Adware.SecureServicePk

Updated: June 01, 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Adware.SecureServicePk is adware that inserts advertisements into the top of the result pages of some search Web sites.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version May 27, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date May 31, 2006

The risk is installed as a Browser Helper Object DLL file.

Note: The DLL file is referenced by the following registry value:
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}\InProcServer32\"(Default)" = "[PATH TO DLL]"

When the risk is installed, it adds the following registry subkeys:
HKEY_CLASSES_ROOT\SecureServicePack.BHO.1
HKEY_CLASSES_ROOT\SecureServicePack.BHO
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_CLASSES_ROOT\CLSID\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}
HKEY_CLASSES_ROOT\Interface\{B5918C1E-B0CD-4123-A0CB-CFE9703A265B}
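
A read-only check for the registry artifacts listed above, as an added example that is not part of the original writeup or of Symantec's tooling. The function name `Test-RegistryArtifact` and the output property names are hypothetical, and the fallback that also looks for a value named by the CLSID is an assumption about how `Shell Extensions\Approved` entries are commonly stored.

```powershell
# Added example: read-only check for the registry artifacts listed in this
# writeup. Run in PowerShell on the Windows host being examined.
$bho = '{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}'   # BHO CLSID from the writeup
$bar = '{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}'   # Explorer bar / extension CLSID

# Subkeys from the writeup. The Component Categories key is left out on purpose:
# {00021494-...} is a standard shell category ID, not an ID unique to this risk.
$subkeys = @(
    'HKEY_CLASSES_ROOT\SecureServicePack.BHO.1',
    'HKEY_CLASSES_ROOT\SecureServicePack.BHO',
    "HKEY_CLASSES_ROOT\CLSID\$bho",
    "HKEY_CLASSES_ROOT\CLSID\$bar",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\$bar",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\$bar",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\$bar",
    'HKEY_CLASSES_ROOT\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}',
    'HKEY_CLASSES_ROOT\Interface\{B5918C1E-B0CD-4123-A0CB-CFE9703A265B}'
)

function Test-RegistryArtifact([string]$Path) {
    # True if $Path exists as a subkey, or (assumption) as a value named by
    # the last path segment under the parent key.
    if (Test-Path -LiteralPath "Registry::$Path") { return $true }
    $i = $Path.LastIndexOf('\')
    $parent = $Path.Substring(0, $i)
    $leaf = $Path.Substring($i + 1)
    $key = Get-Item -LiteralPath "Registry::$parent" -ErrorAction SilentlyContinue
    return ($null -ne $key -and $key.GetValueNames() -contains $leaf)
}

$found = @($subkeys | Where-Object { Test-RegistryArtifact $_ })

# The writeup gives the DLL path as the (Default) value of InProcServer32.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$bho\InProcServer32"
$dll = $null
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-Item -LiteralPath $inproc).GetValue('')
}

[pscustomobject]@{
    Detected    = ($found.Count -gt 0)
    MatchedKeys = $found
    BhoDllPath  = $dll
    DllOnDisk   = [bool]($dll -and (Test-Path -LiteralPath $dll))
}
```

On 64-bit Windows, registrations made by 32-bit software are stored under the `WOW6432Node` views of these keys, which this example does not enumerate.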

The risk monitors the URL loaded in Internet Explorer to check whether it is one of the following:
frazoo.com/results.php
dogpile.com/info.dogpl/search/web
xpsn.com/Search/SmartSearch4.asp
xpsn.com/Search/
yandex.
search.yahoo.com/
search.com/
overture.com/
search.netscape.com/
search.msn.com/
lycos.
hotbot.com/
google.
fastsearch.com/
.excite.
search.ebay.com/
cnn.com/
ask.com/
search.aol.com/
altavista.com/
alltheweb.com/

It then inserts an advertisement into the top of the search result page.

Note: The unexpected insertion of content may make the result page difficult to view on some Web sites, such as www.yandex.ru.
Writeup By: Masaki Suenaga