Adware-SpyShield

Type: Program
SubType: Adware
Discovery Date: 03/11/2006
Minimum DAT: 4717 (03/13/2006)
Updated DAT: 5241 (02/28/2008)
Minimum Engine: 5.1.00
Description Added: 03/11/2006
Description Modified: 03/11/2006 2:56 PM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is a direct-marketing software bundle that employs adware (such as Adware-BestOffers) to generate contextual pop-up advertisements while the user browses the web.

A user interface is presented when the installer is launched, and a license agreement is displayed during installation. The agreement includes references to the BestOffers software, along with the possible installation of additional third-party components.

Privacy

A privacy policy is not displayed during installation. A policy is available at http://www.spy-shield.com/web3/privacy.php, but it appears to cover only the website itself, and does not reference the SpyShield software.

Upon completion of the installation, a web page is displayed. A privacy link on that page points to http://www.spy-shield.com/privacy.php. However, the page appears unavailable.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

"*" - Denotes files that, though installed along with the software, are by themselves innocent and not included in detection.

Files Added


Registry

The following registry keys are created:


Network Impact

Additional overhead in bandwidth due to download of advertising content.

Aliases

    N/A