Jonathan Holmes
StartNow Hyperbar is detected based on the presence of this CLSID in the
registry:
3F2BBC05-40DF-11D2-9455-00104BC936FF
Unfortunately, this CLSID is used in some sample source code found here:
http://members.shaw.ca/iedelphi/downloads/source/IEDocHostUIHandler.pas
Any application vendor utilising this sample source code without
intentionally modifying it to prevent this will inadvertently use the same
CLSID. This means that inferring the presence of spyware based on the
existence of this CLSID in the registry is not a reliable or sound thing to
do.
Below my signature is the result of a scan falsely detecting the presence of
this spyware in an application I wrote.
Jonathan Holmes
Details: StartNow Hyperbar redirects Internet Explorer search and homepage
URLs.
Status: Ignored
High threat - High risk threats typically are remotely exploitable
vulnerabilities, which can lead to system compromise. Successful
exploitation does not normally require any interaction. May open up
communication ports, use polymorphic tactics, stealth installations, and/or
anti-spy counter measures. May us a security flaw in the operating system to
gain access to your computer.
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
C:\PROGRA~1\ZONEOR~1\ZONEOR~1.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
ZoneOrchestrator.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
Implements DocHostUIHandler
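The post's point is that a CLSID key on its own is a weak indicator: any program built from the same sample source registers the same CLSID. The Python below is an added example, not code from the original post or from any scanner, and it rebuilds the flagged keys from the quoted scan output, then compares a CLSID-only rule with one that also requires a ProgID or server executable belonging to the spyware itself. The ProgID and executable name used for StartNow Hyperbar are placeholders, because the post does not give the spyware's own values; the registry dictionary shape and the rule format are assumptions made for the example.

```python
import ntpath

# Constructed from the scan output quoted in the post: the keys and values the
# scanner reported under the CLSID shared with the IEDocHostUIHandler sample.
SHARED_CLSID = "3F2BBC05-40DF-11D2-9455-00104BC936FF"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"


def clsid_key(clsid):
    """Full registry path of a CLSID key under HKLM\\SOFTWARE\\Classes."""
    return CLSID_ROOT + "\\{" + clsid + "}"


SAMPLE_REGISTRY = {
    clsid_key(SHARED_CLSID): {"": "Implements DocHostUIHandler"},
    clsid_key(SHARED_CLSID) + r"\LocalServer32": {"": r"C:\PROGRA~1\ZONEOR~1\ZONEOR~1.EXE"},
    clsid_key(SHARED_CLSID) + r"\ProgID": {"": "ZoneOrchestrator.DocHostUIHandler"},
}

# Indicator for StartNow Hyperbar. The CLSID is the one the post names; the
# ProgID and executable name are PLACEHOLDERS, since the post does not give
# the spyware's own registration values.
STARTNOW_HYPERBAR = {
    "clsid": SHARED_CLSID,
    "progids": {"PLACEHOLDER.StartNowHyperbar"},
    "server_exes": {"PLACEHOLDER-HYPERBAR.EXE"},
}


def clsid_values(registry, clsid):
    """Return (ProgID, server executable basename) registered under the CLSID.

    Either element is None when the corresponding subkey is absent.
    """
    base = clsid_key(clsid)
    progid = registry.get(base + r"\ProgID", {}).get("")
    server = None
    for sub in (r"\LocalServer32", r"\InprocServer32"):
        path = registry.get(base + sub, {}).get("")
        if path:
            server = ntpath.basename(path.strip('"')).upper()
            break
    return progid, server


def clsid_only_match(registry, indicator):
    """The rule the scanner in the post appears to use: flag if the CLSID key exists."""
    return clsid_key(indicator["clsid"]) in registry


def corroborated_match(registry, indicator):
    """Require the CLSID plus a second value that belongs to the spyware itself."""
    if not clsid_only_match(registry, indicator):
        return False
    progid, server = clsid_values(registry, indicator["clsid"])
    return progid in indicator["progids"] or server in indicator["server_exes"]


def assess(registry, indicator):
    """Both verdicts side by side, with the values that decided the stronger rule."""
    progid, server = clsid_values(registry, indicator["clsid"])
    return {
        "clsid_only": clsid_only_match(registry, indicator),
        "corroborated": corroborated_match(registry, indicator),
        "progid": progid,
        "server": server,
    }


def with_values(registry, clsid, progid, server_path):
    """Constructed variant: the same CLSID registered by a different program."""
    reg = dict(registry)
    reg[clsid_key(clsid) + r"\ProgID"] = {"": progid}
    reg[clsid_key(clsid) + r"\LocalServer32"] = {"": server_path}
    return reg


if __name__ == "__main__":
    # The poster's application: CLSID-only fires, the corroborated rule does not.
    print("Poster's application:", assess(SAMPLE_REGISTRY, STARTNOW_HYPERBAR))
    # A constructed registration carrying the placeholder spyware values.
    spy = with_values(SAMPLE_REGISTRY, SHARED_CLSID,
                      "PLACEHOLDER.StartNowHyperbar",
                      r"C:\PLACEHOLDER\PLACEHOLDER-HYPERBAR.EXE")
    print("Placeholder spyware registration:", assess(spy, STARTNOW_HYPERBAR))
```

On the poster's registry listing the CLSID-only rule reports an infection while the corroborated rule does not, because the ProgID and LocalServer32 path both point at ZoneOrchestrator rather than at the spyware. Real-world LocalServer32 values can carry quoting or command-line arguments, so a production check would parse the path more carefully than the basename extraction here.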