ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 5 August 2012, 18:10:28
Processing time: 10 min 56 sec
Submitted sample:

File MD5: 0xE12CDC3C2842840E23DA37878C161E12
File SHA-1: 0x859B8D65300551D6722DB3DC296A33D9FDEA272A
Filesize: 1,608,000 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\nsd9.tmp\Time.dll %Temp%\nsm5.tmp\Time.dll	10,752 bytes	MD5: 0x38977533750FE69979B2C2AC801F96E6 SHA-1: 0x74643C30CDA909E649722ED0C7F267903558E92A
2	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbar.crx	189,491 bytes	MD5: 0x22DB3583396C7BA1DC349BF60503F8AA SHA-1: 0x3E8FFBBC8782286984ABAE13A3CA744A224ED637
3	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarApp.dll	364,648 bytes	MD5: 0xAFFD51DE3C3DA607536EB5389D24ECFD SHA-1: 0xB8B0944FF65ADF5CF81C64EB5A3F7D602D63A0F3
4	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarEng.dll	578,152 bytes	MD5: 0x6592FC12A442063DDE762D85991896BC SHA-1: 0xB64B74D06E6D41E8FCA66C1D49E3D918BFF9D2F2
5	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarsrv.exe	370,280 bytes	MD5: 0x86B59A1F639C1333D0DBDDCA3438039C SHA-1: 0x45C85C29BA021B74AA8EDBB58A3B950E7C6F93B9
6	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarTlbr.dll	293,480 bytes	MD5: 0x7A8214D1CEB6E553373EB44800718416 SHA-1: 0x22AB331E6C9C7A86AFA541831C54791C1F8ABC27
7	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\bh\alnaddyToolbar.dll	268,904 bytes	MD5: 0xFD3872E6F1E7C3AD4074D6BB1897734A SHA-1: 0x9409510C7237540AD9DADE0F6C3111D134EAAB43
8	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\escortShld.dll	58,880 bytes	MD5: 0xB1A6C2DD585DB70760B42E2B4C01C6EC SHA-1: 0xD8364EE59D73B294E640582BE522DD1B3A6A0BCF
9	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\uninstall.exe	223,449 bytes	MD5: 0xC446BEA79C944A83C9F62154BA07BA00 SHA-1: 0x80D60E9964DC6F912B4BE6B10AE8D45B7274657A
10	c:\user.js	56 bytes	MD5: 0x34F4745BDC99F6ECF96A5F2B1EDCFE27 SHA-1: 0xDBB21462104F17AFD8A3BB6ABDADAD0BABC7CE8C
11	[file and pathname of the sample #1]	1,608,000 bytes	MD5: 0xE12CDC3C2842840E23DA37878C161E12 SHA-1: 0x859B8D65300551D6722DB3DC296A33D9FDEA272A

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%AppData%\Alnaddy.com
%AppData%\Alnaddy.com\alnaddyToolbar
%Temp%\mt_ffx
%Temp%\mt_ffx\Alnaddy.com
%Temp%\mt_ffx\Alnaddy.com\alnaddyToolbar
%Temp%\mt_ffx\Alnaddy.com\alnaddyToolbar\1.6.4.0
%Temp%\nsd9.tmp
%Temp%\nsm5.tmp
%ProgramFiles%\Alnaddy.com
%ProgramFiles%\Alnaddy.com\alnaddyToolbar
%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0
%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\bh
%ProgramFiles%\dimds
%ProgramFiles%\Mozilla Firefox
%ProgramFiles%\Mozilla Firefox\extensions
%ProgramFiles%\Mozilla Firefox\searchplugins

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
alnaddyToolbarsrv.exe	%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarsrv.exe	389,120 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	266,240 bytes
12.exe	%ProgramFiles%\dimds\12.exe	335,872 bytes
alnaddyToolbar4ie.exe	%Temp%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbar4ie.exe	335,872 bytes
alnaddyToolbar4ffx.exe	%Temp%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbar4ffx.exe	339,968 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AFE75FBA-AF4F-4F93-BE4E-9B58EDF370BF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D651E893-3D08-458D-A242-0E6B862E6507}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D651E893-3D08-458D-A242-0E6B862E6507}\Instl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D651E893-3D08-458D-A242-0E6B862E6507}\Instl\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D651E893-3D08-458D-A242-0E6B862E6507}\Instl\dfltLng
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B119FBCC-0FFA-4C0F-AEA6-2FCE4A3D3E12}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B119FBCC-0FFA-4C0F-AEA6-2FCE4A3D3E12}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B119FBCC-0FFA-4C0F-AEA6-2FCE4A3D3E12}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B119FBCC-0FFA-4C0F-AEA6-2FCE4A3D3E12}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDCF34FD-97CD-4707-9266-1DC19A9EF01D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDCF34FD-97CD-4707-9266-1DC19A9EF01D}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDCF34FD-97CD-4707-9266-1DC19A9EF01D}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDCF34FD-97CD-4707-9266-1DC19A9EF01D}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CFC4F268-E789-42E1-B255-FDFAE36C547F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CFC4F268-E789-42E1-B255-FDFAE36C547F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CFC4F268-E789-42E1-B255-FDFAE36C547F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CFC4F268-E789-42E1-B255-FDFAE36C547F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E55E0B19-457D-4ED3-B589-0103D41C83EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E55E0B19-457D-4ED3-B589-0103D41C83EC}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E55E0B19-457D-4ED3-B589-0103D41C83EC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E55E0B19-457D-4ED3-B589-0103D41C83EC}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3E11C16-FC77-47EB-9314-931BEB9C5C55}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3E11C16-FC77-47EB-9314-931BEB9C5C55}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3E11C16-FC77-47EB-9314-931BEB9C5C55}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3E11C16-FC77-47EB-9314-931BEB9C5C55}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7F4F65C-DA43-486C-92F4-5D35ACB81D11}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7F4F65C-DA43-486C-92F4-5D35ACB81D11}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7F4F65C-DA43-486C-92F4-5D35ACB81D11}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7F4F65C-DA43-486C-92F4-5D35ACB81D11}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEDFBB0E-4889-47EE-90E6-F88BFD927629}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEDFBB0E-4889-47EE-90E6-F88BFD927629}\ProxyStubClsid

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL]

AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL]

AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL]

AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL]

AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE]

AppID = "{AFE75FBA-AF4F-4F93-BE4E-9B58EDF370BF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]

(Default) = "escort"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]

(Default) = "escorTlbr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AFE75FBA-AF4F-4F93-BE4E-9B58EDF370BF}]

(Default) = "esrv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]

(Default) = "escortEng"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D651E893-3D08-458D-A242-0E6B862E6507}\Instl\dfltLng]

dfltLng = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D651E893-3D08-458D-A242-0E6B862E6507}\Instl\Data]

hrdId = "00cd1a40000000000000000000000000"
instlDay = 0x00003CC6
vrsni = "1.6.4.0"
afltId = "dsnr"
aflt = "dsnr"
smplGrp = "none"
tlbrId = "alnaddy1"
instlRef = ""
vrsnTs = "1.6.4.018:10:34"
tlbrSrchUrl = "http://www.alnaddy.com/search/?q="
uninstallAll = "false"
autoRvrt = "false"
admin = "false"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]

(Default) = "escortApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\VersionIndependentProgID]

(Default) = "alnaddy.alnaddyToolbarappCore"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\TypeLib]

(Default) = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\ProgID]

(Default) = "alnaddy.alnaddyToolbarappCore.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}\InprocServer32]

(Default) = "%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarApp.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0367444F-D6D9-4F8B-9323-BD44CC862221}]

(Default) = "appCore Object"
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\VersionIndependentProgID]

(Default) = "esrv.alnaddyToolbarESrvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\TypeLib]

(Default) = "{AFE75FBA-AF4F-4F93-BE4E-9B58EDF370BF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\ProgID]

(Default) = "esrv.alnaddyToolbarESrvc.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}\LocalServer32]

(Default) = ""%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarsrv.exe""
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{064BE2C6-2B35-4976-A13C-753C133105C7}]

(Default) = "escrtSrvc Object"
AppID = "{AFE75FBA-AF4F-4F93-BE4E-9B58EDF370BF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\VersionIndependentProgID]

(Default) = "a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\TypeLib]

(Default) = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\ProgID]

(Default) = "a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}\InprocServer32]

(Default) = "%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarEng.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{226EDA32-AC74-4FEB-913E-A299631E45E2}]

(Default) = "escrtAx Object"
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\VersionIndependentProgID]

(Default) = "alnaddy.alnaddyToolbarHlpr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\TypeLib]

(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\ProgID]

(Default) = "alnaddy.alnaddyToolbarHlpr.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}\InprocServer32]

(Default) = "%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\bh\alnaddyToolbar.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55928DD2-8878-4275-AAB3-B3A09A67A1EB}]

(Default) = "Alnaddy.com Helper Object"
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\VersionIndependentProgID]

(Default) = "alnaddy.alnaddyToolbardskBnd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\TypeLib]

(Default) = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\ProgID]

(Default) = "alnaddy.alnaddyToolbardskBnd.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}\InprocServer32]

(Default) = "%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\alnaddyToolbarTlbr.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3AED25-23AB-4543-B915-159449C37197}]

(Default) = "Alnaddy.com Toolbar"
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\VersionIndependentProgID]

(Default) = "escort.escortIEPane"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\TypeLib]

(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\ProgID]

(Default) = "escort.escortIEPane.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}\InprocServer32]

(Default) = "%ProgramFiles%\Alnaddy.com\alnaddyToolbar\1.6.4.0\bh\alnaddyToolbar.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE20B4F0-A56F-41CE-BFFC-FB7389CCB627}]

(Default) = "escortIEPane Object"
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}\TypeLib]

(Default) = "{E4A96F75-2664-427C-A921-EB652CFF4787}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{063922B3-931A-481A-A55E-4EB198BD9DFE}]

(Default) = "IXmlCnfg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}\TypeLib]

(Default) = "{E4A96F75-2664-427C-A921-EB652CFF4787}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1088C560-0B2F-48A8-A449-3DB6D53FF8BA}]

(Default) = "IXtrnlBsc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}\TypeLib]

(Default) = "{E4A96F75-2664-427C-A921-EB652CFF4787}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1A897D73-1756-4251-B841-D633A63BA73F}]

(Default) = "IEscortFctry"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}\TypeLib]

(Default) = "{E4A96F75-2664-427C-A921-EB652CFF4787}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E0C19C-6650-4788-88BB-71979CC3263F}]

(Default) = "IappCore"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}\TypeLib]

(Default) = "{E4A96F75-2664-427C-A921-EB652CFF4787}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{35039355-8B79-4EA2-8175-F18BAFC5E685}]

(Default) = "Ixtrnlmain"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}\TypeLib]

(Default) = "{E4A96F75-2664-427C-A921-EB652CFF4787}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA2C329-0D0F-40D0-AD69-4DDFF81D849F}]

(Default) = "IwebAtrbts"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B119FBCC-0FFA-4C0F-AEA6-2FCE4A3D3E12}\TypeLib]

(Default) = "{E4A96F75-2664-427C-A921-EB652CFF4787}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B119FBCC-0FFA-4C0F-AEA6-2FCE4A3D3E12}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B119FBCC-0FFA-4C0F-AEA6-2FCE4A3D3E12}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

SearchAssistant =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

Analysis of the file resources indicate the following possible country of origin:

Israel

To mark the presence in the system, the following Mutex objects were created:

_SHuassist.mtx
CritOpMutex
_!SHMSFTHISTORY!_

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
aff.dimds.com	80	(null)	(null)
www.alnaddy.com	80	(null)	(null)
reports.montiera.com	80	(null)	(null)

The following GET requests were made:

reports/jsRprt.srf?rid=nsis&nsisState=0&prdct=alnaddyToolbar&tlbrId=alnaddy1&aflt=dsnr&vrsn=1.6.4.0&instlRef=&hardId=00cd1a40000000000000000000000000&hostApp=IE&smplGrp=none&bho=0&tlbr=0&ie=6.0.2900.2180&ffx=&os=5.1&hp=+IE&ds=+IE&nt=&
tool/thanks-dnsr.php
?afltid=dsnr
index.jpg

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.