Security Center / PUA.Imali

PUA.Imali

Updated: June 26, 2015 7:22:39 PM
Type: Potentially Unwanted App
Infection Length: Varies
Risk Impact: Low
Systems Affected: Windows

Behavior

PUA.Imali is a potentially unwanted application that bundles other potentially unwanted applications with it.

Antivirus Protection Dates

Initial Rapid Release version May 27, 2015 revision 008
Latest Rapid Release version September 22, 2016 revision 024
Initial Daily Certified version June 26, 2015
Latest Daily Certified version September 22, 2016 revision 025
Initial Weekly Certified release date July 01, 2015

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Updated: June 26, 2015 7:22:39 PM
Type: Potentially Unwanted App
Infection Length: Varies
Risk Impact: Low
Systems Affected: Windows

When the program is installed, it creates the following files:

%ProgramFiles%\Mozilla Firefox\browser\searchplugins\mystartsearch.xml
%ProgramFiles%\XTab\BrowerWatchCH.dll
%ProgramFiles%\XTab\BrowerWatchFF.dll
%ProgramFiles%\XTab\BrowserAction.dll
%ProgramFiles%\XTab\CmdShell.exe
%ProgramFiles%\XTab\conf
%ProgramFiles%\XTab\ffsearch_toolbar!1.0.0.1031.xpi
%ProgramFiles%\XTab\HPNotify.exe
%ProgramFiles%\XTab\IeWatchDog.dll
%ProgramFiles%\XTab\install.data
%ProgramFiles%\XTab\msvcp110.dll
%ProgramFiles%\XTab\msvcr110.dll
%ProgramFiles%\XTab\ProtectService.exe
%ProgramFiles%\XTab\searchProvider.xml
%ProgramFiles%\XTab\skin\about.png
%ProgramFiles%\XTab\skin\about_bk.png
%ProgramFiles%\XTab\skin\btn.png
%ProgramFiles%\XTab\skin\btn_apply.png
%ProgramFiles%\XTab\skin\close.png
%ProgramFiles%\XTab\skin\conf.xml
%ProgramFiles%\XTab\skin\conf_back.png
%ProgramFiles%\XTab\skin\input_bk.png
%ProgramFiles%\XTab\skin\logo.png
%ProgramFiles%\XTab\skin\main.xml
%ProgramFiles%\XTab\skin\radio_1.png
%ProgramFiles%\XTab\skin\radio_2.png
%ProgramFiles%\XTab\skin\rigth_arrow.png
%ProgramFiles%\XTab\skin\settings.png
%ProgramFiles%\XTab\SupTab.dll
%ProgramFiles%\XTab\uninstall.exe
%ProgramFiles%\XTab\web\data.html
%ProgramFiles%\XTab\web\img\google_trends.png
%ProgramFiles%\XTab\web\img\icon128.png
%ProgramFiles%\XTab\web\img\icon16.png
%ProgramFiles%\XTab\web\img\icon48.png
%ProgramFiles%\XTab\web\img\loading.gif
%ProgramFiles%\XTab\web\img\logo32.ico
%ProgramFiles%\XTab\web\indexIE.html
%ProgramFiles%\XTab\web\indexIE8.html
%ProgramFiles%\XTab\web\js\common.js
%ProgramFiles%\XTab\web\js\ga.js
%ProgramFiles%\XTab\web\js\jquery-1.11.0.min.js
%ProgramFiles%\XTab\web\js\jquery.autocomplete.js
%ProgramFiles%\XTab\web\js\jquery.xdomainrequest.min.js
%ProgramFiles%\XTab\web\js\js.js
%ProgramFiles%\XTab\web\js\library.js
%ProgramFiles%\XTab\web\js\xagainit-ie8.js
%ProgramFiles%\XTab\web\js\xagainit2.0.js
%ProgramFiles%\XTab\web\js\xdomain.min.js
%ProgramFiles%\XTab\web\main.css
%ProgramFiles%\XTab\web\ver.txt
%ProgramFiles%\XTab\web\_locales\en-US\messages.json
%ProgramFiles%\XTab\web\_locales\es-419\messages.json
%ProgramFiles%\XTab\web\_locales\es-ES\messages.json
%ProgramFiles%\XTab\web\_locales\fr-BE\messages.json
%ProgramFiles%\XTab\web\_locales\fr-CA\messages.json
%ProgramFiles%\XTab\web\_locales\fr-CH\messages.json
%ProgramFiles%\XTab\web\_locales\fr-FR\messages.json
%ProgramFiles%\XTab\web\_locales\fr-LU\messages.json
%ProgramFiles%\XTab\web\_locales\it-CH\messages.json
%ProgramFiles%\XTab\web\_locales\it-IT\messages.json
%ProgramFiles%\XTab\web\_locales\pl\messages.json
%ProgramFiles%\XTab\web\_locales\pt\messages.json
%ProgramFiles%\XTab\web\_locales\pt-BR\messages.json
%ProgramFiles%\XTab\web\_locales\ru\messages.json
%ProgramFiles%\XTab\web\_locales\ru-MO\messages.json
%ProgramFiles%\XTab\web\_locales\tr-TR\messages.json
%ProgramFiles%\XTab\web\_locales\vi-VI\messages.json
%ProgramFiles%\XTab\web\_locales\zh-CN\messages.json
%ProgramFiles%\XTab\web\_locales\zh-TW\messages.json
%SystemDrive%\Documents and Settings\All Users\Application Data\IHProtectUpDate\update\conf
%SystemDrive%\Documents and Settings\All Users\Application Data\WindowsMangerProtect\ProtectWindowsManager.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\WindowsMangerProtect\update\conf
%SystemDrive%\Documents and Settings\Administrator\Application Data\4C4C4544-1432875918-3810-8058-C7C04F4D3153\Uninstall.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\4C4C4544-1432875918-3810-8058-C7C04F4D3153\vnsg20.tmp
%SystemDrive%\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3ydui6lj.default\extensions\searchffv2@gmail.com
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\576.json
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\bg.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\bg1.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\bk_shadow.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\button.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\button1.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\checkbox.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\checkbox_select.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\checked.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\close.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\code\code1.jpg
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\code\code2.jpg
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\code\code3.jpg
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\code\code4.jpg
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\code\code5.jpg
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\code\code6.jpg
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\code\Thumbs.db
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\loading_bg.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\loading_light.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\min.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\scrollbar.bmp
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\Thumbs.db
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\images\unchecked.png
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\MessageBox.xml
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\uninstallDlg2.xml
%SystemDrive%\Documents and Settings\Administrator\Application Data\mystartsearch\UninstallManager.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\VOPackage\Uninstall.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\VOPackage\VOPackage.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_64.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_76.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\prog1.exe

The program creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\AIM Toolbar = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\AskPartnerNetwork = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} = LuckyTab Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}\InprocServer32 = %ProgramFiles%\XTab\SupTab.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}\InprocServer32\ThreadingModel = 410070006100720074006D0065006E0074000000
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}\Programmable = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}\TypeLib = {7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F}\Version = 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8} = IIETabPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid = 7B00300030003000320030003400320034002D0030003000300030002D0030003000300030002D00
43003000300030002D003000300030003000300030003000300030003000340036007D000000
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32 = 7B00300030003000320030003400320034002D0030003000300030002D0030003000300030002D00
43003000300030002D003000300030003000300030003000300030003000340036007D000000
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib = {7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib\Version = 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}\1.0 = SupTabLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}\1.0\0\win32 = %ProgramFiles%\XTab\SupTab.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}\1.0\FLAGS = 30000000
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}\1.0\HELPDIR = %ProgramFiles%\XTab
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command = "%ProgramFiles%\Mozilla Firefox\firefox.exe" http://www.mystartsearch.com/?type=sc&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command = %ProgramFiles%\Internet Explorer\iexplore.exe http://www.mystartsearch.com/?type=sc&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\IHProtect\ptid = ima
HKEY_LOCAL_MACHINE\SOFTWARE\Iminent = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\DirectDraw\MostRecentApplication\Name = CrashReport_v6.2.7601.963.exe
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\DirectDraw\MostRecentApplication\ID = 541FEDFA
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\GDIPlus = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\Main\Start Page = http://www.mystartsearch.com/?type=hp&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\Main\Default_Page_URL = http://www.mystartsearch.com/?type=hp&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\Main\Search Page = http://www.mystartsearch.com/web/?type=ds&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509&q={searchTerms}
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\Main\Default_Search_URL = http://www.mystartsearch.com/web/?type=ds&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509&q={searchTerms}
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\Search\CustomizeSearch = http://www.mystartsearch.com/web/?type=ds&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509&q={searchTerms}
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\Search\SearchAssistant = http://www.mystartsearch.com/web/?type=ds&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509&q={searchTerms}
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\SearchScopes\DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\DisplayName = mystartsearch
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\URL = http://www.mystartsearch.com/web/?type=ds&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509&q={searchTerms}
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0F0000000100000014000000E35EF08D884F0A0ADE2F75E96301CE6230F213A8040000000
100000010000000D474DE575C39B2D39C8583C5C065498A0300000001000000140000005
FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC251D00000001000000100000008F76B981
D528AD4770088245E2031B630B0000000100000012000000440069006700690043006500
720074000000140000000100000014000000B13EC36903F8BF4701D498261A0802EF63642
BC36200000001000000200000007431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00B
A6ABD7806ED3B118CF5300000001000000230000003021301F06096086480186FD6C020
130123010060A2B0601040182373C0101030200C009000000010000003400000030320608
2B0601050507030106082B0601050507030206082B0601050507030406082B06010505070
30306082B06010505070308190000000100000010000000BA4F3972E7AED9DCCDC210DB59
DA13C95C0000000100000004000000000800002000000001000000C9030000308203C5308
202ADA003020102021002AC5C266A0B409B8F0B79F2AE462577300D06092A864886F70D0
101050500306C310B300906035504061302555331153013060355040A130C4469676943657
27420496E6331193017060355040B13107777772E64696769636572742E636F6D312B30290
603550403132244696769436572742048696768204173737572616E636520455620526F6F7
4204341301E170D3036313131303030303030305A170D3331313131303030303030305A306
C310B300906035504061302555331153013060355040A130C446967694365727420496E633
1193017060355040B13107777772E64696769636572742E636F6D312B30290603550403132
244696769436572742048696768204173737572616E636520455620526F6F74204341308201
22300D06092A864886F70D01010105000382010F003082010A0282010100C6CCE573E6FBD4
BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD0
98A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6AB
A65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D
72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656
187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D3
5A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838
AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB0203010001A36
33061300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D
0603551D0E04160414B13EC36903F8BF4701D498261A0802EF63642BC3301F0603551D23041
830168014B13EC36903F8BF4701D498261A0802EF63642BC3300D06092A864886F70D01010
5050003820101001C1A0697DCD79C9F3C886606085721DB2147F82A67AABF183276401057C
18AF37AD911658E35FA9EFC45B59ED94C314BB891E8432C8EB378CEDBE3537971D6E521940
1DA55879A2464F68A66CCDE9C37CDA834B1699B23C89E78222B7043E35547316119EF58C5
852F4E30F6A0311623C8E7E2651633CBBF1A1BA03DF8CA5E8B318B6008892D0C065C52B7C
4F90A98D1155F9F12BE7C366338BD44A47FE4262B0AC497690DE98CE2C01057B8C8761291
55F24869D8BC2A025B0F44D42031DBF4BA70265D90609EBC4B17092FB4CB1E4368C90727
C1D25CF7EA21B968129C3C9CBF9EFC805C9B63CDEC47AA252767A037F300827D54D7A9F8E
92E13A377E81F4A
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\SystemCertificates\AuthRoot\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob = 190000000100000010000000BB048F1838395F6FC3A1F3D2B7E9765403000000010000001400
00008F43288AD272F3103B6FB1428485EA3014C0BCFE69000000010000000E000000300C060
A2B0601040182373C03021D0000000100000010000000EEB61628D6A59948D98A184DDD686
1C0140000000100000014000000722D3A02319043B914054EE1EAA7C731D123893462000000
0100000020000000847DF6A78497943F27FC72EB93F9A637320A02B561D0A91B09E87A7807ED
7C610B00000001000000540000004D006900630072006F0073006F0066007400200052006F00
6F00740020004300650072007400690066006900630061007400650020004100750074006800
6F007200690074007900200032003000310031000000040000000100000010000000CE0490D5E
56C34A5AE0BE98BE581185D2000000001000000F1050000308205ED308203D5A003020102021
03F8BC8B5FC9FB29643B569D66C42E144300D06092A864886F70D01010B0500308188310B300
9060355040613025553311330110603550408130A57617368696E67746F6E3110300E06035504
0713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F72617
4696F6E31323030060355040313294D6963726F736F667420526F6F7420436572746966696361
746520417574686F726974792032303131301E170D3131303332323232303532385A170D33363
03332323232313330345A308188310B3009060355040613025553311330110603550408130A5
7617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154
D6963726F736F667420436F72706F726174696F6E31323030060355040313294D6963726F736F
667420526F6F7420436572746966696361746520417574686F726974792032303131308202223
00D06092A864886F70D01010105000382020F003082020A0282020100B28041AA35384D1372
3268224DB8B2F1FFD552BC6CC7F5D24A8C36EED1C25C7E8C8AAEAF13286FC073E33ACED025
A85A3A6DEFA8B859AB132368CD0C2987D16F805C8F447F5D90015258AC51C55F2A87DCDCD
80A1DC103B97BB056E8A3DE6461C29EF8F37CB9EC0DB554FE4CB6654F88F09C48990C420B0
97C315917790678288D893A4C0325BE716A5C0BE78460A49922E3D2AF84A4A7FBD198ED0CA
9DE9489E10EA0DCC0CE993DEA0852BB5679E41F84BA1EB8B4C4495C4F314B87DDDD056726
9980E07111A3B8A541E2A453B9F73229830C13BF365E04B34B43472F6BE2911ED3984FDD420
7C8E81D12FC99A96B3E927EC8D6693AFC64BDB6099DCAFD0C0BA29B77604B0394A4306912D
6422DC1414CCADCAAFD8F5B83469AD9FCB1D1E3B3C97F487ACD24F0418F5C74D0ACB01020
0649B7C72D21C857E3D086F30368FBD0CE71C189994A64016CFDEC3091CF413C92C7E5BA86
1D6184C75F833962AEB4922F47F30BF855EBA01F59D0BB749B1ED076E6F2E906D710E8FA64
DE69C635968802F046B83F27996FCB71892935F7481602358FD5797C4D02CF5FEB8A834F457
188F9A90D4E72E9C29C07CF491B4E040E63518C5ED800C1552CB6C6E0C2654EC93439F59CB
3C47EE8616E135F15C45FD97EED1DCEEE44ECCB2E86B1EC38F670EDAB5C13C1D90F0DC780B
255ED34F7AC9BE4C3DAE7473CA6B58F31DFC54BAFEBF10203010001A351304F300B060355
1D0F040403020186300F0603551D130101FF040530030101FF301D0603551D0E04160414722
D3A02319043B914054EE1EAA7C731D1238934301006092B0601040182371501040302010030
0D06092A864886F70D01010B050003820201007F72CF0FB7C515DB9BC049CA265BFE9E13E6D3
F0D2DB975FF24B3F4DB3AE19AEEDD797A0ACEFA93AA3C241B0E5B8919E13812403E609FD3F5
74039212456D1102F4B40A936864BB453579AFBF17E898F11FE186C51AAE8ED0995B5E571C9A
1E98775A6157FC97E37545E7493C5C367CC0D4F6BA8170C6D08927E8BDD81AA2D7021C33D0
614BBBF245EA784D73F0F2122BD4B0006DB971CD85ED4C50B5C876E50A4E8C338A4FBCB2CC
592669B855ECB7A6C937C8029585B57B54069BA0879A66462159D879645B5662320038B1C73
A0D3A27933E0505986DB2FE50225EA732A9F0014C836C7923BE94E00ECD85609B9334912D25
40B01ABAC47B691297D4CB475805201E8CA82F69FCCAC9C8F17EA2F26B0AB72AC0BFE9E511
EC74355674F51B357D6B6ECEE52B73AE94EE1D78188BC4F8E75BB4BA8F035AA26D4676749B27
04C3B93DC1DDF78908672B238A4D1DC924DC958EB2B125CD43BAE8C6BB083E5013FF80932F6
93353422AFDD370D7709802BCD4800F18C9919470501E9D1BFD14ED0E628433799A40A4A08D
99A7173D2AACD31136376A1376F92381E7D123C6632E7CB6DE1FC5289DDCAD666059A9661B
EA228C71CA3A736503C3AA4DF4A6EE6873BCEEBF0E081379D133C528EBDB91D34C61DD50A6
A3D9829708C892AD1AB8210481FDCF4EFA5C5BB551A3863844EB76CAD9554EC6522104917B8
C01EC70FAC5447
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob = 5C000000010000000400000000040000040000000100000010000000CA3DD368F1035CD032FAB
82B59E85ADB140000000100000014000000597912DE6175D66FC423B7771374C796DE6F88720B
000000010000003600000047005400450020004300790062006500720054007200750073007400
200047006C006F00620061006C00200052006F006F007400000009000000010000002A00000030
2806082B0601050507030406082B0601050507030206082B0601050507030106082B0601050507
030303000000010000001400000097817950D81C9670CC34D809CF794431367EF4741900000001
00000010000000B9632F69390C2F2D6B23E01FEC8C73890F0000000100000010000000E1B34A19
374FC710C61667B82E8F1C2C20000000010000005E0200003082025A308201C3020201A5300D0
6092A864886F70D01010405003075310B300906035504061302555331183016060355040A130F4
7544520436F72706F726174696F6E31273025060355040B131E4754452043796265725472757374
20536F6C7574696F6E732C20496E632E312330210603550403131A475445204379626572547275
737420476C6F62616C20526F6F74301E170D3938303831333030323930305A170D31383038313
33233353930305A3075310B300906035504061302555331183016060355040A130F4754452043
6F72706F726174696F6E31273025060355040B131E475445204379626572547275737420536F6C
7574696F6E732C20496E632E312330210603550403131A4754452043796265725472757374204
76C6F62616C20526F6F7430819F300D06092A864886F70D010101050003818D003081890281810
0950FA0B6F0509CE87AC788CDDD170E2EB094D01B3D0EF694C08A94C706C89097C8B8641A7A7E
6C3C53E1372873607FB29753079F53F96D5894D2AF8D6D886780E6EDB295CF7231CAA51C72BA5C
02E76442E7F9A92CD63A0DAC8D42AA240139E69C3F0185570D588745F8D385AA9369268570488
03F1215C779B41F052F3B62990203010001300D06092A864886F70D0101040500038181006DEB1B
09E95ED951DB672261A42A3C4877E3A07CA6DE73A21403853DFBAB0E30C58316338113089E7B3
44EDF40C874D7B97DDCF476557D9B635418E9F0EAF35CB1D98B421EB9C0954EBAFAD5E27CF568
61BF8EEC05975F5BB0D7A38534C424A70D0F9593EFCB94D89E1F9D5C856DC7AAAE4F1F22B5CD
95ADBAA7CCF9AB0B7A7F
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Usage\HandWritingFiles = 46BD0030
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\IminentToolbar = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\Linkey = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall\DisplayName = 6D00790073007400610072007400730065006100720063006800200075006E0069006E00730074
0061006C006C00000006
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall\UninstallString = 43003A005C0044006F00630075006D0065006E0074007300200061006E00640020005300650074
00740069006E00670073005C00410064006D0069006E006900730074007200610074006F007200
5C004100700070006C00690063006100740069006F006E00200044006100740061005C006D007
900730074006100720074007300650061007200630068005C0055006E0069006E0073007400610
06C006C004D0061006E0061006700650072002E00650078006500200020002D00700074006900
64003D0069006D006100000026
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall\DisplayIcon = C:\Documents and Settings\Administrator\Application Data\mystartsearch\UninstallManager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall\Publisher = mystartsearch
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\SearchProtect = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\VOPackage\Stats = 161
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\VOPackage\DisplayName = Remote Desktop Access (VuuPC)
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\VOPackage\UninstallString = "C:\Documents and Settings\Administrator\Application Data\VOPackage\Uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\VOPackage\DisplayIcon = "C:\Documents and Settings\Administrator\Application Data\VOPackage\Uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\VOPackage\Publisher = CMI Limited
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\VOPackage\DisplayVersion = 1.0.0.0
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\VOPackage\Source = MED01
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\Vosteran.com = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\WajIntEnhance = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\Windows\CurrentVersion\Uninstall\{D01A33E2-0A34-4659-82AA-8A90C51C0D21} = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\mystartsearchSoftware\mystartsearchhp\Time = DDEC675500000000
HKEY_LOCAL_MACHINE\SOFTWARE\mystartsearchSoftware\mystartsearchhp\oem = ima
HKEY_LOCAL_MACHINE\SOFTWARE\SearchProtect = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit = created registry key
HKEY_LOCAL_MACHINE\SOFTWARE\SupDp\dir = %ProgramFiles%\XTab
HKEY_LOCAL_MACHINE\SOFTWARE\supTab\ptid = ima
HKEY_LOCAL_MACHINE\SOFTWARE\supWindowsMangerProtect\ptid = ima
HKEY_LOCAL_MACHINE\SOFTWARE\WajIntEnhance = created registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowsMangerProtect\EventMessageFile = %SystemDrive%\Documents and Settings\All Users\Application Da
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowsMangerProtect\TypesSupported = 00000007
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IHProtect Service\Type = 00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IHProtect Service\Start = 00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IHProtect Service\ErrorControl = 00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IHProtect Service\DisplayName = IHProtect Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IHProtect Service\ImagePath = %ProgramFiles%\XTab\ProtectService.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsMangerProtect\Type = 00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsMangerProtect\Start = 00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsMangerProtect\ErrorControl = 00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsMangerProtect\DisplayName = WindowsMangerProtect Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsMangerProtect\ImagePath = %SystemDrive%\Documents and Settings\All Users\Application Data\WindowsMangerProtect\ProtectWindowsManager.exe -serviceuser\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData = C:\WINDOW\system32\config\systemprofile\Application Data
HKEY_CURRENT_USER\Software\AOL = created registry key
HKEY_CURRENT_USER\Software\APN PIP = created registry key
HKEY_CURRENT_USER\Software\HomeTab = created registry key
HKEY_CURRENT_USER\Software\Kromtech = created registry key
HKEY_CURRENT_USER\Software\Linkey = created registry key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = http://www.mystartsearch.com/?type=hp&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = http://www.mystartsearch.com/?type=hp&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=ima&utm_campaign=install_ie&utm_content=ds&from=ima&uid=3219913727_3941_7447F509&ts=1432875728&type=default&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = http://www.bing.com/favicon.ico
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURL = http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = C:\Documents and Settings\Administrator\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}\URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=ima&utm_campaign=install_ie&utm_content=ds&from=ima&uid=3219913727_3941_7447F509&ts=1432875728&type=default&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}\DisplayName = 65000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}\FaviconURL = http://www.mystartsearch.com//favicon.ico
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}\FaviconPath = C:\Documents and Settings\Administrator\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\DisplayName = mystartsearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=ima&utm_campaign=install_ie&utm_content=ds&from=ima&uid=3219913727_3941_7447F509&ts=1432875728&type=default&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\TopResultURL = http://www.mystartsearch.com/web/?type=ds&ts=1432874200&z=063e4065a6abbad4369ee6cgfz1c8o7bdm6zec0wft&from=ima&uid=3219913727_3941_7447F509&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}\URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=ima&utm_campaign=install_ie&utm_content=ds&from=ima&uid=3219913727_3941_7447F509&ts=1432875728&type=default&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}\DisplayName = Google
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}\FaviconURL = http://www.google.com/favicon.ico
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}\TopResultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}\FaviconPath = C:\Documents and Settings\Administrator\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 460000009C000000090000000000000000000000000000000400000000000000205763863899D0
0101000000C0A801F3000000000000000003000000020000000ADBCA6F00000000000000007900
5C004D0061006300680069006E0065005C0053006F006600740077006100720065005C0043006C
00610073007300650073005C0043004C005300490044005C007B00310038004400460030003800
310043002D0045003800410044002D0034003200380033002D0041003500390002000000C0A8E6
0100000000000000003200450042004400430033007D005C0049006E00500072006F00630053006
500720076006500720033003200000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
00000002000000C0A8C501000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000030000000090000000000000000000000000000000400000000000000205763863899D00
101000000C0A801F3000000000000000003000000020000000ADBCA6F000000000000000079005C
004D0061006300680069006E0065005C0053006F006600740077006100720065005C0043006C006
10073007300650073005C0043004C005300490044005C007B003100380044004600300038003100
43002D0045003800410044002D0034003200380033002D0041003500390002000000C0A8E60100
000000000000003200450042004400430033007D005C0049006E00500072006F006300530065007
20076006500720033003200000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
2000000C0A8C5010000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP = created registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IminentToolbar = created registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey = created registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect = created registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Vosteran.com = created registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WajIntEnhance = created registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D01A33E2-0A34-4659-82AA-8A90C51C0D21} = created registry key
HKEY_CURRENT_USER\Software\SearchProtectWS = created registry key
HKEY_CURRENT_USER\Software\SimplyTech\HomeTabWajIEnhance = created registry key
HKEY_CURRENT_USER\Software\TNT2\Settings = created registry key
HKEY_CURRENT_USER\Software\TNT2\TNT2Customize = created registry key
HKEY_CURRENT_USER\Software\TNT2\TNT2Data = created registry key
HKEY_CURRENT_USER\Software\TNT2\TNT2Partner = created registry key
HKEY_CURRENT_USER\Software\WajIntEnhance = created registry key
user\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000006000000010000000000000000000000000000000400000000000000009323EE6C17D0
01010000007F000001000000000000000000000000user\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec = 31000000D8

The program bundles third party applications with it during installation.

The program may change the settings for the browser homepage and the default search engine.

The program may redirect users to the following webpages:

www.adservingsolutionsinc.adk2.net
imali.adk2.com

Updated: June 26, 2015 7:22:39 PM
Type: Potentially Unwanted App
Infection Length: Varies
Risk Impact: Low
Systems Affected: Windows

You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan . If that does not resolve the problem you can try one of the options available below.

FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD .

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD .

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See in the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

PUA.Imali

Behavior

Antivirus Protection Dates

Information for

Our Offerings

Connect with us

About Symantec

Acquisitions