
Adware.Smartsearch


Updated: February 13, 2007
Publisher: Smart Search Asia Ltd.
Risk Impact: High
File Names: C:\y.exe, C:\Program Files\Windows Media Player\wmplayer.exe, C:\Windows\explore.exe, C:\Windows\sys
Systems Affected: Windows

Behavior


Adware.Smartsearch changes the default URL prefix of Internet Explorer, so any URL typed without an http:// prefix is redirected to http:/ /smartsearch.ws/q=.

It also sets the Internet Explorer home page to http:/ /smartsearch.ws.

Symptoms


  • Your Symantec antivirus program detects this threat as Adware.Smartsearch.
  • Typed URLs are redirected to http:/ /smartsearch.ws.


Behavior


Adware.Smartsearch may be installed with other programs.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version January 10, 2004
  • Latest Daily Certified version January 26, 2015 revision 023
  • Initial Weekly Certified release date January 14, 2004

When Adware.Smartsearch is executed, it performs the following actions:
  1. Creates the file, Temp.txt (this file may be several megabytes in size). This file is not a threat, and therefore Symantec antivirus products do not detect it.

  2. Adds the value:

    "SystemEmergency"="<path to Adware.Smartsearch executable file>"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that Adware.Smartsearch runs when you start Windows.

  3. Sets the value:

    "(Default)"="http:/ /smartsearch.ws/?q="

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

    which adds the string, http:/ /smartsearch.ws/?q=, to any URLs typed into the Address bar of Internet Explorer. For example, if a user were to type www.example.com into the Address bar, Internet Explorer would go to the URL, http:/ /smartsearch.ws/?q=www.example.com.

  4. Sets the value:

    "www"="http:/ /smartsearch.ws/?q="

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

  5. Sets the values:
    • "Search"="http:/ /smartsearch.ws/?q="
    • "SearchURL"="http:/ /smartsearch.ws/?q="

      in the registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer

  6. Sets the values:
    • "Default_Page_URL"="http:/ /smartsearch.ws"
    • "Default_Search_URL"="http:/ /smartsearch.ws/?q="
    • "Search Bar"="http:/ /smartsearch.ws/?q="
    • "Search Page"="http:/ /smartsearch.ws/?q="
    • "Start Page"="http:/ /smartsearch.ws"

      in the registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  7. Sets the values:
    • "CustomizeSearch"="http:/ /smartsearch.ws/?q="
    • "SearchAssistant"="http:/ /smartsearch.ws/?q="

      in the registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  8. Sets the values:
    • "Search"="http:/ /smartsearch.ws/?q="
    • "SearchURL"="http:/ /smartsearch.ws/?q="

      in the registry key:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer

  9. Sets the values:
    • "Default_Page_URL"="http:/ /smartsearch.ws"
    • "Default_Search_URL"="http:/ /smartsearch.ws/?q="
    • "Search Bar"="http:/ /smartsearch.ws/?q="
    • "Search Page"="http:/ /smartsearch.ws/?q="
    • "Start Page"="http:/ /smartsearch.ws"

      in the registry key:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

  10. Contacts the Web site, http:/ /smartsearch.ws, and downloads software updates.
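
The registry changes listed above can be checked offline against a registry export. The following Python script is an added example, not Symantec's code: it parses the text of a .reg export and reports string values that point to smartsearch.ws, a "SystemEmergency" autostart value, or a DefaultPrefix/Prefixes entry that is not "http://". The function names and the sample export are constructed for illustration.

```python
import re

DOMAIN = "smartsearch.ws"
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = {(CV + r"\Run").upper(), (CV + r"\RunServices").upper()}
# Values the writeup describes as normally "http://".
NORMAL = {((CV + r"\URL\DefaultPrefix").upper(), "(default)"): "http://",
          ((CV + r"\URL\Prefixes").upper(), "www"): "http://"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg files escape \ and " with a backslash

def parse_reg(text):
    """Yield (key, value name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # "@" is how a .reg export spells the "(Default)" value.
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            yield key, name, _unescape(m.group(2))

def audit(text):
    """Yield (key, value name, reason) for each entry matching the writeup."""
    for key, name, data in parse_reg(text):
        ident = (key.upper(), name.lower())   # registry names are case-insensitive
        if DOMAIN in data.lower():
            yield key, name, "data points to " + DOMAIN
        elif ident in NORMAL and data != NORMAL[ident]:
            yield key, name, "prefix is not the normal " + NORMAL[ident]
        elif ident[0] in RUN_KEYS and ident[1] == "systememergency":
            yield key, name, "autostart value named in the writeup"

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemEmergency"="C:\\y.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://smartsearch.ws/?q="
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"www"="http://"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://smartsearch.ws"
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Registry Editor version 5.00 exports are written as UTF-16, so decode the file to text before passing it to audit().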



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Adware.SmartSearch.
  3. Reset the Internet Explorer Home and Search pages.
  4. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
  1. Start your Symantec antivirus program and run a full system scan.
  2. If any files are detected as Adware.SmartSearch, note their names (which will be helpful in step 3), and then click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

3. Resetting the Internet Explorer Home and Search pages
  1. Start Microsoft Internet Explorer.
  2. Click Tools, and then click Internet Options.
  3. Select the Programs tab.
  4. Click Reset Web Settings.
  5. Make sure that the "Also reset my home page" option is checked.
  6. Click Yes.
  7. Click OK, and then click OK again.

    This will reset the Internet Explorer Home and Search pages to their default settings.

4. Deleting the values from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "SystemEmergency"="<path to file detected as Adware.SmartSearch>"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

  6. In the right pane, delete the value:

    "SystemEmergency"="<path to file detected as Adware.SmartSearch>"

  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

  8. In the right pane, restore the value:

    "(Default)"

    to its correct value. This value is normally "http://" (without quotes).

  9. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

  10. In the right pane, restore the value:

    "www"

    to its correct value. This is normally "http://" (without quotes).

  11. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer

  12. In the right pane, restore the values:
    • "Search"
    • "SearchURL"

      to their correct values or delete them.

  13. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  14. In the right pane, restore the value:

    "Start Page"

    to its correct value or delete it.

  15. Navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer

  16. In the right pane, restore the values:
    • "Search"
    • "SearchURL"

      to their correct values or delete them.

  17. Navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

  18. In the right pane, restore the values:
    • "Default_Page_URL"
    • "Default_Search_URL"
    • "Search Bar"

      to their correct values or delete them.

  19. Exit the Registry Editor.