Topic: Adware PortalScan

[Clive]

Network Associates
Tue Dec 16 18:17:00 UTC 2003

This is not a virus or trojan.

This kind of application generally comes bundled with another program, which usually discloses the fact that it is ad-supported. Users agree to have the Adware installed in the license agreement, although they may not realise at first that this file was packaged with the product they installed.

This adware tries to connect to random ports and so creates security issues as outsiders are given access to internal files.

It may also degrade network performance of an organisation and use large amounts of storage.

The following Registry values are added to hook system at every startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ?absr?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ?Mwsvm?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ?slmss?
Other Registry values are created:

HKEY_LOCAL_MACHINE\Software\Mwsvm
HKEY_LOCAL_MACHINE\Software\slmss
This adware uses Microsoft's AdRotator package, so some users may observe an increase in pop-up ads.

Users who would like to check for the presence of potentially unwanted programs on their system should run the command line scanner with the /PROGRAM switch.

Symptoms  
Presence of the Registry keys listed above
 

 http://vil.nai.com/vil/content/v_100889.htm

Hopefully Ad-aware and Spybot will release updates for this very soon if they have not already done so.
 

 
 

[shootingshark]

Can simply deleting -Mwsvm and -slmss which follows Software after Hkey_Local_Machine cure this problem or make it worse?

[Adept]

Delving into the registry is always fraught with danger unless you have very good backups and know what you are doing Shootingshark. Best use Adaware or Spybot S&D to get rid of it for you.

Oh and BTW