MS Antispyware ideas

Microsoft Antivirus Discussions
Posted by -Karl on August 13, 2005, 11:02 am
Not sure where the official group is to post this so I apologize in
advance.

I have the latest version of your spyware tool and while it's nice, it
could really use some work on a few things.

The biggest issue is that it isn't designed to prompt you that there is
an application trying to run (much like a firewall prompts you when an
app tries to access the internet). This is a critical piece of
information that we need to see. No application should be allowed to
execute w/o being known about and allowed/denied. I have proven that
your software doesn't work with all the known spyware that it can catch
(odd isn't it?). I had the pleasure of d/l a trojan app (not virus,
just loaded with spyware) and while some of the spyware was detected
and stopped, I had to go back and rerun my tools several times to stop
the rest (log below). Please make it so that there is a DB that we can
use to allow / deny applications from running BEFORE they can run!!!


The second piece to my dilemma is that your tool doesn't lock down the
folders / files / registry entries to prevent future issues! I finally
had to make an app to do just that! I remove ALL the entries in the
registry, empty out the folders on my PC, delete the files in my
windows folder and replace them with a text file that has the same name
then go back and change NTFS/registry permissions. I remove every
account so NOTHING/NO ONE has any ability to them. Only issue I see is
when they become smart enough to change the OWNERSHIP themselves.
Sadly, these tools are in your own applications / support tools so I
can only imagine these bastards are looking at the tools now!

======================================================================
Here is my log of known spyware that your tool DID NOT STOP when the
trojan app ran.

ShopAtHome Spyware more information...
Details: ShopAtHome installs an agent in the Winsock layer of your
computer. This redirects your Web browser to merchant sites affiliated
with ShopAtHome rather than the Web sites you type in or click.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm,
such as a security exploit, and should be removed.

Infected files detected
E:\WINDOWS\shop1004.exe
s:\user\shop1004.exe

Infected registry keys/values detected


AvenueMedia.DyFuCA Browser Plug-in more information...
Details: AvenueMedia DyFuCA Internet Optimizer is adware that changes
your browser error page. It periodically displays pop-up advertisements
from its remote sites and may update itself.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm,
such as a security exploit, and should be removed.

Infected files detected
E:\Program Files\Internet Optimizer\optimize.exe
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5pkn8hip\optimize314[1].exe
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5\kni345it\nem220[1].dll
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5\kpu96pyh\tct101[1].dll
e:\program files\internet optimizer\update\optimize314.exe
e:\windows\nem220.dll
e:\windows\optimize.exe
e:\windows\tct101.dll

Infected folders detected
e:\program files\internet optimizer
e:\program files\internet optimizer\update

Infected registry keys/values detected


MoneyTree Dialer more information...
Details: MoneyTree is an ActiveX installer control that downloads
premium-rate dialers, primarily for adult content sites. On system
startup MoneyTree attempts to connect to an adult content site.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm,
such as a security exploit, and should be removed.

Infected registry keys/values detected


Transponder.ABetterInternet Adware more information...
Details: ABetterInternet displays advertisements based on the Web sites
you visit.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5\kni345it\abiuninst[1].exe

Infected registry keys/values detected


180Solutions.SearchAssistant Adware more information...
Details: 180Solutions.SearchAssistant displays pop-up advertisments
based on your browsing activity.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\downloaded program files\clientax.dll


Topconverting.Crazywinnings Adware more information...
Details: Topconverting Crazywinnings installs via online games through
ActiveX drive-by-download.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TPUSN
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TPUSN TPUSN_once 1


SearchMiracle.EliteBar Browser Plug-in more information...
Details: SearchMiracle.EliteBar adds a search redirection toolbar to
Internet Explorer called Elite Bar.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected

Infected folders detected
e:\documents and settings\karl\favorites\casino & carrers
e:\documents and settings\karl\favorites\finances & business
e:\documents and settings\karl\favorites\health & insurance
e:\documents and settings\karl\favorites\homelife & travel
e:\windows\elitetoolbar
e:\windows\elitetoolbar\xml
e:\windows\elitetoolbar\xml\categories
e:\windows\elitetoolbar\xml\images

Infected registry keys/values detected


eXact.CashBack Adware more information...
Details: CashBack is part of BargainBuddy adware that displays pop-up
advertisements.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected registry keys/values detected


eXact.BullseyeNetwork Adware more information...
Details: eXact.BullseyeNetwork displays pop-up advertisements.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\program files\bullseye network\bin\adv.exe
e:\program files\bullseye network\bin\adx.exe
e:\program files\bullseye network\ad.dat
e:\program files\bullseye network\index.dat
e:\program files\bullseye network\ub.dat
e:\program files\bullseye network\uninstall.exe
e:\program files\bullseye network\bin\bargains.exe

Infected folders detected
e:\program files\bullseye network
e:\program files\bullseye network\bin

Infected registry keys/values detected


eXact.Downloader Trojan Downloader more information...
Details: eXact Downloader is a Trojan used by eXact Bargain Buddy and
Cash Back to download and install additional components.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\system32\javexulm.vxd
e:\windows\system32\mqexdlm.srg
e:\windows\installer_siac.exe
e:\windows\system32\exclean.exe
e:\windows\system32\exul.exe
e:\windows\system32\exul1.exe
e:\windows\system32\msbe.dll

Infected registry keys/values detected


SurfSideKick Settings Modifier more information...
Details: SurfSideKick downloads and displays advertisements
Status: Quarantined
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\documents and settings\karl\application data\sskknwrd.dll
e:\windows\ssk3_b5.exe
e:\program files\surfsidekick 3\ssk.exe
e:\program files\surfsidekick 3\sskbho.dll
e:\program files\surfsidekick 3\sskcore.dll

Infected folders detected
e:\program files\surfsidekick 3

Infected registry keys/values detected


Transponder.ABetterInternet.Aurora Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\abiuninst.htm

Infected registry keys/values detected


Transponder.ABetterInternet.DrPMon Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\system32\drpmon.dll


eXact.BargainBuddy Adware more information...
Details: BargainBuddy is a Browser Helper Object that watches the pages
your browser requests and the terms you enter into a search engine web
form. If a term matches a preset list of sites or keywords,
BargainBuddy will display an ad.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\system32\msbe.dll

Infected registry keys/values detected


eXact.SearchBar Browser Plug-in more information...
Details: eXactSearchBar is an Internet Explorer toolbar with standard
search features that performs targeted advertising based on the
computer usage and the URLs associated with Web pages.
Status: Removed
Elevated threat - Elevated-risk items have some potential for harm.
Users should review such programs and remove them if unwanted.

Infected registry keys/values detected


Posted by Mike Hall (MS-MVP) on August 13, 2005, 11:24 am
Karl

None of the spyware busters catch everything, which is why we have to run
more than one.. the spyware authors are continually altering the way that
their 'product' works, and the best that the anti-spyware people can do is
play catch-up..

Of course, we can help ourselves a little here by being careful about where
we surf and what we download.. maybe it shouldn't be that way, but it is,
and it is difficult to catch the perpetrators, just like it is difficult to
completely remove the criminal element from society..

--
Mike Hall
MVP - Windows Shell/User


Not sure where the official group is to post this so I apologize in
advance.

I have the latest version of your spyware tool and while it's nice, it
could really use some work on a few things.

The biggest issue is that it isn't designed to prompt you that there is
a application trying to run (much like a firewall prompts you when an
app tries to access the internet). This is a critical piece of
information that we need to see. No application should be allowed to
execute w/o being known about and allowed/denied. I have proven that
your software doesn't work with all the known spyware that it can catch
(odd isn't it?). I had the pleasure of d/l a trojan app (not virus,
just loaded with spyware) and while some of the spyware was detected
and stopped, I had to go back and rerun my tools several times to stop
the rest (log below). Please make it so that there is a DB that we can
use to allow / deny applications from running BEFORE they can run!!!


The second piece to my dilema is that your tool doesn't lock down the
folders / files / registry entries to prevent future issues! I finally
had to make a app to do just that! I remove ALL the entries in the
registry, empty out the folders on my PC, delete the files in my
windows folder and replace them with a text file that has the same name
then go back and change NTFS/registry permissions. I remove every
account so NOTHING/NOONE has any ability to them. Only issue I see is
when they become smart enough to change the OWNERSHIP themselves.
Sadly, these tools are in your own applications / support tools so I
can only imagine these bastards are looking at the tools now!

========================================================================
Here is my log of known spyware that your tool DID NOT STOP when the
trojan app ran.

ShopAtHome Spyware more information...
Details: ShopAtHome installs an agent in the Winsock layer of your
computer. This redirects your Web browser to merchant sites affiliated
with ShopAtHome rather than the Web sites you type in or click.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm,
such as a security exploit, and should be removed.

Infected files detected
E:\WINDOWS\shop1004.exe
s:\user\shop1004.exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAHBundle
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent EulaDate 2005-08-12
21:25:09
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent EulaStatus Displayed4002b
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent InstallLocation
downloads.shopathomeselect.com
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent InstPath arcadecash/
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent BundleKey
arcadecash1005.sah
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent BundlePackage setup4021.cab
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent PrefsServer
www.shopathomeselect.com
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent PrefsPath agent3/
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent iniName setup4021.ini
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent PackageLocation
downloads.shopathomeselect.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAHBundle
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent PackageName
agent/realtimeSetup.cab
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent PrefsXML
agent3/agentprefs3.sah
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent CookieUserAgent iexplorer
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent BrowserType Bundle
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent BundleProgress 0
HKEY_LOCAL_MACHINE\software\vgroup
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent KeyExistNai Y
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent DllName
S:\User\N4IU6NQT.dll
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent HtmlName
S:\User\HGFGUK2O.html
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent EulaDate 2005-08-12
21:25:09
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAHBundle
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent EulaStatus Displayed4002b
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent InstallLocation
downloads.shopathomeselect.com
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent InstPath arcadecash/
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent BundleKey
arcadecash1005.sah
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent BundlePackage setup4021.cab
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent PrefsServer
www.shopathomeselect.com
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent PrefsPath agent3/
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent iniName setup4021.ini
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent PackageLocation
downloads.shopathomeselect.com
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent PackageName
agent/realtimeSetup.cab
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAHBundle
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent PrefsXML
agent3/agentprefs3.sah
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent CookieUserAgent iexplorer
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent BrowserType Bundle
HKEY_LOCAL_MACHINE\software\vgroup\SAHAgent BundleProgress 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAHBundle
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent KeyExistNai Y
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent DllName
S:\User\N4IU6NQT.dll
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup\SAHAgent HtmlName
S:\User\HGFGUK2O.html


AvenueMedia.DyFuCA Browser Plug-in more information...
Details: AvenueMedia DyFuCA Internet Optimizer is adware that changes
your browser error page. It periodically displays pop-up advertisements
from its remote sites and may update itself.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm,
such as a security exploit, and should be removed.

Infected files detected
E:\Program Files\Internet Optimizer\optimize.exe
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5pkn8hip\optimize314[1].exe
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5\kni345it\nem220[1].dll
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5\kpu96pyh\tct101[1].dll
e:\program files\internet optimizer\update\optimize314.exe
e:\windows\nem220.dll
e:\windows\optimize.exe
e:\windows\tct101.dll

Infected folders detected
e:\program files\internet optimizer
e:\program files\internet optimizer\update

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper\cf1 TimeStamp 20041116000000
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper\cf1 Version 2.2.0
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper Version 2.2.0
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper ModuleFileName E:\WINDOWS\nem220.dll
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper Options 1,URL Search Optimization,1
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf1
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf1
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf1 DiffAll Yes
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf1 TimeStamp 20050520102214
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf1 Version 1.0.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf2
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf2
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf2 DiffAll Yes
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf2 TimeStamp 20050520102214
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf2 Version 1.0.1
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf3 RawData
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf3 Data
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf3 DiffAll Yes
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf3 TimeStamp 20050223154843
HKEY_LOCAL_MACHINE\software\avenue media\Internet
Optimizer\TContext\cf3 Version 1.0.1
HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket.1
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\TContext
Version 1.0.1
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\TContext
ModuleFileName E:\WINDOWS\tct101.dll
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\TContext
RCCurrent
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\TContext
RLast 1123896314
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\TContext
RI2479 1123896314
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\TContext
RLimit
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer TargetDir
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer CLS wsi14
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer RID c01
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer Version
3.1.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH_Bucket.Bucket.1
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer TAC Yes
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer
ServerVisited 29728677,3588602608
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer
UpdateInterval 21600
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer ID
1-723526d35ffaa4207d201ab2
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer InstallT
1123895800
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer
remember[LLT] 1123895800
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer Conn 1047,4
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 403 1024
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 404 1024
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 410 1024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer 500 1024
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 BHObj Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer
DyFuCA_BH.BHObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj BHObj Class
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\dyfuca

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet
optimizer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet
optimizer DisplayIcon E:\Program Files\Internet Optimizer\optimize.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet
optimizer DisplayName Internet Optimizer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet
optimizer UninstallString "E:\Program Files\Internet
Optimizer\optimize.exe" /u
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Kapabout

HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Kapabout
Comment
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Kapabout
DComment YES
HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1
HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1\CLSID

HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1 BHObj Class
HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj\CLSID

HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj\CurVer DyFuCA_BH.BHObj.1
HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj BHObj Class
HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket.1
HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket.1\CLSID

HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket.1 Bucket Class
HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket
HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket\CLSID

HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket\CurVer
DyFuCA_BH_Bucket.Bucket.1
HKEY_CLASSES_ROOT\DyFuCA_BH_Bucket.Bucket Bucket Class
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_CLASSES_ROOT\interface\
HKEY_CLASSES_ROOT\interface\\ProxyStubClsid

HKEY_CLASSES_ROOT\interface\\ProxyStubClsid32

HKEY_CLASSES_ROOT\interface\\TypeLib

HKEY_CLASSES_ROOT\interface\\TypeLib
Version 1.0
HKEY_CLASSES_ROOT\interface\
IBHObj
HKEY_CLASSES_ROOT\typelib\
HKEY_CLASSES_ROOT\typelib\.0\win32
E:\WINDOWS\nem220.dll
HKEY_CLASSES_ROOT\typelib\.0\FLAGS
0
HKEY_CLASSES_ROOT\typelib\.0\HELPDIR
E:\WINDOWS\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_CLASSES_ROOT\typelib\.0
DyFuCA_BH 1.0 Type Library
HKEY_CURRENT_USER\Software\Avenue Media
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 RawData
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 Data
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 DiffAll Yes
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 TimeStamp 20041116000000
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 Version 2.2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper Version 2.2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper ModuleFileName E:\WINDOWS\nem220.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper Options 1,URL Search Optimization,1
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 RawData
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 Data
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 DiffAll Yes
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 TimeStamp 20041116000000
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper\cf1 Version 2.2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper Version 2.2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper ModuleFileName E:\WINDOWS\nem220.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\Browser
Helper Options 1,URL Search Optimization,1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf1
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf1
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf1 DiffAll Yes
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf1 TimeStamp 20050520102214
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf1 Version 1.0.1
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf2
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf2
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf2 DiffAll Yes
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf2 TimeStamp 20050520102214
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf2 Version 1.0.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf3 RawData
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf3 Data
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf3 DiffAll Yes
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf3 TimeStamp 20050223154843
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet
Optimizer\TContext\cf3 Version 1.0.1
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\TContext
Version 1.0.1
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\TContext
ModuleFileName E:\WINDOWS\tct101.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\TContext
RCCurrent
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\TContext
RLast 1123896314
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\TContext
RI2479 1123896314
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer\TContext
RLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer TargetDir
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer CLS wsi14
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer RID c01
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer Version
3.1.4
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer TAC Yes
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer
ServerVisited 29728677,3588602608
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer
UpdateInterval 21600
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer ID
1-723526d35ffaa4207d201ab2
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer InstallT
1123895800
HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer
remember[LLT] 1123895800
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer Conn 1047,4
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 403 1024
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 404 1024
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 410 1024
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer 500 1024
HKEY_LOCAL_MACHINE\software\avenue media
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper\cf1 RawData
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper\cf1 Data
HKEY_LOCAL_MACHINE\software\avenue media\Internet Optimizer\Browser
Helper\cf1 DiffAll Yes


MoneyTree Dialer more information...
Details: MoneyTree is an ActiveX installer control that downloads
premium-rate dialers, primarily for adult content sites. On system
startup MoneyTree attempts to connect to an adult content site.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm,
such as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\InprocServer32
ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\ProgID
DyFuCA_BH.BHObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\VersionIndependentProgID
DyFuCA_BH.BHObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
BHObj Class
HKEY_CLASSES_ROOT\clsid\\InprocServer32
E:\WINDOWS\nem220.dll
HKEY_CLASSES_ROOT\clsid\\InprocServer32
ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\\ProgID
DyFuCA_BH.BHObj.1
HKEY_CLASSES_ROOT\clsid\\TypeLib

HKEY_CLASSES_ROOT\clsid\\VersionIndependentProgID
DyFuCA_BH.BHObj
HKEY_CLASSES_ROOT\clsid\ BHObj
Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\InprocServer32
E:\WINDOWS\nem220.dll


Transponder.ABetterInternet Adware
Details: ABetterInternet displays advertisements based on the Web sites
you visit.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5\kni345it\abiuninst[1].exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\abi-1

HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\abi-1
UninstallString E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\abiuninst.htm
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\abi-1
DisplayName The ABI Network- A Division of Direct Revenue
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\abi-1
URLInfoAbout http://www.abetterinternet.com
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\abi-1
Publisher ABI Network-A Division of Direct Revenue
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\abi-1
HelpLink http://www.mypctuneup.com
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\abi-1
Contact admin@mypctuneup.com


180Solutions.SearchAssistant Adware
Details: 180Solutions.SearchAssistant displays pop-up advertisements
based on your browsing activity.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\downloaded program files\clientax.dll


Topconverting.Crazywinnings Adware
Details: Topconverting Crazywinnings installs via online games through
ActiveX drive-by-download.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TPUSN
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TPUSN TPUSN_once 1


SearchMiracle.EliteBar Browser Plug-in
Details: SearchMiracle.EliteBar adds a search redirection toolbar to
Internet Explorer called Elite Bar.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\system32\elitefjt32.exe
e:\documents and settings\karl\favorites\casino & carrers\computer
training.url
e:\documents and settings\karl\favorites\casino & carrers\education.url
e:\documents and settings\karl\favorites\casino & carrers\horse
racing.url
e:\documents and settings\karl\favorites\casino & carrers\management
training.url
e:\documents and settings\karl\favorites\casino & carrers\mcse.url
e:\documents and settings\karl\favorites\casino & carrers\nba.url
e:\documents and settings\karl\favorites\casino & carrers\online
betting.url
e:\documents and settings\karl\favorites\casino & carrers\online
casinos.url
e:\documents and settings\karl\favorites\casino & carrers\online
gaming.url
e:\documents and settings\karl\favorites\casino & carrers\online
training.url
e:\documents and settings\karl\local settings\temporary internet
files\content.ie5\kpu96pyh\protector[1].exe
e:\documents and settings\karl\favorites\casino & carrers\poker.url
e:\documents and settings\karl\favorites\casino & carrers\roulette.url
e:\documents and settings\karl\favorites\casino & carrers\slot
machines.url
e:\documents and settings\karl\favorites\casino & carrers\sport
betting.url
e:\documents and settings\karl\favorites\casino &
carrers\sportsbooks.url
e:\documents and settings\karl\favorites\casino & carrers\start a
business.url
e:\documents and settings\karl\favorites\casino & carrers\work at
home.url
e:\documents and settings\karl\favorites\finances &
business\advertising.url
e:\documents and settings\karl\favorites\finances & business\asset
protection.url
e:\documents and settings\karl\favorites\finances & business\bad
credit.url
e:\windows\system32\temperror32.dat
e:\documents and settings\karl\favorites\finances &
business\bankruptcy.url
e:\documents and settings\karl\favorites\finances & business\business
opportunity.url
e:\documents and settings\karl\favorites\finances &
business\business.url
e:\documents and settings\karl\favorites\finances & business\cash
advance.url
e:\documents and settings\karl\favorites\finances & business\credit
reports.url
e:\documents and settings\karl\favorites\finances & business\credit.url
e:\documents and settings\karl\favorites\finances & business\debt
consolidation.url
e:\documents and settings\karl\favorites\finances & business\debt
relief.url
e:\documents and settings\karl\favorites\finances & business\e
commerce.url
e:\documents and settings\karl\favorites\finances & business\home
mortgages.url
e:\documents and settings\karl\favorites\casino & carrers\baccarat.url
e:\documents and settings\karl\favorites\finances & business\human
resources.url
e:\documents and settings\karl\favorites\finances &
business\insurance.url
e:\documents and settings\karl\favorites\finances & business\loans.url
e:\documents and settings\karl\favorites\finances &
business\marketing.url
e:\documents and settings\karl\favorites\finances & business\project
management.url
e:\documents and settings\karl\favorites\finances &
business\refinance.url
e:\documents and settings\karl\favorites\finances & business\small
business.url
e:\documents and settings\karl\favorites\finances & business\work at
home.url
e:\documents and settings\karl\favorites\health & insurance\adipex.url
e:\documents and settings\karl\favorites\health & insurance\auto
insurance.url
e:\documents and settings\karl\favorites\casino & carrers\betting.url
e:\documents and settings\karl\favorites\health & insurance\business
insurance.url
e:\documents and settings\karl\favorites\health & insurance\dental
insurance.url
e:\documents and settings\karl\favorites\health & insurance\diet
pills.url
e:\documents and settings\karl\favorites\health & insurance\hair
loss.url
e:\documents and settings\karl\favorites\health & insurance\health
insurance.url
e:\documents and settings\karl\favorites\health & insurance\home
insurance.url
e:\documents and settings\karl\favorites\health &
insurance\insurance.url
e:\documents and settings\karl\favorites\health & insurance\life
insurance.url
e:\documents and settings\karl\favorites\health &
insurance\nutrition.url
e:\documents and settings\karl\favorites\health & insurance\penis
enlargement.url
e:\documents and settings\karl\favorites\casino & carrers\bingo.url
e:\documents and settings\karl\favorites\health &
insurance\phentermine.url
e:\documents and settings\karl\favorites\health & insurance\prozac.url
e:\documents and settings\karl\favorites\health & insurance\quit
smoking.url
e:\documents and settings\karl\favorites\health & insurance\term life
insurance.url
e:\documents and settings\karl\favorites\health & insurance\term
life.url
e:\documents and settings\karl\favorites\health & insurance\travel
insurance.url
e:\documents and settings\karl\favorites\health & insurance\valtrex.url
e:\documents and settings\karl\favorites\health & insurance\viagra.url
e:\documents and settings\karl\favorites\health & insurance\weight
loss.url
e:\documents and settings\karl\favorites\health & insurance\xenical.url
e:\documents and settings\karl\favorites\casino & carrers\blackjack.url
e:\documents and settings\karl\favorites\homelife & travel\adventure
travel.url
e:\documents and settings\karl\favorites\homelife & travel\air
conditioning.url
e:\documents and settings\karl\favorites\homelife & travel\air
purifiers.url
e:\documents and settings\karl\favorites\homelife & travel\air
travel.url
e:\documents and settings\karl\favorites\homelife & travel\blinds.url
e:\documents and settings\karl\favorites\homelife & travel\celebrity
cruises.url
e:\documents and settings\karl\favorites\homelife & travel\cheap
hotels.url
e:\documents and settings\karl\favorites\homelife & travel\hawaii
travel.url
e:\documents and settings\karl\favorites\homelife & travel\home equity
loans.url
e:\documents and settings\karl\favorites\homelife & travel\home
mortgages.url
e:\documents and settings\karl\favorites\casino & carrers\business
schools.url
e:\documents and settings\karl\favorites\homelife &
travel\international travel.url
e:\documents and settings\karl\favorites\homelife & travel\las vegas
hotels.url
e:\documents and settings\karl\favorites\homelife & travel\lighting.url
e:\documents and settings\karl\favorites\homelife & travel\mattress.url
e:\documents and settings\karl\favorites\homelife & travel\moving.url
e:\documents and settings\karl\favorites\homelife &
travel\refinance.url
e:\documents and settings\karl\favorites\homelife &
travel\relocation.url
e:\documents and settings\karl\favorites\homelife & travel\travel
agents.url
e:\documents and settings\karl\favorites\homelife & travel\travel
insurance.url
e:\documents and settings\karl\favorites\homelife & travel\travel.url
e:\documents and settings\karl\favorites\casino & carrers\careers.url
e:\windows\elitetoolbar\xml\adult.tbr
e:\windows\elitetoolbar\xml\default.tbr
e:\windows\elitetoolbar\xml\images\casino.bmp
e:\windows\elitetoolbar\xml\images\dating.bmp
e:\windows\elitetoolbar\xml\images\drugs.bmp
e:\windows\elitetoolbar\xml\images\fav.bmp
e:\windows\elitetoolbar\xml\images\findemails.bmp
e:\windows\elitetoolbar\xml\images\searchpeople.bmp
e:\windows\elitetoolbar\xml\images\virus.bmp
e:\windows\elitetoolbar\xml\search.mnu

Infected folders detected
e:\documents and settings\karl\favorites\casino & carrers
e:\documents and settings\karl\favorites\finances & business
e:\documents and settings\karl\favorites\health & insurance
e:\documents and settings\karl\favorites\homelife & travel
e:\windows\elitetoolbar
e:\windows\elitetoolbar\xml
e:\windows\elitetoolbar\xml\categories
e:\windows\elitetoolbar\xml\images

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
checkrun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
checkrun
HKEY_CURRENT_USER\Software\LQ
HKEY_CURRENT_USER\Software\LQ TM 10
HKEY_CURRENT_USER\Software\LQ AT 300
HKEY_CURRENT_USER\Software\LQ AC 30
HKEY_CURRENT_USER\Software\LQ AD 0
HKEY_CURRENT_USER\Software\LQ AM 5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
checkrun


eXact.CashBack Adware
Details: CashBack is part of BargainBuddy adware that displays pop-up
advertisements.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil PartnerID 441
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil NewPartnerName SIAC
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil System 1
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil CCODE 227
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil BuildNumber 8041
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil FirstHitUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&sys=%s&type=first_hit
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil UninstallUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&sys=%d&survey=%s&type=uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil UniqueKeyUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&sys=%s&type=partner_query
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil UtilFolder E:\WINDOWS\system32
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil InstallOccurUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&sys=%s&type=install_occur
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil AlreadyInstalledUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&expid=%s&type=already_installed&sys=%s
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil ETServer www.xctrk.com


eXact.BullseyeNetwork Adware
Details: eXact.BullseyeNetwork displays pop-up advertisements.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\program files\bullseye network\bin\adv.exe
e:\program files\bullseye network\bin\adx.exe
e:\program files\bullseye network\ad.dat
e:\program files\bullseye network\index.dat
e:\program files\bullseye network\ub.dat
e:\program files\bullseye network\uninstall.exe
e:\program files\bullseye network\bin\bargains.exe

Infected folders detected
e:\program files\bullseye network
e:\program files\bullseye network\bin

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BullsEye Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BullsEye Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BullsEye Network


eXact.Downloader Trojan Downloader
Details: eXact Downloader is a Trojan used by eXact Bargain Buddy and
Cash Back to download and install additional components.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\system32\javexulm.vxd
e:\windows\system32\mqexdlm.srg
e:\windows\installer_siac.exe
e:\windows\system32\exclean.exe
e:\windows\system32\exul.exe
e:\windows\system32\exul1.exe
e:\windows\system32\msbe.dll

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

HKEY_CLASSES_ROOT\ADP.UrlCatcher.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1
HKEY_CLASSES_ROOT\ADP.UrlCatcher.1
HKEY_CLASSES_ROOT\ADP.UrlCatcher.1\CLSID

HKEY_CLASSES_ROOT\ADP.UrlCatcher.1 ADP UrlCatcher Class
HKEY_CLASSES_ROOT\ADP.UrlCatcher
HKEY_CLASSES_ROOT\ADP.UrlCatcher\CLSID

HKEY_CLASSES_ROOT\ADP.UrlCatcher ADP UrlCatcher Class


SurfSideKick Settings Modifier
Details: SurfSideKick downloads and displays advertisements.
Status: Quarantined
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\documents and settings\karl\application data\sskknwrd.dll
e:\windows\ssk3_b5.exe
e:\program files\surfsidekick 3\ssk.exe
e:\program files\surfsidekick 3\sskbho.dll
e:\program files\surfsidekick 3\sskcore.dll

Infected folders detected
e:\program files\surfsidekick 3

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SurfSideKick 3
HKEY_CURRENT_USER\Software\SurfSideKick3\Internet Explorer Timer
HKEY_CURRENT_USER\Software\SurfSideKick3\Internet Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SurfSideKick 3
HKEY_LOCAL_MACHINE\Software\SurfSideKick3
HKEY_LOCAL_MACHINE\Software\SurfSideKick3\Internet Explorer PInfo
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SurfSideKick 3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

HKEY_CLASSES_ROOT\clsid\
HKEY_CLASSES_ROOT\clsid\\InprocServer32
ThreadingModel Both
HKEY_CLASSES_ROOT\clsid\\InprocServer32
E:\Program Files\SurfSideKick 3\SskBho.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SurfSideKick 3
HKEY_CURRENT_USER\Software\SurfSideKick3


Transponder.ABetterInternet.Aurora Adware
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\abiuninst.htm

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUT3i5m7eOfSFinalAd
0|0|1123896257|0|0|0|0|1123896366|0|
HKEY_CURRENT_USER\Software\aurora AUD3s5tSSEnd
'>-,͐Z^̐Z^"~-fݾ?o>o
HKEY_CURRENT_USER\Software\aurora AU3N5a7tionSCode US
HKEY_CURRENT_USER\Software\aurora AUP3D5om
?,,-^?'?",<^Y'Y
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSCheckSIn 45
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSMots 100
HKEY_CURRENT_USER\Software\aurora AUM3o5deSSync 9
HKEY_CURRENT_USER\Software\aurora AUI3n5ProgSCab 0
HKEY_CURRENT_USER\Software\aurora AUI3n5ProgSEx 0
HKEY_CURRENT_USER\Software\aurora AUI3n5ProgSLstest 0
HKEY_CURRENT_USER\Software\aurora AUI3d5OfSDist
114|1|0|0|THIN-114-1-X-X.EXE
HKEY_CURRENT_USER\Software\aurora AUB3D5om
>??ZS>">??"S-T?ZTf
HKEY_CURRENT_USER\Software\aurora AUE3v5nt 0
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSBath 10000
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSysSInf 2000
HKEY_CURRENT_USER\Software\aurora AUL3n5Title 60
HKEY_CURRENT_USER\Software\aurora AUC3u5rrentSMode 1
HKEY_CURRENT_USER\Software\aurora AUC3n5tFyl 0
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUL3a5stSSChckin 15427
HKEY_CURRENT_USER\Software\aurora AUI3d5OfSInst

HKEY_CURRENT_USER\Software\aurora AUC3n5trMsgSDisp 41
HKEY_CURRENT_USER\Software\aurora AUs3t5icky1S
lflshdt%3D1123895808%26capdatedy%3D0812%26capdate%3D1221%26lstlogdt%3D20050812%26capcntdy%3D2%260%3D%26cntp%3D%26capcnt%3D2%26
HKEY_CURRENT_USER\Software\aurora AUs3t5icky2S
0%3D%26fstcidt%3D1123895808317%26
HKEY_CURRENT_USER\Software\aurora AUs3t5icky3S
1-1123896366-13051:432000:6381:191-
HKEY_CURRENT_USER\Software\aurora AUs3t5icky4S 1-6542:3:224.393
HKEY_CURRENT_USER\Software\aurora AUC1o3d5eOfSFinalAd 8


Transponder.ABetterInternet.DrPMon Adware
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\system32\drpmon.dll


eXact.BargainBuddy Adware
Details: BargainBuddy is a Browser Helper Object that watches the pages
your browser requests and the terms you enter into a search engine web
form. If a term matches a preset list of sites or keywords,
BargainBuddy will display an ad.
Status: Removed
High threat - High-risk items have a large potential for harm, such as
loss of computer control, and should be removed unless knowingly
installed.

Infected files detected
e:\windows\system32\msbe.dll

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

HKEY_LOCAL_MACHINE\software\bargains
HKEY_LOCAL_MACHINE\software\bargains MainDir E:\Program Files\BullsEye
Network
HKEY_LOCAL_MACHINE\software\bargains Binary bin
HKEY_LOCAL_MACHINE\software\bargains ConfigUpdateQueryUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&type=config&sys=%d
HKEY_LOCAL_MACHINE\software\bargains ADDataUpdateQueryUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&type=data&checksum=%s&sys=%d
HKEY_LOCAL_MACHINE\software\bargains SoftwareUpdateQueryUrl
http://service.bargain-buddy.net/scripts/adpopper/webservice.main?version=%d&pid=%s&type=software&sys=%d
HKEY_LOCAL_MACHINE\software\bargains ServerName
service.bargain-buddy.net
HKEY_LOCAL_MACHINE\software\bargains ServerPath
/scripts/adpopper/webservice.main?type=upload
HKEY_LOCAL_MACHINE\software\bargains SliderLegalText Bullseye Network
Offer
HKEY_LOCAL_MACHINE\software\bargains ServerPort 80
HKEY_CLASSES_ROOT\ADP.UrlCatcher.1
HKEY_LOCAL_MACHINE\software\bargains UpdateQueryDuration 86400
HKEY_LOCAL_MACHINE\software\bargains UpdateQueryFailedDuration 1200
HKEY_LOCAL_MACHINE\software\bargains BuildNumber 8041
HKEY_LOCAL_MACHINE\software\bargains AdvDelaySec 30
HKEY_LOCAL_MACHINE\software\bargains TrackingFileFlag 1
HKEY_LOCAL_MACHINE\software\bargains RestartADPDuration 7200
HKEY_LOCAL_MACHINE\software\bargains TimeOutInterval 10000
HKEY_LOCAL_MACHINE\software\bargains FirstHit 0
HKEY_LOCAL_MACHINE\software\bargains LastADPRestart 1123896310
HKEY_LOCAL_MACHINE\software\bargains PartnerName SIAC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1
HKEY_LOCAL_MACHINE\software\bargains PartnerID 441
HKEY_LOCAL_MACHINE\software\bargains SystemInstallTime 1123896310
HKEY_LOCAL_MACHINE\software\bargains ADDataVersion 1123830656
HKEY_LOCAL_MACHINE\software\bargains LastQueryTime 1123896342
HKEY_LOCAL_MACHINE\software\bargains TempUniqueKey 1123896316:000025425
HKEY_LOCAL_MACHINE\software\bargains UniqueKey 16040177:14392:8041:1
HKEY_LOCAL_MACHINE\software\bargains IdleMinutesThreshold 1
HKEY_LOCAL_MACHINE\software\bargains MinMinutesBetweenTwoADs 1
HKEY_LOCAL_MACHINE\software\bargains MaxDomainCap 2
HKEY_LOCAL_MACHINE\software\bargains MinCountOfUrlsBetweenTwoADs 1
HKEY_CLASSES_ROOT\clsid\
HKEY_LOCAL_MACHINE\software\bargains MaxDailyCapPerUSer 50
HKEY_LOCAL_MACHINE\software\bargains ConfigVersion 10
HKEY_LOCAL_MACHINE\software\bargains TimeStamp 1123830698
HKEY_LOCAL_MACHINE\software\bargains DataType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1 ADP UrlCatcher
Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher ADP UrlCatcher Class
HKEY_CLASSES_ROOT\clsid\\InprocServer32
E:\WINDOWS\system32\msbe.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
DisplayName The BullsEye Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
UninstallString E:\Program Files\BullsEye Network\Uninstall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
Publisher eXact Advertising
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
URLInfoAbout http://www.exactadvertising.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
DisplayVersion 8.0.4.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
DisplayIcon E:\Program Files\BullsEye Network\bin\bargains.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
NoModify 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
NoRepair 1
HKEY_CLASSES_ROOT\clsid\\InprocServer32
ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\\ProgID
ADP.UrlCatcher.1
HKEY_CLASSES_ROOT\clsid\\VersionIndependentProgID
ADP.UrlCatcher
HKEY_CLASSES_ROOT\clsid\ ADP
UrlCatcher Class


eXact.SearchBar Browser Plug-in
Details: eXactSearchBar is an Internet Explorer toolbar with standard
search features that performs targeted advertising based on the
computer usage and the URLs associated with Web pages.
Status: Removed
Elevated threat - Elevated-risk items have some potential for harm.
Users should review such programs and remove them if unwanted.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\InprocServer32
E:\WINDOWS\system32\msbe.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\InprocServer32
ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\ProgID
ADP.UrlCatcher.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\VersionIndependentProgID
ADP.UrlCatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
ADP UrlCatcher Class



Posted by -Karl on August 14, 2005, 8:26 pm
I'm not asking to catch all the spyware, just a little more system
change information and security on known spyware locations.

Is there any way to scan files much like an anti-virus app to actually
see if there is a spyware app installed?


Posted by Mike Hall (MS-MVP) on August 15, 2005, 10:58 am
Karl

Adaware and Spybot S&D will give you this kind of info..

http://www.safer-networking.org/en/index.html

http://www.lavasoftusa.com/software/adaware/

To list all of the sites from which spyware emanates would take forever and
is ever changing.. one just has to be vigilant and careful.. the spyware
authors are adapting very quickly to the way that the spyware busters work,
and it will become ever more difficult to defend against..

Re. info given on what the anti-spyware programs are doing and how, the
majority of users are not concerned with this.. they just want the crap off
of their systems regardless of how it is done..

As easy as the spyware removers are to operate, there are still people out
there who are not sure how to work them.. I think that it is also best that
the interface is kept simple..

--
Mike Hall
MVP - Windows Shell/User



> I'm not asking to catch all the spyware, just a little more system
> change information and security on known spyware locations.
>
> Is there any way to scan files much like a anti-virus app to actually
> see if there is a spyware app installed?
>


