McAfee > Theat Center > PUP Detail Page

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Installation

Upon execution, the application does not display any EULA or privacy notice. It registers Browser Helper Objects (BHOs) to help display the ad related search results. It silently transmits the search keywords typed in say google.com to its servers that can be powered by other legitimate search engines like Lycos.com or Yahoo.com. After the search is done on a particular search engine it launches (Pops-up) another Internet Explorer window to show different search results. However, it is incapable of any spyware related activities like stealing passwords etc. It adds a check button to the IE toolbar as the browser helper object.

 It has been observed that it contacts following websites

•  www.searchreslt.com

File names often related to adware-sidefind are

• sidefind.exe
• sep.dll
• sidesearch.dll

It registers the DLL as Browser Helper objects to Internet Explorer

• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\ProgID\: "Sep.Search.1"
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\InprocServer32\: "C:\Program Files\SEP\sep.dll"
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\ProgID\: "Sep.Band.1"
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\InprocServer32\: "C:\Program Files\SEP\sep.dll"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Uninstall\SEP\UninstallString: "C:\Program Files\SEP\Uninst.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Explorer\Browser Helper Objects: "{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}"

It creates following files upon execution and stores them at c:\program files\SEP

• sep.dll ( Size: 184,320 Bytes) – size may vary
• uninst.exe ( Size: 54,842 Bytes) – size may vary

 Symptoms

It shows the search result in a separate popup window and use Lycos search engine to show the results. See the image below.