[INFO]
AnalystName=Sonia Iuliana Botezatu
AnalystEMailID=botezatus@comodo.com
Team=Romania
Date=12-JAN-2010
Type=ApplicUnsaf
Platform=Win32
SunType=Adware
Family=Fearads
Variant=

[OVERVIEW]
This application is adware: malicious advertising software that automatically displays or downloads advertisements to a computer after the software is installed on it or while the application is being used.

[TECHNICAL_DESCRIPTION]
Registers an in-process server DLL, registers a Browser Helper Object (BHO), and requests files from the internet.

Registry keys added:
HKEY_LOCAL_MACHINE\SOFTWARE\FieryAds
HKLM\SOFTWARE\Classes\CLSID\{6D125299-C2A9-4DBC-BEC3-6F7124E39A41}
HKLM\SOFTWARE\Classes\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D125299-C2A9-4DBC-BEC3-6F7124E39A41}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\AdSubscribe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdSubscribe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FieryAds

Registry values added:
HKLM\SOFTWARE\Classes\CLSID\{6D125299-C2A9-4DBC-BEC3-6F7124E39A41}\InprocServer32\: "%USERPROFILE%\APPLIC~1\FieryAds\FieryAds.dll"
HKLM\SOFTWARE\Classes\CLSID\{6D125299-C2A9-4DBC-BEC3-6F7124E39A41}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{6D125299-C2A9-4DBC-BEC3-6F7124E39A41}\: "Доступ к платному контенту FieryAds v2.0.2"
HKLM\SOFTWARE\Classes\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}\VersionIndependentProgID\: "AdSubscribe"
HKLM\SOFTWARE\Classes\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}\ProgID\: "AdSubscribe"
HKLM\SOFTWARE\Classes\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}\InprocServer32\: "%USERPROFILE%\Application Data\AdSubscribe\AdSubscribe.dll"
HKLM\SOFTWARE\Classes\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}\: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\AdSubscribe\: "{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}: "AdSubscribe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdSubscribe\DisplayName: "Доступ к условно бесплатному контенту AdSubscribe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdSubscribe\UninstallString: "%USERPROFILE%\Application Data\AdSubscribe\Uninstall.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FieryAds\DisplayName: "Бесплатный контент FieryAds"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FieryAds\UninstallString: "%USERPROFILE%\Application Data\FieryAds\FieryAdsUninstall.exe"

Folders added:
%AppData%\AdSubscribe
%AppData%\AdSubscribe\Feed
%AppData%\FieryAds
%AppData%\UserData
%AppData%\UserData\[random-name-8-characters]

Files created:
%AppData%\fieryads.dat
%AppData%\fieryads\fieryads.dll
%ProgramFiles%\fieryads\fieryads.dll
%System%\fieryads.dll
%ProgramFiles%\fieryads\commlayer.dll
%System%\commlayer.dll
%AppData%\AdSubscribe\AdSubscribe.dat
%AppData%\AdSubscribe\AdSubscribe.dll

[SYMPTOMS]
Adware-specific behavior (e.g. pop-ups).

[DISINFECTION]
1. Execute the following files, if available, to uninstall this adware application:
%AppData%\AdSubscribe\Uninstall.exe
%AppData%\FieryAds\FieryAdsUninstall.exe
2. Terminate the adware-related processes, then delete the files on disk and the registry keys associated with the adware program.
3. Recommended solution: Download and install Comodo Internet Security for a safe removal of the application.