Virus: ADWARE/ShareW.Gen
Date discovered: 10/04/2014
Type: Adware
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.11.142.94 - Thursday, April 10, 2014
IVDF version: 7.11.142.94 - Thursday, April 10, 2014

General ADWARE/ - Adware

This class of detection flags software that displays ads, usually in the internet browser, by modifying displayed pages or opening additional pages with ads. These adware programs are usually installed by the users themselves or come bundled with other software that the users install themselves (usually in exchange for using the software for free, or as a default install option).

Users might be unaware that this software was installed or of its behaviour. This detection is meant to flag the file and the behaviour as part of legitimate ad-displaying software.

This detection can be disabled, which is recommended if the user is aware of the software installed on his/her system and doesn't want this type of software to be detected.
Method of propagation:
   • No own spreading routine


Aliases:
   • Eset: MSIL/DownloadGuide.E
   • GData: Win32.Application.DownloadGuide.A


Platforms / OS:
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads files
   • Downloads malicious files

Files

It creates the following directories:
   • %HOME%\Application Data\BupSystem
   • %HOME%\Application Data\Mozilla\Firefox\Profiles\sx0igrdm.default\extensions\a54e453c-130a-4769-9333-c5ec2aa914c5@9bd7cc89-9c7c-44e9-a03b-042b92d363f0.com\
   • %HOME%\Application Data\Mozilla\Firefox\Profiles\sx0igrdm.default\extensions\staged\security@protegere.org
   • %HOME%\Application Data\Security System 2
   • %PROGRAM FILES%\Plus-HD-9.1
   • %PROGRAM FILES%\ResultsAlpha

The following files are created:
   • %HOME%\Application Data\BupSystem\bup.exe
     Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
   • %HOME%\Application Data\Mozilla\Firefox\Profiles\sx0igrdm.default\extensions\a54e453c-130a-4769-9333-c5ec2aa914c5@9bd7cc89-9c7c-44e9-a03b-042b92d363f0.com\install.rdf
     Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
   • %PROGRAM FILES%\Plus-HD-9.1\52916.xpi
     Furthermore it gets executed after it was fully created.
   • %PROGRAM FILES%\Plus-HD-9.1\Plus-HD-9.1-bg.exe
     Furthermore it gets executed after it was fully created.
   • %PROGRAM FILES%\ResultsAlphaUninstall.exe
     Furthermore it gets executed after it was fully created.
   • %HOME%\Application Data\Security System 2\uninstaller.exe
     Furthermore it gets executed after it was fully created.

Registry

The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\ControlSet001\Services\bupService
   • "ImagePath"="%HOME%\Administrator\Application Data\BupSystem\bup.exe"



It registers browser helper objects (BHOs) by adding the following keys:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{11111111-1111-1111-1111-110511291116}
   • "(Default)"="CrossriderApp0052916"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{93471173-a533-4fbd-8889-318b3e154ed9}
   • "(Default)"="ResultsAlpha"

The registered DLL file changes the start page of Internet Explorer to: http://de.search.yahoo.com/search?p={searchTerms}&fr=vc_trans_%4&type=protegere



The following registry keys are added:

– HKCU\Software\Crossrider
– HKCU\Software\InstalledBrowserExtensions
– HKCU\Software\Plus-HD-9.1
– HKCU\Software\ResultsAlpha
– HKLM\SOFTWARE\InstalledBrowserExtensions
– HKLM\SOFTWARE\Plus-HD-9.1
– HKLM\SOFTWARE\ResultsAlpha
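The following read-only check is an added example, not part of the Avira description: it looks for the service key, the two BHO CLSIDs and the other registry keys and directories listed above on a Windows host and reports which are present. It assumes an elevated PowerShell session on the host being checked and maps %HOME%\Application Data to $env:APPDATA and %PROGRAM FILES% to $env:ProgramFiles (profile-specific Firefox extension paths are not checked).

```powershell
# Added example (not Avira's code): report ADWARE/ShareW.Gen indicators from the description above.
# Assumed: elevated session; %HOME%\Application Data -> $env:APPDATA, %PROGRAM FILES% -> $env:ProgramFiles.
$hits = @()

# Service key used to load bup.exe after reboot
$svc = 'HKLM:\SYSTEM\ControlSet001\Services\bupService'
if (Test-Path $svc) {
    $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $hits += "Service key present: $svc (ImagePath=$img)"
}

# Browser Helper Object CLSIDs registered by the adware
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhoIds  = @('{11111111-1111-1111-1111-110511291116}', '{93471173-a533-4fbd-8889-318b3e154ed9}')
foreach ($id in $bhoIds) {
    if (Test-Path (Join-Path $bhoRoot $id)) {
        # Resolve the CLSID to the DLL Internet Explorer would load for this BHO
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$id\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        $hits += "BHO registered: $id (InprocServer32=$dll)"
    }
}

# Plain keys added under HKCU and HKLM
$keys = @('HKCU:\Software\Crossrider', 'HKCU:\Software\InstalledBrowserExtensions',
          'HKCU:\Software\Plus-HD-9.1', 'HKCU:\Software\ResultsAlpha',
          'HKLM:\SOFTWARE\InstalledBrowserExtensions', 'HKLM:\SOFTWARE\Plus-HD-9.1',
          'HKLM:\SOFTWARE\ResultsAlpha')
foreach ($k in $keys) { if (Test-Path $k) { $hits += "Registry key present: $k" } }

# Directories created by the installer, resolved for the current user
$dirs = @("$env:APPDATA\BupSystem", "$env:APPDATA\Security System 2",
          "$env:ProgramFiles\Plus-HD-9.1", "$env:ProgramFiles\ResultsAlpha")
foreach ($d in $dirs) { if (Test-Path $d) { $hits += "Directory present: $d" } }

if ($hits.Count -eq 0) { 'No ADWARE/ShareW.Gen indicators found.' } else { $hits }
```

The script only reports; a hit on the service key or a BHO CLSID is the strongest signal, since those are what re-load the adware at boot and in Internet Explorer.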

Description inserted by Bernd Aufrecht on Friday, April 11, 2014
Description updated by Oscar Anduiza on Friday, April 11, 2014
