JohnF.
Investigation Report - MSAS beta 1.0.501
Platform:
HP Vectra VL PIII 600 MHz 128 MB RAM
OS:
Windows 2000 Pro SP4 plus Sec/Crit updates as of MAR 01 2005
- logged in with local admin privileges
Software:
Office 97 Pro
Symantec Corporate Antivirus 9
- Program v. 9.0.0.338
- Scan Engine v. 1.4.1.12
- def file v. 03/01/05 rev. 8
I installed the following:
1. Atomic Clock Sync
2. SpiderPilot Toolbar
3. Kazaa 3.0
4. Comet Cursor Plus with Starware Adzapper
5. MySearch Toolbar
6. FlashTalk
I then uninstalled all these applications using the control panel Add/Remove
Applet.
I visited a cracks/serial numbers webpage and was invited to install a
component that would give me "Unlimited downloads" capability.
After I installed this control, the following showed up in my Add/Remove
list:
- Media Pass
- CTXPLS
- Internet Optimizer
- ShopAtHomeSelect Cashback
- The Bullseye Network
CERES and Spyspotter were already in my Add/Remove list even though I had
uninstalled applications.
I then installed MSAS beta 1.0, answered yes to the realtime controls and
Spynet Network, and selected to run later. I went to the File menu and
selected Check for Updates. Spyware definitions were updated from 5678 to
5693 successfully.
I then selected to run the scan in full mode with all options checked.
Results:
31 Spyware threats detected
9 memory processes infected
99 files infected
435 registry keys infected
The 31 threats were as follows (REMOVE recommended unless noted otherwise):
1. VX2.ABetterInternet.Transponder.Ceres
2. AproposMedia
3. AvenueMedia.DyFuCA
4. PeopleOnPage
5. eXact.bullseyeNetwork
6. InstaFinder
7. eXact.ISEXEng
8. WindUpdates
9. eXact.Downloader
10. eXact.BargainBuddy
11. VX2.Transponder
12. My Search Bar
13. SearchEnhancement (Quarantine Recommended)
14. Claria.GAIN
15. Comet Systems
16. Twain Tech
17. KaZaA (Quarantine Recommended - In the "MY SHARED FOLDER" a copy of the
install was found, no wonder this folder gets deleted!)
18. WinPup
19. AltNet
20. MoneyTree
21. Windows AdTools
22. Claria
23. CoolWebSearch
24. The Money Toolbar
25. eXact.SearchBar
26. eXact.Cashback
27. Claria.DashBar
28. IST.ISTbar
29. ALTnet P2P
30. ShopAtHome
31. Unclassified.Spyware.39
I clicked on CONTINUE and checked SEND TO SPYNET, files were reported, the
removal/quarantine process ran.
The hijack restore feature was offered, I clicked yes and accepted the
defaults although my home page was never changed by any spyware.
A review of the Add/Remove list reveals the following still listed:
CERES
Media Pass
ShopAtHomeSelect CashBack
The Tasklist shows:
MediaPass.exe
MediaPassK.exe
ShopAtHomeSelect Cash Back
Regedit HKEY_Local_Machine/Software/Microsoft/Windows/Run reveals:
gah95on6 - c:\winnt\system32\gah95on6.exe
Media Pass - c:\Program Files\Media Pass\MediaPass.exe
SpySpotter - c:\Program Files\SPYSPOTTER\SpySpotter.exe
Rebooted back to Normal Mode again for another quick review.
- Tasklist reveals no new LISTED processes
- Add/Remove list reveals no new apps
- Registry reveals no new RUN line items
I go to Add/Remove to uninstall these still present items:
CERES - a web assisted delete process with "match the Number" process -
CERES leaves the list
Media Pass - Removed from list
ShopAtHomeSelect Cashback - uses a match the number process as well, must be
to defeat automated spyware tools.
Recommends reboot, so I do.
- Tasklist now appears clean
- Add/Remove list appears clean
- Registry "RUN" is clean EXCEPT for SPYSPOTTER
Ran a Full Scan again with all options selected:
1. WindUpdates (a vxd file was found)
Selected to Remove.
Spyspotter removed from Registry manually. Rebooted.
Summary:
Except for Spyspotter which installed with the SpiderPilot Toolbar,
everything was removed by Add/Remove and MSAS in one FULL SCAN pass. The
second pass picked up an errant vxd file which probably couldn't be deleted
until the process owner was gone.
I had to remove Spyspotter manually, even though I had uninstalled it by the
Add/Remove applet. According to Spyware Warrior, it is an Adaware knock-off,
so I'm not sure what kind of trouble it was going to cause, but I didn't want
to go long term on this run.
I think that people are having trouble with these programs not going away
because of the addition of trojan software that is taking advantage of
exploits in IE or the OS that they have not patched yet and do not protect
themselves from with a regularly updated antivirus program.
I welcome comments and questions! Now for MSAS v. 1.0.509...
Thanks for reading!!!
JohnF.
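As an added illustration of the before/after persistence checks the report walks through (the Run-key review after the first scan, and the "clean EXCEPT for SPYSPOTTER" review after the uninstalls), here is a small Python script that is not part of the original post. It diffs two Run-key listings written in the report's own "name - path" notation; the sample listings are constructed from the entries quoted above, and the "random name in system32" heuristic is my own assumption, not an MSAS rule.

```python
"""Diff two Run-key listings (report notation: 'name - path') and flag survivors."""
import re

# Constructed samples, copied from the entries the report lists.
RUN_AFTER_FIRST_SCAN = "\n".join([
    r"gah95on6 - c:\winnt\system32\gah95on6.exe",
    r"Media Pass - c:\Program Files\Media Pass\MediaPass.exe",
    r"SpySpotter - c:\Program Files\SPYSPOTTER\SpySpotter.exe",
])
RUN_AFTER_UNINSTALLS = "\n".join([
    r"SpySpotter - c:\Program Files\SPYSPOTTER\SpySpotter.exe",
])

SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")


def parse_run_entries(text):
    """Parse 'name - path' lines into {lowercased name: path}; blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, path = line.partition(" - ")
        if not sep:
            raise ValueError(f"unparseable Run entry: {line!r}")
        entries[name.strip().lower()] = path.strip()
    return entries


def diff_run_entries(before_text, after_text):
    """Return which Run entries were removed, added, or survived between two reviews."""
    before, after = parse_run_entries(before_text), parse_run_entries(after_text)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "survivors": sorted(set(before) & set(after)),
    }


def looks_suspicious(name, path):
    """Assumed heuristic: a short alphanumeric name containing digits whose executable
    lives directly in the system directory (like gah95on6) deserves a closer look."""
    in_sysdir = any(d in path.lower() for d in SYSTEM_DIRS)
    random_name = (re.fullmatch(r"[a-z0-9]{6,10}", name.lower()) is not None
                   and any(c.isdigit() for c in name))
    return in_sysdir and random_name


if __name__ == "__main__":
    result = diff_run_entries(RUN_AFTER_FIRST_SCAN, RUN_AFTER_UNINSTALLS)
    print("removed:", result["removed"])
    print("survivors (still need manual cleanup):", result["survivors"])
    for n, p in parse_run_entries(RUN_AFTER_FIRST_SCAN).items():
        print(f"{n}: {'SUSPICIOUS' if looks_suspicious(n, p) else 'ok'}")
```

Running the script reports Media Pass and gah95on6 as removed and SpySpotter as the lone survivor, matching the report's last registry review.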