Adware:W32/Popmenu is a Browser Helper Object (BHO) that installs a toolbar on the Internet Explorer (IE) web browser and displays out-of-context advertisements unrelated to the user's search.
Installation
When Popmenu's executable file is first run, it opens a new window showing the installation progress of 'Desktop Smiley toolbar'. No End User License Agreement is shown and no input from the user is needed during installation.
During installation, the program attempts to download files from these websites:
- https://www.desktopsmiley.com/[...].dop.pixelType=16 admin=1 (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727))
- https://www.desktopsmiley.com/toolbar/desktopsmiley/[...]/CurrentVersion.xml (User-Agent: HTTP Wininet)
The installation is aborted if the download is not successful.
The adware is installed in the following folder:
- C:/Program Files/DoubleD/Desktop Smiley Toolbar/[version]
The [version] value is obtained from the website. The adware also installs the following files:
- stb0.dll
- stbAol.dll
- stbapp.dll
- stbapp.exe
- stbappHelper.exe
- stbasst.exe
- stbdl.exe
- stbIE.dll
- stbMsn.dll
- stbOL.dll
- stbOLEX.dll
- stbsvc.exe
- stbYahoo8.dll
- stbYahoo9.dll
The following registry key is modified to enable the adware to run at system startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Data="C:/Program Files/DoubleD/Desktop Smiley Toolbar/[version] folder/stbapp.exe"
The following registry key is modified to install a toolbar in IE:
- HKLM\Software\Microsoft\Internet Explorer\Toolbar, Data="C:/Program Files/DoubleD/Desktop Smiley Toolbar/[version] folder/stb0.dll"
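The following triage check is an added example, not part of the original description or of any vendor tooling. It matches collected registry values and file paths against the install folder, file names and registry keys listed above, treating [version] as a single folder name. The (key, data) record format, the triage function and the 0.0.0 version in the sample are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the description above.
ROOT = r"c:\program files\doubled\desktop smiley toolbar"
FILES = {"stb0.dll", "stbaol.dll", "stbapp.dll", "stbapp.exe", "stbapphelper.exe",
         "stbasst.exe", "stbdl.exe", "stbie.dll", "stbmsn.dll", "stbol.dll",
         "stbolex.dll", "stbsvc.exe", "stbyahoo8.dll", "stbyahoo9.dll"}
REG_RULES = {  # registry key -> (finding label, file the data must point to)
    r"hkcu\software\microsoft\windows\currentversion\run": ("autostart", "stbapp.exe"),
    r"hklm\software\microsoft\internet explorer\toolbar": ("ie_toolbar", "stb0.dll"),
}
HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}

def norm(text):
    """Lower-case, drop quotes and use backslashes so spellings compare equal."""
    return text.strip().replace('"', "").replace("/", "\\").lower()

def norm_key(key):
    """Accept both long (HKEY_CURRENT_USER) and short (HKCU) hive names."""
    hive, _, rest = norm(key).partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest

def triage(registry_values, file_paths):
    """Return (label, original value) pairs for records matching the indicators."""
    findings = []
    for key, data in registry_values:
        rule = REG_RULES.get(norm_key(key))
        if rule is None:
            continue
        label, target = rule
        # ROOT, then exactly one folder (the [version]), then the expected file.
        pattern = re.escape(ROOT) + r"\\[^\\]+\\" + re.escape(target)
        if re.search(pattern, norm(data)):
            findings.append((label, data))
    for path in file_paths:
        p = PureWindowsPath(norm(path))
        # A file name alone is weak evidence; require the install folder too.
        if p.name in FILES and str(p.parent.parent) == ROOT:
            findings.append(("file", path))
    return findings

# Constructed sample records; 0.0.0 stands in for the unknown [version].
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     r'"C:\Program Files\DoubleD\Desktop Smiley Toolbar\0.0.0\stbapp.exe"'),
    (r"HKLM\Software\Microsoft\Internet Explorer\Toolbar",
     "C:/Program Files/DoubleD/Desktop Smiley Toolbar/0.0.0/stb0.dll"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Tools\notes.exe"),
]
SAMPLE_FILES = [r"C:\Program Files\DoubleD\Desktop Smiley Toolbar\0.0.0\stbsvc.exe",
                r"C:\Temp\stbsvc.exe"]  # same name, other folder: not reported
```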