Here’s their press item:
http://www.softwarekb.com/news/2008/12/11/court-halts-bogus-computer-scans/

This group of rogue programs has made this past year interesting for me. I clean up these programs more than any other type of malware, and yes, I get paid. But all in all, I’d rather be upgrading hard drives and building new systems.

Before the install, I ran Hijack This and added everything to the ‘ignore’ list, and ran CCleaner, and accepted every registry issue found–it’s a clean test box, so there wasn’t much.

Started the install:

I chose all the default options:

At the truly arrogant file options, I made no changes–Nero wants to be your program for everything related to content. Apparently it’s more than a DVD burning program, in the opinion of the publisher.

At the install options, I again made no changes. Note the “Nero Scout” item at bottom left, unchecked by default.

The install completed without problems. I restarted the computer, and went looking. No new system tray icon appears, and no indication that I’ve installed anything more than a DVD burner. But wait, there’s something–in the Windows menus, in the Nero group, I see Nero Scout. Ooh, options. Here’s the view–it’s ON by default, and installed without asking:

Ran HijackThis again. There are only two new entries:
O4 – HKLM\..\Run: [NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O23 – Service: NMIndexingService – Nero AG –
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

So my DVD burner software includes a full indexing scan for files, also called ‘desktop search’, on by default, of all types (it’s on that ‘Files’ tab), with no system tray icon, and no obvious place to type in a search. What does this have to do with burning a DVD? (Nero, if you’re reading this, send me an answer–I’ll post it.)

I won’t comment much on the functionality of the product, except for one item: DVD-video functions (Nero Vision and some other areas) work for 30 days, then display an expired message. OK, I have no problem with a vendor trying to upsell, but announce that the product is half real and half 30-day trial in advance, and give me an option to uninstall the dead software chunks–I don’t need all this clutter.

Uninstalled. No error messages. Restarted the PC. Ran HijackThis a third time, and both autostart entries have been removed–good so far. Under C:\Program Files, there’s a leftover folder “Nero” containing 4 files and 2 more folders. Sloppy, but not unusually so. There’s a file left in the c:\WinNT folder, “NeroDigital.ini”.

Ran CCleaner, and checked the registry. Remember, I cleaned it before the install. There are now 380 registry errors. These are in the categories of:

‘Unused File Extension’ mostly for graphics still formats,

‘ActiveX/COM Issue’ for ‘AppCore.MediaSource,

‘Invalid or empty file class’ for CDmaker, and

several hundred “Open with Application Issue’ entries, pointing to “HKCR\NeroExpress.Files7…”

Overall results:
Is it startupware? Absolutely. It adds two autoplay entries, one totally unrelated to the program’s function, doesn’t ask permission before adding the unrelated functions, and turns on a processor-intensive application by silent default.

Recommendations–

First, don’t install with the defaults. Uncheck every file format on ALL the pages in the install options, except those that you’ll really use the program for. If in doubt, uncheck it.

Second, check off that box: “Configure Nero Scout on first usage” and then disable it.

Or find the autoplay entry for Nero Scout, it’s in Control Panel, Administrative Tools, Services, NMIndexingService–choose stop, and disable. Then find and delete the file:
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

And finally, consider some other program. This install doesn’t inspire trust.

The about.htm page asked me to install the Chinese Language Pack. Answered OK, it wanted the CD. I don’t get out of my chair that easily… clicked cancel. (Remember, I test like novices surf…) It took me back to the English about.htm page.

Found the how-to-use page, and let it install the Chinese keywords utility. The Install and Run warning, was properly signed by VeriSign, but the message was mostly bad font blocks. (No Chinese font loaded, as above.) Next, had a pop-up box all in Chinese, with one button. Clicked that, it went away. Nothing else happened. Restarted IE, nothing.

Restarted Win XP Home, and IE. There are 5 new icons in the tool bar, all Yahoo-related. Some Chinese characters appear in the right-end of the address bar.

All this was added to the autoplays, as reported by HijackThis:

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wpabaln.exe

R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
O2 – BHO: IE – {D157330A-9EF3-49F8-9A67-4141AC41ADD4} – C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 – HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 – HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O8 – Extra context menu item: Quick Search (Yisou.com) – res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 – Extra button: Short Message – {00000000-0000-0001-0001-596BAEDD1289} – http://sms.3721.com/ie/index.htm (file missing)
O9 – Extra button: Yahoo 1G mail – {507F9113-CD77-4866-BA92-0E86DA3D0B97} – http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 – Extra button: E bazar – {59BC54A2-56B3-44a0-93E5-432D58746E26} – http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*
http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 – Extra button: 3721 Assistant – {5D73EE86-05F1-49ed-B850-E423120EC338} –
http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 – Extra button: Instant Messenger – {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 – Extra button: (no name) – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} –
http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Repair Browser – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} –
http://assistant.3721(DOT)com/security1.htm?fb=Cns (file missing)
O9 – Extra button: (no name) – {FD00D911-7529-4084-9946-A29F1BDF4FE5} –
http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Clean Internet access record – {FD00D911-7529-4084-9946-A29F1BDF4FE5} –
http://assistant.3721(DOT)com/clean1.htm?fb=Cns (file missing)
O11 – Options group: [!CNS] Chinese keywords

UNINSTALL–There was an entry in the add/remove list for Chinese keywords. Ran it. The uninstall was perfect. That’s rare–it put the autoplays back exactly as they were.

Overall, the install is sloppy–note the (file missing) on some of the items above. The uninstall was good. Clearly not a drive-by download. I saw no extra popups at the site, before or after installing the plug-in, or after removing it.

While the site is on the SpybotSD list of sites that it adds to the restricted sites list in IE, my test, as of Sept 8, 2005, didn’t show anything more suspicious than an overly-invasive toolbar with a sloppy install.

I’d like anyone who can read Chinese to repeat the test–I could easily have missed installing a optional portion of the toolbar.

Test run Aug 25th, 2005, clean Win XP Home, no patches, not activated, no drivers except automatically-installed items from the Windows installation. Items listed as detected by HijackThis.

Installing the Crawler toolbar added these items to the system settings:
Running processes:
C:\Program Files\Crawler\CToolbar.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 – URLSearchHook: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O2 – BHO: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O3 – Toolbar: &Crawler Toolbar – {4B3803EA-5230-4DC3-A7FC-33638F3D3542} – C:\PROGRA~1\Crawler\ctbr.dll
O8 – Extra context menu item: Crawler Search – tbr:iemenu
O18 – Protocol: tbr – {4D25FB7A-8902-4291-960E-9ADA051CFBBF} – C:\PROGRA~1\Crawler\ctbr.dll

When Internet Explorer is NOT running, CToolbar continues to run, and it autoplays with the system.

Uninstall results–this item not removed–it’s the IE home page:
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002

Overall: The main executable runs when it shouldn’t, for no stated purpose. Uninstall doesn’t restore home page but does restore all other settings. Search results from toolbar show pay-for-display ads first, clearly labeled, before showing true search results which may or may not be on the first page of results.

Summary: I wouldn’t automatically delete this one if the user finds it helpful–doesn’t appear to do anything disruptive. The publisher should fix the way it runs ctoolbar, so that it starts with IE, and doesn’t run all the time.

Test run July 20, 2005, default settings on clean install of Windows XP Home, OEM edition. Unpatched, no service packs, antivirus, or blocking software. Hardware firewall was the only security in place.

Version tested: Listed in ‘About’ box as “Yahoo! Messenger 6.0.0.1922 and MyYahoo Module 6.0.0.600, (C)1997-2004.”

Summary: Not evil, and not adware. Not harmless, either–it’s a massive set of changes to the system. Uninstallation is massively incomplete. Utility and value are dubious.

Recommendation, Business systems: Unwarrantied product with invasive settings. Prohibit all installations. Should be removed without option as part of all standard maintenance on corporate PCs.

Recommendation, Personal systems: Advise removal–there are too many autoplays and performance hits. Yahoo mail customers are vastly better off getting their emails from the ‘MyYahoo’ service, which requires no software installation. Could be left behind on non-networked systems with only one educated user, if adequate system speed is available to counter the slowdown caused by the software.

LICENSE
=======

The license agreement was the usual bizare set of disclaimers, not as bad as most, not as fair as it could be. There was one term that was interesting–note the absolute lack of notice when they decide to convert the service into anything else. There are no limits, and no notice, and no recourse.

“13. MODIFICATIONS TO SERVICE
Yahoo! reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Service (or any part thereof), with or without notice. You agree that Yahoo! shall not be liable to you or to any third party for any modifcation, suspension or discontinuance of the Service.”

INSTALLATION
============

The installation ran smoothly. It’s the type that does the download during the install (5.37 Mb), but does calculate and display the time needed. For the test, I chose the defaults for everything. The ‘Anti-Spy’ button on the toolbar, on first press, offers to download and install, and has its own license agreement. There is a default checkbox on the Anti-Spy product that changes Yahoo! to the default search engine.

Misleading: One program install results in three entries under Add/Remove programs, for Yahoo! extras, Yahoo! Messenger, and Yahoo! Toolbar. The ‘Yahoo! Anti-Spy’ product has its own Add/Remove entry, matching the install.

Added to running files:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe

System settings changes, according to HijackThis:
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*

http://www.yahoo.com/search/ie.html

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*

http://www.yahoo.com

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*

http://www.yahoo.com

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*

http://www.yahoo.com/ext/search/search.html

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*

http://www.yahoo.com

R1 – HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

O2 – BHO: Yahoo! Companion BHO – {02478D38-C3F9-4efb-9B51-7695ECA05670} –
C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll

O3 – Toolbar: &Yahoo! Companion – {EF99BD32-C1FB-11D2-892F-0090271D4F88} –
C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll

O4 – HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O8 – Extra context menu item: &Yahoo! Search – file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 – Extra context menu item: Yahoo! &Dictionary – file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 – Extra context menu item: Yahoo! &Maps – file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O9 – Extra button: Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} – C:\Program
Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 – Extra ‘Tools’ menuitem: Yahoo! Messenger – {4528BBE0-4E08-11D5-AD55-00010333D0AD} –
C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

UNINSTALL
=========

All FOUR uninstall programs completed without failures or warnings.

These three settings were left behind:

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*

http://www.yahoo.com/ext/search/search.html

R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*

http://www.yahoo.com/ext/search/search.html

R1 – HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*

http://www.yahoo.com

Yahoo shortcuts were left behind, in Favorites and in Links.
In the read-only folder “C:\Program Files\Yahoo!” 221 files and 20 folders were left behind, total 12.4 Mb.

In the read-only folder “C:\Program Files\Internet Explorer\SIGNUP\Yahoo” 8 files were left behind, total 168 Kb.

REINSTALL TEST
==============
On a second installation after removal, the Yahoo Messenger install program advised me that it was already installed–was I sure that I wanted to install it anyway? My interpretation–even Yahoo’s software detects that their uninstall is incomplete.

POST-MORTEM
===========

Interesting follow-up, post-test: Yahoo sent an email message to confirm that I had activated the toolbar, and mention their use of email bugs (which they call ‘web beacons’) to confirm that I had read it. The email did NOT include any removal instructions for either the email message or the toolbar itself.

From their privacy information, linked in the email: “Web pages may contain an electronic file called a web beacon, that allows a web site to count users who have visited that page or to access certain cookies.”

The email claims that the toolbar provides these benefits, among others (not tested):
“Protect your PC with powerful anti-spy technology…”
“…Eliminate annoying pop-up ads with Pop-Up Blocker.”

From the email itself: “You may have noticed a powerful tool from Yahoo! that resides on your browser. It’s called the Yahoo! Toolbar and it was voted CNET Editors’ Choice in November 2004.
So what’s that mean for you?
It means you have more control over your web browsing experience. And since the Yahoo! Toolbar is customizable, you get quick and easy access to all the things that interest you the most…”
“…This is a service email related to your use of the Yahoo! Toolbar. Please do not respond to this email. To learn more about Yahoo!’s use of personal information, including the use of web beacons in HTML-based email, please read our Privacy Policy. Yahoo! is located at 701 First Avenue, Sunnyvale, CA 94089.”

Version tested: Listed in folder names as 4.6.1.0/
‘Click here’ on main Hotbar page gave no option, but started the “Take control of email” installation, despite listing several other products.

Redirects searches to resultsmaster.com/SmartOffers

Summary: A kinder, gentler product than the last time I looked at Hotbar, circa 2003. Still doesn’t do anything useful, but no longer appears to take over the system.

Recommendation, Business systems: Remove. Serves no business purpose.

Recommendation, Personal systems: Remove. Redirects web searches.

LICENSE
=======

First license I’ve seen that regulates emotional content–’desire’ is apparently now a legal term:

“(b) You shall receive, and desire to so receive, various products/services, marketing ads, and campaigns of third parties through the appearance of links, menus, pop-ups, and other methods on and/or in connection with the Service and the Software (all of the foregoing “Third Party Promotions”).”

INSTALLATION
============

End of first installation caused spontaneous reboot, followed by standard Windows file check of drives. Corrupted file c:\windows\system32\config\software.log. On a second reboot, no Hotbar product appeared to have been installed, although one new entry showed up in HijackThis:

Added to running files:
C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe
C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe
C:\Program Files\Hotbar\Bin\4.6.1.0\HbSrv.exe

System settings changes, according to HijackThis:

R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm

O2 – BHO: ShprRprts – {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} – C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll

O2 – BHO: Hotbar – {B195B3B3-8A05-11D3-97A4-0004ACA6948E} – C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll

O3 – Toolbar: Hotbar – {B195B3B3-8A05-11D3-97A4-0004ACA6948E} – C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll

O4 – HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe

O4 – HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe

O4 – HKLM\..\Run: [wzalvupo] C:\WINDOWS\System32\bkteqtfq.exe

O9 – Extra button: ShopperReports – Compare travel rates – {946B3E9E-E21A-49c8-9F63-900533FAFE14} – C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll

O9 – Extra button: ShopperReports – Compare product prices – {E77EDA01-3C56-4a96-8D08-02B42891C169} – C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll

O16 – DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) – http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab

UNINSTALL
=========

Misleading: Separate uninstalls for Hotbar Outlook Tools, Hotbar Web Tools, and Shopper Reports by Hotbar, resulting from one install program of Outlook Tools. Each of these ended the install process with a visit to a web page asking for feedback on the uninstallation. Reboot was required after the last of the uninstalls.

Left behind two empty readonly folders in c:\Program Files, for Hotbar and ShopperReports.

These settings were left behind:
O16 – DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) – http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab

No shortcuts were left behind.

Test run July 21, 2005, default settings on clean install of Windows XP Home, OEM edition. Unpatched, no service packs, antivirus, or blocking software. Hardware firewall was the only security in place.

Version tested: No version number, but copyright date in the license is June 1, 2005. Also known as FunWebProducts.

Summary: Claims not to be adware or spyware, and I saw no indications to indicate that this is anything more than some cute buttons and icons, plus lots of settings changes relating to search functions. The apparent revenue model for the free product is that it directs your searches to AskJeeves.com, where they make money on sponsored ads.

Recommendation, Business systems: Remove–serves no business purpose, has no warranty, and may add to network traffic.

Recommendation, Personal systems: Mostly harmless.

LICENSE
=======
Under section 2, License conditions–the program phones home for updates:

“We may require the updating of the Software on your computer when we release a new version of the Software, or when we make new features available. This update may occur automatically or through other means and may occur all at once or over multiple sessions.”

INSTALLATION
============

Added to running files:
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

System settings changes, according to HijackThis:

R3 – URLSearchHook: (no name) – {00A6FAF6-072E-44cf-8957-5838F569A31D} – C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 – BHO: MyWebSearch Search Assistant BHO – {00A6FAF1-072E-44cf-8957-5838F569A31D} – C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 – BHO: mwsBar BHO – {07B18EA1-A523-4961-B6BB-170DE4475CCA} – C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 – HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 – HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 – Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 – Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 – Extra context menu item: &Search – http://bar.mywebsearch.com/menusearch.html?p=ZNxdm824YYUS

O16 – DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} – http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab

UNINSTALL
=========

Listed in Add/Remove programs as “My Web Search (SmileyCentral). Uninstall requires reboot.

These settings were left behind:

O16 – DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} – http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab

Left behind read-only folder C:\Program Files\FunWebProducts, containing 2 files, 3 folders. The custom icon selected as a cursor was also left behind.

No shortcuts were left behind.

REINSTALL TEST
==============

No problems. Worked same as the first install. The second uninstall failed at reboot, with a ‘RUNDLL’ error box: “Error loading C:\PROGRA~1\UNINST~1.DLL. The specified module could not be found.” Message did not appear on subsequent reboot.

POST-MORTEM
===========

Surprise, surprise. There are so many ads for this product that I just expected the worst. But it’s clearly not that. Definitely a lightweight, and some home users may enjoy it.

It doesn’t play fair. I can highlight the license agreement, but it won’t let me copy it. Same on a ‘Who is viewpoint?’ entry. Well, I did capture the main window as a jpg. As adware goes (if that’s all it is), it’s pretty tame. I had no trouble removing it by killing the process viewmgr.exe, running the Viewpoint uninstall, and cleaning out two related files from the temporary files folder. I’m curious how it got past my blocks.

OS version: Windows XP, Service Pack 2, OEM edition
Motherboard: MSI M8M Neo-V, with AMD Sempron 2800+ processor.
Any hardware support below, if any, was autodetected during install–no software or driver installs had been run when this process list was captured:

alg.exe
csr.exe
Explorer.EXE
lsass.EXE
msiexec.exe
services.exe
smss.exe
svchost.exe (5 instances running)
System
System Idle Process
taskmgr.exe
winlogon.exe
wmiprvse.exe
wpabaln.exe
wuaudit.exe

As I (or others), build more systems, we’ll post more of these “Virgin Windows Task Lists”.

I didn’t have a chance to grab a HijackThis log of the box in this condition, but that I will next time, and get a more complete picture of just what is part of the default configuration.