Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.SearchCounter

Updated: February 13, 2007
Risk Impact: Low
Systems Affected: Windows

Behavior


Adware.SearchCounter changes Internet Explorer's search and home pages, redirects network traffic, and displays browser popup windows.

Symptoms


  • Attempts to connect to auto.search.msn.com are redirected to in.webcounter.cc.
  • The default search and home pages in Internet Explorer are changed to in.webcounter.cc.
  • Internet Explorer popup windows displaying in.webcounter.cc are automatically opened.
  • On logon, Windows error messages are displayed, stating that "fntldr.exe cannot be found."


Behavior


This adware component can be manually installed or installed as a component of another program.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version April 13, 2015 revision 048
  • Initial Daily Certified version December 01, 2003
  • Latest Daily Certified version April 14, 2015 revision 005
  • Initial Weekly Certified release date December 03, 2003

When Adware.SearchCounter is executed, it performs the following actions:
  1. Modifies the following registry keys as shown:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer

    "Search"="<WebAddress>"


    Note: <WebAddress> is a variable. The adware places the value:

    http:/ /%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%62%7a%62%6a%72

    in the given registry location.



    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

    "Default_Search"="<WebAddress>"
    "Search Page"="<WebAddress>"
    "Start Page"="<WebAddress>"
    "Use Search Assistant"="yes"


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles

    "User Stylesheet"="%Windir%\hh.htt"
    "Use My Stylesheet"= dword:00000001


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

    "Search Assistant"="<WebAddress>"
    "CustomizeSearch"="<WebAddress>"


    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer

    "ReconfLast"=dword:07D30C01


    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer

    "Search"="<WebAddress>"
    "SearchURL"="<WebAddress>"


    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main

    "Start Page"="<WebAddress>"
    "Search Page"="<WebAddress>"
    "Default_Search"="<WebAddress>"
    "Default_Page"="<WebAddress>"
    "Use SearchAssistant"= "yes"
    "Search Bar"="<WebAddress>"

    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Search

    "Search Assistant"="<WebAddress>"
    "CustomizeSearch"= "<WebAddress>"


    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles

    "User Stylesheet"="%Windir%\Web\tips.ini"
    "Use My Stylesheet"= dword:00000001

  2. Creates two identical files:
    • %Windir%\Web\tips.ini
    • %Windir%\hh.htt


      These files cause a browser popup window displaying "<WebAddress>" to appear every time an Internet Explorer page contains any of these META tags:
      • sex
      • porn
      • adult
      • thehun

  3. Adds this line to the Hosts file:

    1089288654 auto.search.msn.com

    This causes all attempts to contact auto.search.msn.com to be redirected to "<WebAddress>".

  4. Adds the following line to the Win.ini file:

    run=fntldr.exe

    This is designed to cause the file Fntldr.exe to be run every time you start Windows 95/98/Me. However, during testing by Security Response, the adware did not create or download the Fntldr.exe file. Instead, error dialogs appear after every logon, stating that Fntldr.exe could not be found.
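
The artifacts from steps 1, 3 and 4 can be checked with a short script. The Python below is an added example, not Symantec's code: the sample Hosts and Win.ini contents are constructed from the values quoted above, and the function names are hypothetical. It decodes the percent-encoded registry value, converts a Hosts address written as a single decimal number into dotted form, and lists what the run= line in the [windows] section launches.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed sample inputs, built from the values quoted in this write-up.
SAMPLE_HOSTS = """\
# constructed sample Hosts file
127.0.0.1       localhost
1089288654 auto.search.msn.com
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=fntldr.exe\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG_VALUE = "http:/ /%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%62%7a%62%6a%72"

def decoded_host(value):
    """Percent-decode a registry URL value and return its host name."""
    url = unquote(value.replace(" ", ""))  # the write-up prints the URL with a space
    return urlsplit(url).hostname

def hosts_findings(text):
    """Return (address, name, integer_form) for every non-loopback Hosts mapping."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        token, names = fields[0], fields[1:]
        try:
            # An all-digit token is a 32-bit address written as one decimal number.
            addr = ipaddress.ip_address(int(token) if token.isdigit() else token)
        except ValueError:
            continue
        if addr.is_loopback:
            continue
        out.extend((str(addr), n.lower(), token.isdigit()) for n in names)
    return out

def win_ini_run(text):
    """Return the programs listed on run= in the [windows] section."""
    section, progs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run="):
            progs += line[4:].replace(",", " ").split()
    return progs

if __name__ == "__main__":
    print(decoded_host(SAMPLE_REG_VALUE))
    print(hosts_findings(SAMPLE_HOSTS))
    print(win_ini_run(SAMPLE_WIN_INI))
```

A Hosts mapping whose third field is True uses the single-number address form, which is easy to overlook when reading the file by eye.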



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Adware.SearchCounter.
  3. Reverse the changes that were made to the registry.
  4. Remove the line that was added to the Hosts file.
  5. For Windows 95/98/Me: Edit the line that was added to the Win.ini file.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Adware.SearchCounter, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

3. Reversing the changes that were made to the registry

Note: This adware makes at least 20 modifications to the registry. Some of these changes can be reset to the default settings from within Internet Explorer. You may have to reset the settings for each user who logs on to the computer.

Symantec cannot guarantee that the instructions that follow will reset all the modifications.

If you are familiar with the registry and would like to attempt to reset the changes using the Registry Editor, refer to the Additional Information section below for basic information.

  1. Start Microsoft Internet Explorer.
  2. Connect to the Internet and go to the page that you want to set as your home page.
  3. Click Tools, and then click Internet Options.
  4. In the Home page section of the General tab, click Use Current, and then click OK.
  5. On the Internet Explorer tool bar, click Search.
  6. In the Search pane, click Customize.
  7. Click Reset.
  8. Select the "Find a Web page" box (others are optional).
  9. Click Autosearch and select a search site from the dropdown tool.
  10. Click OK.

4. Removing the line that was added to the Hosts file

Not all computers will have this file, and its location can vary. For example, if the file exists in Windows 98, it will usually be in C:\Windows; in Windows 2000, it is in the C:\WINNT\SYSTEM32\DRIVERS\ETC folder. There may also be multiple copies of this file in different locations.

The most efficient way to locate the file is to search for it.

Follow the instructions for your operating system:
  • Windows 95/98/Me/NT/2000
    1. Click Start, point to Find or Search, and then click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
    3. In the "Named" or "Search for..." box, type:

      hosts

    4. Click Find Now or Search Now.
    5. For each one that you find, right-click it, and then click "Open With."
    6. Deselect the "Always use this program to open this program" check box.
    7. Scroll through the list of programs and double-click Notepad.
    8. Look for the following line and delete it if found:

      1089288654 auto.search.msn.com

    9. Close Notepad and save your changes when prompted.

  • Windows XP
    1. Click Start, and then click Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:

      hosts

    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click "More advanced options."
    6. Check "Search system folders."
    7. Check "Search subfolders."
    8. Click Search.
    9. Click Find Now or Search Now.
    10. For each one that you find, right-click it, and then click "Open With."
    11. Deselect the "Always use this program to open this program" check box.
    12. Scroll through the list of programs and double-click Notepad.
    13. Look for the following line and delete it if found:

      1089288654 auto.search.msn.com

    14. Close Notepad and save your changes when prompted.

5. Editing the Win.ini file
If you are running Windows 95/98/Me, follow these steps:
  1. The action you take depends on your operating system:
    • Windows 95/98: Go to step 2.
    • Windows Me: The Windows Me file-protection process may have made a backup copy of the Win.ini file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:
      1. Start Windows Explorer.
      2. Browse to and select the C:\Windows\Recent folder.
      3. In the right pane, select the Win.ini file and delete it. The Win.ini file will be regenerated when you save your changes to it in step 6.

  2. Click Start, and then click Run.
  3. Type the following, and then click OK.

    edit c:\windows\win.ini

    (The MS-DOS Editor opens.)

    NOTE: If Windows is installed in a different location, make the appropriate path substitution.

  4. In the [windows] section of the file, look for a line similar to:

    run=fntldr.exe

  5. If this line exists, delete everything to the right of run=.

  6. Click File, and then click Save.
  7. Click File, and then click Exit.


Additional Information
The following information is provided for those who prefer to undo the registry changes by manually editing the registry.

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

  • The keys that were given the value <WebAddress> should be changed to:

    about:blank

  • The "Use SearchAssistant" keys should be given the value:

    no

  • The "Use My Stylesheet" keys should be given the value:

    0

  • The "User Stylesheet" keys should be given blank values.