Spyware Scan Details Start Date: 2005-04-13 15:16:09 End Date: 2005-04-13 15:27:53 Total Time: 11 mins 44 secs Detected Threats ShopAtHome Spyware more information... Details: ShopAtHome installs itself in the Winsock layer of your system and redirects your browser to merchant sites to take advantage of the affiliate fees. Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. Infected files detected d:\windows\system32\abasa5jrp.exe d:\windows\a95kfrhe.exe Infected registry keys/values detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run abasa5jrp HKEY_CLASSES_ROOT\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\ProxyStubClsid {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\TypeLib {52CACFDF-9170-46A9-AE2E-E594D324C72A} HKEY_CLASSES_ROOT\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\TypeLib Version 1.1 HKEY_CLASSES_ROOT\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc} ICExecute HKEY_LOCAL_MACHINE\software\classes\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8} HKEY_LOCAL_MACHINE\software\classes\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\ProxyStubClsid {00020420-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\software\classes\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\software\classes\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\TypeLib {52CACFDF-9170-46A9-AE2E-E594D324C72A} 
HKEY_LOCAL_MACHINE\software\classes\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\TypeLib Version 1.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run abasa5jrp HKEY_LOCAL_MACHINE\software\classes\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8} _ICExecuteEvents HKEY_LOCAL_MACHINE\software\classes\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc} HKEY_LOCAL_MACHINE\software\classes\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\ProxyStubClsid {00020424-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\software\classes\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\software\classes\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\TypeLib {52CACFDF-9170-46A9-AE2E-E594D324C72A} HKEY_LOCAL_MACHINE\software\classes\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}\TypeLib Version 1.1 HKEY_LOCAL_MACHINE\software\classes\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc} ICExecute HKEY_LOCAL_MACHINE\software\winsock2\layered provider sample HKEY_CLASSES_ROOT\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8} HKEY_CLASSES_ROOT\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\ProxyStubClsid {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\TypeLib {52CACFDF-9170-46A9-AE2E-E594D324C72A} HKEY_CLASSES_ROOT\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}\TypeLib Version 1.1 HKEY_CLASSES_ROOT\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8} _ICExecuteEvents HKEY_CLASSES_ROOT\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc} Xrenoder Browser Plug-in more information... Details: Xrenoder is a Trojan that resets your browsers home page and search settings redirecting it to affiliate sites. Xrenoder also displays adult content pop-up advertisements. 
Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. Infected registry keys/values detected HKEY_LOCAL_MACHINE\software\istsvc HKEY_LOCAL_MACHINE\software\istsvc popup_day_count 0 HKEY_LOCAL_MACHINE\software\istsvc popup_day_limit 2 HKEY_LOCAL_MACHINE\software\istsvc update_count 0 HKEY_LOCAL_MACHINE\software\istsvc update_version 1023 HKEY_LOCAL_MACHINE\software\istsvc config_count 1 HKEY_LOCAL_MACHINE\software\istsvc account_id 1000290 HKEY_LOCAL_MACHINE\software\istsvc app_date HKEY_LOCAL_MACHINE\software\istsvc popup_interval 14400 HKEY_LOCAL_MACHINE\software\istsvc popup_last HKEY_LOCAL_MACHINE\software\istsvc update_interval 86400 HKEY_LOCAL_MACHINE\software\istsvc version 1023 HKEY_LOCAL_MACHINE\software\istsvc update_last HKEY_LOCAL_MACHINE\software\istsvc config_interval 86400 HKEY_LOCAL_MACHINE\software\istsvc config_last HKEY_LOCAL_MACHINE\software\istsvc app_name istsvc.exe HKEY_LOCAL_MACHINE\software\istsvc popup_url http://www.ysbweb.com/ist/scripts/istsvc_ads_data.php HKEY_LOCAL_MACHINE\software\istsvc update_url http://www.ysbweb.com/ist/scripts/istsvc_update.php HKEY_LOCAL_MACHINE\software\istsvc config_url http://www.ysbweb.com/ist/scripts/istsvc_config.php HKEY_LOCAL_MACHINE\software\istsvc ui ED4A4DB2-CFAC-4e95-B322-5703D21AD243 HKEY_LOCAL_MACHINE\software\istsvc popup_initial_delay 600 HKEY_LOCAL_MACHINE\software\istsvc popup_count 0 WindUpdates Browser Plug-in more information... Details: WindUpdates downloads additional adware and displays pop-up advertising. Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. 
Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. Infected files detected d:\windows\system32\ide21201.vxd CoolWebSearch Browser Modifier more information... Details: CoolWebSearch is a wide range of browser redirection tools. All variants redirect you to specific Web sites. Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. Infected registry keys/values detected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} AvenueMedia.DyFuCA Browser Plug-in more information... Details: AvenueMedia DyFuCA Internet Optimizer is adware that changes your browser error page. It periodically displays pop-up advertisements from its remote sites and may update itself. Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. 
Infected files detected d:\windows\nem220.dll d:\documents and settings\radmin\temporary internet files\content.ie5\kt1vvs5o\nem220[1].dll Infected registry keys/values detected HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1\CLSID {00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Kapabout DComment YES HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1 BHObj Class HKEY_CLASSES_ROOT\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001} HKEY_CLASSES_ROOT\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\ProxyStubClsid {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\TypeLib {40B1D454-9CA4-43CC-86AA-CB175EAC52FB} HKEY_CLASSES_ROOT\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\TypeLib Version 1.0 HKEY_CLASSES_ROOT\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001} IBHObj HKEY_CLASSES_ROOT\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb} HKEY_CLASSES_ROOT\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\1.0\0\win32 D:\WINDOWS\nem220.dll HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj.1 HKEY_CLASSES_ROOT\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\1.0\FLAGS 0 HKEY_CLASSES_ROOT\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\1.0\HELPDIR D:\WINDOWS\ HKEY_CLASSES_ROOT\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\1.0 DyFuCA_BH 1.0 Type Library HKEY_CURRENT_USER\Software\Avenue Media HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 RawData HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 Data HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 DiffAll Yes HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 TimeStamp 
20041116000000 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 Version 2.2.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper Version 2.2.0 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper ModuleFileName D:\WINDOWS\nem220.dll HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper Options 1,URL Search Optimization,1 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 RawData HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 Data HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 DiffAll Yes HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 TimeStamp 20041116000000 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 Version 2.2.0 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper Version 2.2.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper ModuleFileName D:\WINDOWS\nem220.dll HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper Options 1,URL Search Optimization,1 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer TargetDir HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer TAC Yes HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer CLS wsi25 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer RID c01 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer Version 3.1.3 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer ServerVisited 29704220,1647060880 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer UpdateInterval 43200 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue 
Media\Internet Optimizer ID 1-759ae96b1081860e1fe42ad0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer InstallT 1113391869 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer remember[LLT] 1113391869 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer Conn 941,1 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 403 1024 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 404 1024 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 410 1024 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 500 1024 HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer PendingRemoval HKEY_LOCAL_MACHINE\software\avenue media HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper\cf1 RawData HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj.1 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper\cf1 Data HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper\cf1 DiffAll Yes HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper\cf1 TimeStamp 20041116000000 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper\cf1 Version 2.2.0 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper Version 2.2.0 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper ModuleFileName D:\WINDOWS\nem220.dll HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser Helper Options 1,URL Search Optimization,1 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer TargetDir HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer TAC Yes HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer CLS wsi25 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer RID c01 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer Version 3.1.3 
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer ServerVisited 29704220,1647060880 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer UpdateInterval 43200 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer ID 1-759ae96b1081860e1fe42ad0 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer InstallT 1113391869 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer remember[LLT] 1113391869 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer Conn 941,1 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 403 1024 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 404 1024 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 410 1024 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 500 1024 HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer PendingRemoval HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1\CLSID {00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 BHObj Class HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID {00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer DyFuCA_BH.BHObj.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj BHObj Class HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer Changed 0 HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\dyfuca 
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer DisplayIcon D:\Program Files\Internet Optimizer\optimize.exe HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer DisplayName Internet Optimizer HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer UninstallString "D:\Program Files\Internet Optimizer\optimize.exe" /u HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Kapabout HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Kapabout Comment IST.ISTbar Browser Modifier more information... Details: ISTbar is an Internet Explorer redirector that modifies your homepage and searches without your consent using an Internet Explorer toolbar. Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. 
Infected files detected d:\program\istsvc\istsvc.exe Infected folders detected d:\program\istsvc Infected registry keys/values detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IST Service HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\istsvc NoModify 1 HKEY_CURRENT_USER\software\ist HKEY_CURRENT_USER\software\ist InstallDate 2005-04-13 11:29:38 HKEY_CURRENT_USER\software\ist account_id 1000290 HKEY_CURRENT_USER\software\ist config ysb_l2b HKEY_CURRENT_USER\software\ist Recover !ZpHch֓&6A!_؈F1\#\e">zhwO&y q > HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\istsvc HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\istsvc DisplayName ISTsvc HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\istsvc UninstallString D:\PROGRAM\ISTSVC\ISTSVC.EXE /remove MoneyTree Dialer more information... Details: MoneyTree is an ActiveX installer control that downloads premium-rate dialers, primarily for adult content sites. On system startup MoneyTree attempts to connect to an adult content site. Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. 
Infected registry keys/values detected HKEY_CLASSES_ROOT\clsid\{00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\InprocServer32 ThreadingModel Apartment HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\ProgID DyFuCA_BH.BHObj.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\TypeLib {40B1D454-9CA4-43CC-86AA-CB175EAC52FB} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\VersionIndependentProgID DyFuCA_BH.BHObj HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} BHObj Class HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_CLASSES_ROOT\clsid\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\InprocServer32 D:\WINDOWS\nem220.dll HKEY_CLASSES_ROOT\clsid\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\InprocServer32 ThreadingModel Apartment HKEY_CLASSES_ROOT\clsid\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\ProgID DyFuCA_BH.BHObj.1 HKEY_CLASSES_ROOT\clsid\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\TypeLib {40B1D454-9CA4-43CC-86AA-CB175EAC52FB} HKEY_CLASSES_ROOT\clsid\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\VersionIndependentProgID DyFuCA_BH.BHObj HKEY_CLASSES_ROOT\clsid\{00000010-6F7D-442C-93E3-4A4827C2E4C8} BHObj Class HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\InprocServer32 D:\WINDOWS\nem220.dll NCase Browser Modifier more information... Details: NCase is adware that looks for known URLs and keywords in URLs, and displays pop-up advertisements targeted at related Web sites. nCase also periodically opens non-targeted pop-up advertisements while you are using Internet Explorer. 
Status: Ignored Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. Infected files detected d:\temp\salm.exe Infected registry keys/values detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run salm HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run salm Twain Tech Adware more information... Details: Twain Tech is an adware based Internet Explorer browser helper object that displays targeted advertisements based on your browsing patterns. Status: Ignored High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer. Infected registry keys/values detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Internet Optimizer IST.XXXToolbar Toolbar more information... Details: XXXToolbar is an adult content adware search toolbar for Internet Explorer. XXXToolbar displays pop-up advertisements. Status: Ignored High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer. 
Infected files detected d:\program\istsvc\istsvc.exe Infected registry keys/values detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IST Service HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IST Service HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IST Service HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IST Service IST.SideFind Adware more information... Details: SideFind installs an adware Internet Explorer browser helper object that installs some extra buttons. Status: Ignored High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer. Infected files detected d:\program\sidefind\sfbho.dll d:\program\sidefind\sfexd001 d:\program\sidefind\sidefind.dll d:\documents and settings\radmin\temporary internet files\content.ie5\kt1vvs5o\sidefind13[1].dll d:\documents and settings\radmin\temporary internet files\content.ie5\rkt4onf4\sfbho13[1].dll d:\documents and settings\radmin\temporary internet files\content.ie5\rkt4onf4\sidefind[1].exe d:\program\sidefind\update\sidefind.exe d:\windows\temp\sidefind.exe Infected folders detected d:\program\sidefind d:\program\sidefind\update Infected registry keys/values detected HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_CLASSES_ROOT\SideFind.Finder.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideFind.Finder.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_CLASSES_ROOT\SideFind.Finder.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideFind.Finder.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1 HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_CLASSES_ROOT\SideFind.Finder.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideFind.Finder.1 HKEY_CLASSES_ROOT\clsid\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_CLASSES_ROOT\clsid\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32 D:\Program\SideFind\sidefind.dll HKEY_CLASSES_ROOT\clsid\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32 ThreadingModel Apartment HKEY_CLASSES_ROOT\clsid\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\ProgID SideFind.Finder.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 HKEY_CLASSES_ROOT\clsid\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\TypeLib {58634367-D62B-4C2C-86BE-5AAC45CDB671} HKEY_CLASSES_ROOT\clsid\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\VersionIndependentProgID SideFind.Finder HKEY_CLASSES_ROOT\clsid\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} SideFind HKEY_CLASSES_ROOT\clsid\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_CLASSES_ROOT\clsid\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32 D:\Program\SideFind\sfbho.dll HKEY_CLASSES_ROOT\clsid\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32 ThreadingModel Both HKEY_CLASSES_ROOT\clsid\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\ProgID BrowserHelperObject.BAHelper.1 HKEY_CLASSES_ROOT\clsid\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\TypeLib {D0288A41-9855-4A9B-8316-BABE243648DA} 
HKEY_CLASSES_ROOT\clsid\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\VersionIndependentProgID BrowserHelperObject.BAHelper HKEY_CLASSES_ROOT\clsid\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} BAHelper Class HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} BarSize HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1\CLSID {A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 BAHelper Class HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID {A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper BAHelper Class HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32 D:\Program\SideFind\sidefind.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32 ThreadingModel Apartment HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\ProgID SideFind.Finder.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\TypeLib {58634367-D62B-4C2C-86BE-5AAC45CDB671} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\VersionIndependentProgID SideFind.Finder 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} SideFind HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32 D:\Program\SideFind\sfbho.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32 ThreadingModel Both HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\ProgID BrowserHelperObject.BAHelper.1 HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\TypeLib {D0288A41-9855-4A9B-8316-BABE243648DA} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\VersionIndependentProgID BrowserHelperObject.BAHelper HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} BAHelper Class HKEY_LOCAL_MACHINE\Software\Classes\SideFind.Finder.1 HKEY_LOCAL_MACHINE\Software\Classes\SideFind.Finder.1\CLSID {8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_LOCAL_MACHINE\Software\Classes\SideFind.Finder.1 SideFind HKEY_LOCAL_MACHINE\Software\Classes\SideFind.Finder HKEY_LOCAL_MACHINE\Software\Classes\SideFind.Finder\CLSID {8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_LOCAL_MACHINE\Software\Classes\SideFind.Finder\CurVer SideFind.Finder.1 HKEY_LOCAL_MACHINE\Software\Classes\SideFind.Finder SideFind HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} Default Visible Yes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} ButtonText SideFind HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} HotIcon 
D:\Program\SideFind\sidefind.dll,201 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} Icon D:\Program\SideFind\sidefind.dll,201 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} CLSID {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} BandCLSID {8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_LOCAL_MACHINE\Software\Microsoft\SideFind HKEY_LOCAL_MACHINE\Software\Microsoft\SideFind webautosearch true HKEY_LOCAL_MACHINE\Software\Microsoft\SideFind shoppingautosearch true HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind DisplayName SideFind HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind UninstallString "D:\Program\Sidefind\update\sidefind.exe" /remove HKEY_LOCAL_MACHINE\SOFTWARE\SideFind HKEY_LOCAL_MACHINE\SOFTWARE\SideFind account_id 106 HKEY_LOCAL_MACHINE\SOFTWARE\SideFind PathBHO D:\Program\SideFind\sfbho.dll HKEY_LOCAL_MACHINE\SOFTWARE\SideFind PathDLL D:\Program\SideFind\sidefind.dll HKEY_LOCAL_MACHINE\SOFTWARE\SideFind PathXML D:\Program\SideFind\sfexd001 HKEY_LOCAL_MACHINE\SOFTWARE\SideFind PathEXE D:\Program\Sidefind\update\sidefind.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} HKEY_LOCAL_MACHINE\SOFTWARE\SideFind InstallDate 2005-04-13 11:33:36 HKEY_LOCAL_MACHINE\SOFTWARE\SideFind SearchSite http://www.sidefind.com/results.php?target=_external& HKEY_LOCAL_MACHINE\SOFTWARE\SideFind update 1113478420 
HKEY_LOCAL_MACHINE\SOFTWARE\SideFind ver 1.3
HKEY_LOCAL_MACHINE\SOFTWARE\SideFind IntervalBetweenShows 240

YourSiteBar (Spyware)
Details: YourSiteBar, from IST, the makers of numerous spyware threats, is an affiliate-based marketing toolbar.
Status: Ignored
High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May use a security flaw in the operating system to gain access to your computer.
Infected files detected
d:\Program\YourSiteBar\ysb.dll
d:\documents and settings\radmin\temporary internet files\content.ie5\rkt4onf4\ysb[1].dll
d:\program\yoursitebar\imagemap_normal.bmp
d:\program\yoursitebar\version.txt
d:\program\yoursitebar\yoursitebar.xml
Infected folders detected
d:\program\yoursitebar
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}\InprocServer32 D:\Program\YOURSI~1\ysb.dll
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}\ProgID Ysb.YsbObj.1
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}\TypeLib {86227D9C-0EFE-4f8a-AA55-30386A3F5686}
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}\VersionIndependentProgID Ysb.YsbObj
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} YourSiteBar
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\YourSiteBar
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\YourSiteBar DisplayName YourSiteBar
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\YourSiteBar UninstallString regsvr32 /u /s "D:\Program\YourSiteBar\ysb.dll"
HKEY_CLASSES_ROOT\Ysb.YsbObj.1
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\YourSiteBar Publisher Integrated Seach Technologies
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\YourSiteBar URLInfoAbout http://www.ysbweb.com
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\YourSiteBar HelpLink http://www.ysbweb.com
HKEY_LOCAL_MACHINE\Software\YourSiteBar
HKEY_LOCAL_MACHINE\Software\YourSiteBar\Historyfiles D:\Program\YOURSI~1\yoursitebar.xml 1
HKEY_LOCAL_MACHINE\Software\YourSiteBar\Historyfiles D:\Program\YOURSI~1\imagemap_normal.bmp 1
HKEY_LOCAL_MACHINE\Software\YourSiteBar\Historyfiles D:\Program\YOURSI~1\version.txt 1
HKEY_LOCAL_MACHINE\Software\YourSiteBar installTitle YourSiteBar
HKEY_LOCAL_MACHINE\Software\YourSiteBar serverpath http://www.ysbweb.com/ysb/xml/1000290/
HKEY_LOCAL_MACHINE\Software\YourSiteBar urlAfterInstall http://www.ysbweb.com/install/welcome.html
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ysb.YsbObj.1
HKEY_LOCAL_MACHINE\Software\YourSiteBar gUpdate 0
HKEY_LOCAL_MACHINE\Software\YourSiteBar TBRowMode 0
HKEY_LOCAL_MACHINE\Software\YourSiteBar yoursitebar.xml -1743961026
HKEY_LOCAL_MACHINE\Software\YourSiteBar imagemap_normal.bmp -1294052106
HKEY_LOCAL_MACHINE\Software\YourSiteBar showcorrupted 1
HKEY_LOCAL_MACHINE\Software\YourSiteBar updatever
HKEY_LOCAL_MACHINE\Software\YourSiteBar refreshscope 1440
HKEY_LOCAL_MACHINE\Software\YourSiteBar allowupdate 0
HKEY_LOCAL_MACHINE\Software\YourSiteBar LastCheckTime 1113391868
HKEY_LOCAL_MACHINE\Software\YourSiteBar version.txt -186917087
HKEY_LOCAL_MACHINE\Software\YourSiteBar UpdateBegin 0

TargetSaver (Trojan Downloader)
Details: TargetSaver is a process that runs at Windows startup and opens pop-ups.
Status: Ignored
High threat
Infected files detected
d:\documents and settings\radmin\temporary internet files\content.ie5\1o4rdwnn\targetsaver[1].exe
d:\windows\temp\targetsaver.exe

Unclassified.Spyware.47 (Spyware)
Status: Ignored
High threat
Infected files detected
d:\windows\system32\hochkaod3.exe
d:\windows\system32\qh4mkbv9.dll

WindUpdates.MediaAccess (Adware)
Status: Ignored
High threat
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}
HKEY_LOCAL_MACHINE\Software\Media Access track 0
HKEY_LOCAL_MACHINE\Software\Media Access reqcount 6
HKEY_LOCAL_MACHINE\Software\Media Access DownloadPath \temp
HKEY_LOCAL_MACHINE\Software\Media Access Language en
HKEY_LOCAL_MACHINE\Software\Media Access
HKEY_LOCAL_MACHINE\Software\Media Access LastUpdate 1113392172
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Media Access
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Media Access
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Media Access UninstallString D:\Program Files\Media Access\MediaAccess.exe /Remove
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Media Access DisplayName Media Access
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32 D:\PROGRA~1\MEDIAA~1\MEDIAA~2.EXE
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\ProgID MediaAccess.Installer
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\TypeLib {15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\VersionIndependentProgID MediaAccess.Installer
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C} Installer Class
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C} AppID {735C5A0C-F79F-47A1-8CA1-2A2E482662A8}
HKEY_LOCAL_MACHINE\Software\Media Access param ca7502ece0f192d7d470d26a813ed3d012e9961e40fc6237:6233303864386130373065636634663062366430336632386131633766356235

Unclassified.Spyware.57 (Spyware)
Status: Ignored
High threat
Infected files detected
d:\windows\reqeei.exe
d:\documents and settings\radmin\temporary internet files\content.ie5\kt1vvs5o\istrecover[1].exe
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run eWMj

AdDestroyer (Adware)
Details: AdDestroyer is promoted as a spyware remover. However, it sets itself to run when you start the computer and remains memory-resident. When it runs, the software periodically attempts to contact a server to download updates and instructions.
Status: Ignored
High threat
Infected files detected
D:\Program\AdDestroyer\AdDestroyer.exe
D:\Documents and Settings\radmin\Start-meny\Program\Autostart\AdDestroyer.lnk
d:\windows\system32\popoops2.dll
d:\windows\system32\popoops.dll
d:\program\vbouncer\addestroyerinner.exe
d:\windows\system32\swlad1.dll
d:\windows\system32\swlad2.dll
d:\program\addestroyer\addestroyer.wav
Infected folders detected
d:\program\addestroyer
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}
HKEY_CLASSES_ROOT\clsid\{417386C3-8D4A-4611-9B91-E57E89D603AC}
HKEY_CLASSES_ROOT\clsid\{417386C3-8D4A-4611-9B91-E57E89D603AC}\InprocServer32 D:\WINDOWS\system32\PopOops2.dll
HKEY_CLASSES_ROOT\clsid\{417386C3-8D4A-4611-9B91-E57E89D603AC}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{417386C3-8D4A-4611-9B91-E57E89D603AC}\ProgID PopOops2.PopOops
HKEY_CLASSES_ROOT\clsid\{417386C3-8D4A-4611-9B91-E57E89D603AC}\TypeLib {D0C29A75-7146-4737-98EE-BC4D7CF44AF9}
HKEY_CLASSES_ROOT\clsid\{417386C3-8D4A-4611-9B91-E57E89D603AC}\VERSION 7.0
HKEY_CLASSES_ROOT\clsid\{417386C3-8D4A-4611-9B91-E57E89D603AC} PopOops2.PopOops
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\AdDestroyer\Settings
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\AdDestroyer\Settings DistID 2706040823
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\AdDestroyer\Settings InDate 2005-04-13 13:36:15
HKEY_CLASSES_ROOT\PopOops2.PopOops
HKEY_CURRENT_USER\software\vb and vba program settings\addestroyer
HKEY_CURRENT_USER\software\vb and vba program settings\addestroyer\Settings DistID 2706040823
HKEY_CURRENT_USER\software\vb and vba program settings\addestroyer\Settings InDate 2005-04-13 13:36:15
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\addestroyer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\addestroyer Changed 0
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\addestroyer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\addestroyer DisplayName AdDestroyer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\addestroyer UninstallString D:\Program\AdDestroyer\UNWISE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopOops2.PopOops
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}
HKEY_CLASSES_ROOT\SWLAD1.SWLAD
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SWLAD1.SWLAD

IST.SlotchBar (Toolbar)
Details: Slotch Bar is an adware toolbar program for affiliates to distribute on sites. Affiliates get paid per install of the toolbar.
Status: Ignored
High threat
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTsvc Changed 0

IEPlugin (Spyware)
Details: IEPlugin is an Internet Explorer browser helper object that monitors URLs, content entered into forms, and local filenames, and displays pop-up advertisements.
Status: Ignored
High threat
Infected registry keys/values detected
HKEY_CURRENT_USER\Software\salm
HKEY_CURRENT_USER\Software\salm key_file 480
HKEY_CURRENT_USER\Software\salm kw_last_chunk 1
HKEY_LOCAL_MACHINE\SOFTWARE\salm
HKEY_LOCAL_MACHINE\SOFTWARE\salm did 2229
HKEY_LOCAL_MACHINE\SOFTWARE\salm duid 490xrvzmpdgcdgypvrreemofunmgtf
HKEY_LOCAL_MACHINE\SOFTWARE\salm partner_id 389089265
HKEY_LOCAL_MACHINE\SOFTWARE\salm product_id 2229
HKEY_LOCAL_MACHINE\SOFTWARE\salm mt1 012C50C52D628126490CDB9CE2A5D486BD687F52E67C216DDEF9295E601A7EC223
HKEY_LOCAL_MACHINE\SOFTWARE\salm mt2 016C0963431C0EACBE83E08F293A4AB1730A6A9806
HKEY_LOCAL_MACHINE\SOFTWARE\salm mt3 01F57C40A59991506ABA1BF3127E6C947EE6843CDF
HKEY_CURRENT_USER\Software\salm last_conn_h 29704224
HKEY_LOCAL_MACHINE\SOFTWARE\salm gma 1
HKEY_LOCAL_MACHINE\SOFTWARE\salm gvi 1
HKEY_LOCAL_MACHINE\SOFTWARE\salm gpi 1
HKEY_LOCAL_MACHINE\SOFTWARE\salm boom
HKEY_LOCAL_MACHINE\SOFTWARE\salm boom_ver 1
HKEY_CURRENT_USER\Software\salm last_conn_l 639268640
HKEY_CURRENT_USER\Software\salm we 2
HKEY_CURRENT_USER\Software\salm TimeOffset -25184
HKEY_CURRENT_USER\Software\salm action_url_version 50
HKEY_CURRENT_USER\Software\salm action_url_last_chunk 0
HKEY_CURRENT_USER\Software\salm action_url_last_full_version 50

Virtual Bouncer (Adware)
Details: Virtual Bouncer claims to be a spyware remover, and it actually detects a few.
Status: Ignored
Moderate threat - Moderate threats may profile users' online habits or broadcast data back to a server with 'opt-out' permission. In most cases this type of threat is more along the lines of commercial adware that offers a premium service in exchange for tracking your online activity.
Infected files detected
D:\Program\VBouncer\VirtualBouncer.exe
d:\program\vbouncer\virtualbounceruninstaller.exe
d:\program\vbouncer\instr\21.xml
d:\windows\system32\swrt01.dll
d:\program\vbouncer\addestroyerinner.exe
d:\program\vbouncer\bundleouter.exe
d:\program\vbouncer\chilkatzip.dll
d:\program\vbouncer\procmanager.exe
d:\program\vbouncer\swsettings.xml
d:\program\vbouncer\user.xml
d:\program\vbouncer\vbouncerinner.exe
Infected folders detected
d:\program\vbouncer
d:\program\vbouncer\instr
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VBouncer
HKEY_CLASSES_ROOT\ChilkatZip.ChilkatZipEntry2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatZip.ChilkatZipEntry2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8551311D-F3BF-4718-AD66-96E302500735}
HKEY_CLASSES_ROOT\ChilkatZip.ChilkatZipEntry.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatZip.ChilkatZipEntry.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CE23505D-68FB-4C49-AE4B-D4F1CF86A2C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB90DEA9-0897-4B02-9FE0-1E321A22EAB0}
HKEY_CLASSES_ROOT\ChilkatZip.ChilkatZip2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatZip.ChilkatZip2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB92433D-1902-4789-BAFC-B46B0DCDEBB7}
HKEY_CLASSES_ROOT\ChilkatZip.ChilkatZip.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatZip.ChilkatZip.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC352548-52B5-41AC-B8C1-8CB561ECF7AD}
HKEY_CLASSES_ROOT\ChilkatZip.ChilkatEnum.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatZip.ChilkatEnum.1
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings DistID 2706040823
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings InDate 2005-04-13 13:36:15
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings DestroyPopups False
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings DestroyActiveXDownloads False
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings PromtForRemovals False
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings SecurityLevel 0
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings ScanFrequency 0
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer\Settings DistID 2706040823
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer\Settings InDate 2005-04-13 13:36:15
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer\Settings DestroyPopups False
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer\Settings DestroyActiveXDownloads False
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer\Settings PromtForRemovals False
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer\Settings SecurityLevel 0
HKEY_CURRENT_USER\software\vb and vba program settings\vbouncer\Settings ScanFrequency 0
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\virtual bouncer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\virtual bouncer DisplayName Virtual Bouncer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\virtual bouncer UninstallString D:\Program\VBouncer\VirtualBouncerUninstaller.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}
HKEY_CLASSES_ROOT\SWRT01.RT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SWRT01.RT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18BBDF4D-611D-41CE-A7E7-B2DD23C250D1}

180search Assistant (Adware)
Details: 180search Assistant displays pop-up advertisements.
Status: Ignored
Moderate threat
Infected files detected
d:\windows\uxwjal.exe
d:\documents and settings\radmin\temporary internet files\content.ie5\rkt4onf4\ncase_new[1].exe
d:\program\180solutions\sais.exe
d:\temp\fleok\salm.exe
d:\program\180solutions\sais.log
Infected folders detected
d:\program\180solutions
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uxwjal
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm DisplayName Uninstall 180search Assistant
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm UninstallString d:\temp\salm.exe /uninst_simple_init=y
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm DisplayIcon d:\temp\salm.exe,0

Detected Spyware Cookies
No spyware cookies were found during this scan.
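Every entry above is marked Status: Ignored, so nothing listed was removed, and the registry listings show exactly how each component gets loaded: a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run starts an EXE at logon (abasa5jrp, Media Access, eWMj, VBouncer, uxwjal), a CLSID under Browser Helper Objects or Internet Explorer\Extensions makes Internet Explorer load a DLL, the InprocServer32 or LocalServer32 data under a CLSID is the file COM resolves that class to, and a .lnk in the Startup folder (here the Swedish "Autostart") launches at logon. The script below is an added example, not part of the scan report or the scanner vendor's tooling: it parses a constructed excerpt of the report (one item per line, a "Name (Type)" header per threat, which is an assumed layout) and pulls out those load mechanisms plus the file paths to sweep other hosts for. The mechanism labels (run-key, bho, ie-extension, com-server, startup-folder) are names chosen here.

```python
"""Triage an anti-spyware scan report into persistence indicators and file IOCs.
Added example, not the scanner vendor's code; SAMPLE_REPORT is a constructed excerpt
of the report above, one item per line with an assumed "Name (Type)" header per threat."""
import re

SAMPLE_REPORT = r"""
SideFind (Spyware)
Status: Ignored
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} BandCLSID {8CBA1B49-8144-4721-A7B1-64C578C9EED7}
YourSiteBar (Spyware)
Status: Ignored
Infected files detected
d:\Program\YourSiteBar\ysb.dll
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}\InprocServer32 D:\Program\YOURSI~1\ysb.dll
HKEY_CLASSES_ROOT\clsid\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}\InprocServer32 ThreadingModel Apartment
WindUpdates.MediaAccess (Adware)
Status: Ignored
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Media Access
HKEY_CLASSES_ROOT\clsid\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32 D:\PROGRA~1\MEDIAA~1\MEDIAA~2.EXE
AdDestroyer (Adware)
Status: Ignored
Infected files detected
D:\Documents and Settings\radmin\Start-meny\Program\Autostart\AdDestroyer.lnk
180search Assistant (Adware)
Status: Ignored
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uxwjal
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run uxwjal
"""

THREAT_RE = re.compile(
    r"^(?!HKEY_|[A-Za-z]:\\)(?P<name>.+?) \((?P<kind>Spyware|Adware|Toolbar|Trojan Downloader)\)$")
SECTIONS = {"Infected files detected": "files", "Infected folders detected": "folders",
            "Infected registry keys/values detected": "registry"}
# Only well-formed items are kept, so Status:/Details: lines and trailer text are ignored.
ITEM_RE = {"files": re.compile(r"^[A-Za-z]:\\"), "registry": re.compile(r"^HKEY_")}
ITEM_RE["folders"] = ITEM_RE["files"]
GUID = r"\{[0-9A-F-]+\}"
# Registry artefacts that cause the component to load; first matching mechanism per line wins.
REGISTRY_MECHANISMS = [
    ("run-key", re.compile(r"\\CurrentVersion\\Run (?P<ind>.+)$", re.I)),
    ("bho", re.compile(r"\\Browser Helper Objects\\(?P<ind>" + GUID + ")", re.I)),
    ("ie-extension", re.compile(r"\\Internet Explorer\\Extensions\\(?P<ind>" + GUID + ")", re.I)),
    # The server data is the DLL/EXE COM loads for the CLSID; ThreadingModel under the same key is not a path.
    ("com-server", re.compile(r"\\CLSID\\" + GUID + r"\\(?:Inproc|Local)Server32 "
                              r"(?P<ind>(?!ThreadingModel\b).+)$", re.I)),
]
# Shortcut in the Startup folder (English name, and the Swedish "Autostart" seen in the report).
STARTUP_LNK_RE = re.compile(r"\\(?:Startup|Autostart)\\[^\\]+\.lnk$", re.I)


def parse_report(text):
    """One {name, kind, files, folders, registry} dict per threat; repeated items are dropped."""
    threats, current, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := THREAT_RE.match(line):
            current = {"name": m["name"], "kind": m["kind"], "files": [], "folders": [], "registry": []}
            threats.append(current)
            section = None
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif current and section and ITEM_RE[section].match(line) and line not in current[section]:
            current[section].append(line)
    return threats


def persistence_indicators(threats):
    """(threat, mechanism, indicator) for each artefact that makes the component load."""
    found = []
    for t in threats:
        for key in t["registry"]:
            for mech, rx in REGISTRY_MECHANISMS:
                if m := rx.search(key):
                    found.append((t["name"], mech, m["ind"]))
                    break
        found += [(t["name"], "startup-folder", p) for p in t["files"] if STARTUP_LNK_RE.search(p)]
    return found


def file_iocs(threats):
    """Lower-cased paths to sweep other hosts for: dropped files plus COM server targets.
    8.3 short names such as PROGRA~1 are kept as printed; expand them on the host you check."""
    paths = {p.lower() for t in threats for p in t["files"]}
    paths |= {i.lower() for _, mech, i in persistence_indicators(threats) if mech == "com-server"}
    return sorted(paths)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for name, mech, indicator in persistence_indicators(report):
        print(f"{name:24} {mech:15} {indicator}")
    print("file IOCs:", *file_iocs(report), sep="\n  ")
```

The ThreadingModel line under the YourSiteBar CLSID is the edge case worth noting: it sits under the same InprocServer32 key as the DLL path, so a naive "anything after InprocServer32" rule would report "ThreadingModel Apartment" as a file. Duplicate registry lines, which this scanner prints several times for the same Run value, collapse to one indicator.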