ThreatExpert Report: Adware.Mostofate!ct, Trojan.ADH.2, not-a-virus:AdWare.Win32.Mostofate.bn..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 19 November 2011, 19:56:08
Processing time: 9 min 16 sec
Submitted sample:

File MD5: 0xCA850C66B61FBB1B2BC5386CBD688E16
File SHA-1: 0xEC3B5CD5CDF4B30CA21729DE33DAF234C3128B00
Filesize: 477,260 bytes
Alias:

Adware.Mostofate!ct [PCTools]
Trojan.ADH.2 [Symantec]
not-a-virus:AdWare.Win32.Mostofate.bn [Kaspersky Lab]
Generic PUP.z [McAfee]
not-a-virus:AdWare.Win32.Mostofate [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\Power Search Tool\alert_plugin.dll	163,840 bytes	MD5: 0x158C277933F08F600C946C45A7AC681C SHA-1: 0x2A93F38EB6B65350B013E54D946B2025E177A8AE	(not available)
2	%ProgramFiles%\Power Search Tool\basis.xml	107,399 bytes	MD5: 0xCB030172B4FC382CFB070753613F819F SHA-1: 0x82302BFC523BF87F5F48FC9A603C4F4AF5041ECB	(not available)
3	%ProgramFiles%\Power Search Tool\ebay.bmp	2,096 bytes	MD5: 0xD406D427E9F2DCBF63587F08AD74D3F5 SHA-1: 0x264742566D772574C125BF24F323C91846E05BE2	(not available)
4	%ProgramFiles%\Power Search Tool\icons.bmp	97,590 bytes	MD5: 0x88DC8A9A7B09D586C28BC2206DF66C76 SHA-1: 0x78FBDA4840D7DFF914ABCC05B9A080C7F254220B	(not available)
5	%ProgramFiles%\Power Search Tool\logo-4.bmp	3,324 bytes	MD5: 0x5F1B51C7A3AD7F1B3250A3D703C9FA6A SHA-1: 0x54AF0A860FFA4820641474A8F0BFC9E83E607C74	(not available)
6	%ProgramFiles%\Power Search Tool\mbback.bmp	2,398 bytes	MD5: 0x553E309D528593633FE2DA8341FBE16F SHA-1: 0xBA76B1F242CF8AEE292CB3E4B6A6C38C966AA65E	(not available)
7	%ProgramFiles%\Power Search Tool\mbbigopen.bmp	4,014 bytes	MD5: 0x75DDE9037D8184B97B003CA689E0CA88 SHA-1: 0x7E2A0696498B79D4621B1154C2B57449D9BC5F9E	(not available)
8	%ProgramFiles%\Power Search Tool\mbclose.bmp	3,294 bytes	MD5: 0x677B91E52A88C3A5BAC734B22D8831B0 SHA-1: 0x6FFFBC494C8D7C5A65E9925486EEA7E94DB37EA0	(not available)
9	%ProgramFiles%\Power Search Tool\mbfwd.bmp	2,398 bytes	MD5: 0x20F115D3560D5F05AB901C5229BF0339 SHA-1: 0x7BDF6E770E78BD653CB3CA4FCC1696640110E762	(not available)
10	%ProgramFiles%\Power Search Tool\mbsep.bmp	414 bytes	MD5: 0x54B0E04BDD8E228519F458C81F70B43D SHA-1: 0xF2A9C26F299A1D610A46FC111291B17B83484819	(not available)
11	%ProgramFiles%\Power Search Tool\nav1c.bmp	894 bytes	MD5: 0x5D003713F982D1B287EB40EDE3DF9DD5 SHA-1: 0x41F4E85C3348EF5CA46C3E6D21EF3E520D2D2B32	(not available)
12	%ProgramFiles%\Power Search Tool\options.html	5,974 bytes	MD5: 0x8392FE54A2718D8E2D22BD6F984A9132 SHA-1: 0x391D8600E328A1308C2110CBFCC833C6B29B8748	(not available)
13	%ProgramFiles%\Power Search Tool\PowerSearchTool4_0.crc	220 bytes	MD5: 0xE65BBA6200C5B1BEEC350845B5D4A81B SHA-1: 0x8B5EEC102D442DA904CB932296354FCE5607DA27	(not available)
14	%ProgramFiles%\Power Search Tool\PowerSearchTool4_0.dll	868,424 bytes	MD5: 0xE3B45272494D6811B6D14FAE053977AD SHA-1: 0x29C5603801FEA93E787FE4A486B9E9709888C3BA	Adware.Mostofate!ct [PCTools] Trojan.ADH.2 [Symantec] not-a-virus:AdWare.Win32.Mostofate.bn [Kaspersky Lab] not-a-virus:AdWare.Win32.Mostofate [Ikarus] Win-Trojan/Mostofate.868424 [AhnLab]
15	%ProgramFiles%\Power Search Tool\version.txt	51 bytes	MD5: 0x7EED939D83042AB4C263FB2777F34B46 SHA-1: 0xCEA784850F85AE429B08FF31F8C9F37F59DFF705	(not available)
16	[file and pathname of the sample #1]	477,260 bytes	MD5: 0xCA850C66B61FBB1B2BC5386CBD688E16 SHA-1: 0xEC3B5CD5CDF4B30CA21729DE33DAF234C3128B00	Adware.Mostofate!ct [PCTools] Trojan.ADH.2 [Symantec] not-a-virus:AdWare.Win32.Mostofate.bn [Kaspersky Lab] Generic PUP.z [McAfee] not-a-virus:AdWare.Win32.Mostofate [Ikarus]

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%ProgramFiles%\Power Search Tool
%ProgramFiles%\Power Search Tool\cache

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970.3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970.3\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBSB08970.TBSB08970Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_CURRENT_USER\Software\TBSB08970
HKEY_CURRENT_USER\Software\TBSB08970\Toolbar
HKEY_CURRENT_USER\Software\TBSB08970\Toolbar\tb_items

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\VersionIndependentProgID]

(Default) = "Toolbar3.TBSB08970"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\TypeLib]

(Default) = "{77AA25E8-6083-4949-A831-9CB11861DC10}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\ProgID]

(Default) = "Toolbar3.TBSB08970.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}\InprocServer32]

(Default) = "C:\PROGRA~1\POWERS~1\POWERS~1.DLL"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}]

(Default) = "TBSB08970 Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\VersionIndependentProgID]

(Default) = "TBSB08970.TBSB08970"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\TypeLib]

(Default) = "{77AA25E8-6083-4949-A831-9CB11861DC10}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\ProgID]

(Default) = "TBSB08970.TBSB08970.3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}\InprocServer32]

(Default) = "%ProgramFiles%\Power Search Tool\PowerSearchTool4_0.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A08C6464-8102-465D-BB4B-3C1458E7F57F}]

(Default) = "Power Search Tool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\TypeLib]

(Default) = "{77AA25E8-6083-4949-A831-9CB11861DC10}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}]

(Default) = "ISoftomateObj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\TypeLib]

(Default) = "{77AA25E8-6083-4949-A831-9CB11861DC10}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}]

(Default) = "IPosBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32]

(Default) = "%ProgramFiles%\Power Search Tool\PowerSearchTool4_0.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\Power Search Tool\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0]

(Default) = "Toolbar3 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar\CurVer]

(Default) = "TBSB08970.IEToolbar.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar\CLSID]

(Default) = "{A08C6464-8102-465D-BB4B-3C1458E7F57F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar]

(Default) = "IE Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar.1\CLSID]

(Default) = "{A08C6464-8102-465D-BB4B-3C1458E7F57F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.IEToolbar.1]

(Default) = "IE Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970\CurVer]

(Default) = "TBSB08970.TBSB08970.3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970\CLSID]

(Default) = "{A08C6464-8102-465D-BB4B-3C1458E7F57F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970]

(Default) = "Power Search Tool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970.3\CLSID]

(Default) = "{A08C6464-8102-465D-BB4B-3C1458E7F57F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBSB08970.TBSB08970.3]

(Default) = "Power Search Tool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970\CurVer]

(Default) = "Toolbar3.TBSB08970.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970\CLSID]

(Default) = "{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970]

(Default) = "TBSB08970 Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970.1\CLSID]

(Default) = "{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08970.1]

(Default) = "TBSB08970 Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{A08C6464-8102-465D-BB4B-3C1458E7F57F} = 00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7}]

(Default) = "TBSB08970"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBSB08970.TBSB08970Toolbar]

DisplayName = "Power Search Tool"
UninstallString = "regsvr32 /u /s "%ProgramFiles%\Power Search Tool\PowerSearchTool4_0.dll" "

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]

iexplore.exe = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

{A08C6464-8102-465D-BB4B-3C1458E7F57F} = 64 64 8C A0 02 81 5D 46 BB 4B 3C 14 58 E7 F5 7F

[HKEY_CURRENT_USER\Software\TBSB08970\Toolbar\tb_items]

tbs_button_0AEWRF = 0x00000001
tbs_combo_023021 = 0x00000001
tbs_button_025592 = 0x00000001
tbs_space_004279 = 0x00000001
tbs_button_001386 = 0x00000001
tbs_space_018666 = 0x00000001
tbs_button_001421 = 0x00000001
tbs_space_022905 = 0x00000001
tbs_button_011849 = 0x00000001
tbs_space_027353 = 0x00000001
tbs_button_028502 = 0x00000001
tbs_space_004188 = 0x00000001
tbs_button_002473 = 0x00000001
tbs_space_007319 = 0x00000001
tbs_button_002728 = 0x00000001
tbs_space_011135 = 0x00000001
tbs_button_019762 = 0x00000001
tbs_space_006973 = 0x00000001
tbs_button_024741 = 0x00000001
tbs_space_015854 = 0x00000001
tbs_button_018765 = 0x00000001
tbs_space_015018 = 0x00000001
tbs_button_016693 = 0x00000001
tbs_menu_029483 = 0x00000001
tbs_item_002981 = 0x00000001
tbs_item_008614 = 0x00000001
tbs_item_005395 = 0x00000001
tbs_item_030183 = 0x00000001
tbs_item_009918 = 0x00000001
tbs_separator_030758 = 0x00000001
tbs_item_019550 = 0x00000001
tbs_menu_006860 = 0x00000001
tbs_item_000036 = 0x00000001
tbs_item_023796 = 0x00000001
tbs_item_028244 = 0x00000001
tbs_item_010975 = 0x00000001
tbs_item_015281 = 0x00000001
tbs_item_028101 = 0x00000001
tbs_separator_021426 = 0x00000001
tbs_item_024956 = 0x00000001
tbs_item_015727 = 0x00000001
tbs_item_016385 = 0x00000001
tbs_item_016586 = 0x00000001
tbs_item_031618 = 0x00000001
tbs_menu_024274 = 0x00000001
tbs_item_004713 = 0x00000001
tbs_item_000812 = 0x00000001
tbs_item_014123 = 0x00000001
tbs_separator_008843 = 0x00000001
tbs_item_018689 = 0x00000001
tbs_menu_022237 = 0x00000001
tbs_item_003596 = 0x00000001
tbs_item_008385 = 0x00000001

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

{0E5CBF21-D15F-11D0-8301-00AA005B4383} =
ITBarLayout =

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
74.125.47.155	80
74.125.47.165	80
74.208.31.229	80

The data identified by the following URLs was then requested from the remote web server:

http://pagead2.googlesyndication.com/pagead/js/r20111110/r20110914/show_ads_impl.js
http://pagead2.googlesyndication.com/pagead/render_ads.js
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://www.powersearchtool.com/after-install/?pstv=4
http://www.powersearchtool.com/images/power-search-tool-head_02.gif
http://www.powersearchtool.com/images/powersearchtool_10.jpg
http://www.powersearchtool.com/images/powersearchtool_12.gif
http://www.powersearchtool.com/images/search-title-back-g.gif
http://www.powersearchtool.com/images/pst-footer-back_06.gif
http://www.powersearchtool.com/images/search-tool-over_05.gif
http://www.powersearchtool.com/images/pst-top-nav-over_07.gif
http://www.powersearchtool.com/after_install/?pstv=4
http://www.powersearchtool.com/images/pst-top-nav-over_05.gif
http://www.powersearchtool.com/images/pst-top-nav-over_04.gif
http://www.powersearchtool.com/images/get-it-now-over.gif
http://www.powersearchtool.com/images/pst-top-nav-over_06.gif
http://www.powersearchtool.com/Tell_Friends/
http://www.powersearchtool.com/styles/main.css
http://www.powersearchtool.com/images/pst-top-nav_04.gif
http://www.powersearchtool.com/images/pst-top-nav_06.gif
http://www.powersearchtool.com/images/pst-top-nav_05.gif
http://www.powersearchtool.com/images/pst-top-nav_07.gif

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.