Adware.Replace

Updated: February 13, 2007
Risk Impact: Medium
File Names: 1.01.00.dll Services.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Behavior


Adware.Replace is an adware program that causes pop-up advertisements to appear.

Symptoms


An unusual number of pop-up windows, even on sites where you would not expect to see any.
Your Symantec program detects this threat as Adware.Replace.

Behavior


This adware component can be manually installed, or installed as a component of another program.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version February 19, 2004 revision 003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date February 25, 2004

When Adware.Replace is executed, it performs the following actions:
  1. Creates the following files:
    • %System%\Services\Services.exe
    • 1.01.00.dll


      Note: %System% is a variable. The adware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Modifies the value:

    "xpsystem"="%system%\Services\Services.exe"

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  3. Modifies the Win.ini file by adding these lines in the [windows] section:

    run=%system%\Services\Services.exe
    load=%system%\Services\Services.exe

  4. Adds the following section to the System.ini file:

    [windows]
    run=%system%\Services\Services.exe
    load=%system%\Services\Services.exe

  5. Registers 1.01.00.dll as a Browser Helper Object.

  6. Attempts to update itself from the Web. The update mechanism can also be used to instruct the adware to download and execute other files, modify the registry, or add a site to Internet Explorer's list of trusted sites.

  7. Displays pop-up advertisements when visiting search engines with Internet Explorer.




Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Unregister the Adware.Replace.dll file.
  3. Run a full system scan and delete all the files detected as Adware.Replace.
  4. Delete the value that was added to the registry.
  5. Edit the Win.ini file.
  6. Edit the System.ini file.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Unregistering the 1.01.00.dll file
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type, or copy and paste, the following text:

    regsvr32 /u "[path to and filename of 1.01.00.dll]"

    then click OK.

  3. If a dialog box confirming this action appears, click OK.

3. Scanning for and deleting the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Adware.Replace, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, note the path and file name. Then use Windows Explorer to locate and delete the file.

4. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.


Note: This is done to make sure that all the keys are removed. They may not be there if regsvr32 removed them.

  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "xpsystem"="%system%\Services\Services.exe"

  5. Exit the Registry Editor.

5. Editing the Win.ini file
If you are running Windows 95/98/Me, follow these steps:
  1. The function you perform depends on your operating system:
    • Windows 95/98: Go to step 2.
    • Windows Me: If you are running Windows Me, the Windows Me file-protection process may have made a backup copy of the Win.ini file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:
      1. Start Windows Explorer.
      2. Browse to and select the C:\Windows\Recent folder.
      3. In the right pane, select the Win.ini file and delete it. The Win.ini file will be regenerated when you save your changes to it in step 6.

  2. Click Start, and then click Run.
  3. Type the following, and then click OK.

    edit c:\windows\win.ini

    (The MS-DOS Editor opens.)

    NOTE: If Windows is installed in a different location, make the appropriate path substitution.

  4. In the [windows] section of the file, look for a line similar to:

    run=%system%\Services\Services.exe
    load=%system%\Services\Services.exe

  5. If this line exists, delete everything to the right of run=.

  6. Click File, and then click Save.

  7. Click File, and then click Exit.

6. Editing the System.ini file
If you are running Windows 95/98/Me, follow these steps:
  1. The function you perform depends on your operating system:
    • Windows 95/98: Go to step 2.
    • Windows Me: If you are running Windows Me, the Windows Me file-protection process may have made a backup copy of the System.ini file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:
      1. Start Windows Explorer.
      2. Browse to and select the C:\Windows\Recent folder.
      3. In the right pane, select the Win.ini file and delete it. The System.ini file will be regenerated when you save your changes to it in step 6.

  2. Click Start, and then click Run.
  3. Type the following, and then click OK.

    edit c:\windows\system.ini

    (The MS-DOS Editor opens.)

    NOTE: If Windows is installed in a different location, make the appropriate path substitution.

  4. Look for a line similar to:

    [windows]
    run=%system%\Services\Services.exe
    load=%system%\Services\Services.exe

  5. If these lines exist, delete them.

  6. Click File, and then click Save.

  7. Click File, and then click Exit.
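
The Win.ini and System.ini edits in sections 5 and 6, as an added Python example that is not part of the original write-up: it flags run=/load= entries in the [windows] section that point to Services\Services.exe and returns the cleaned file text. The function names and the two sample files are constructed for illustration.

```python
import re

TARGET = r"\services\services.exe"  # path fragment named in the write-up
SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ENTRY = re.compile(r"^\s*(run|load)\s*=(.*)$", re.IGNORECASE)

# Constructed sample files (not captured from an infected machine).
SAMPLE_WIN_INI = r"""[windows]
run=%system%\Services\Services.exe
load=%system%\Services\Services.exe
NullPort=None
[Desktop]
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe
[windows]
run=%system%\Services\Services.exe
load=%system%\Services\Services.exe
"""


def find(text):
    """Return [(line_no, key, value)] for flagged run=/load= in [windows]."""
    hits, section = [], None
    for no, line in enumerate(text.splitlines(), 1):
        head = SECTION.match(line)
        m = ENTRY.match(line)
        if head:
            section = head.group(1).strip().lower()
        elif m and section == "windows" and TARGET in m.group(2).lower():
            hits.append((no, m.group(1).lower(), m.group(2).strip()))
    return hits


def clean(text, delete_lines=False):
    """Win.ini: keep the key but empty its value. System.ini (delete_lines=True):
    drop the lines and a [windows] header left directly before a header or EOF."""
    bad = {no for no, _, _ in find(text)}
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if no not in bad:
            out.append(line)
        elif not delete_lines:
            out.append(line.split("=", 1)[0] + "=")
    if delete_lines:
        out = [l for i, l in enumerate(out)
               if not (l.strip().lower() == "[windows]"
                       and (i + 1 == len(out) or SECTION.match(out[i + 1])))]
    return "\n".join(out) + "\n"
```

Run `find()` on a copy of each file first and review the reported lines before writing the output of `clean()` back.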