PowerStrip

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Vendor Notes:	from the web site: 'The PowerStrip becomes a part of your Internet Explorer browser so you can instantly search, check your email and get up-to-the-minute news headlines no matter where you are on the Web. It's a snap to install and even easier to use and it's free. Here are some of its exciting features: Type-in Search - One click search on Google, the most popular search engine online. Highlight Search - Highlight any text on the page and click "Search". Fast Forms - Fill in forms with one click. Email - Check any web-based email account with one click. News - Access to the top headlines from all over the world. Click on the headline to read the entire story.'
Alias:	Adware/PortalScan [Panda], power strip psocx, TrojanDownloader.Win32.Minstaller [Kaspersky]
Category:	Toolbar: A group of buttons which perform common tasks. A toolbar for Internet Explorer is nomally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects. Adware: Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be assocaited with the product.
Variants:	PowerStrip/PSOCX PowerStrip/PSSetup
Similar Pests:	Toolbar · Adware
Origins
Group:	thepowerstrip.com
EMail:	help@thepowerstrip.com
URL:	http://www.thepowerstrip.com/
Date of Origin:	Variants from February, 2004 to August, 2004
Distribution
Prevalence:	PowerStrip: 10.3% More Info
Clot Factor:	PowerStrip: 5 The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Growth:	PowerStrip: Insufficient data to report growth
Operation
Platform:	Windows 95, 98, ME, NT, 2000, or XP
Storage Required:	PowerStrip: at least 2585 KB
ScreenShot:

PowerStrip Toolbar

Risks
Privacy Policy:	None.
Security Issues:	Yes. Can download and install arbitrary unsigned code, as an update mechanism. Connects to its controlling server at verschk.com to ask for software and target list updates.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Click on the "Start" button on your computer. Click "Settings" Click "Control Panel" Click "Add/Remove Programs" Find the "PowerStrip" and click "Remove"
	Stop Running Processes: Kill these running processes with Task Manager: programfilesdir+\common files\presentia\lsvr.exe programfilesdir+\common files\presentia\ltdmgr.exe programfilesdir+\common files\presentia\pmr.exe programfilesdir+\powerstrip\pslauncher.exe programfilesdir+\powerstrip\pssetup.exe
	Remove AutoRun Reference: Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\lsvr, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ltdmgr, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\pmr, delete it and reboot the machine immediately.
	Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: programfilesdir+\powerstrip\powrstrp.dll systemroot+\omdsn.dll systemroot+\system\powrstrp.dll systemroot+\system32\powrstrp.dll
	Clean Registry: Remove these registry items (if present) with RegEdit: HKEY_CLASSES_ROOT\clsid\{5a66328b-926d-468b-82aa-e1ed55c6c17c} HKEY_CLASSES_ROOT\clsid\{669695bc-a811-4a9d-8cdf-ba8c795f261c} HKEY_CLASSES_ROOT\clsid\{7704d8d8-9efe-4d82-9c89-0ecba8434eee} HKEY_CLASSES_ROOT\interface\{7dfa9a9c-fc9e-4ffc-839b-1f45a26c152e} HKEY_CLASSES_ROOT\kbbar.kbbarband.1\clsid HKEY_CLASSES_ROOT\kbbar.kbbarband\clsid HKEY_CLASSES_ROOT\kbbar.kbbarband\curver HKEY_CLASSES_ROOT\psocx.pssetup HKEY_CLASSES_ROOT\psocx.pssetup.1 HKEY_CLASSES_ROOT\psocx.pssetup\clsid HKEY_CLASSES_ROOT\psocx.pssetup\curver HKEY_CLASSES_ROOT\typelib\{16f079f0-b9d4-4978-add2-a6038927a754} HKEY_CLASSES_ROOT\urlsearch.urlsearch HKEY_CLASSES_ROOT\urlsearch.urlsearch.1\clsid HKEY_LOCAL_MACHINE\software\classes\clsid\{669695bc-a811-4a9d-8cdf-ba8c795f261c} HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{7704d8d8-9efe-4d82-9c89-0ecba8434eee} HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search\search assistant HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{669695bc-a811-4a9d-8cdf-ba8c795f261c} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/psocx.dll\.owner HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/psocx.dll\{7704d8d8-9efe-4d82-9c89-0ecba8434eee} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\lsvr HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ltdmgr HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\pmr HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\powerstrip\displayname HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\powerstrip\publisher HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\powerstrip\uninstallstring HKEY_LOCAL_MACHINE\software\presentia\1 HKEY_LOCAL_MACHINE\software\presentia\bundleid HKEY_LOCAL_MACHINE\software\presentia\installid HKEY_LOCAL_MACHINE\software\presentia\lastdownload
	Remove Files: Remove these files (if present) with Windows Explorer: mwsvm.dat pmr.bin pmr.ocx programfilesdir+\common files\presentia\lsvr.bin programfilesdir+\common files\presentia\lsvr.exe programfilesdir+\common files\presentia\ltdmgr.exe programfilesdir+\common files\presentia\pmr.exe programfilesdir+\powerstrip\powrstrp.dll programfilesdir+\powerstrip\pslauncher.exe programfilesdir+\powerstrip\pssetup.exe psi.ocx systemroot+\omdsn.dll systemroot+\system\powrstrp.dll systemroot+\system32\powrstrp.dll urls.bin vs.bin vurls.bin
	Remove Directories: Remove these directories (if present) with Windows Explorer: programfilesdir+\common files\presentia
Research
File Analyses:	PowerStrip: lsvr.exe · ltdmgr.exe · mwsvm.dat · pmr.bin · pmr.exe · pmr.ocx · powrstrp.dll · psi.ocx · pslauncher.exe · pssetup.exe · urls.bin · vs.bin · vurls.bin
More Info:	PowerStrip is an IE toolbar with a search field and link buttons. When you use a targeted merchant site, PowerStrip silently sets the afffiliate ID, so as to steal commission fees from your web shopping. AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	PestPatrol's Pest Research Center
Last Revised:	April 04, 2005