ThreatExpert Report: Adware.WhenU_SaveNow, not-a-virus:AdTool.Win32.WhenU.a

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 17 May 2008, 05:42:56
Processing time: 3 min 36 sec
Submitted sample:

File MD5: 0x6661719644B940B34694D4FA6A4ED0DC
File SHA-1: 0x53587DC8F9608E10744E0F84B091678B4C478E15
Filesize: 928,256 bytes
Alias:

Adware.WhenU_SaveNow [PCTools]
not-a-virus:AdTool.Win32.WhenU.a [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.WhenU_SaveNow	SaveNow shows targeted pop-up advertisements and coupons based on user's Internet surfing habits. It is usually distributed with other third party software such as BearShare.
Adware.Component.WhenU	Common Components shared between WhenU products like ClockSync, SaveNow, SideFinder and WeatherCast.

Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonDesktopDir%\DAEMON Tools SearchBar.lnk	1,582 bytes	MD5: 0xE8EC99D7B5E09453CD7B6CF84C5A036F SHA-1: 0x2E5A0CFEF9299871FC1898E220FFAC4BF5F5A80F	(not available)
2	%AppData%\WhenU\dtStore.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	%Programs%\DAEMON Tools\DAEMON Tools SearchBar.lnk	1,574 bytes	MD5: 0x5A1BEFA6E4FE9E0FF585C03334ACBEC4 SHA-1: 0xAD0BDD3BB34B47C29A4C89B8BFC495BE58BD1E85	(not available)
4	%ProgramFiles%\Common Files\WhenU\DTAdapter.exe	186,752 bytes	MD5: 0xF92D0E9199B9156871F0E91BD77EDC7E SHA-1: 0xE7F712B82D0A064906CB1B89E04239ED564F8C2B	(not available)
5	%ProgramFiles%\Common Files\WhenU\DTPlugin.dll	127,352 bytes	MD5: 0x4B91BB49D57E6EB2153C536D85D7A5CC SHA-1: 0xD9D66B56B60730ACFDFDC6417924A74E041A42A7	Adware.WhenU_SaveNow [PCTools]
6	%ProgramFiles%\DAEMON Tools SearchBar\Content\css\dialog.css %ProgramFiles%\DAEMON Tools SearchBar\Content\dialog.css	281 bytes	MD5: 0x8A90D2F28CC73639E226AC210FC38F90 SHA-1: 0x3DE0003C5A61D9A425922B4EB66E171ABE9C5A83	(not available)
7	%ProgramFiles%\DAEMON Tools SearchBar\Content\css\menu.css %ProgramFiles%\DAEMON Tools SearchBar\Content\menu.css	290 bytes	MD5: 0xC626B168378E6246BBB4A603C688BE0F SHA-1: 0xD606202876F6849897C2FC62B4018615FA672084	(not available)
8	%ProgramFiles%\DAEMON Tools SearchBar\Content\css\module_weather.css %ProgramFiles%\DAEMON Tools SearchBar\Content\module_weather.css	229 bytes	MD5: 0xB6229ECB43DBBCA46BD617B0D9F1A86D SHA-1: 0x8DC3E0BCD9452A73B9F8C177B0CFF41FEDADC1EE	(not available)
9	%ProgramFiles%\DAEMON Tools SearchBar\Content\css\module_weather_dialog.css %ProgramFiles%\DAEMON Tools SearchBar\Content\module_weather_dialog.css	163 bytes	MD5: 0x06B1EB04A6CB3A6516C778EF41967761 SHA-1: 0xE154AA1C0C652A5DF7E0C631D6CE56F75D84EE03	(not available)
10	%ProgramFiles%\DAEMON Tools SearchBar\Content\css\quick.css %ProgramFiles%\DAEMON Tools SearchBar\Content\quick.css	313 bytes	MD5: 0x3E10777092741664DF092824F8CAE152 SHA-1: 0x0F3C1939E3946D806E69B43DB3296293E75FD365	(not available)
11	%ProgramFiles%\DAEMON Tools SearchBar\Content\customize.html	9,066 bytes	MD5: 0x27D69C3D32D7C7A89EEF476FCCA3B1D5 SHA-1: 0x99A93FA3D75F7D293E63B7941096BF15D8D29002	(not available)
12	%ProgramFiles%\DAEMON Tools SearchBar\Content\daemon.ico %ProgramFiles%\DAEMON Tools SearchBar\Content\uninst.ico	7,406 bytes	MD5: 0xFCB2BEC30B724BC1FA73D324ECCFF0BD SHA-1: 0x9C62467E37F1CB1B7BA1D981B13BBC74E10D5593	(not available)
13	%ProgramFiles%\DAEMON Tools SearchBar\Content\emu_menu.html	13,744 bytes	MD5: 0x96A7D261ED21CE53CE9F8D438A5B089E SHA-1: 0xD59405D56C948FD78B488D4DD7A4D41EA8DE99CE	(not available)
14	%ProgramFiles%\DAEMON Tools SearchBar\Content\global.js	752 bytes	MD5: 0xBA31C8BD5F2000403BDC75D88E17E892 SHA-1: 0x1CFAE97D012D7E2398D2A7B0995D96DA5B57AB18	(not available)
15	%ProgramFiles%\DAEMON Tools SearchBar\Content\help_menu.html	11,880 bytes	MD5: 0xCADD6D89FDA72B9BFE5D8014C65BD4FD SHA-1: 0x72BB722CEB95B18C839020EE192D06CD7D27B954	(not available)
16	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\65_wtext.gif	1,717 bytes	MD5: 0xDFEE4DF1E6C64F904FA6BC891F154084 SHA-1: 0xA6D77CF7FEF47F7628C93416659BC17265612564	(not available)
17	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\65_wtext_sm.gif %ProgramFiles%\DAEMON Tools SearchBar\Content\images\85_wtext_sm.gif	592 bytes	MD5: 0xD122CFD2E269D45FA7A486E50E04649E SHA-1: 0x09A75EEDF1188B31559B13011ED100FE042FAA48	(not available)
18	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\66_wtext.gif	1,191 bytes	MD5: 0x5128078D920DDF5C4C2799D352714389 SHA-1: 0x4361B728829E1F9701AECADA19BC90F3F0C9AF53	(not available)
19	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\66_wtext_sm.gif	359 bytes	MD5: 0x18EC6550A4FDACBEC2D9CDFD67FA1F5A SHA-1: 0x4FB6CABBDC18677A37DAD606DE4D4AB4F990321E	(not available)
20	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\67_wtext.gif	1,144 bytes	MD5: 0xC0A1AC5EDB7530AC63170B4E8401E40C SHA-1: 0x84AE3308DEAC21148FEB34C0D63B31DCE0B1ED55	(not available)
21	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\67_wtext_sm.gif	308 bytes	MD5: 0x4CBFAA62B01BD5ED9BC27E32E6E6C16F SHA-1: 0x77758BD3EC2404885DEF039CF3E3CB7D003D159D	(not available)
22	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\68_wtext.gif	3,382 bytes	MD5: 0x7E58880FA73F801F663FD8FFF12FEA33 SHA-1: 0xF6B999713095429F7A58B84C11F2E98601639312	(not available)
23	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\68_wtext_sm.gif	398 bytes	MD5: 0x4771E53D0A3C44452E6E626B944533D8 SHA-1: 0x70B7803BACE230BFC9123A18C2E8FF7BFC9CB614	(not available)
24	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\69_wtext.gif	1,585 bytes	MD5: 0xB8B00BEBDAA04465064D7D86889AE6F3 SHA-1: 0x4843E58FD1E26CAD14901A458C72EE9A44954FA4	(not available)
25	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\69_wtext_sm.gif	600 bytes	MD5: 0xA8E08B95AA2181C86B9BB392344A9D59 SHA-1: 0x98141530DD24657270B326E7FF512B0F9D49409F	(not available)
26	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\70_wtext.gif	2,301 bytes	MD5: 0x2E25DBA3962CF684E22DB3A3E8E24999 SHA-1: 0x4F2C49E44A4DBC21A06FB611E6EC3370B03A54F5	(not available)
27	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\70_wtext_sm.gif	370 bytes	MD5: 0x72C11F4647921159888C67BEA1D9E01D SHA-1: 0xF4BB5B334C76E0C0ACBE11F90B52DF3D42EC3533	(not available)
28	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\71_wtext.gif	1,853 bytes	MD5: 0x705A93DA3ECB6CD4CC11969DF35582B1 SHA-1: 0xA18674065FE94C67AD1D7AC225DDC83E20C2E35A	(not available)
29	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\71_wtext_sm.gif	616 bytes	MD5: 0xC1137240BE5D971F419B48038A3C80D2 SHA-1: 0x2A85FFBA4BDDBAD17EEFCC6F51D8CB81323BD08C	(not available)
30	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\72_wtext.gif	2,431 bytes	MD5: 0xFF8404369F986FBB18633E29BE3BFF68 SHA-1: 0xFB0914E196D5FCF664B6A9FA94976362E209D449	(not available)
31	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\72_wtext_sm.gif	616 bytes	MD5: 0xFD3E6D506C735F7774EBFB8B9CFC0D94 SHA-1: 0xA6059C6E2D1192C59039D5F87F89D95E2567589A	(not available)
32	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\73_wtext.gif	1,316 bytes	MD5: 0x5FD3D48397314C19560CCD28EB1F5C5C SHA-1: 0x387443B63C6FE8A4837105C876B61667E9BCEEFA	(not available)
33	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\73_wtext_sm.gif	579 bytes	MD5: 0x13D14497E02C43C07F274D47014CEC04 SHA-1: 0xAE6C444A28A1A4C0CD82219B26534B2C112CAD42	(not available)
34	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\74_wtext.gif	1,199 bytes	MD5: 0x7F753C69421C55D84F247DCB309C33D1 SHA-1: 0x99507A9C1E63D67449339129622CCBA63F51C215	(not available)
35	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\74_wtext_sm.gif	379 bytes	MD5: 0x9281D40C444DCFA4615D4DA3F65C5B8A SHA-1: 0xD31903843D53BA09588B94EE99129070C8CC763A	(not available)
36	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\75_wtext.gif	2,235 bytes	MD5: 0x273569FAF07D070F1896948415B5A9F5 SHA-1: 0x693C730A68CC19BC1CB325BC9286B9BCACD6741E	(not available)
37	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\75_wtext_sm.gif	385 bytes	MD5: 0xADC29055B80BDB4EDE2E2AB8FB7288C5 SHA-1: 0xD0DC5FB1C8BED4C27784D00C73685AC387046B5C	(not available)
38	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\76_wtext.gif	1,052 bytes	MD5: 0xE205A1AF3F8CF7B8E09E78DC9B88943C SHA-1: 0xA464E353F16230EB89857EF75B1D37F3EECD0F86	(not available)
39	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\76_wtext_sm.gif	366 bytes	MD5: 0xE661936324BF845D04C89E2E87911B2F SHA-1: 0x0545E4249B08B316D918A95C3602E854A43E3AC6	(not available)
40	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\77_wtext.gif	1,464 bytes	MD5: 0x57EF725F6C935EC974DCC034E8F5CC65 SHA-1: 0x6BB9FF031D2F9E903311C35DF10037B61CF0A0DB	(not available)
41	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\77_wtext_sm.gif	579 bytes	MD5: 0xB0FB52A2F87F3C4F76B400E0BC68389E SHA-1: 0x4023D62B9B263D26BE8DA5522752FDB5073FB034	(not available)
42	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\78_wtext.gif	1,360 bytes	MD5: 0x58DBC3275A2D3F50B7DE04FDA43DAB08 SHA-1: 0x6EFD040E70D919D7F41C8F1332DA567C47B69EBA	(not available)
43	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\78_wtext_sm.gif	550 bytes	MD5: 0x84725117133425D7970EA3DC2305671C SHA-1: 0x361855EE614700E3910512CC83C098E8B7995021	(not available)
44	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\79_wtext.gif	1,437 bytes	MD5: 0xC077F8103D2E2A3C0395E045A0BA158E SHA-1: 0xE2F1BE450E17393C9FE03C6139DA73B409B6F787	(not available)
45	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\79_wtext_sm.gif	352 bytes	MD5: 0xE190C8AD707CCE44DB70C173573D23C7 SHA-1: 0x9ED29938E01902C08FFBD2FC1B44AFE9DBAB151D	(not available)
46	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\80_wtext.gif	2,459 bytes	MD5: 0xC294376D8CB5F64AEAF0A174D0A4C832 SHA-1: 0xA8F031D44EF8DBFFE293A75C1F070BA003674EE2	(not available)
47	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\80_wtext_sm.gif	614 bytes	MD5: 0xB148D9DC6910F4B6F78FDBDED8F710FC SHA-1: 0x0AED54C9BC8DD623EC646D66D6DA2396DAF414B9	(not available)
48	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\81_wtext.gif	1,791 bytes	MD5: 0xA081C3E4BF648654BA0948B504C2DC4D SHA-1: 0xD45912CF784C6A0B32813AA01E0ACB8BCA57EC14	(not available)
49	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\81_wtext_sm.gif	597 bytes	MD5: 0x42535693BB97A16F81C7E59114A610D5 SHA-1: 0xD7C9446A93F1660762881E3173E976E345E4B375	(not available)
50	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\82_wtext.gif	1,124 bytes	MD5: 0x51D7049B586A37D5FC5765BCF9824CEC SHA-1: 0x4B4DEFB004126FCD2EB8BFA2E916F4A91397B1AD	(not available)
51	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\82_wtext_sm.gif	378 bytes	MD5: 0x10B48E3CBC24689CC0C9EB8434CC3DE9 SHA-1: 0xBA650822B5C4C966ADB53880ACB6784B93871326	(not available)
52	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\83_wtext.gif	1,565 bytes	MD5: 0xC85902CEB0B5C108C001BA9250F84F19 SHA-1: 0xEAED6CB0602D345DD3FC3094110DE7204C0FC576	(not available)
53	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\83_wtext_sm.gif	396 bytes	MD5: 0xBED664118DB9724148A8686B47F6DA8A SHA-1: 0x306C1C7E31568DAF58CF909FE97D23E8FDB48D80	(not available)
54	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\84_wtext.gif	1,629 bytes	MD5: 0xC5E9F2FCF01F1BAC72239E9DF82A7CF8 SHA-1: 0xB10B5557E15822BA5D9E24CF2C11E70443917DA8	(not available)
55	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\84_wtext_sm.gif	570 bytes	MD5: 0x951655D7799B0414988905107DC4C1DD SHA-1: 0xF1A226D50EE1A62CEA0E19005A4F9D4620C3039D	(not available)
56	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\85_wtext.gif	2,451 bytes	MD5: 0x463B1B5DE0B6005D776A50DA4B820E39 SHA-1: 0x1834B6D7A3978A6F178AB104A366D2E49BF2E756	(not available)
57	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\87_wtext.gif	1,134 bytes	MD5: 0x5209C6636DA4AB5F3718616B43039FA6 SHA-1: 0xABC80B8C251D4D66D04C3F64D0AC319D94671DF5	(not available)
58	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\87_wtext_sm.gif	364 bytes	MD5: 0xD90B863621F5DEE66342C48E0D805B53 SHA-1: 0x291C342D0F1021EB5C5E517406B8C008C70696F7	(not available)
59	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\88_wtext.gif	1,391 bytes	MD5: 0x1B81A3AC1EA1F91326C72FAE6E498F0F SHA-1: 0x5AAFD7CBB82525B26D37C30FB382A9888A7332BA	(not available)
60	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\88_wtext_sm.gif	370 bytes	MD5: 0x67C0E37345E3CE5C300424F489D37F73 SHA-1: 0xD2541D098A35C45076568B6CC3E09DB93EE2E475	(not available)
61	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\89_wtext.gif	1,164 bytes	MD5: 0xB519C3B3DA0079A9AE4B7FB0BB41F427 SHA-1: 0xCBF53EFE0A112473E262220713DD311424914DC8	(not available)
62	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\89_wtext_sm.gif	591 bytes	MD5: 0xB124BEDDEF4B89B07A24DB98E0308C2E SHA-1: 0x1FF94E6125536D6827E5F44B40D9BE228105D402	(not available)
63	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\90_wtext.gif	1,438 bytes	MD5: 0xABEE984F8E18F16FD19E10A097C94BE5 SHA-1: 0xD05144300143FBDF30CF3BF975F396CAD6A1C958	(not available)
64	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\90_wtext_sm.gif	543 bytes	MD5: 0x315C6C8B02BE3F7A0D837388DC4FED6A SHA-1: 0x0A86DCE3E4428B6E3969D6797697F411EABB0482	(not available)
65	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\91_wtext.gif	2,084 bytes	MD5: 0x7C1051F58B33EDA4C4518F815CC07A98 SHA-1: 0xCEC5FE115C0BC39478D9721A1937B5C0B9B97163	(not available)
66	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\91_wtext_sm.gif	585 bytes	MD5: 0x68329D4F850F74E719FA401B6FEC3EEC SHA-1: 0x2485069F8C70B1BA8EE90ED564CF3D34B968A1CF	(not available)
67	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\92_wtext.gif	1,981 bytes	MD5: 0x96FB8AE85C191E815A29E1473510B1BF SHA-1: 0x951453AA42720E8F31B9D178006FC69C37CBA56B	(not available)
68	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\92_wtext_sm.gif	585 bytes	MD5: 0xC88D7FBA5E6A51774D161BCAE3880154 SHA-1: 0xEBDD26CECA907D9E8C241C4B23023595F2DE27DF	(not available)
69	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\93_wtext.gif	1,987 bytes	MD5: 0xDBFF5622E26BF601C96B6126FDC4F1BA SHA-1: 0x48CDBCDE01BC9B7C65974DA6A2CA1B4094BE8288	(not available)
70	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\93_wtext_sm.gif	591 bytes	MD5: 0xFC972E7526A8CD38A1E76D1B83DDAA0B SHA-1: 0x74E1E3F4D606399DD8FDB9D9DF4F83EFC9F98E36	(not available)
71	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\94_wtext.gif	2,130 bytes	MD5: 0x4FF98605E9F7C3F4BBE51A2A208F29D7 SHA-1: 0x7D6319F52FE695931D6A8BED8A9C7A0DC2178821	(not available)
72	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\94_wtext_sm.gif	587 bytes	MD5: 0xFCE6D9AD9A133FD01B862CFF265BDF55 SHA-1: 0x58D4311F0B34D9C762EE92BD66FDD4DF08003EA0	(not available)
73	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\add_image.gif	594 bytes	MD5: 0xD05838A9AE3BDA05331E526BDE1D23A5 SHA-1: 0x1ACEB6792DD7583F9BB8411145877F4C20E293CB	(not available)
74	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\add_image_down.gif	660 bytes	MD5: 0x4FCB577A05DEFFB9781725748B4CDB80 SHA-1: 0x65882E732555196BE9F17B732E2CFC5A3961587A	(not available)
75	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\add_image_on.gif	650 bytes	MD5: 0xBF5D1EBBB90E6C9656F3927D7DC947E5 SHA-1: 0xA164DE8137E0E3693544D1A5F0F2F80EB6C2E670	(not available)
76	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\arrow_down.gif	57 bytes	MD5: 0xC277E23BD0F33DC213225C78667672D9 SHA-1: 0x1035CDF257B6AA057AE0DD328934C779F395631B	(not available)
77	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\arrow_down_on.gif	57 bytes	MD5: 0xE2EC9F890919D8AA6BEFEE41ADD06DFF SHA-1: 0x421FF3C013531E0E69071A21C238240BDA8A5919	(not available)
78	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\arrow_right.gif	49 bytes	MD5: 0xCA6D95529642EDC719777C379A6AA31B SHA-1: 0x4410F2EBBF030E368D913814921D79BE229A39A1	(not available)
79	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\arrow_right_on.gif	49 bytes	MD5: 0xEB85B250D7B668708A081530FC1978D0 SHA-1: 0x7729B9990853A5D20DA9DA194360C0B521C4409E	(not available)
80	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_arrow_down.gif	208 bytes	MD5: 0x2F6698206B2AFEA1C9B8C748BDEAE597 SHA-1: 0xAE51187087EF540B56128BD21FF9ECAB2B1D3172	(not available)
81	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_arrow_off.gif	209 bytes	MD5: 0xB5D857C3E48EF8CDF88318603161BB25 SHA-1: 0xB92B3A8BC5E361212B659F2912E9FD38B653072E	(not available)
82	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_arrow_on.gif	210 bytes	MD5: 0x3C7FAE1BE9EFB4EC07BF62CEBB3D9FBB SHA-1: 0x00563D954BAFBA1DA29FF13E09CD083A17879FEC	(not available)
83	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_go.gif	481 bytes	MD5: 0xEC245516947A1E0FB022C49EAE13C6ED SHA-1: 0x0432F758915F5434EB0238F20A310434CF876B53	(not available)
84	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_go_down.gif	499 bytes	MD5: 0xBFC9DEB2EE717F8F4EC13DF77D44B236 SHA-1: 0x3CA6E19EF845590F03DEFD4B3485BADFF55D8532	(not available)
85	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_go_on.gif	482 bytes	MD5: 0x335DCEBE683EB0B509FB3CCED82CEF26 SHA-1: 0x093128945073BD6CBA90525D7928C9F663E8163D	(not available)
86	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_pop.gif %ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_pop_ups_allowed.gif	880 bytes	MD5: 0x480A8D403B87CEC8131068D3F5ED7B50 SHA-1: 0xB52ABD6EC32B059C4327428F52604961B70AAA79	(not available)
87	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_pop_ups_blocked.gif	1,342 bytes	MD5: 0x9EC9512C103D780F16769FF0004B8736 SHA-1: 0xB26F529C1DAAC627764E0814B0825637BA9CA4CF	(not available)
88	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_pop_ups_blocked_anim.gif	2,154 bytes	MD5: 0x53F9CC4EBE6CDFFAD4C57E45E3AF195C SHA-1: 0x0FCDB94CBEEA0FFB4A7B30A0EC73047DF30B55FE	(not available)
89	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_pop_ups_blocked_down.gif	1,334 bytes	MD5: 0xAA7A6FB449E2B3789A441C745F52B039 SHA-1: 0x88F9F915407B235D046D409120CD804CE77E9CAA	(not available)
90	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_pop_ups_blocked_on.gif	1,342 bytes	MD5: 0x6076B06B8F2D3DBF26DDF02288B3FC2A SHA-1: 0xAE10CD5F06AF6F90C9EBF28DAE498EF229EC1C8F	(not available)
91	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_search_down.gif	324 bytes	MD5: 0xD47013ABB7C6C41AEB7312127EB83AA9 SHA-1: 0x3A9FE28E78F1759A4E205C317BE51EF52BD2388D	(not available)
92	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_search_off.gif	320 bytes	MD5: 0x8047292DC5C15DC746DF819F10792202 SHA-1: 0x30464E4F3B0E4EC6B565E30F803A8E4A19093AF5	(not available)
93	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_search_on.gif	323 bytes	MD5: 0xE3AC0C1B9BF22258710CD1ADC1DD6095 SHA-1: 0x73A2E739C90EBF8BE7E735509CA52055561C481C	(not available)
94	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_search_sm_down.gif	214 bytes	MD5: 0x1919A010FAE007961DC07AE61EE2D2DE SHA-1: 0xE9BEBA351944DA57D66BDD23A49F2B421081B914	(not available)
95	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_search_sm_off.gif	214 bytes	MD5: 0x93B93EE4D90AF78813A2DFA62B189EE7 SHA-1: 0x23F27C0F7A0970426B75016B6C585F73B75885A7	(not available)
96	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_search_sm_on.gif	216 bytes	MD5: 0x0F0B285C88DA8E12F15A2018DFA1DD91 SHA-1: 0x01C82BEA8528AF7E72CF4AF25FB5386C4C0CDE41	(not available)
97	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_specials_on.gif	1,773 bytes	MD5: 0xD602B0311F7AF065B58759461A4F4312 SHA-1: 0xC8F08B3D4372E971E80BCC9AD168418027F120B6	(not available)
98	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_ucontrol_down.gif	469 bytes	MD5: 0x501007DD4765BB9128CE4810FE6F2EE5 SHA-1: 0x8CA46513905D76C9B29BADC739B020FB7AE00868	(not available)
99	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_ucontrol_off.gif	462 bytes	MD5: 0x72961665ADA7542FB88D1CADF49344A3 SHA-1: 0xA0006A3F43B521124EF74FC5EE6F466F15E32FCE	(not available)
100	%ProgramFiles%\DAEMON Tools SearchBar\Content\images\button_ucontrol_on.gif	468 bytes	MD5: 0x5EC2C83862395E4EEAB74912B77B668B SHA-1: 0xA9B572FCF64DEE9190333F8B9F5798607F95AE53	(not available)

Notes:

%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%AppData%\WhenU
%Programs%\DAEMON Tools
%ProgramFiles%\Common Files\WhenU
%ProgramFiles%\DAEMON Tools SearchBar
%ProgramFiles%\DAEMON Tools SearchBar\Content
%ProgramFiles%\DAEMON Tools SearchBar\Content\css
%ProgramFiles%\DAEMON Tools SearchBar\Content\images

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
Search.exe	%ProgramFiles%\daemon tools searchbar\search.exe	315,392 bytes
whse.exe	%ProgramFiles%\daemon tools searchbar\whse.exe	188,416 bytes
DTAdapter.exe	%ProgramFiles%\Common Files\WhenU\DTAdapter.exe	196,608 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	946,176 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
DTPlugin.dll	%ProgramFiles%\Common Files\WhenU\DTPlugin.dll	Process name: whse.exe Process filename: %ProgramFiles%\daemon tools searchbar\whse.exe Address space: 0x2460000 - 0x2480000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dtPlugin.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5355F82E-E8D3-4401-9FB3-2CC11AFA130A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WUSE.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch\Partners
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch\Partners\desktop
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch\WHSE

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dtPlugin.DLL]

AppID = "{5355F82E-E8D3-4401-9FB3-2CC11AFA130A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5355F82E-E8D3-4401-9FB3-2CC11AFA130A}]

(Default) = "dtPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\VersionIndependentProgID]

(Default) = "DTPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\TypeLib]

(Default) = "{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\ProgID]

(Default) = "DTPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\InprocServer32]

(Default) = "%ProgramFiles%\Common Files\WhenU\DTPlugin.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}]

(Default) = "DTPlugin Class"
AppID = "{5355F82E-E8D3-4401-9FB3-2CC11AFA130A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\VersionIndependentProgID]

(Default) = "DTAdapter.DTAdapter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\TypeLib]

(Default) = "{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\ProgID]

(Default) = "DTAdapter.DTAdapter.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\LocalServer32]

(Default) = ""%ProgramFiles%\Common Files\WhenU\DTAdapter.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}]

(Default) = "DTAdapter Class"
AppID = "{B9FE7DA5-2800-4EA9-AAFE-97984407CE47}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}\LocalServer32]

(Default) = "%ProgramFiles%\DAEMON Tools SearchBar\Search.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}\InprocServer32]

(Default) = "%ProgramFiles%\DAEMON Tools SearchBar\search.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}]

(Default) = "WhenUSearch Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib]

(Default) = "{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}]

(Default) = "IDTAdapter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\TypeLib]

(Default) = "{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}]

(Default) = "IDTPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\0\win32]

(Default) = "%ProgramFiles%\Common Files\WhenU\DTAdapter.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\HELPDIR]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0]

(Default) = "dtAdapterLib"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\0\win32]

(Default) = "%ProgramFiles%\Common Files\WhenU\DTPlugin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\Common Files\WhenU\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0]

(Default) = "DTPlugin 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter\CurVer]

(Default) = "DtAdapter.DTAdapter.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter\CLSID]

(Default) = "{293238AB-B0E2-4357-8548-E5167317CBCC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter]

(Default) = "DTAdapter Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1\CLSID]

(Default) = "{293238AB-B0E2-4357-8548-E5167317CBCC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1]

(Default) = "DTAdapter Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin\CurVer]

(Default) = "DTPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin\CLSID]

(Default) = "{1D5B201A-7942-401A-B801-3EAF98F6B8BD}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin]

(Default) = "DTPlugin Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin.1\CLSID]

(Default) = "{1D5B201A-7942-401A-B801-3EAF98F6B8BD}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DTPlugin.1]

(Default) = "DTPlugin Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WUSE.1]

WUSE_Id = 2C 2C 94 DF C3 0D 90 4F AF 13 73 82 91 C9 20 6E

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

WhenUSearch = ""%ProgramFiles%\DAEMON Tools SearchBar\Search.exe""
WhenUSearchWHSE = ""%ProgramFiles%\DAEMON Tools SearchBar\whse.exe""

so that Search.exe runs every time Windows starts

so that whse.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch]

DisplayIcon = "%ProgramFiles%\DAEMON Tools SearchBar\Content\daemon.ico"
DisplayName = "DAEMON Tools SearchBar"
DisplayVersion = "2.30"
HelpLink = "http://www.whenu.com/products/searchbar/mini/DaemonTools/"
Publisher = "WhenU.com"
UninstallString = "%ProgramFiles%\DAEMON Tools SearchBar\Uninst.exe /tWHSE"
UrlInfoAbout = "http://www.whenu.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch\Partners\desktop]

LastPartner = "WHSE9999"
SetupCmdLine = "http://app.whenu.com/AppInstall"
Partner = "WHSE9999"
InstallTime = "20080107151459"
PartnerDesc = "Desktop Toolbar [WhenUSearch]"
uitoken = "sb.daemon1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch\WHSE]

Installed_rs = "Y"
uiver_rs = "22"
exitsurvey_url = "http://web.whenu.com/uninstall_search.html"
Partner = "WHSE9999"
LastPartner = "WHSE9999"
InstallTime = "20080107151459"
SetupCmdLine = "http://app.whenu.com/AppInstall?app=desktop"
showSplash = "0"
uitoken = "sb.daemon1"
init_check = "294852"
show_emulation = "Y"
show_manage = "Y"
blockCount = "0"
weather_units = "u"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSearch]

InstallDir = "%ProgramFiles%\DAEMON Tools SearchBar"
Version = "2.30"
pats_url = "http://akapp.whenu.com/SearchDB"
pat_chunks_url = "http://akapp.whenu.com/SearchChunks"
update_url = "http://www.whenusearch.com/searchupdate.exe"
ziptomsa_url = "http://spapp.whenu.com/ziptomsa"
iptomsa_url = "http://app.whenu.com/Location"
coupondataurl = "http://spweb.whenu.com/pop_up/"
InstallTime = "20080107151459"
zip = ""
newuser_rs = "Y"
startTime_rs = "20080107151630"
db_script_update = "1002200106"
IPToMsaTime_rs = "20080107231510"

Other details

To mark the presence in the system, the following Mutex objects were created:

WhenU_DesktopToolbar_SharedMutex
WhenUSearch_UI_Mutex/WHSE
WhenU_WhenUSearch_SharedMutex

The following ports were open in the system:

Port	Protocol	Process
1038	UDP	whse.exe (%ProgramFiles%\DAEMON Tools SearchBar\whse.exe)
1041	UDP	Search.exe (%ProgramFiles%\DAEMON Tools SearchBar\Search.exe)
1046	UDP	whse.exe (%ProgramFiles%\DAEMON Tools SearchBar\whse.exe)
1048	TCP	Search.exe (%ProgramFiles%\DAEMON Tools SearchBar\Search.exe)
1049	UDP	Search.exe (%ProgramFiles%\DAEMON Tools SearchBar\Search.exe)

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
spweather.whenu.com	80	(null)	(null)
akapp.whenu.com	80	(null)	(null)
app.whenu.com	80	(null)	(null)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.