Detailed Report - Self-inflicted Infestation and MSAS 1.0.501

JohnF.

Investigation Report - MSAS beta 1.0.501

Platform:
HP Vectra VL PIII 600 MHz, 128 MB RAM

OS:
Windows 2000 Pro SP4 plus Sec/Crit updates as of MAR 01 2005
- logged in with local admin privileges

Software:
Office 97 Pro
Symantec Corporate Antivirus 9
- Program v. 9.0.0.338
- Scan Engine v. 1.4.1.12
- def file v. 03/01/05 rev. 8

I installed the following:
1. Atomic Clock Sync
2. SpiderPilot Toolbar
3. Kazaa 3.0
4. Comet Cursor Plus with Starware Adzapper
5. MySearch Toolbar
6. FlashTalk

I then uninstalled all these applications using the control panel Add/Remove
Applet.
I visited a cracks/serial numbers webpage and was invited to install a
component that would give me "Unlimited downloads" capability.

After I installed this control, the following showed up in my Add/Remove
list:
- Media Pass
- CTXPLS
- Internet Optimizer
- ShopAtHomeSelect Cashback
- The Bullseye Network

CERES and Spyspotter were already in my Add/Remove list even though I had
uninstalled the applications.

I then installed MSAS beta 1.0, answered yes to the real-time controls and
SpyNet Network, and selected to run later. I went to the File menu and
selected Check for Updates. Spyware definitions were updated from 5678 to
5693 successfully.

I then selected to run the scan in full mode with all options checked.

Results:
31 Spyware threats detected
9 memory processes infected
99 files infected
435 registry keys infected


The 31 threats were as follows: (REMOVE recommended unless noted otherwise)

1. VX2.ABetterInternet.Transponder.Ceres
2. AproposMedia
3. AvenueMedia.DyFuCA
4. PeopleOnPage
5. eXact.bullseyeNetwork
6. InstaFinder
7. eXact.ISEXEng
8. WindUpdates
9. eXact.Downloader
10. eXact.BargainBuddy
11. VX2.Transponder
12. My Search Bar
13. SearchEnhancement (Quarantine Recommended)
14. Claria.GAIN
15. Comet Systems
16. Twain Tech
17. KaZaA (Quarantine Recommended - In the "MY SHARED FOLDER" a copy of the
install was found, no wonder this folder gets deleted!)
18. WinPup
19. AltNet
20. MoneyTree
21. Windows AdTools
22. Claria
23. CoolWebSearch
24. The Money Toolbar
25. eXact.SearchBar
26. eXact.Cashback
27. Claria.DashBar
28. IST.ISTbar
29. ALTnet P2P
30. ShopAtHome
31. Unclassified.Spyware.39

I clicked on CONTINUE and checked SEND TO SPYNET, files were reported, the
removal/quarantine process ran.
The hijack restore feature was offered, I clicked yes and accepted the
defaults although my home page was never changed by any spyware.

A review of the Add/Remove list reveals the following still listed:
CERES
Media Pass
ShopAtHomeSelect CashBack

The Tasklist shows:
MediaPass.exe
MediaPassK.exe
ShopAtHomeSelect Cash Back

Regedit HKEY_Local_Machine/Software/Microsoft/Windows/Run reveals:
gah95on6 - c:\winnt\system32\gah95on6.exe
Media Pass - c:\Program Files\Media Pass\MediaPass.exe
SpySpotter - c:\Program Files\SPYSPOTTER\SpySpotter.exe

Rebooted back to Normal Mode again for another quick review.
- Tasklist reveals no new LISTED processes
- Add/Remove list reveals no new apps
- Registry reveals no new RUN line items

I go to Add/Remove to uninstall these still present items:
CERES - a web-assisted delete process with a "match the number" step -
CERES leaves the list.
Media Pass - removed from the list.
ShopAtHomeSelect Cashback - uses a match-the-number process as well; it must be
there to defeat automated spyware tools.

Recommends reboot, so I do.
- Tasklist now appears clean
- Add/Remove list appears clean
- Registry "RUN" is clean EXCEPT for SPYSPOTTER

Ran a Full Scan again with all options selected:
1. WindUpdates (a vxd file was found)

Selected to Remove.

Spyspotter removed from Registry manually. Rebooted.

Summary:

Except for Spyspotter, which installed with the SpiderPilot Toolbar,
everything was removed by Add/Remove and MSAS in one FULL SCAN pass. The
second pass picked up an errant vxd file which probably couldn't be deleted
until the process owner was gone.

I had to remove Spyspotter manually, even though I had uninstalled it by the
Add/Remove applet. According to Spyware Warrior, it is an Ad-Aware knock-off,
so I'm not sure what kind of trouble it was going to cause, but I didn't want
to go long term on this run.

I think that people are having trouble with these programs not going away
because of the addition of trojan software that is taking advantage of
exploits in IE or the OS that they have not patched yet and do not protect
themselves from with a regularly updated antivirus program.

I welcome comments and questions! Now for MSAS v. 1.0.509...

Thanks for reading!!!

JohnF.
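The report above checks the same three places by hand after every step: the Run key, the Add/Remove list and the task list. The script below is an added example (not from the thread, and not a tool the MSAS beta shipped) that takes a snapshot of those three sources on a current Windows and diffs a "before" snapshot against an "after" one, so a survivor such as a randomly named .exe in the Run key shows up without reading the lists by eye. It assumes PowerShell 5.1 or later; the key paths are the standard ones on a modern Windows rather than the Windows 2000 layout in the report, and the file names are arbitrary.

```powershell
# Added example: snapshot and diff the autostart entries, the Add/Remove
# (Uninstall) entries and the running processes. Assumes PowerShell 5.1+.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-PersistenceSnapshot {
    # One line per Run value: RUN|<key>|<value name>|<command>
    $run = foreach ($k in $RunKeys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            $names = ($p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
            foreach ($n in $names) { "RUN|$k|$n|$($p.$n)" }
        }
    }
    # One line per Add/Remove entry: APP|<display name>|<uninstall command>
    $apps = foreach ($k in $UninstallKeys) {
        if (Test-Path $k) {
            Get-ChildItem -Path $k | ForEach-Object {
                $d = Get-ItemProperty -Path $_.PSPath
                if ($d.DisplayName) { "APP|$($d.DisplayName)|$($d.UninstallString)" }
            }
        }
    }
    # One line per process: PROC|<name>|<image path> (path is empty when access is denied)
    $procs = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        "PROC|$($_.ProcessName)|$($_.Path)"
    }
    @($run) + @($apps) + @($procs) | Sort-Object -Unique
}

function Compare-Snapshot {
    param([string]$Before, [string]$After)
    $b = Get-Content -Path $Before
    $a = Get-Content -Path $After
    Compare-Object -ReferenceObject $b -DifferenceObject $a | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$tag $($_.InputObject)"
    }
}

# Usage (file names are arbitrary):
#   Get-PersistenceSnapshot | Set-Content before.txt    # clean baseline
#   ... install the test applications, scan, remove, reboot ...
#   Get-PersistenceSnapshot | Set-Content after.txt
#   Compare-Snapshot before.txt after.txt
# Anything reported as ADDED after the cleanup and reboot, e.g. a RUN entry
# pointing at a random-named .exe under system32, is the survivor to chase next.
```

Take the baseline before installing anything, not after the first removal pass: the report above shows that entries such as CERES and Spyspotter were already back in Add/Remove before the bundle from the cracks site was installed, and a baseline taken later would hide them.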

Bill Sanderson

JohnF. said:
Investigation Report - MSAS beta 1.0.501

Wow--thanks for that excellent report! One thing that I spotted is that
you've helped make a case for a second scan (i.e. scan until one comes
through clean)--in your case it would have been three scans.

plun

JohnF. said:
Investigation Report - MSAS beta 1.0.501
I welcome comments and questions! Now for MSAS v. 1.0.509...

Hi

Really great !

Interesting study about the Internet's dark side.

Can you post your Spynet reg number ?

plun

Wow--thanks for that excellent report! One thing that I spotted is that
you've helped make a case for a second scan (i.e. scan until one comes
through clean)--in your case it would have been three scans.

Well, MSAS must be able to do this in a better way.

Perhaps have an automatic process that restarts in safe mode and
then restarts to normal mode.

Otherwise we will have new jokes about MS and "scannings".

"Scan your PC to death", or what will it be?

"I can't use my PC, I must scan." Aha ... Windows!?

Bill Sanderson

I'm not sure we'll be able to eliminate the repeated scanning. At least it
is a lot quicker than an equivalent antivirus scan.

Bill Sanderson

Can you post your Spynet reg number ?


Thanks Plun---I forgot that, and I hope John didn't--'cause it disappears
if you don't make a note of it, and I don't know any way to recover it except
to do another report.

JohnF.

Interestingly enough, I did not need to use SAFE MODE. I'm eager to see how
509 works out because, as I think about it, there shouldn't really be a
difference in the effectiveness between 501 and 509 except for the spyware
definitions version.

JohnF.

JohnF.

Ooops

Bill Sanderson said:
Thanks Plun---I forgot that. and I hope John didn't--'cause it disappears
if you don't make a note of it-and I don't know any way to recover it
except to do another report.

plun

Bill said:
I'm not sure we'll be able to eliminate the repeated scanning. at least it
is a lot quicker than an equivalent antivirus scan.

Maybe it is so. If we compare with Ad-Aware, you are prompted
that a restart is needed for one more scan because of running
processes.

-----------------------------------------------------------

To John F, if he reads this.

Can you prep your PC again with your "ref list" and
try them with Trend Micro's HouseCall?

They have a new spyware/security check.

http://housecall.trendmicro.com/

plun

Bill said:
Thanks Plun---I forgot that. and I hope John didn't--'cause it disappears
if you don't make a note of it-and I don't know any way to recover it except
to do another report.


This number must be transferred to the MSAS log file.

Who can remember this?


Maybe John can get it from IE's "junkbox"...... ;)

JohnF.

I'll do that right after the 509 test.

JohnF.


plun said:
To John F, if he reads this.

Can you prep your PC again with your "ref list" and
try them with Trend Micro's HouseCall?

They have a new spyware/security check.

http://housecall.trendmicro.com/

Bob Dietz

Excellent! Thank you for the time and effort you expended on this useful
experiment.

plun

JohnF. said:
Where does that normally appear? First I've heard of it actually.

Within the MSAS folder you have an XML file, MSSSRT.xml,
which creates this; I have the wrong language version for this.
Maybe it's stored if you run this script.

And as I understand it, this script auto-opens IE and
shows the reg number after sending a report.

Maybe you have something stored in
IE's cache? (junkbox)

Bill Sanderson

When you do a suspected spyware report, and it goes through, you get back a
URL, which looks like this:

https://www.spynet.com/spywarescan_results.aspx?ScanID=1c6808c2-f258-4c03-8871-a6d560941d7c


If we can get a set of before and after reports with URL's to Steve Dodson,
they can easily look at what is going on

Note--there may conceivably be confidentiality issues with the content of
these reports. I've looked mine over and didn't see anything that concerned
me--as I recall you can tell who my ISP is, and maybe some other details
like that--but we probably shouldn't be posting them as a rule--bad example
to set.

However, getting a set of before and afters from both builds might be very
useful.

JohnF.

Yes, I am, but what I was saying is that I don't think the difference is with
the 501 versus the 509 - the difference should be 5678 versus 5693
regardless of the app version.

JohnF.

plun

Bill said:
Note--there may conceivably be confidentiality issues with the content of
these reports. I've looked mine over and didn't see anything that concerned
me--as I recall you can tell who my ISP is, and maybe some other details
like that--but we probably shouldn't be posting them as a rule--bad example
to set.

There are no secrets in this if you look around in other
forums, BUT maybe there is no need to show the IP address?
This address can be tracked, and more people have their own
IP addresses instead of dynamic ones.

I can see your ISP/IP address inside your "header" and then
use any "Whois".

It is important that users know this, no secrets.

http://www.kloth.net/services/


Verizon Internet Services VIS-141-149 (NET-141-149-0-0-1)
141.149.0.0 - 141.158.255.255
Verizon Internet Services VZ-DSLDIAL-PHLAPA-12 (NET-141-158-224-0-1)
141.158.224.0 - 141.158.253.255

# ARIN WHOIS database, last updated 2005-03-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Mine is:

inetnum: 85.224.0.0 - 85.231.255.255
netname: SE-CYBER-20041217
descr: Bredbandsbolaget AB
country: SE
org: ORG-BA31-RIPE
admin-c: BR3045-RIPE
tech-c: BR3045-RIPE
notify: registry at bredband.com
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: B2-MNT
mnt-routes: B2-MNT
mnt-domains: B2-MNT
changed: hostmaster at ripe.net 20041217
source: RIPE
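The two posts above make the same point from both sides: a SpyNet results URL carries a per-report ScanID, and a posted header carries an IP address that any whois lookup turns into an ISP and a rough location. The script below is an added example (not from the thread, and not part of MSAS) of scrubbing a report before it is posted: every IPv4 address and every GUID is replaced by a stable placeholder, numbered in order of first appearance, so two reports from the same machine can still be matched up as "before" and "after" while the real values stay private. It assumes PowerShell 5.1 or later; the sample lines are constructed for the illustration and reuse the ScanID and an address from the Verizon range quoted above.

```powershell
# Added example: replace IPv4 addresses and GUIDs in report text with
# consistent placeholders (IP-1, IP-2, ..., SCANID-1, ...). Assumes PowerShell 5.1+.
function Invoke-ReportScrub {
    param([string[]]$Lines)
    $ipMap = @{}   # real address -> placeholder
    $idMap = @{}   # real GUID (lower-case) -> placeholder
    $ipRx  = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    $idRx  = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

    foreach ($line in $Lines) {
        # Assign placeholders on first sight so the numbering is stable across the text
        foreach ($m in [regex]::Matches($line, $ipRx)) {
            if (-not $ipMap.ContainsKey($m.Value)) { $ipMap[$m.Value] = 'IP-' + ($ipMap.Count + 1) }
        }
        foreach ($m in [regex]::Matches($line, $idRx)) {
            $k = $m.Value.ToLower()
            if (-not $idMap.ContainsKey($k)) { $idMap[$k] = 'SCANID-' + ($idMap.Count + 1) }
        }
        # Replace whole tokens only, so 10.0.0.1 is never clobbered inside 10.0.0.10
        $out = $line
        foreach ($k in $ipMap.Keys) { $out = $out -replace ('\b' + [regex]::Escape($k) + '\b'), $ipMap[$k] }
        foreach ($k in $idMap.Keys) { $out = $out -replace [regex]::Escape($k), $idMap[$k] }
        $out
    }
}

# Constructed sample: a mail header line, a SpyNet results URL and a follow-up note
$sample = @(
    'Received: from host.example.net (141.158.224.17) by mail.example.net',
    'https://www.spynet.com/spywarescan_results.aspx?ScanID=1c6808c2-f258-4c03-8871-a6d560941d7c',
    'Second report from the same machine 141.158.224.17 after the reboot'
)
Invoke-ReportScrub -Lines $sample
# Lines 1 and 3 both come out with IP-1 and the URL ends in ScanID=SCANID-1,
# so the reader can still pair the reports without learning the address.
```

Keep the real-to-placeholder mapping locally if you expect Microsoft to ask for the original ScanID later; the placeholders alone cannot be reversed, which is the point of posting them.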

Bill Sanderson

Well - I was way off on my geographic guessing! My IP is dynamic, although
I'll admit to having been hit by two viruses today in the TIF--an unusual
level of activity, and I'd like to know why and how they are getting there.
Neither was anything dangerous or unusual, and I did spend 1/2 hour
listening to a Quicktime video from a local news site, so there may be
something happening with that site.