ADW_Amonatize

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware adds the following folders:

• %Application Data%\Mozilla\Firefox\Profiles\{random folder}\extensions\extension@linkeyproject.com
• %Program Files%\ASP
• %Program Files%\Assets Manager
• %Program Files%\Linkey
• %Program Files%\RCP
• %TEMP%\ns{random value}
• %TEMP%\ns{random value}.tmp
• %Application Data%\systweak

It drops the following file(s)/component(s):

• %All Users Profile%\Application Data\Systweak\Advanced System~Protector\AddonSafelist
• %All Users Profile%\Application Data\Systweak\Advanced System~Protector\log.xslt
• %All Users Profile%\Desktop\Advanced System~Protector.lnk
• %All Users Profile%\Desktop\RegClean Pro.lnk
• %All Users Profile%\Start Menu\Programs\Advanced System~Protector\Advanced System~Protector.lnk
• %All Users Profile%\Start Menu\Programs\Advanced System~Protector\Register Advanced System~Protector.lnk
• %All Users Profile%\Start Menu\Programs\Advanced System~Protector\Uninstall Advanced System~Protector.lnk
• %All Users Profile%\Start Menu\Programs\RegClean Pro\RegClean Pro.lnk
• %All Users Profile%\Start Menu\Programs\RegClean Pro\Register RegClean Pro.lnk
• %All Users Profile%\Start Menu\Programs\RegClean Pro\Uninstall RegClean Pro.lnk

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This adware creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
RDReminder = "%Program Files%\RCP\RegCleanPro.exe -rem"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SystweakASP = "%Program Files%\RCP\systweakasp.exe" \verysilent"

Other System Modifications

This adware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Systweak

HKEY_LOCAL_MACHINE\SOFTWARE\Systweak\
Advanced System~Protector

HKEY_LOCAL_MACHINE\SOFTWARE\Systweak\
RegClean Pro\Version 6.1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Assets Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
RegClean-Pro_is1

HKEY_CURRENT_USER\Software\Linkey

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\MainHKEY_LOCAL_MACHINE\SOFTWARE\
SmdmF

HKEY_CURRENT_USER\Software\LogMeInRescueCallingCard

HKEY_CURRENT_USER\Software\systweak

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http:\www.default-search.net?sid=498&aid=156&itype=n&tm=747&src=ds&p="

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http:\www.default-search.net?sid=498&aid=156&tm=747&src=hmp"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "http:\www.default-search.net?sid=498&aid=156&itype=n&tm=747&src=ds&p="

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Toolbar
Locked = "1"

Other Details

This adware connects to the following possibly malicious URL:

• http://www.{BLOCKED}ceast.com/FCL_Co_Unq_remote_v2.php
• http://www.{BLOCKED}etwest.com/DSS_Unq_IMapplication_mon_remote.php
• http://www.{BLOCKED}etwest.com/DS_Unq_trackstats_mon.php
• http://download.cdn.{BLOCKED}e.com/cdn/partners/installmonetizer/1/DSManagerSetup.exe
• http://service.{BLOCKED}e.com/install_statistics.php
• http://www.{BLOCKED}t-search.net/typ?sid=498&aid=156
• http://service.{BLOCKED}project.com/install_statistics.php
• http://cloudfront.{BLOCKED}ak.com/downloads/new/rcpsetup_17970.exe
• http://www.{BLOCKED}ak.com/registryCleaner/afterinstall.asp?newrcp=1&utm_content=AfterInstall&utm_term=Setup&page=install&utm_source=17970&affiliate=17970&utm_campaign=17970&utm_medium=newbuild&affiliateid=17970&LangID=en
• http://www.{BLOCKED}ak.com/Systweak.css
• http://www.{BLOCKED}ak.com/Images/common/Mainbg.jpg
• http://www.{BLOCKED}ak.com/Images/Common/HeadProducts.jpg
• http://www.{BLOCKED}ak.com/Images/rc/common/RC_ss1.jpg
• http://www.{BLOCKED}ak.com/Images/rc/common/steps1.jpg
• http://www.{BLOCKED}ak.com/Images/rc/common/awards.jpg
• http://www.{BLOCKED}ak.com/Images/Common/header_bottom_black.jpg
• http://www.{BLOCKED}ak.com/Images/footer_bg.gif
• http://d2ct7xlg6sc6l3.{BLOCKED}ront.net/asp/slnew/aspsetup_systweak_default.exe
• http://dl.{BLOCKED}utinfonet.com/monti/llyun/hd/setup.exe