McAfee > Theat Center > PUP Detail Page

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary

This is not a virus or a Trojan. It is an adware downloader. On executing this application, it makes multiple internet connections with "cache.sidefind.com", "surfaccuracy.com", "cdn.climaxbuks.com", "ysbweb.com", "internet-optimizer.com", "xxxtoolbar.com", "slotch.com" etc and downloads lots of adware related contents. It creates few BHO entries for the Internet Explorer and generates extra pop-up ads while browsing the Internet.

Privacy

No license agreement is displayed during installation, although one could be displayed by another installer if bundled with another application. No privacy policy related to the software could be found.

System Changes

File Name : f3njwll.exe
MD5Hash : 697577d165fc803408729952c8e607fc

Upon execution, this application changes the search page of the Internet Explorer to “yoogee.com” and installs a toolbar:

Following entry is added under Start Menu\Programs:

• Power Scan

Following directories are added:

• %Program Files%\Common Files\zwku
• %Program Files%\Common Files\zwku\zwkud
• %Program Files%\Internet Optimizer
• %Program Files%\ISTbar
• %Program Files%\ISTsvc
• %Program Files%\Power Scan
• %Program Files%\SAcc
• %Program Files%\SideFind
• %Program Files%\SideFind\update
• %Windows%\zwku

Following files are added:

• etfmslr.exe
• glf7glf7.exe
• istrecover.exe
• istsvc.exe
• optimize.exe
• power_remove.exe
• powerscan.exe
• SAcc.exe
• sidefind.exe
• targetsaver.exe
• tsinstall_4_0_3_8_b17.exe
• tsuninst.exe
• tsupdate_4_0_3_9_b2.exe
• zwkua.exe
• zwkul.exe
• zwkum.exe
• zwkup.exe
• cmctl.dll
• istbarcm.dll
• nem220.dll
• sfbho.dll
• sidefind13.dll
• sidefind.dll
• zwkuc.dll

Following registry entries are added:

• HKEY_CURRENT_USER\Software\Avenue Media
• HKEY_CURRENT_USER\Software\IST
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
  ExplorerBars \{8CBA1B49-8144-4721-A7B1-64C578C9EED7}
• HKEY_CURRENT_USER\Software\Policies\Avenue Media
• HKEY_CURRENT_USER\Software\PowerScan
• HKEY_CURRENT_USER\Software\tsl2
• HKEY_CURRENT_USER\Software\zwku
• HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper
• HKEY_CLASSES_ROOT\BrowserHelperObject.BAHelper.1
• HKEY_CLASSES_ROOT\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
• HKEY_CLASSES_ROOT\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}
• HKEY_CLASSES_ROOT\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
• HKEY_CLASSES_ROOT\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A}
• HKEY_CLASSES_ROOT\CLSID\{FAA356E4-D317-42a6-AB41-A3021C6E7D52}
• HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj
• HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj.1
• HKEY_CLASSES_ROOT\Interface\{0E704BA4-C517-4BE7-A1CD-C3FFDA1E1FFE}
• HKEY_CLASSES_ROOT\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}
• HKEY_CLASSES_ROOT\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543}
• HKEY_CLASSES_ROOT\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F}
• HKEY_CLASSES_ROOT\ISTbar.BarObj
• HKEY_CLASSES_ROOT\SideFind.Finder
• HKEY_CLASSES_ROOT\SideFind.Finder.1
• HKEY_CLASSES_ROOT\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}
• HKEY_CLASSES_ROOT\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671}
• HKEY_CLASSES_ROOT\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA}
• HKEY_CLASSES_ROOT\TypeLib\{E9A5B71C-093B-4F34-AF07-34FCA89BA0DF}
• HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media
• HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar
• HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SideFind
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
  Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
  Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  DyFuCA
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  Internet Optimizer
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  ISTbar
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  ISTsvc
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  Power Scan
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  SideFind
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  TSA
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  TSL Installer
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Avenue Media
• HKEY_LOCAL_MACHINE\SOFTWARE\SAcc
• HKEY_LOCAL_MACHINE\SOFTWARE\SideFind
• HKEY_LOCAL_MACHINE\SOFTWARE\TSA
• HKEY_LOCAL_MACHINE\SOFTWARE\TSA\update
• HKEY_LOCAL_MACHINE\SOFTWARE\zwku
• HKEY_LOCAL_MACHINE\SOFTWARE\zwku\update
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
  Run | "zwku"
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
  Toolbar\WebBrowser | "{FAA356E4-D317-42A6-AB41-A3021C6E7D52}"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run | "AkOaO"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run | "Internet Optimizer"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run | "IST Service"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run | "Power Scan"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run | "SAcc"

Network Impact

Additional overhead in bandwidth due to download of content.

Removal

Aliases

Aliases

• Adware.Istbar : Symantec
• Adware/IST.ISTBar : Panda Antivirus
• Trojan-Downloader.Win32.INService.je : Kaspersky L