every time Windows starts.
6. Refers to its built-in file data.xml for a list of server addresses to obtain advertisements.
7. Uses the AdStartup and AdUpdater components to update the adware from http:/ /64.69.[REMOVED].
Note: At the time of writing the site was inactive.
8. Creates the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
HKEY_CLASSES_ROOT\CLSID\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}
HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
HKEY_CLASSES_ROOT\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101}
HKEY_CLASSES_ROOT\Interface\{21194DBC-E80C-4B83-8C82-74CBF52C8AAD}
HKEY_CLASSES_ROOT\TypeLib\{E2C6E243-5F01-4031-9218-6178426985B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BLUE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Other
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\PPS
HKEY_LOCAL_MACHINE\SOFTWARE\y036
HKEY_CLASSES_ROOT\Bho8.adlog
HKEY_CLASSES_ROOT\Bho8.adlog.1
HKEY_CLASSES_ROOT\IEEnhancer.IEEhncrObj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
HKEY_LOCAL_MACHINE\SOFTWARE\Adlogix
Note: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} is a randomly generated CLSID.
9. Creates a randomly named service with the following attributes:
* Service name: random name corresponding to one of the executable files in Step 3 above.
* Display name: random name corresponding to one of the executable files in Step 3 above.
* Path to executable: "<path to randomly named executable in Step 3 above>"
* Startup type: "Automatic"
10. Creates a randomly named service with the following attributes:
* Service name: random name corresponding to the kernel driver in Step 3 above.
* Display name: random name corresponding to the kernel driver in Step 3 above.
* Path to executable: "<path to randomly named kernel driver in Step 3 above>"
* Startup type: "Automatic"
To delete the values from the registry
1. Click Start > Run.
2. Type regedit, then click OK.
3. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the values:
"AdStartUp" = "%SYSTEM%\Adstartup.exe"
"guarnset" = "%System%\guarnset.exe"
"<random_name>" = "<path to file detected as Adware.Adlogix>"
5. Navigate to and delete the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
HKEY_CLASSES_ROOT\CLSID\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}
HKEY_CLASSES_ROOT\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101}
HKEY_CLASSES_ROOT\Interface\{21194DBC-E80C-4B83-8C82-74CBF52C8AAD}
HKEY_CLASSES_ROOT\TypeLib\{E2C6E243-5F01-4031-9218-6178426985B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BLUE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Other
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\PPS
HKEY_LOCAL_MACHINE\SOFTWARE\y036
HKEY_CLASSES_ROOT\Bho8.adlog
HKEY_CLASSES_ROOT\Bho8.adlog.1
HKEY_CLASSES_ROOT\IEEnhancer.IEEhncrObj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}
HKEY_LOCAL_MACHINE\SOFTWARE\Adlogix
6. Navigate to and select the key:
HKEY_CLASSES_ROOT\CLSID
7. Click Edit > Find.
8. In the "Find what" box, type the file name of the .dll file that was detected as Adware.Adlogix in section 3.
9. If you find an entry of the form:
"(Default)" = "%System%\<detected file name>.dll"
in the registry key:
HKEY_CLASSES_ROOT\CLSID\{<random clsid>}\InProcServer32
then write down the <random clsid> value.
Then, in the left pane, delete the subkey:
HKEY_CLASSES_ROOT\CLSID\{<random clsid>}
10. Next, click Edit > Find to repeat the search, as there may be more than one such key. Delete any that are found.
11. Navigate to and delete the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<random clsid>}
where {<random clsid>} matches one of the values found and deleted in the previous searches.
12. Exit the registry editor.
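The technical details and the manual removal steps above can be turned into a repeatable audit. The PowerShell script below is an added example, not Symantec's tool and not code from the post; it checks a host for the registry keys, Run values, BHO CLSIDs and file names listed in this writeup, reports what it finds, and only when run with a -Remove switch (a name chosen here) deletes the registry indicators that the manual steps cover. The Add-Finding helper and the 5-character-name heuristic for the random BHO DLL are this example's own assumptions, drawn from the <random> description in Step 2.

```powershell
# Added example (not Symantec's or the original poster's code): audit a Windows host for
# the Adware.Adlogix indicators listed in the writeup, and optionally remove the registry
# indicators that the manual removal steps cover. Run from an elevated PowerShell prompt.
# Caveat from Steps 3 and 4 of the writeup: the kernel driver hides some keys, values and
# files, so a clean result on a live infected system is not proof of absence.
param(
    [switch]$Remove   # without this switch the script only reports
)

$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Sys    = "$env:SystemRoot\System32"

# Fixed CLSIDs from Steps 1 and 8; the third BHO CLSID is random and is covered by the
# InProcServer32 check below, which mirrors removal Steps 6 to 11.
$KnownClsids = @('{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}',
                 '{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}')

# Keys from Step 8 / removal Step 5 (HKEY_CLASSES_ROOT needs the Registry:: provider prefix)
$KnownKeys = @(
    'HKLM:\SOFTWARE\Microsoft\BLUE', 'HKLM:\SOFTWARE\Microsoft\Other',
    'HKLM:\SOFTWARE\ODBC\PPS', 'HKLM:\SOFTWARE\y036', 'HKLM:\SOFTWARE\Adlogix',
    'Registry::HKEY_CLASSES_ROOT\Bho8.adlog', 'Registry::HKEY_CLASSES_ROOT\Bho8.adlog.1',
    'Registry::HKEY_CLASSES_ROOT\IEEnhancer.IEEhncrObj',
    'Registry::HKEY_CLASSES_ROOT\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{21194DBC-E80C-4B83-8C82-74CBF52C8AAD}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{E2C6E243-5F01-4031-9218-6178426985B1}'
)
foreach ($c in $KnownClsids) {
    $KnownKeys += "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
    $KnownKeys += "$BhoKey\$c"
}

# Run values from Steps 4 and 5, and file names from Step 2 / "File names"
$KnownRunValues = @('Adstartup', 'guarnset')
$KnownFiles = @("$env:ProgramFiles\adlcontrolcomp.xml", "$Sys\adupdater.exe",
                "$Sys\Adstartup.exe", "$Sys\guarnset.exe", "$Sys\unpack.exe",
                "$Sys\pacifisy.dll", "$Sys\IEEnhancer.dll")

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {   # helper defined for this example
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Every registered BHO: flag known CLSIDs, and report (but never auto-delete) any BHO
#    whose InProcServer32 DLL is a 5-character random name in %System%, as Step 2 describes.
if (Test-Path $BhoKey) {
    foreach ($sub in Get-ChildItem $BhoKey) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll    = if (Test-Path -LiteralPath $server) {
                      (Get-ItemProperty -LiteralPath $server).'(default)' } else { $null }
        if ($KnownClsids -contains $clsid) {
            Add-Finding 'BHO (known CLSID)' "$BhoKey\$clsid" $dll
        } elseif ($dll -and $dll -like "$Sys\*" -and
                  [IO.Path]::GetFileNameWithoutExtension($dll) -match '^[A-Za-z0-9]{5}$') {
            Add-Finding 'BHO (suspect, verify manually)' "$BhoKey\$clsid" $dll
        }
    }
}

# 2. Run values: match by name, or by pointing at one of the listed files (<random_name> in Step 4)
if (Test-Path $RunKey) {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in (Get-ItemProperty $RunKey).PSObject.Properties) {
        if ($p.Name -in $meta) { continue }          # skip PowerShell's own metadata properties
        $target = "$($p.Value)".Trim('"')
        if ($p.Name -in $KnownRunValues -or $target -in $KnownFiles) {
            Add-Finding 'Run value' "$RunKey\$($p.Name)" $p.Value
            if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $p.Name -ErrorAction SilentlyContinue }
        }
    }
}

# 3. Known registry keys (removal Step 5)
foreach ($k in $KnownKeys) {
    if (Test-Path -LiteralPath $k) {
        Add-Finding 'Registry key' $k ''
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction SilentlyContinue }
    }
}

# 4. Files are reported only: the writeup's removal steps cover the registry and leave
#    the files themselves to the antivirus product.
foreach ($f in $KnownFiles) {
    if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f '' }
}

if ($findings.Count -eq 0) { 'No Adware.Adlogix indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it first without -Remove and review the report; entries tagged "suspect, verify manually" come from the random-name heuristic and should be confirmed the way removal Steps 8 and 9 describe (the InProcServer32 default value pointing at the detected DLL) before anything is deleted. Because the writeup says the driver from Step 3 hides the watchdog processes and the Run values, rerun the audit after the driver's service has been disabled and the machine rebooted, or from an offline boot, for a result you can trust.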