Adware:Win32/EoRezo


Microsoft security software detects and removes this program.

This program shows you targeted ads as you browse the Internet.

Find out more about how and why we identify unwanted software.



What to do now

This program poses a high threat to your PC.

Remove programs

You might need to manually remove this program:

If an uninstaller is not available, does not work properly, or you do not want to use it, you can use the following free tools to detect and remove this program and other unwanted software from your PC:

You should also run a full scan. A full scan might find hidden threats.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The program creates these registry entries:

In subkey: HKLM\Software\EoRezo
Sets value: "HostGUID"
With data: "<Host GUID>"

In subkey: HKCU\Software\EoRezo
Sets value: "LCID"
With data: "<LCID>"

It also creates the mutex "EoRezo".

It installs itself as a Browser Helper Object (BHO) and creates the following registry entries:

In subkey: HKLM\SOFTWARE\Classes\AppID\EoEngineBHO.DLL
Sets value: "AppID"
With data: "{afbb7970-789a-4264-ba70-e8127dece400}"

In subkey: HKLM\SOFTWARE\Classes\AppID\{AFBB7970-789A-4264-BA70-E8127DECE400}
Sets value: "(default)"
With data: "eoenginebho"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\InprocServer32
Sets value: "(default)"
With data: "<adware file>"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\ProgID
Sets value: "(default)"
With data: "eoenginebho.eobho.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\TypeLib
Sets value: "(default)"
With data: "{{18af7201-4f14-4bcf-93fe-45617cf259ff}}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\VersionIndependentProgID
Sets value: "(default)"
With data: "eoenginebho.eobho"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO.1
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO.1\CLSID
Sets value: "(default)"
With data: "{c10dc1f4-ccdf-4224-a24d-b23afc3573c8}"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO\CLSID
Sets value: "(default)"
With data: "{c10dc1f4-ccdf-4224-a24d-b23afc3573c8}"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO\CurVer
Sets value: "(default)"
With data: "eoenginebho.eobho.1"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}
Sets value: "(default)"
With data: "ieobho"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\TypeLib
Sets value: "(default)"
With data: "{18af7201-4f14-4bcf-93fe-45617cf259ff}"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0
Sets value: "(default)"
With data: "eoenginebho 1.0 type library"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\0\win32
Sets value: "(default)"
With data: "<adware file>"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\FLAGS
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\HELPDIR
Sets value: "(default)"
With data: "<current folder>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
Sets value: "(default)"
With data: "eobho"
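
As an added example (not part of the original entry and not Microsoft's code), the following Python checks the text of a `reg export` dump for three of the keys listed above: the EoRezo settings key, the BHO's InprocServer32 key and its Browser Helper Objects registration. The sample export, its placeholder GUID data and file path are constructed, and treating `WOW6432Node` copies of the keys as equivalent is an assumption that goes beyond what the entry lists.

```python
import re

# Indicators from the registry entries above, lower-cased (registry keys are case-insensitive).
HKLM = "hkey_local_machine\\software\\"
BHO_CLSID = "{c10dc1f4-ccdf-4224-a24d-b23afc3573c8}"
INDICATORS = {
    HKLM + "eorezo": "EoRezo settings key",
    HKLM + "classes\\clsid\\" + BHO_CLSID + "\\inprocserver32": "BHO COM server",
    HKLM + "microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"
    + BHO_CLSID: "BHO registration",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg_export(text):
    """Parse `reg export` text into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
            current[name] = data
    return keys

def find_eorezo(text):
    """Return (description, key, values) for every key matching an indicator."""
    # Assumption: 32-bit registrations on 64-bit Windows sit under WOW6432Node.
    return [(INDICATORS[n], key, values)
            for key, values in parse_reg_export(text).items()
            if (n := key.lower().replace("\\wow6432node", "")) in INDICATORS]

# Constructed sample export; the GUID data and the file path are placeholders.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EoRezo]
"HostGUID"="{00000000-0000-0000-0000-000000000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\InprocServer32]
@="C:\\ExamplePath\\EoEngineBHO.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}]
@="eobho"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@="unrelated"
"""

if __name__ == "__main__":
    print(*find_eorezo(SAMPLE), sep="\n")
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `find_eorezo`. The InprocServer32 hit carries the path of the DLL that Internet Explorer loads, which is the file to examine or quarantine.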

Behavior

The program is known to:

  • Display pop-up ads.
  • Connect to certain servers, for example, eorezo.com and alpha00001.com.
  • Change the home page and search engine used by Internet Explorer and Mozilla Firefox.
  • Send out information about your PC to a remote server.
  • Connect to a remote server to get configuration data.

Analysis by Jireh Sanico


Symptoms

The following could indicate that you have this program on your PC:

  • You have this registry entry:
    In subkey: HKLM\Software\EoRezo
    Value: "HostGUID"
  • For a complete list of all registry modifications, including those created when Adware:Win32/EoRezo is installed as a BHO, see the Technical Details section.

Prevention


Alert level: High
First detected by definition: 1.113.515.0
Latest detected by definition: 1.185.3495.0 and higher
First detected on: Sep 28, 2011
This entry was first published on: Oct 18, 2011
This entry was updated on: Nov 20, 2014

This threat is also detected as:
  • Win32/Adware.EoRezo.E application (ESET)
  • AdWare.Win32.EoRezo (Ikarus)
  • Adware-Eorezo (McAfee)
  • ADW_EOZERO (Trend Micro)