SecurityHome.eu Adware:Win32/SaverExtension

Home / malware PDF

Adware:Win32/SaverExtension

First posted on 05 February 2015.
Source: Microsoft
Aliases :
There are no other names known for Adware:Win32/SaverExtension.
Explanation :
Threat behavior

Installation

This program can be installed by third-party software bundlers.

It can add the following files:

%ALLUSERSPROFILE% \SaaverEExtenssioin\1aXycnQeQLl6Es.dat

%ALLUSERSPROFILE% \SaaverEExtenssioin\1aXycnQeQLl6Es.exe

%ALLUSERSPROFILE% \SaveNEiwoaAippz\6Mb3lTFyn0hyba.dat

%ALLUSERSPROFILE% \SaveNEiwoaAippz\6Mb3lTFyn0hyba.exe

%ProgramFiles%\SaaverEExtenssioin\1aXycnQeQLl6Es.dat

%ProgramFiles% \SaaverEExtenssioin\1aXycnQeQLl6Es.dat

%ProgramFiles% \SaaverEExtenssioin\1aXycnQeQLl6Es.dll

%ProgramFiles% \SaaverEExtenssioin\1aXycnQeQLl6Es.exe

%ProgramFiles% \SaaverEExtenssioin\1aXycnQeQLl6Es.tlb

%ProgramFiles% \SaaverEExtenssioin\1aXycnQeQLl6Es.x64.dll

%ProgramFiles% \SaveNEiwoaAippz\6Mb3lTFyn0hyba.dat

%ProgramFiles% \SaveNEiwoaAippz\6Mb3lTFyn0hyba.dat

%ProgramFiles% \SaveNEiwoaAippz\6Mb3lTFyn0hyba.dll

%ProgramFiles% \SaveNEiwoaAippz\6Mb3lTFyn0hyba.exe

%ProgramFiles% \SaveNEiwoaAippz\6Mb3lTFyn0hyba.tlb

It can create or modify the following registry entries:

In subkey: HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{cea16584-6bea-4ade-b69a-63e2bb186854}

In subkey: HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7936c7ad-0222-40a5-a140-29374f4d72b8}

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{cea16584-6bea-4ade-b69a-63e2bb186854}

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7936c7ad-0222-40a5-a140-29374f4d72b8}

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Sets value: {cea16584-6bea-4ade-b69a-63e2bb186854}
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Sets value: {7936c7ad-0222-40a5-a140-29374f4d72b8}
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{cea16584-6bea-4ade-b69a-63e2bb186854}
Sets value: "(Default)"
With data: "SaveNEiwoaAippz"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7936c7ad-0222-40a5-a140-29374f4d72b8}
Sets value: "(Default)"
With data: "SaaverEExtenssioin"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7304C9D1-98AD-55F0-636E-22D8DD57F176}
Sets value: "DisplayName"
With data: "SaveNEiwoaAippz"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{274E3C5C-178E-EAE2-A52F-2863C0EECD46}
Sets value: "DisplayName"
With data: "SaaverEExtenssioin"

This program can install and enable the following web browser add-ons:

SaaverEExtenssioin

SaveNEiwoaAippz

You can't disable or remove these add-ons, as shown below:

Behavior

Shows you extra advertisements

This program shows you ads with incorrect attribution as you browse the Internet, for example:

Extra ads in your search results:

Slider ads:

Ads on newly opened webpages or tabs:

You wouldn't see these extra advertisements if this program wasn't installed.

Analysis by James Dee

Symptoms

The following can indicate that you have this threat on your PC:

You have these files:

%ALLUSERSPROFILE%\SaaverEExtenssioin\1aXycnQeQLl6Es.dat
%ALLUSERSPROFILE%\SaaverEExtenssioin\1aXycnQeQLl6Es.exe
%ALLUSERSPROFILE%\SaveNEiwoaAippz\6Mb3lTFyn0hyba.dat
%ALLUSERSPROFILE%\SaveNEiwoaAippz\6Mb3lTFyn0hyba.exe
%ProgramFiles%\SaaverEExtenssioin\1aXycnQeQLl6Es.dat
%ProgramFiles%\SaaverEExtenssioin\1aXycnQeQLl6Es.dat
%ProgramFiles%\SaaverEExtenssioin\1aXycnQeQLl6Es.dll
%ProgramFiles%\SaaverEExtenssioin\1aXycnQeQLl6Es.exe
%ProgramFiles%\SaaverEExtenssioin\1aXycnQeQLl6Es.tlb
%ProgramFiles%\SaaverEExtenssioin\1aXycnQeQLl6Es.x64.dll
%ProgramFiles%\SaveNEiwoaAippz\6Mb3lTFyn0hyba.dat
%ProgramFiles%\SaveNEiwoaAippz\6Mb3lTFyn0hyba.dat
%ProgramFiles%\SaveNEiwoaAippz\6Mb3lTFyn0hyba.dll
%ProgramFiles%\SaveNEiwoaAippz\6Mb3lTFyn0hyba.exe
%ProgramFiles%\SaveNEiwoaAippz\6Mb3lTFyn0hyba.tlb

You see these entries or keys in your registry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{cea16584-6bea-4ade-b69a-63e2bb186854}

In subkey: HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7936c7ad-0222-40a5-a140-29374f4d72b8}

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{cea16584-6bea-4ade-b69a-63e2bb186854}

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7936c7ad-0222-40a5-a140-29374f4d72b8}

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Sets value: {cea16584-6bea-4ade-b69a-63e2bb186854}
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Sets value: {7936c7ad-0222-40a5-a140-29374f4d72b8}
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{cea16584-6bea-4ade-b69a-63e2bb186854}
Sets value: "(Default)"
With data: "SaveNEiwoaAippz"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7936c7ad-0222-40a5-a140-29374f4d72b8}
Sets value: "(Default)"
With data: "SaaverEExtenssioin"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7304C9D1-98AD-55F0-636E-22D8DD57F176}
Sets value: "DisplayName"
With data: "SaveNEiwoaAippz"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{274E3C5C-178E-EAE2-A52F-2863C0EECD46}
Sets value: "DisplayName"
With data: "SaaverEExtenssioin"

You see ads like these:

Last update 05 February 2015

TOP

Malware :

Last 20