Removing amazing autosearch toolbar from my system

  • Thread starter: DEBBIED58

DEBBIED58

A TOOLBAR HAS APPEARED AT THE BOTTOM OF MY SCREEN WHEN I
LOG INTO INTERNET EXPLORER. IT SAYS AMAZING AUTOSEARCHES.
I HAVE TRIED TO DELETE IT AND CANNOT. ANY IDEAS HOW TO
REMOVE IT? I THINK THAT IT WAS INSTALLED WHEN MY SON
VISITED A PARTICULAR WEBSITE.
 
DEBBIED58 said:
A TOOLBAR HAS APPEARED AT THE BOTTOM OF MY SCREEN WHEN I
LOG INTO INTERNET EXPLORER. IT SAYS AMAZING AUTOSEARCHES.
I HAVE TRIED TO DELETE IT AND CANNOT. ANY IDEAS HOW TO
REMOVE IT? I THINK THAT IT WAS INSTALLED WHEN MY SON
VISITED A PARTICULAR WEBSITE.

See if Ad-aware (http://www.lavasoft.de) can help you to get rid of
it.
 
Hi there,

First of all, please do not post with all caps lock. It
just makes your message harder to read.

It sounds like you have an adware toolbar on your computer.
There are several adware removal programs out there.

Ad-aware
www.lavasoftusa.com

Spybot Search & Destroy
http://www.safer-networking.org/

These are the two that I use most often. Run Ad-aware first
and then Spybot. It is usually good practice to run these
programs as often as you would an anti-virus scan.

Hope this helps,

Nick
(e-mail address removed)
 
AutoSearch is an IE Browser Helper Object that hijacks address-bar searches.
It knows about some of the other prevalent search-hijackers - IGetNet,
CommonName and NewDotNet - and will steal back any address bar searches they
take over.

Also known as
AutoSearchBHO\Hijacker by Ad-Aware. MSInfoSys after its filename.

Distribution
As yet unknown.

What it does
Advertising
No, though Wink/ASWnk does. (See below.)

Any address bar search you do is sent to a single page at www.tunders.com
(which includes only static adverts, no search results).

Privacy violation
No.

Security issues
No.

Stability problems
None known.

Removal
Open a DOS command prompt window (from Start->Programs->Accessories) and
enter the following commands:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll

You should now be able to delete the 'msinfosys.dll' file in your System
folder (inside the Windows folder; called 'System32' on Windows NT/2000/XP).

It is believed that AutoSearch is installed with or by Wink/ASWnk - check
your system for this parasite.

Wink removal
Wink is a family of parasites based on an original dialler. It cannot be
detected by the script at this site. Some variants of Wink are actual
diallers; others have had this function disabled and act as adware. Wink can
download and execute arbitrary unsigned code from its controlling server at
204.177.92.204. It also puts an entry in Add/Remove Programs to run a file
'[variant name]_uninstall.exe' in the Windows System folder, which doesn't
uninstall the software, but in dialler variants makes the software hide
instead of showing itself at startup.

Wink can be spotted by opening the registry (click 'Start', choose 'Run',
enter 'regedit') and finding the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; Wink
variants have a characteristic run string ending in '/noconnect'. This entry
should be deleted, along with the key HKEY_CURRENT_USER\Software\SiteIcons,
and, in dialler variants, HKEY_CLASSES_ROOT\.WINK and HKEY_CLASSES_ROOT\WINK
File. If you use Netscape 4, dialler variants will also add themselves to
the 'User Trusted External Applications' in
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator; its entries here
should be deleted.

Then restart and delete the program file, which usually lives in a folder
called 'dialers' in 'C:\Program Files', but see the following variants:

Wink/Party: dialler, program file in
'files\dialers\online_party\online_party.exe'.

Wink/hot: various diallers: at least hot_swiss, hot_canada and
hotsurprise_in have been seen. Program file is in the form
'dialers\hot_swiss\hot_swiss.exe' (and so on for the other variants).

Wink/HornyCam: various diallers: at least hornycam_jp has been seen. Program
file is in the form 'comsoft\dialers\hornycam_jp\hornycam_jp.exe'.

Wink/EasyDates: various diallers: at least hornycam_jp has been seen.
Program file is in the form 'comsoft\dialers\easydates_jp\easydates_jp.exe'.

Wink/UKVideo2: another dialler, program file
'dialers\ukvideo2\ukvideo2.exe'.

Wink/VideoAction: more diallers: at least videoaction_se has been seen.
Program file in the form
'comsoft\dialers\videoaction_se\videoaction_se.exe'.

Wink/DateMaker: more diallers: at least datemakerspain and datemakerintl
have been seen. Program file in the form
'dialers\datemakerspain\datemakerspain.exe' and so on. Uses registry key
'HKEY_CLASSES_ROOT\dting File' instead of 'WINK file'. Detected by Sophos
anti-virus as Dial/Datemake and by Panda anti-virus as Trj/Pornspa.

Wink/ASWnk: not a dialler. Opens pop-up ads from fassia.net. Program file is
ASWnk.exe in a Program Files folder called 'primesoft\ASWnk' (instead of the
usual 'dialers').

Wink/nsdlua: not a dialler. Opens pop-up ads from (deep breath)
0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com. Program
file is 'dialers\nsdlua\nsdlua.exe'. This is known to be loaded as a fake
pop-up-killer application (which claims it has failed to run), by
stopannoyingpopups.com; exploitation of an IE security hole is suspected
here.

Wink/dluca: not a dialler. Program file is
'msinstall\dlu32\dluca\dluca.exe', hidden in the Windows System[32] folder
instead of Program Files.

Wink/infwin: not a dialler. Program file is 'infwin.exe', hidden in the
Windows System[32] folder instead of Program Files.

Wink/win and Wink/win32: not a dialler. Program file depends on country; at
least 'winde.exe', 'win32us.exe', 'win32gb.exe' have been seen, in the
Windows System[32] folder.

Parasite detection & information

(e-mail address removed)
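
The Run-key check described in the post above, as an added example that is not part of the original thread: it parses the text printed by `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` and flags values whose command ends in '/noconnect', noting which of the folder layouts listed in the post the path matches. The sample output, value names and function names are constructed for illustration.

```python
import re

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# output; the value names and commands are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    hot_swiss    REG_SZ    "C:\Program Files\dialers\hot_swiss\hot_swiss.exe" /noconnect
    ASWnk    REG_SZ    C:\Program Files\primesoft\ASWnk\ASWnk.exe /noconnect
    Updater    REG_SZ    C:\Tools\upd.exe /noconnect-later
"""

# A value line is: indentation, value name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s*(?P<data>.*)$")

# Folder layouts listed per variant in the post; most specific first.
LAYOUTS = [
    ("\\comsoft\\dialers\\", "comsoft\\dialers layout"),
    ("\\primesoft\\aswnk\\", "Wink/ASWnk layout (adware)"),
    ("\\msinstall\\dlu32\\dluca\\", "Wink/dluca layout (adware)"),
    ("\\dialers\\", "usual 'dialers' layout"),
]

def run_values(reg_query_output):
    """Return {value name: command} for each value line; key lines are skipped."""
    values = {}
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def wink_candidates(reg_query_output):
    """Flag Run values whose command line ends in '/noconnect'."""
    hits = []
    for name, command in run_values(reg_query_output).items():
        lowered = command.lower()
        # The post's indicator is a run string that *ends* in '/noconnect'.
        if not lowered.endswith("/noconnect"):
            continue
        layout = next((label for frag, label in LAYOUTS if frag in lowered),
                      "unlisted location (check the System folder)")
        hits.append({"value": name, "command": command, "layout": layout})
    return hits

if __name__ == "__main__":
    for hit in wink_candidates(SAMPLE):
        print(hit["value"], "|", hit["layout"], "|", hit["command"])
```

A hit only identifies the Run value to review; the companion keys named in the post (HKEY_CURRENT_USER\Software\SiteIcons and, for dialler variants, HKEY_CLASSES_ROOT\.WINK) still need to be checked by hand.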
 
Holy crap that's a lot of info... =P

Nick
(e-mail address removed)

 
It's the only one that is really useful though.
 
After I followed your instructions and typed:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll

I got an error message saying:

LoadLibrary("msinfosys.dll")failed - The specified module could not be
found.

Any idea what that means? Went to System32 folder and couldn't find the
'msinfosys.dll' file either.

The people at www.lop.com are idiots. I now have a bar on top and at
the bottom, and my homepage is irretrievably set at
http://tinyurl.com/388dy
even though adaware and spybot have removed all other traces of it. I
also had to manually remove new folders in the favorites menu. Three
hours fiddling with this! just because downloaded an mp3 file from mp3
search!!! Not my day.


-
sputtereddog
 
This amazing autosearch thing is a pain to get rid of. I have run virus
scan, hijack this, ashampoo, adware 6.0, spybot search and destroy, then
deleted all the registry keys. Talk about hard to kill. Good thing it
is just a huge annoyance. I hope someone can solve this case and help
all who might fall victim to this thing. As of yet I have no solution.
 
sputtereddog said:
After I followed your instructions and typed:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll

I got an error message saying:

LoadLibrary("msinfosys.dll")failed - The specified module could not be
found.

Any idea what that means? Went to System32 folder and couldn't find the
'msinfosys.dll' file either.

The people at www.lop.com are idiots. I now have a bar on top and at
the bottom, and my homepage is irretrievably set at
http://tinyurl.com/388dy
even though adaware and spybot have removed all other traces of it. I
also had to manually remove new folders in the favorites menu. Three
hours fiddling with this! just because downloaded an mp3 file from mp3
search!!! Not my day.


Hey I have the same problem too, the specified module could not be
found. Did you ever find a way to get rid of this annoying toolbar?
 