Adware.SecureServicePk

Updated: 01 June 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Adware.SecureServicePk is adware that inserts advertisements into the top of the result pages of some search Web sites.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 02 October 2014 revision 022
  • Initial Daily Certified version 27 May 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 31 May 2006

The risk is installed as a Browser Helper Object DLL file.

Note: The DLL file is referenced by the following registry value:
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}\InProcServer32\"(Default)" = "[PATH TO DLL]"

When the risk is installed, it adds the following registry subkeys:
HKEY_CLASSES_ROOT\SecureServicePack.BHO.1
HKEY_CLASSES_ROOT\SecureServicePack.BHO
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_CLASSES_ROOT\CLSID\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}
HKEY_CLASSES_ROOT\Interface\{B5918C1E-B0CD-4123-A0CB-CFE9703A265B}
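
The following is an added example, not part of the original write-up: a Python check that scans the text of a registry export for the ProgIDs and GUIDs listed above and recovers the DLL path from the InProcServer32 default value. The function name, the sample export and its placeholder DLL path are constructed for illustration.

```python
import re

# Identifiers copied from the write-up. The Component Categories GUID
# {00021494-...} is left out: it is a standard Windows COM category ID,
# so its presence alone does not point to this risk.
BHO_CLSID = "{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}"
INDICATORS = {s.upper() for s in (
    BHO_CLSID,
    "{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}",
    "{90BB6171-83D8-43DE-94D4-6C0078DD7896}",
    "{B5918C1E-B0CD-4123-A0CB-CFE9703A265B}",
    "SecureServicePack.BHO",
    "SecureServicePack.BHO.1",
)}

def scan_reg_export(text):
    """Return (matching_keys, bho_dll_path) for .reg export text."""
    hits, dll, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            parts = [p.upper() for p in current.split("\\")]
            # Compare whole path components, case-insensitively, so the
            # same check covers HKEY_CLASSES_ROOT, HKLM\SOFTWARE\Classes
            # and Wow6432Node views of a key.
            if INDICATORS.intersection(parts):
                hits.append(current)
            else:
                current = None
        elif current and line.startswith('@="') and line.endswith('"'):
            tail = [p.upper() for p in current.split("\\")[-2:]]
            if tail == [BHO_CLSID, "INPROCSERVER32"]:
                # String data in .reg files escapes \ and " with a backslash.
                dll = re.sub(r"\\(.)", r"\1", line[3:-1])
    return hits, dll

# Constructed sample export (placeholder DLL path, not from the write-up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}\InProcServer32]
@="C:\\Example\\placeholder.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fe6a3e85-0f6c-49ad-8843-68ff44e7eeaa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
'''
```

Files written by the Registry Editor export are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `scan_reg_export`.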

The risk monitors the URL loaded in Internet Explorer to check whether it matches one of the following:
frazoo.com/results.php
dogpile.com/info.dogpl/search/web
xpsn.com/Search/SmartSearch4.asp
xpsn.com/Search/
yandex.
search.yahoo.com/
search.com/
overture.com/
search.netscape.com/
search.msn.com/
lycos.
hotbot.com/
google.
fastsearch.com/
.excite.
search.ebay.com/
cnn.com/
ask.com/
search.aol.com/
altavista.com/
alltheweb.com/

It then inserts an advertisement into the top of the search result page.

Note: The unexpected insertion of content may make the result page difficult to view on some Web sites, such as www.yandex.ru.
Writeup By: Masaki Suenaga