2Search

2Search is adware which will silently connect to remote server when using Internet Explorer, and manipulates search engine results.

2search is typically installed to the folder <Program Files>\2search, and ,depending on the version, the following files created:

<Program Files>\2search\2search.dll or <Program Files>\2search\plugin.dll
<Program Files>\2search\get.exe
<Program Files>\2search\main.exe
<Program Files>\2search\uninstall.exe

A file <System>\up?00.exe, where ? is a version number, currently ranging from 2 to 4, may also be created.

The following registry entry is created to run main.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2Search
<Program Files>\2search\main.exe

The dll file is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, typcially creating registry entries under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(4508E20C-ACAD-11D2-9FC0-00550076E06F)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(4508E20C-ACAD-11D2-9FC0-00550076E06F)
HKCR\CLSID\(4508E20C-ACAD-11D2-9FC0-00550076E06F)
HKCR\GoogleCatch.clsIESpy\
HKCR\Interface\(9C33138E-0581-4C28-A943-BC238A68208C)
HKCR\Interface\(F79A1360-2754-43F3-8297-8A39408BE2BF)
HKCR\TypeLib\(4508E20A-ACAD-11D2-9FC0-00550076E06F)

The following registry entry is set:

HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow
*.hottestgames.net

Registry entries are created under:

HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2search\

2search provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "Uninstall 2search".