Threat Explorer


Adware.FindemNow

Updated:
February 13, 2007
Risk Impact:
High
File Names:
Msxmlpp.dll
Systems Affected:
Windows

Behavior

Adware.FindemNow is a UPX-packed Browser Helper Object that displays an HTML page in Internet Explorer when "about:blank" is supposed to be displayed.

Symptoms

The webcoolsearch.com home page appears as the Internet Explorer home page, even if the home page is reset or the computer is disconnected from the Internet.

Behavior

Another program, often Trojan.Bookmarker.F, installs Adware.FindemNow.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version February 29, 2004
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date February 29, 2004

Adware.FindemNow is a .dll file and cannot be directly executed. Another program, such as Trojan.Bookmarker.F, executes it.

When another program calls Adware.FindemNow, it does the following:
  1. Overwrites the system Hosts file.

    The new hosts file contains two entries:

    127.0.0.1 localhost
    213.159.117.235 auto.search.msn.com

  2. Registers itself by creating and populating the following registry keys:

    HKEY_LOCAL_MACHINE\TypeLib\{53B95204-7D77-11D2-9F80-00104B107C96}
    HKEY_CLASSES_ROOT\Interface\{53B95210-7D77-11D2-9F80-00104B107C96}
    HKEY_CLASSES_ROOT\Xmlmimefilter.XMLMimeFilterPP.1
    HKEY_CLASSES_ROOT\CLSID\{53B95211-7D77-11D2-9F80-00104B107C96}

  3. Changes the value to:

    "CLSID"="{53B95211-7D77-11D2-9F80-00104B107C96}"

    in the registry key:

    HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about

  4. When Internet Explorer is started, the Browser Helper Object displays an HTML page instead of the configured home page. It also resets the home page to "about:blank" and overwrites the hosts file, repeating step 3 above.
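Steps 2 and 3 leave two concrete host artifacts a defender can check: the CLSID value under the `about` protocol handler key and the four registry keys the adware creates. The following Python script is an added example, not part of the Symantec write-up; it reads those keys through the standard-library `winreg` module on Windows and, for offline use, through a constructed dictionary-backed stand-in. The CLSIDs and key paths are the ones listed above (copied as written, including the `HKEY_LOCAL_MACHINE\TypeLib` path); the `DictRegistry` and `WinRegistry` classes, the `audit_findemnow` function and the sample states are assumptions made for this example.

```python
"""Audit a Windows registry for the Adware.FindemNow registration (added example)."""
from typing import Dict, List, Optional, Tuple

# CLSID the adware writes into HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about (from the write-up).
FINDEMNOW_ABOUT_CLSID = "{53B95211-7D77-11D2-9F80-00104B107C96}"

# Keys the adware creates when it registers itself (paths as written in the write-up).
FINDEMNOW_KEYS: List[Tuple[str, str]] = [
    ("HKEY_LOCAL_MACHINE", r"TypeLib\{53B95204-7D77-11D2-9F80-00104B107C96}"),
    ("HKEY_CLASSES_ROOT", r"Interface\{53B95210-7D77-11D2-9F80-00104B107C96}"),
    ("HKEY_CLASSES_ROOT", r"Xmlmimefilter.XMLMimeFilterPP.1"),
    ("HKEY_CLASSES_ROOT", r"CLSID\{53B95211-7D77-11D2-9F80-00104B107C96}"),
]

ABOUT_HANDLER = ("HKEY_CLASSES_ROOT", r"PROTOCOLS\Handler\about")


class DictRegistry:
    """Offline stand-in for the registry (constructed for this example):
    maps 'HIVE\\subkey' -> {value_name: data}."""

    def __init__(self, data: Dict[str, Dict[str, str]]) -> None:
        self.data = data

    def key_exists(self, hive: str, subkey: str) -> bool:
        return f"{hive}\\{subkey}" in self.data

    def read_value(self, hive: str, subkey: str, name: str) -> Optional[str]:
        return self.data.get(f"{hive}\\{subkey}", {}).get(name)


class WinRegistry:
    """Live reader using the standard-library winreg module (Windows only)."""

    def __init__(self) -> None:
        import winreg  # imported lazily so the module still loads on non-Windows hosts
        self._winreg = winreg
        self._hives = {
            "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
            "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
        }

    def key_exists(self, hive: str, subkey: str) -> bool:
        try:
            with self._winreg.OpenKey(self._hives[hive], subkey):
                return True
        except OSError:
            return False

    def read_value(self, hive: str, subkey: str, name: str) -> Optional[str]:
        try:
            with self._winreg.OpenKey(self._hives[hive], subkey) as key:
                data, _ = self._winreg.QueryValueEx(key, name)
                return str(data)
        except OSError:
            return None


def audit_findemnow(reg) -> List[str]:
    """Return a list of findings; an empty list means none of the artifacts was seen."""
    findings: List[str] = []
    clsid = reg.read_value(*ABOUT_HANDLER, "CLSID")
    if clsid is not None and clsid.strip().upper() == FINDEMNOW_ABOUT_CLSID:
        findings.append("about: protocol handler CLSID points at Adware.FindemNow")
    for hive, subkey in FINDEMNOW_KEYS:
        if reg.key_exists(hive, subkey):
            findings.append(f"adware registration key present: {hive}\\{subkey}")
    return findings


# Constructed sample state, as the write-up describes the machine after steps 2 and 3.
SAMPLE_INFECTED = DictRegistry({
    "HKEY_CLASSES_ROOT\\PROTOCOLS\\Handler\\about": {"CLSID": FINDEMNOW_ABOUT_CLSID},
    "HKEY_CLASSES_ROOT\\CLSID\\{53B95211-7D77-11D2-9F80-00104B107C96}": {},
    "HKEY_CLASSES_ROOT\\Xmlmimefilter.XMLMimeFilterPP.1": {},
})

# Constructed clean state; the CLSID string is a placeholder, not the real default handler.
SAMPLE_CLEAN = DictRegistry({
    "HKEY_CLASSES_ROOT\\PROTOCOLS\\Handler\\about": {"CLSID": "{PLACEHOLDER-DEFAULT-HANDLER-CLSID}"},
})

if __name__ == "__main__":
    import sys
    reg = WinRegistry() if sys.platform == "win32" else SAMPLE_INFECTED
    for line in audit_findemnow(reg) or ["no Adware.FindemNow artifacts found"]:
        print(line)
```

Run on a Windows host it reads the live registry; elsewhere it demonstrates the logic against the constructed infected state. The comparison is case-insensitive because CLSID strings are stored in mixed case by different tools, and a missing `about` handler value is reported as nothing rather than as a finding, so the script only ever points at the specific artifacts listed above.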



Removal

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the virus definitions.
  2. Remove the registry values that the adware added.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Adware.FindemNow, and then restart in normal mode.
  5. Reset the Internet Explorer settings.
  6. Remove the lines that were added to the hosts file.
For details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Removing the registry values that load the Adware

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit, and then click OK. (The Registry Editor opens.)

    3. Navigate to the key:

      HKEY_LOCAL_MACHINE\TypeLib\

    4. In the left pane, delete the subkey:

      {53B95204-7D77-11D2-9F80-00104B107C96}

    5. Navigate to the key:

      HKEY_CLASSES_ROOT\Interface\

    6. In the left pane, delete the subkey:

      {53B95210-7D77-11D2-9F80-00104B107C96}

    7. Navigate to the key:

      HKEY_CLASSES_ROOT\

    8. In the left pane, delete the subkey:

      Xmlmimefilter.XMLMimeFilterPP.1

    9. Navigate to the key:

      HKEY_CLASSES_ROOT\

    10. In the left pane, delete the subkey:

      {53B95211-7D77-11D2-9F80-00104B107C96}

    11. Navigate to the key:

      HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about

    12. In the right pane, restore "CLSID" to its original value.
      The probable original value is:

      "CLSID" = "{53B95211-7D77-11D2-9F80-00104B107C96}"

3. Restarting the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

4. Scanning for and deleting the files
    1. Start your Symantec antivirus program and run a full system scan.
    2. If any files are detected as Adware.FindemNow, click Delete.
    3. Restart the computer in Normal mode. For instructions, read the document, "How to start the computer in Safe Mode."

5. Resetting the Internet Explorer settings
    1. Start Internet Explorer.
    2. Click the Tools menu > Internet Options.
    3. On the Programs tab, click "Reset Web Settings."
    4. In the Reset Web Settings box, make sure that "Also reset my home page" is selected, and then click Yes.

6. Removing the lines from the Hosts file

Note: The location of the Hosts file may vary and some computers may not have this file. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and it is located in the C:\WINNT\system32\drivers\etc folder in Windows 2000. There may also be multiple copies of this file in different locations.

Follow the instructions for your operating system:
    • Windows 98/Me/2000
      1. Click Start, point to Find or Search, and then click Files or Folders.
      2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
      3. In the "Named" or "Search for..." box, type:

        hosts

      4. Click Find Now or Search Now.
      5. For each one that you find, right-click it, and then click "Open With."
      6. Deselect the "Always use this program to open this program" check box.
      7. Scroll through the list of programs and double-click Notepad.
      8. Delete any lines that begin with:

        213.159.117.235
      9. Close Notepad and save your changes when prompted.

    • Windows XP
      1. Click Start, and then click Search.
      2. Click All files and folders.
      3. In the "All or part of the file name" box, type:

        hosts

      4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
      5. Click "More advanced options."
      6. Check "Search system folders."
      7. Check "Search subfolders."
      8. Click Search.
      9. Click Find Now or Search Now.
      10. For each one that you find, right-click it, and then click "Open With."
      11. Deselect the "Always use this program to open this program" check box.
      12. Scroll through the list of programs and double-click Notepad.
      13. Delete any lines that begin with:

        213.159.117.235
      14. Close Notepad and save your changes when prompted.
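The hosts-file steps above for each Windows version amount to the same edit: find every copy of the file and remove any mapping line that begins with 213.159.117.235 while leaving the 127.0.0.1 localhost line alone. The following Python is an added example rather than Symantec's or the adware's code; it parses a hosts file, flags the write-up's IP as a known indicator and, going one step beyond the write-up, reports any other mapping to a non-loopback address for review, then produces the cleaned text with comments and other lines intact. The sample hosts content, the function names and the `.bak` backup convention are assumptions of this example.

```python
"""Audit and clean a hosts file hijacked by Adware.FindemNow (added example)."""
import ipaddress
import shutil
import sys
from typing import List, Tuple

# Address the adware maps auto.search.msn.com to (from the write-up).
FINDEMNOW_HOSTS_IP = "213.159.117.235"


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each mapping line,
    skipping blank lines and comments (everything after '#')."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        mapping = raw.split("#", 1)[0].strip()
        parts = mapping.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or malformed line
        entries.append((number, parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str, known_bad=(FINDEMNOW_HOSTS_IP,)) -> List[Tuple[int, str, str]]:
    """Return (line_number, 'address host...', severity).
    'known' marks the write-up's indicator; 'review' marks any other mapping that
    does not point at loopback, since a redirected search or update host looks the same."""
    results = []
    for number, address, names in parse_hosts(text):
        if address in known_bad:
            severity = "known"
        else:
            try:
                if ipaddress.ip_address(address).is_loopback:
                    continue  # 127.0.0.1 localhost and friends are expected
            except ValueError:
                pass  # not a valid address at all: still worth a look
            severity = "review"
        results.append((number, " ".join([address] + names), severity))
    return results


def clean_hosts(text: str, known_bad=(FINDEMNOW_HOSTS_IP,)) -> str:
    """Drop only the mapping lines whose address is known-bad; keep everything else verbatim."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] in known_bad:
            continue
        kept.append(raw)
    cleaned = "\n".join(kept)
    return cleaned + "\n" if text.endswith("\n") else cleaned


def clean_hosts_file(path: str) -> int:
    """Back the file up as <path>.bak and rewrite it without the known-bad lines.
    Returns the number of lines removed (0 means the file was left untouched)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned = clean_hosts(original)
    removed = len(original.splitlines()) - len(cleaned.splitlines())
    if removed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return removed


# Constructed sample, modelled on the two entries the write-up says the adware writes,
# plus an internal mapping an administrator might legitimately have added.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
213.159.117.235 auto.search.msn.com
10.0.0.5 intranet.example   # internal host: review it, do not delete it
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"removed {clean_hosts_file(sys.argv[1])} line(s) from {sys.argv[1]}")
    else:
        for number, mapping, severity in suspicious_entries(SAMPLE_HOSTS):
            print(f"line {number}: {severity}: {mapping}")
        print(clean_hosts(SAMPLE_HOSTS), end="")
```

Invoked with a path it rewrites that one file in place after taking a backup, so it has to be run once per copy found by the searches above; invoked without arguments it reports on the constructed sample. Only lines whose address token matches a known-bad address are removed; the "review" entries are reported, never deleted, because a hosts file may legitimately map internal names to non-loopback addresses.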