IF YOU THINK IT`S SAFE GO HERE

JohnF.

You are probably right for the following reasons:

1. This is beta software and as such, is not kept as current as other
programs.
2. This software company uses a different set of rules for determining what
qualifies as spyware, adware, or malware.
3. This version of software does not concern itself with cookies or data
miners since that is an issue of privacy, not actual spyware. They may add
a cookie tool of sorts later if they determine it is needed or wanted
legitimately.
4. No one program can protect you from any problem we face in this world,
technological or otherwise.

JohnF.
 
Bill Sanderson

I did this.

On my system, with Microsoft Antispyware running, it detected 25 items.

23 were cookies, which Microsoft Antispyware doesn't scan for, and which
don't bother me.

2 were commercial RATs--VNC variants which I have knowingly installed, and
have Microsoft Antispyware set to always ignore.

And, the last, was SearchSquire--I believe this is the same false positive
that has so incensed folks when Microsoft Antispyware detects it.

Nothing surprising seen here.
 
Bill Sanderson

After some more careful checking--the entity detected as "Xupiter
SearchSquire - Hijacker"
is:

E:\WINDOWS\system32\search~1.dll

This expands (on my system) to:

04/21/2001 09:01 AM 106,496 SEARCH~1.DLL SearchWorks2-6.dll

Although the shortname of this piece of code might be identical to a
shortname of a piece of SearchSquire, this file isn't listed in CA's
description of the bug:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074898

Digging through the registry, it appears to me that this file is a
legitimate part of the Google Toolbar--(which I'll freely admit is spyware
of a sort.)

So this looks like a false positive to me. Disabling or removing that file
will probably change the functionality of the Google toolbar, which would be
bad.

I've reported it via the reporting form reached via Contact at the bottom of
the page, but since that appears to be a generic report for the whole
website, and not specific to the PestScan, I'm not sure the feedback will
reach the right folks.

So--to recap my experience with this scanner: It found 23 cookies which I
know are not scanned for by Microsoft Antispyware, and which I don't worry
about.

It found 2 commercial RATS (VNC variants) which I have knowingly installed.

And, it found a legitimate piece of the Google toolbar, and labelled it as
Xupiter SearchSquire. Had it removed or quarantined this piece of code,
functionality of the Google toolbar would have been impacted.

I'm not finding anything here to either worry me or excite me.
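
The short-name collision suspected in the post above, as an added example that is not part of the original thread: a rule keyed only on an 8.3 alias such as `SEARCH~1.DLL` cannot tell two long file names apart. The signature, the long name `SearchSquire.dll` and all file contents below are constructed assumptions, and the alias generation is simplified to the `~1`..`~9` form.

```python
import hashlib
import re


def short_name(long_name, taken=()):
    """Simplified 8.3 alias: first six legal chars + ~N, extension cut to three.

    Only the ~1..~9 numeric-tail form is modelled; real file systems have more cases.
    """
    upper = long_name.upper()
    base, dot, ext = upper.rpartition(".")
    if not dot:                                  # name has no extension
        base, ext = upper, ""
    base = re.sub(r"[ .]", "", base)             # spaces and extra dots are dropped
    base = re.sub(r"[+,;=\[\]]", "_", base)      # characters illegal in 8.3 names
    ext = ext.replace(" ", "")[:3]
    suffix = "." + ext if ext else ""
    if len(base) <= 8 and base + suffix == upper:
        return upper                             # already a valid 8.3 name
    for n in range(1, 10):
        alias = f"{base[:6]}~{n}{suffix}"
        if alias not in taken:
            return alias
    raise ValueError("simplified model only covers ~1..~9")


def make_dir(entries):
    """Create files in order, assigning aliases the way a directory would."""
    files, taken = [], set()
    for long_name, data in entries:
        alias = short_name(long_name, taken)
        taken.add(alias)
        files.append({"long": long_name, "short": alias, "data": data})
    return files


# Constructed sample content and signature (the scanner's real rule is not on the page).
HIJACKER_BYTES = b"constructed hijacker sample"
TOOLBAR_BYTES = b"constructed toolbar sample"
SIG = {
    "threat": "Xupiter SearchSquire - Hijacker",
    "short": "SEARCH~1.DLL",                     # alias-only rule
    "long": "SEARCHSQUIRE.DLL",                  # hypothetical long name
    "sha256": hashlib.sha256(HIJACKER_BYTES).hexdigest(),
}


def name_only_hits(files):
    """Weak rule: flag anything whose 8.3 alias equals the signature's alias."""
    return [f["long"] for f in files if f["short"] == SIG["short"]]


def verified_hits(files):
    """Stronger rule: require the long name and the content hash to match."""
    return [
        f["long"]
        for f in files
        if f["long"].upper() == SIG["long"]
        and hashlib.sha256(f["data"]).hexdigest() == SIG["sha256"]
    ]


def demo():
    toolbar_only = make_dir([("SearchWorks2-6.dll", TOOLBAR_BYTES)])
    hijacker_only = make_dir([("SearchSquire.dll", HIJACKER_BYTES)])
    both = make_dir([("SearchWorks2-6.dll", TOOLBAR_BYTES),
                     ("SearchSquire.dll", HIJACKER_BYTES)])
    return {
        "toolbar_only": (name_only_hits(toolbar_only), verified_hits(toolbar_only)),
        "hijacker_only": (name_only_hits(hijacker_only), verified_hits(hijacker_only)),
        "both": (name_only_hits(both), verified_hits(both)),
    }


if __name__ == "__main__":
    for case, (weak, strong) in demo().items():
        print(f"{case:14} alias-only={weak} verified={strong}")
```

With both files in one directory the alias-only rule flags the toolbar file and misses the other one, because the alias depends on creation order rather than on what the file is.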
 
drew

And of all the things I mentioned, examine the one area
that your little mind chose to FOCUS ON?
 
DREW

Maybe I came off a little strong here, but in my
original post "PISSED OFF" I showed a familiarity with
this software before Microsoft got it, and if the
signatures for finding certain spyware and malware (no
mention of cookies, for I would have gotten "ADAWARE
SE", which is all that's good for) are already incorporated
into the software, it should still keep finding that
issue. And I use my PC no less than 14 hrs per day;
I ran this piece of software no less than twice per
day. Something is very CONSPIRATORIAL HERE.
 
DREW

I AM EVER SO HAPPY FOR YOU. JUST STAY ON TOP OF IT
FROM TIME TO TIME. IN 3 WEEKS YOU MAY BE, BUT I HOPE
NOT, MY ECHO.
 
JohnF.

If you OWNED the software before MS bought it, MS advises you continue to
use THAT one because MS is making changes and beta testing those changes
now. However you mentioned you were only using it as a trial, no purchase.
If you had NO familiarity with Giant and never used their software or never
heard of them, your conspiracy claim MIGHT be taken a little more calmly but
since you were using it, it comes off as childish and stupid, throwing your
tantrum over a utility not doing a few things you want and you didn't even
pay for.

My computer runs 24 hours a day and sometimes I'm often using it that long
so welcome to the club.

I could care less about cookies - only the ones I want get on my machine
anyway.

JohnF.
 
Bill Sanderson

Drew--if I hear you correctly, you believe that Microsoft has turned off
detection for some items which the predecessor Giant product detected.

You believe this because these items are present on your system, and are
detected by this online scanner?

Are you absolutely certain you never chose Ignore Always for these items?

If you uninstall Microsoft Antispyware, and blow away the contents of the
directory in which it was installed, and then Reinstall Microsoft
Antispyware-are these items still not detected?
 
DREW

DO NOT REALLY WANT TO BE HERE IN A PISSING CONTEST,
SO THANK YOU SO MUCH FOR HEARING THRU MY ANGER AND
DISAPPOINTMENT IN THE SOFTWARE.
THEY, MICROSOFT, HAD THESE THINGS TURNED ON FOR SOME
TIME AFTER THE TAKEOVER, AND IT FUNCTIONED BEAUTIFULLY.
I BEGAN TO NOTICE EARLY LAST WEEK THAT BEARSHARE AND
GNUTELLA, AND 2 OTHER ITEMS I TOLD IT TO IGNORE,
WERE NOT SHOWING UP IN MY TWICE-DAILY SCANS. THEY
WERE, HOWEVER, STILL ON MY MACHINE (I'VE STAYED ON TOP
OF MONITORING THEM WITH SCANS, OFTEN, FOR I'VE FOUND
THEY BRING FRIENDS AND FAMILY TO THE PICNIC).
I UNINSTALLED THE SOFTWARE THRU ADD/REMOVE, THEN USED
REGEDIT AND SCOURED THE REGISTRY FOR ANY INSTANCES OF IT,
SEARCHING FOR GIANT AND MICROS ANTI. SPY, THEN DID A
CHECK FOR SHARED DLLS. SOME DLLS WOULD NOT MOVE; I
THEN USED "GIPO@MOVEONBOOT" TO REMOVE THEM, THEN
REINSTALLED. I WAS PRAYING IT WOULD THEN FIND WHAT I
KNEW WAS THERE. IT DID NOT, AND THAT'S WHEN I GOT
PISSED OFF, FOR I WOULD HAVE BOUGHT THE DAMNED PROGRAM,
A SOLID PROGRAM, IN 2 DAYS, AS OF THE TAKEOVER POINT, AND
WOULD HAVE BEEN IN UNDER THE WIRE.
AND NOW, IN MY OPINION, I HAVE A "DELIBERATE" BULLSHIT
PACKAGED SOFTWARE,
AND HAVE TO START RESEARCH FOR ANOTHER SOLID
ANTISPYWARE REMOVER.
 
Bill Sanderson

I downloaded bearshare from a gnutella link. It made it abundantly clear up front, both in displayed information screens and in the EULA, that ads were involved, and that it bundled WhenU's software. There was a separate EULA for WhenU displayed. On the install, I got an alert from Microsoft Antispyware that WhenU's Save??? was being installed with an allow/block choice. I allowed. I'm running a scan, and the scan has spotted WhenU's WeatherCast, so far.

OK - scan completed, and here's what was found:

The list includes three WhenU entries, and Bearshare.

Seems to work for me--these are still detected.

Spyware Scan Details
Start Date: 2/26/2005 9:35:24 PM
End Date: 2/26/2005 9:47:59 PM
Total Time: 12 mins 35 secs

Detected Threats

WhenU.SaveNow Adware more information...
Details: WhenU SaveNow displays pop-up advertisements.
Status: Ignored
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected registry keys/values detected


WhenU.WeatherCast Software Bundler more information...
Details: WhenU WeatherCast is adware supported software that displays pop-up advertisements.
Status: Ignored
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
E:\Program Files\VVSN\VVSN.exe
e:\documents and settings\bills\start menu\programs\weathercast
e:\program files\weathercast\uninst.exe
e:\program files\weathercast\weather.exe
e:\documents and settings\bills\start menu\programs\weathercast\weathercast.lnk

Infected folders detected
e:\documents and settings\bills\start menu\programs\weathercast
e:\program files\weathercast

Infected registry keys/values detected


WhenU.WhenUSearch Adware more information...
Details: WhenUSearch displays advertisements in pop-up windows.
Status: Ignored
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected registry keys/values detected


BearShare Software Bundler more information...
Details: BearShare is a file sharing network. The free version installs a number of known spyware and adware.
Status: Ignored
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected registry keys/values detected


Detected Spyware Cookies
No spyware cookies were found during this scan.
 
DREW

NOW I FEEL STUPID, FOR IT APPEARS TO BE MY MACHINE. THANK
YOU SO MUCH FOR ENTERTAINING ME AND WHAT I SAID, AND
NOT THE MANNER IN WHICH I SAID IT.
WELL AWARE OF THE EULA, AND WHAT I WAS GETTING WHEN I
GOT IT. WAS THAT CONFIDENT IN THE SOFTWARE AT THAT
POINT. NOW, WITH YOUR LAST INPUT, WELL AWARE: NOT A
CONSPIRACY, BUT A BETA THAT ONE OF THESE SPYWARE
THINGS SOMEWHAT DISARMED, ISOLATED TO MY MACHINE, EVEN
THOUGH I WENT THROUGH THE PAINS TO UNINS. AND
REINSTALL. BACK TO FIGURING OUT WHY AND HOW. THANKS.
-----Original Message-----
I downloaded bearshare from a gnutella link. It made it
abundantly clear up front, both in displayed information
screens and in the EULA, that ads were involved, and that
it bundled WhenU's software. There was a separate EULA
for WhenU displayed. On the install, I got an alert from
Microsoft Antispyware that WhenU's Save??? was being
installed with an allow/block choice. I allowed. I'm
running a scan, and the scan has spotted WhenU's
WeatherCast, so far.
OK - scan completed, and here's what was found:

The list includes three WhenU entries, and Bearshare.

Seems to work for me--these are still detected.

Spyware Scan Details
Start Date: 2/26/2005 9:35:24 PM
End Date: 2/26/2005 9:47:59 PM
Total Time: 12 mins 35 secs

Detected Threats

WhenU.SaveNow Adware more information...
Details: WhenU SaveNow displays pop-up advertisements.
Status: Ignored
Moderate threat - Moderate-risk items have some
potential for harm, but may be part of a wanted service.
Users may decide to ignore such programs after review.
Infected registry keys/values detected
WhenU.WeatherCast Software Bundler more information...
Details: WhenU WeatherCast is adware supported software
that displays pop-up advertisements.
Status: Ignored
Moderate threat - Moderate-risk items have some
potential for harm, but may be part of a wanted service.
Users may decide to ignore such programs after review.
Infected files detected
E:\Program Files\VVSN\VVSN.exe
e:\documents and settings\bills\start menu\programs\weathercast
e:\program files\weathercast\uninst.exe
e:\program files\weathercast\weather.exe
e:\documents and settings\bills\start menu\programs\weathercast\weathercast.lnk

Infected folders detected
e:\documents and settings\bills\start menu\programs\weathercast
e:\program files\weathercast

Infected registry keys/values detected


WhenU.WhenUSearch Adware more information...
Details: WhenUSearch displays advertisements in pop-up windows.
Status: Ignored
Moderate threat - Moderate-risk items have some
potential for harm, but may be part of a wanted service.
Users may decide to ignore such programs after review.
Infected registry keys/values detected


BearShare Software Bundler more information...
Details: BearShare is a file sharing network. The free
version installs a number of known spyware and adware.
Status: Ignored
Moderate threat - Moderate-risk items have some
potential for harm, but may be part of a wanted service.
Users may decide to ignore such programs after review.
Infected registry keys/values detected
Detected Spyware Cookies
No spyware cookies were found during this scan.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"DREW" <[email protected]> wrote in
message news:[email protected]...
 
Bill Sanderson

The steps you took in terms of uninstalling and reinstalling and cleaning up
sounded like the right things to do, to me. That's why I took the time to
try to replicate--it seemed to me that maybe the detections had actually
changed.

However, at least for Bearshare and WhenU, all looks fine at the moment.
 
