AutoSearch
- By W3 Privacy
- Published 05/8/2007
- Parasites
Description
AutoSearch is an IE Browser Helper Object that hijacks address-bar searches. It knows about some of the other prevalent search-hijackers — IGetNet, CommonName and NewDotNet — and will steal back any address bar searches they take over.
Also known as
AutoSearchBHO\Hijacker by Ad-Aware. MSInfoSys after its filename.
Distribution
As yet unknown.
What it does
Advertising
No, though Wink/ASWnk does. (See below.)
Any address bar search you do is sent to a single page at www.tunders.com (which includes only static adverts, no search results).
Privacy violation
No.
Security issues
No.
Stability problems
None known.
Removal
Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u msinfosys.dll
You should now be able to delete the 'msinfosys.dll' file in your System folder (inside the Windows folder; called 'System32' on Windows NT/2000/XP).
It is believed that AutoSearch is installed with or by Wink/ASWnk — check your system for this parasite.
Wink removal
Wink is a family of parasites based on an original dialler. It cannot be detected by the script at this site. Some variants of Wink are actual diallers; others have had this function disabled and act as adware. Wink can download and execute arbitrary unsigned code from its controlling server at 204.177.92.204. It also puts an entry in Add/Remove Programs to run a file '[variant name]_uninstall.exe' in the Windows System folder, which doesn't uninstall the software, but in dialler variants makes the software hide instead of showing itself at startup.
Wink can be spotted by opening the registry (click 'Start', choose 'Run', enter 'regedit') and finding the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; Wink variants have a characteristic run string ending in '/noconnect'. This entry should be deleted, along with the key HKEY_CURRENT_USER\Software\SiteIcons, and, in dialler variants, HKEY_CLASSES_ROOT\.WINK and HKEY_CLASSES_ROOT\WINK File.
Then restart and delete the program file, which usually lives in a folder called 'dialers' in 'C:\Program Files', but see the following variants:
Wink/Party: dialler, program file in 'files\dialers\online_party\online_party.exe'.
Wink/hot: various diallers: at least hot_swiss, hot_canada and hotsurprise_in have been seen. Program file is in the form 'dialers\hot_swiss\hot_swiss.exe' (and so on for the other variants).
Wink/HornyCam: various diallers: at least hornycam_jp has been seen. Program file is in the form 'comsoft\dialers\hornycam_jp\hornycam_jp.exe'.
Wink/EasyDates: various diallers: at least hornycam_jp has been seen. Program file is in the form 'comsoft\dialers\easydates_jp\easydates_jp.exe'.
Wink/UKVideo2: another dialler, program file 'dialers\ukvideo2\ukvideo2.exe'.
Wink/VideoAction: more diallers: at least videoaction_se has been seen. Program file in the form 'comsoft\dialers\videoaction_se\videoaction_se.exe'.
Wink/DateMaker: more diallers: at least datemakerspain and datemakerintl have been seen. Program file in the form 'dialers\datemakerspain\datemakerspain.exe' and so on. Uses registry key 'HKEY_CLASSES_ROOT\dting File' instead of 'WINK file'. Detected by Sophos anti-virus as Dial/Datemake and by Panda anti-virus as Trj/Pornspa.
Wink/ASWnk: not a dialler. Opens pop-up ads from fassia.net. Program file is ASWnk.exe in a Program Files folder called 'primesoft\ASWnk' (instead of the usual 'dialers').
Wink/nsdlua: not a dialler. Opens pop-up ads from (deep breath) 0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com. Program file is 'dialers\nsdlua\nsdlua.exe'. This is known to be loaded as a fake pop-up-killer application (which claims it has failed to run), by stopannoyingpopups.com; exploitation of an IE security hole is suspected here.
Wink/dluca: not a dialler. Program file is 'msinstall\dlu32\dluca\dluca.exe', hidden in the Windows System[32] folder instead of Program Files.
Wink/infwin: not a dialler. Program file is 'infwin.exe', hidden in the Windows System[32] folder instead of Program Files.
Wink/win and Wink/win32: not a dialler. Program file depends on country; at least 'winde.exe', 'win32us.exe', 'win32gb.exe' have been seen, in the Windows System[32] folder.
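The registry checks described above can be run over a registry export instead of by eye. This is an added example, not part of the original entry or any vendor tool: it assumes you have exported the registry from regedit to text (already decoded to a Python string), and the sample export and its value names are constructed.

```python
import re

# Indicators from the page: Run-key command lines ending in '/noconnect',
# plus the registry keys the page says to delete.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINK_KEYS = [
    r"HKEY_CURRENT_USER\Software\SiteIcons",
    r"HKEY_CLASSES_ROOT\.WINK",
    r"HKEY_CLASSES_ROOT\WINK File",
    r"HKEY_CLASSES_ROOT\dting File",  # Wink/DateMaker variant
]
# "name"="data" lines; .reg string data escapes \ and " with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (run_hits, key_hits) found in regedit export text."""
    run_hits, key_hits, current = [], set(), ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            for key in WINK_KEYS:  # the key itself or any of its subkeys
                if current == key.lower() or current.startswith(key.lower() + "\\"):
                    key_hits.add(key)
            continue
        m = VALUE_RE.match(line)
        if m and current == RUN_KEY.lower():
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if data.rstrip().lower().endswith("/noconnect"):
                run_hits.append((name, data))
    return run_hits, sorted(key_hits)

# Constructed sample export (value names and layout are illustrative).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"hot_swiss"="C:\\Program Files\\dialers\\hot_swiss\\hot_swiss.exe /noconnect"

[HKEY_CURRENT_USER\Software\SiteIcons]

[HKEY_CLASSES_ROOT\.WINK]
@="WINK File"
'''

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE))
```

The Run-key hit also gives the path of the program file to delete after the restart, which covers variants that live outside the usual 'dialers' folder.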

