ADW_Amonatize
AdWare.NSIS.InstallMonetizer.a (Kaspersky)
Windows
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
254,567 bytes
EXE
No
10 Jun 2015
Arrival Details
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This adware adds the following folders:
- %Application Data%\Mozilla\Firefox\Profiles\{random folder}\extensions\extension@linkeyproject.com
- %Program Files%\ASP
- %Program Files%\Assets Manager
- %Program Files%\Linkey
- %Program Files%\RCP
- %TEMP%\ns{random value}
- %TEMP%\ns{random value}.tmp
- %Application Data%\systweak
It drops the following file(s)/component(s):
- %All Users Profile%\Application Data\Systweak\Advanced System~Protector\AddonSafelist
- %All Users Profile%\Application Data\Systweak\Advanced System~Protector\log.xslt
- %All Users Profile%\Desktop\Advanced System~Protector.lnk
- %All Users Profile%\Desktop\RegClean Pro.lnk
- %All Users Profile%\Start Menu\Programs\Advanced System~Protector\Advanced System~Protector.lnk
- %All Users Profile%\Start Menu\Programs\Advanced System~Protector\Register Advanced System~Protector.lnk
- %All Users Profile%\Start Menu\Programs\Advanced System~Protector\Uninstall Advanced System~Protector.lnk
- %All Users Profile%\Start Menu\Programs\RegClean Pro\RegClean Pro.lnk
- %All Users Profile%\Start Menu\Programs\RegClean Pro\Register RegClean Pro.lnk
- %All Users Profile%\Start Menu\Programs\RegClean Pro\Uninstall RegClean Pro.lnk
(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Autostart Technique
This adware creates the following registry entries to enable automatic execution of dropped component at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
RDReminder = "%Program Files%\RCP\RegCleanPro.exe -rem"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SystweakASP = "%Program Files%\RCP\systweakasp.exe" \verysilent"
Other System Modifications
This adware adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Systweak
HKEY_LOCAL_MACHINE\SOFTWARE\Systweak\
Advanced System~Protector
HKEY_LOCAL_MACHINE\SOFTWARE\Systweak\
RegClean Pro\Version 6.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Assets Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
RegClean-Pro_is1
HKEY_CURRENT_USER\Software\Linkey
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\MainHKEY_LOCAL_MACHINE\SOFTWARE\
SmdmF
HKEY_CURRENT_USER\Software\LogMeInRescueCallingCard
HKEY_CURRENT_USER\Software\systweak
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http:\www.default-search.net?sid=498&aid=156&itype=n&tm=747&src=ds&p="
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http:\www.default-search.net?sid=498&aid=156&tm=747&src=hmp"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "http:\www.default-search.net?sid=498&aid=156&itype=n&tm=747&src=ds&p="
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Toolbar
Locked = "1"
Other Details
This adware connects to the following possibly malicious URL:
- http://www.{BLOCKED}ceast.com/FCL_Co_Unq_remote_v2.php
- http://www.{BLOCKED}etwest.com/DSS_Unq_IMapplication_mon_remote.php
- http://www.{BLOCKED}etwest.com/DS_Unq_trackstats_mon.php
- http://download.cdn.{BLOCKED}e.com/cdn/partners/installmonetizer/1/DSManagerSetup.exe
- http://service.{BLOCKED}e.com/install_statistics.php
- http://www.{BLOCKED}t-search.net/typ?sid=498&aid=156
- http://service.{BLOCKED}project.com/install_statistics.php
- http://cloudfront.{BLOCKED}ak.com/downloads/new/rcpsetup_17970.exe
- http://www.{BLOCKED}ak.com/registryCleaner/afterinstall.asp?newrcp=1&utm_content=AfterInstall&utm_term=Setup&page=install&utm_source=17970&affiliate=17970&utm_campaign=17970&utm_medium=newbuild&affiliateid=17970&LangID=en
- http://www.{BLOCKED}ak.com/Systweak.css
- http://www.{BLOCKED}ak.com/Images/common/Mainbg.jpg
- http://www.{BLOCKED}ak.com/Images/Common/HeadProducts.jpg
- http://www.{BLOCKED}ak.com/Images/rc/common/RC_ss1.jpg
- http://www.{BLOCKED}ak.com/Images/rc/common/steps1.jpg
- http://www.{BLOCKED}ak.com/Images/rc/common/awards.jpg
- http://www.{BLOCKED}ak.com/Images/Common/header_bottom_black.jpg
- http://www.{BLOCKED}ak.com/Images/footer_bg.gif
- http://d2ct7xlg6sc6l3.{BLOCKED}ront.net/asp/slnew/aspsetup_systweak_default.exe
- http://dl.{BLOCKED}utinfonet.com/monti/llyun/hd/setup.exe
SOLUTION
9.750
1.631.01
15 May 2015
1.632.00
16 May 2015
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Remove ADW_Amonatize by using its own Uninstall option
Step 4
Scan your computer with your Trend Micro product to delete files detected as ADW_Amonatize. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.