Adware-Xupiter

Type: Program
SubType: Adware
Discovery Date: 10/01/2002
Minimum DAT: 4227 (10/02/2002)
Updated DAT: 4692 (02/08/2006)
Minimum Engine: 5.1.00
Description Added: 12/18/2002
Description Modified: 05/24/2005 10:27 AM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up advertisements while the user browses the web. Installation is achieved via an ActiveX control (www.sqwire.com/toolbar). Many files are dropped and several registry entries are created. Following installation, many links are added to several folders in the user's Favorites. A Browser Helper Object (BHO) is installed in Internet Explorer and a DLL (u.dll) is injected into the explorer.exe process. Registry "Run" keys are set to launch two of the component executables at each boot. The default browser homepage setting is altered, default searches are redirected, and the default "page not found" page is replaced with one that includes search functionality. The software is set to "check in" every few days, which it does via the BHO when Internet Explorer is launched while an Internet connection is present.

While there is an uninstall entry created in the Add/Remove Programs control panel, it does not remove the application when instructed.  It simply proclaims success and the "Web Helper" entry is removed.  The BHO and toolbar remain installed.  No evident change in functionality was observed.

Similarly misleading is an option within one of the toolbar dropdown menus.  It is labeled "Remove Toolbar" which implies that the toolbar software will be removed.  However, selecting the option merely hides the toolbar.  It can be revealed again by right-clicking in the IE toolbar area and re-enabling "Search Toolbar" in the context menu.

Privacy

Links to the terms of use and privacy policy are available during installation, but the user is not required to view them for installation to take place.  Many rights are established in the Privacy Policy for SQWire to collect and store browsing data.

Link to full EULA: http://www.sqwire.com/conditions.html
Link to full Privacy Policy: http://www.sqwire.com/privacy.html

System Changes

The following folders are created in the user's Favorites, and many links are added within each (names may vary):

Entertainment
Finance
Free Stuff
Gambling
Inernet [sic]
Shopping

Files Added

The following files are added to C:\Program Files\Sqwire\

Name: ad.exe
Size: 28,672 bytes
MD5: CBC1013F96E5ACBEBC93E27A631C40BF

Name: cc.exe
Size: 49,152 bytes
MD5: 8EE6C84D1C6FC75DAB472CEBF8710B81

Name: m.dat
Size: 15,418 bytes
MD5: varies

Name: p.dat
Size: 13 bytes
MD5: varies

Name: s.dll
Size: 36,864 bytes
MD5: 8D5567C717F710236CDE7B2CCC026BDB

Name: t.dll
Size: 61,440 bytes
MD5: 7F67710CF6414CCEB49919528CEA4720

Name: tsl_rc0.dll
Size: 258,048 bytes
MD5: B858FF0A651221F67726CCBCD25C3F2D

Name: u.dll
Size: 45,056 bytes
MD5: B1DE87E4206D9EB6FF7697B1DE97E621

Name: uc.exe
Size: 32,768 bytes
MD5: AF1B82EF2B8F4E1D272433A109421AEA

Name: wa.dll
Size: 53,248 bytes
MD5: 13AB55EF82C9DD21DC0D81060007B904

The following 4 files are added to C:\WINDOWS\Downloaded Program Files\ and make up the ActiveX control that performs the software installation.

Name: SQInstaller.exe
Size: 65,536 bytes
MD5: 94CCBBDC8AC8C290450DD56EDFCC1B39

Name: SQLoader.dll
Size: 53,248 bytes
MD5: B25993273A07C1B4BFD25EAC0A78D829

Name: SQLoader.exe
Size: 24,576 bytes
MD5: 0DDB85998F1F33D7DAC39DA481D1A740

Name: SQLoader.inf
Size: 236 bytes

C:\WINDOWS\system32\sqwire.log
Size: varies

C:\WINDOWS\Temp\tsl_rc0_wrap.exe
Size: 229,376 bytes
MD5: F69BB21A599B33C4A3779FB5BC207CB8

C:\Program Files\Common Files\SQ\uwa.exe
Size: 24,576 bytes
MD5: FEEF5CA7356172E1AEB451D76B5A7809

Registry Changes (most significant/high-level)

Keys Added:

HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main
HKEY_CURRENT_USER\Software\SQ
HKEY_CLASSES_ROOT\CLSID\{2662BDD7-05D6-408F-B241-FF98FACE6054}
HKEY_CLASSES_ROOT\CLSID\{3C5BA506-6C30-4738-9CED-797ACADEA8DC}
HKEY_CLASSES_ROOT\CLSID\{57E69D5A-6539-4d7d-9637-775DE8A385B4}
HKEY_CLASSES_ROOT\CLSID\{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}
HKEY_CLASSES_ROOT\Interface\{1A8B567B-BD3F-44A1-8B94-F50D37A1914E}
HKEY_CLASSES_ROOT\Interface\{3ECE4A8F-98FE-4A3C-908D-D9304565A614}
HKEY_CLASSES_ROOT\Interface\{B8CFDC9E-E634-40E3-A51E-C097F23D53B9}
HKEY_CLASSES_ROOT\Interface\{D686DB39-659A-491A-A35C-60B99495C16E}
HKEY_CLASSES_ROOT\SQLoader.Loader
HKEY_CLASSES_ROOT\SQLoader.Loader.1
HKEY_CLASSES_ROOT\SQToolbar.Band
HKEY_CLASSES_ROOT\SQToolbar.Band.1
HKEY_CLASSES_ROOT\TypeLib\{118AF62F-21B1-4492-8111-C1A03C5E09CB}
HKEY_CLASSES_ROOT\TypeLib\{4D0AC936-BDE8-4EA2-B4FB-9F89E5B4C186}
HKEY_CLASSES_ROOT\TypeLib\{805AF2C8-98C7-4F3C-A7C9-25EBF27567F3}
HKEY_CLASSES_ROOT\TypeLib\{83B027C5-1489-4EC5-A290-47DA8058AC04}
HKEY_CLASSES_ROOT\TypeLib\{909E0059-F545-42DE-9D2C-CC4A3E336EC3}
HKEY_CLASSES_ROOT\TypeLib\{C6C2871F-7467-4A35-90FA-9E9894BC1916}
HKEY_CLASSES_ROOT\XTSearch.XTSearchHook
HKEY_CLASSES_ROOT\XTSearch.XTSearchHook.1
HKEY_CLASSES_ROOT\XTUpdate.XT
HKEY_CLASSES_ROOT\XTUpdate.XT.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3C5BA506-6C30-4738-9CED-797ACADEA8DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2662BDD7-05D6-408F-B241-FF98FACE6054}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SQLoader.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SQLoader.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sqwire

Values Added:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar"
Data:
http://www.sqwire.com/searchpage.php?aid=592

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks "{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}"
Data:

Note: 36 values related to configuration of the software are stored under the HKEY_CURRENT_USER\Software\SQ key.  Some of the most interesting are listed below.

HKEY_CURRENT_USER\Software\SQ "Change Home Page"
Data: Y
 
HKEY_CURRENT_USER\Software\SQ "Change IE Search button"
Data: Y

HKEY_CURRENT_USER\Software\SQ "SQTempFolder"
Data: C:\WINDOWS\Downloaded Program Files\

HKEY_CURRENT_USER\Software\SQ "SQVersion"
Data: Toolbar + WebAssistant

HKEY_CURRENT_USER\Software\SQ "ToolbarUninstalled"
Data: FALSE

HKEY_CURRENT_USER\Software\SQ "Updates List"
Data: s.dll|t.dll|u.dll|ad.exe|cc.exe|wa.dll|tsl_rc0.dll|

HKEY_CURRENT_USER\Software\SQ "WebAssistantUninstalled"
Data: FALSE

HKEY_CLASSES_ROOT\CLSID\{2662BDD7-05D6-408F-B241-FF98FACE6054}\InprocServer32 "(Default)"
Data: C:\Program Files\Sqwire\u.dll

HKEY_CLASSES_ROOT\CLSID\{3C5BA506-6C30-4738-9CED-797ACADEA8DC}\InprocServer32 "(Default)"
Data: C:\WINDOWS\Downloaded Program Files\SQLoader.dll

HKEY_CLASSES_ROOT\CLSID\{57E69D5A-6539-4d7d-9637-775DE8A385B4}\InprocServer32 "(Default)"
Data: C:\Program Files\Sqwire\t.dll

HKEY_CLASSES_ROOT\CLSID\{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}\InprocServer32 "(Default)"
Data: C:\Program Files\Sqwire\s.dll

HKEY_CLASSES_ROOT\TypeLib\{118AF62F-21B1-4492-8111-C1A03C5E09CB}\1.0\0\win32 "(Default)"
Data: C:\Program Files\Sqwire\tsl_rc0.dll

HKEY_CLASSES_ROOT\TypeLib\{4D0AC936-BDE8-4EA2-B4FB-9F89E5B4C186}\1.0\0\win32 "(Default)"
Data: C:\Program Files\Sqwire\t.dll

HKEY_CLASSES_ROOT\TypeLib\{805AF2C8-98C7-4F3C-A7C9-25EBF27567F3}\1.0\0\win32 "(Default)"
Data: C:\Program Files\Sqwire\wa.dll

HKEY_CLASSES_ROOT\TypeLib\{83B027C5-1489-4EC5-A290-47DA8058AC04}\1.0\0\win32 "(Default)"
Data: C:\WINDOWS\Downloaded Program Files\SQLoader.dll

HKEY_CLASSES_ROOT\TypeLib\{909E0059-F545-42DE-9D2C-CC4A3E336EC3}\1.0\0\win32 "(Default)"
Data: C:\Program Files\Sqwire\s.dll

HKEY_CLASSES_ROOT\TypeLib\{C6C2871F-7467-4A35-90FA-9E9894BC1916}\1.0\0\win32 "(Default)"
Data: C:\Program Files\Sqwire\u.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SQConfigChecker"
Data: C:\Program Files\Sqwire\cc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SQUpdatesChecker"
Data: C:\Program Files\Sqwire\uc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs "C:\WINDOWS\Downloaded Program Files\SQLoader.dll"
Data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs "C:\WINDOWS\Downloaded Program Files\SQLoader.exe"
Data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sqwire "DisplayName"
Data: Web Helper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sqwire "UninstallString"
Data: C:\Program Files\Common Files\SQ\uwa.exe
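As an added example (not part of the AVERT description), the following read-only PowerShell check looks for the files, registry entries and injected module described above on a Windows host. Paths, MD5 values and CLSIDs are taken from this description; the `$knownFiles`/`$regChecks` variable names and the `Path`/`Name` hashtable fields are my own, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example, not part of the AVERT description: read-only inventory of the
# artifacts listed above. It only reports findings; it removes or changes nothing.
$knownFiles = @{   # path -> MD5 from "Files Added" (files whose MD5 "varies" are omitted)
    'C:\Program Files\Sqwire\ad.exe'           = 'CBC1013F96E5ACBEBC93E27A631C40BF'
    'C:\Program Files\Sqwire\cc.exe'           = '8EE6C84D1C6FC75DAB472CEBF8710B81'
    'C:\Program Files\Sqwire\s.dll'            = '8D5567C717F710236CDE7B2CCC026BDB'
    'C:\Program Files\Sqwire\t.dll'            = '7F67710CF6414CCEB49919528CEA4720'
    'C:\Program Files\Sqwire\tsl_rc0.dll'      = 'B858FF0A651221F67726CCBCD25C3F2D'
    'C:\Program Files\Sqwire\u.dll'            = 'B1DE87E4206D9EB6FF7697B1DE97E621'
    'C:\Program Files\Sqwire\uc.exe'           = 'AF1B82EF2B8F4E1D272433A109421AEA'
    'C:\Program Files\Sqwire\wa.dll'           = '13AB55EF82C9DD21DC0D81060007B904'
    'C:\Program Files\Common Files\SQ\uwa.exe' = 'FEEF5CA7356172E1AEB451D76B5A7809'
}
# Persistence and browser hook points from the "Registry Changes" section.
# Name = $null means "report if the key itself exists".
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SQConfigChecker' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SQUpdatesChecker' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2662BDD7-05D6-408F-B241-FF98FACE6054}'; Name = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'; Name = '{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sqwire'; Name = 'DisplayName' }
    @{ Path = 'HKCU:\Software\SQ'; Name = 'Updates List' }
)

$findings = @()
foreach ($entry in $knownFiles.GetEnumerator()) {
    if (-not (Test-Path -LiteralPath $entry.Key)) { continue }
    $hash = (Get-FileHash -LiteralPath $entry.Key -Algorithm MD5).Hash   # -eq below is case-insensitive
    $note = if ($hash -eq $entry.Value) { 'MD5 matches AVERT listing' } else { "MD5 differs: $hash" }
    $findings += "FILE  $($entry.Key)  ($note)"
}
foreach ($c in $regChecks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    if ($null -eq $c.Name) { $findings += "REG   key present: $($c.Path)"; continue }
    $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) { $findings += "REG   $($c.Path) '$($c.Name)' = $($item.($c.Name))" }
}
# The description reports u.dll injected into explorer.exe; list any Sqwire module loaded there.
foreach ($proc in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.FileName -like 'C:\Program Files\Sqwire\*') { $findings += "PROC  explorer.exe (PID $($proc.Id)) loaded $($m.FileName)" }
        }
    } catch { Write-Warning "Could not enumerate modules of PID $($proc.Id): $_" }
}
if ($findings) { $findings } else { 'No Adware-Xupiter artifacts found.' }
```

Run it from an elevated prompt so the HKLM keys and explorer.exe module list are readable; a file that is present but whose MD5 differs from the listing is still worth treating as a finding, since the "Updates List" value shows these components are replaced by the software's own update mechanism.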

Network Impact

Additional overhead in bandwidth due to download of advertising content and software updates.

Aliases

N/A