A forum for reverse engineering, OS internals and malware analysis 

 #19715  by thisisu
 Fri Jun 21, 2013 9:57 pm
MD5: 96fbde8218339481d5b7c8399b77dfe4 -- https://www.virustotal.com/en/file/8d39 ... /analysis/
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects				6/21/2013 4:40 PM
trueads			c:\windows\system32\b9d98fa7-6ad6-270a-5c0a-2ec55760be2c.dll	2/1/2010 7:48 AM
__

MD5: 074bf97a1481dc8e6009626e5fbe7c1e -- https://www.virustotal.com/en/file/c116 ... 371851637/
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects				6/21/2013 4:40 PM
trueads search enhancer			c:\windows\system32\korucuffqhslaed.dll	8/1/2009 10:02 AM
__

MD5: fed0a66d60769d4e2bce382fae14e78a -- https://www.virustotal.com/en/file/153d ... 371851737/
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects				6/21/2013 4:40 PM
TextLinks Class			c:\program files\livingplay\lplaytl.dll	6/8/2011 7:05 AM
Attachments (pass: infected): three samples, 96.27 KiB, 258.75 KiB and 876.35 KiB
 #19799  by Blaze
 Tue Jun 25, 2013 10:31 am
@thisisu:

Seeing a lot of variants on "Continuetosave", a few examples:
contuInnueotOossAve
contuinnUeToSaave
ContuinUaEotaosave
contyinueteoSaivE
coointiynnuetoosavE
coointiynnuetoosavE
CoonnTinauetossauve
coonteinuuetosavve
coontiinUUetosavE
coontInnuuetosave
coontinueotoysavee
countinUoetuosavE
Same for Browse2save and some others. Any idea where these come from or who's behind it?
 #19813  by thisisu
 Tue Jun 25, 2013 11:54 pm
It can be downloaded from the program's website or it may be bundled with some third-party software installation programs.
http://www.microsoft.com/security/porta ... tails_link

BHO CLSID and name are random. As far as I know, AdwCleaner and ComboFix have both implemented ways of detection and removal of this type of adware.
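Added example, not part of the thread and not code from AdwCleaner, ComboFix or any other tool mentioned: a small triage script that parses BHO listing lines in the format posted above and flags the indicators this thread points at (a third-party BHO DLL sitting in system32, a DLL named as a bare GUID, and a display name that is one of the randomised "Continuetosave" / "Browse2save" spellings). The listing it runs on is constructed: the first three entries are the ones posted, the "coonteinuuetosavve" entry reuses a name from the variant list with an assumed path, and the Adobe entry is an assumed benign-looking BHO for contrast. The length bound and the system32 check are heuristics chosen here, not rules from the thread.

```python
import re
from typing import Dict, List

# Constructed sample input (assumption): the three posted BHO entries, plus two
# made-up lines for contrast. Fields are tab separated: name, DLL path, file time.
BHO_LISTING = (
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
    "\t\t\t\t6/21/2013 4:40 PM\n"
    "trueads\t\t\tc:\\windows\\system32\\b9d98fa7-6ad6-270a-5c0a-2ec55760be2c.dll\t2/1/2010 7:48 AM\n"
    "trueads search enhancer\t\t\tc:\\windows\\system32\\korucuffqhslaed.dll\t8/1/2009 10:02 AM\n"
    "TextLinks Class\t\t\tc:\\program files\\livingplay\\lplaytl.dll\t6/8/2011 7:05 AM\n"
    # assumed entry: a variant name from the thread, path made up
    "coonteinuuetosavve\t\t\tc:\\program files\\coonteinuuetosavve\\coonteinuuetosavve.dll\t6/20/2013 1:00 PM\n"
    # assumed benign-looking entry for contrast
    "Adobe PDF Link Helper\t\t\tc:\\program files\\common files\\adobe\\acrobat\\activex\\acroiehelpershim.dll\t5/3/2012 9:12 AM\n"
)

# Family names whose BHO display name gets randomised (named in the thread).
KNOWN_FAMILIES = ["continuetosave", "browse2save"]

# 8-4-4-4-12 hex GUID used as the whole DLL file name.
GUID_DLL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.dll$")


def parse_bho_listing(text: str) -> List[Dict[str, str]]:
    """Parse 'name<TAB>path<TAB>time' lines; skip the HKLM key header and blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("HKLM\\"):
            continue
        fields = [f for f in line.split("\t") if f]
        if len(fields) < 2:
            continue
        mtime = fields[2] if len(fields) > 2 else ""
        entries.append({"name": fields[0], "path": fields[1], "mtime": mtime})
    return entries


def _normalise(name: str) -> str:
    """Lowercase and keep only letters and digits so case games and separators drop out."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _is_subsequence(needle: str, hay: str) -> bool:
    """True if every char of needle appears in hay, in order (gaps allowed)."""
    it = iter(hay)
    return all(ch in it for ch in needle)


def matches_family(name: str, canonical: str, max_stretch: float = 1.5) -> bool:
    """Detect the pattern in the variant list: the canonical name with case changes
    and extra letters inserted. The 1.5x length cap is a heuristic chosen here to
    keep long unrelated names from matching by accident."""
    norm, canon = _normalise(name), _normalise(canonical)
    if len(norm) < len(canon) or len(norm) > max_stretch * len(canon):
        return False
    return _is_subsequence(canon, norm)


def flag_bho(entry: Dict[str, str]) -> List[str]:
    """Return the list of indicators that apply to one BHO entry (empty = nothing seen)."""
    reasons = []
    path = entry["path"].lower().replace("/", "\\")
    filename = path.rsplit("\\", 1)[-1]
    # Weak heuristic: vendor BHOs normally live under Program Files, not system32.
    if path.startswith("c:\\windows\\system32\\"):
        reasons.append("third-party BHO DLL in system32")
    if GUID_DLL.match(filename):
        reasons.append("DLL named as a bare GUID")
    for fam in KNOWN_FAMILIES:
        if matches_family(entry["name"], fam):
            reasons.append(f"name is an obfuscated '{fam}'")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each BHO display name in the listing to its indicators."""
    return {e["name"]: flag_bho(e) for e in parse_bho_listing(text)}


if __name__ == "__main__":
    for name, reasons in triage(BHO_LISTING).items():
        print(f"{name!r}: {'; '.join(reasons) or 'no indicator'}")
```

The name matcher is deliberately loose (a subsequence check rather than an exact list), because the variants posted earlier differ only in case and inserted letters; every one of them matches "continuetosave" under it, while the other posted display names do not. It is a triage aid only: a hit means look at the DLL, not that the entry is confirmed adware.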