J
JohnF.
Investigation Report - MSAS beta 1.0.501
Platform:
HP Vectra VL PIII 600mHz 128MB ram
OS:
Windows 2000 Pro SP4 plus Sec/Crit updates as of MAR 01 2005
- logged in with local admin privileges
Software:
Office 97 Pro
Symantec Corporate Antivirus 9
- Program v. 9.0.0.338
- Scan Engine v. 1.4.1.12
- def file v. 03/01/05 rev. 8
I installed the following:
1. Atomic Clock Sync
2. SpiderPilot Toolbar
3. Kazaa 3.0
4. Comet Cursor Plus with Starware Adzapper
5. MySearch Toolbar
6. FlashTalk
I then uninstalled all these applications using the control panel Add/Remove
Applet.
I visited a cracks/serial numbers webpage and was invited to install a
component that would give me
"Unlimited downloads" capability. After I installed this control, the
following showed up in my Add/Remove list:
Media Pass
CTXPLS
Internet Optimizer
ShopAtHomeSelect Cashback
The Bullseye Network
CERES was already in my Add/Remove list even though I had uninstalled
applications.
I then installed MSAS beta 1.0.509. While installing, it signalled that
VX2.Transponder was trying to load,
do you wish to remove. I said yes. Then it said CoolWebSearch was trying
to load, do you wish to Remove, I said Yes. I went to the File menu and
selected Check for Updates. Spyware definitions were updated from 5678 to
5693 successfully.
I then selected to run the scan in full mode with all options checked.
Results:
26 Spyware threats detected
5 memory processes infected
137 files infected
614 registry keys infected
The 26 threats were as follows: (REMOVE recommended unless noted otherwise)
1. VX2.ABetterInternet.Transponder.Ceres -
2. AproposMedia -
3. AvenueMedia.DyFuCA -
4. PeopleOnPage -
5. eXact.bullseyeNetwork -
6. InstaFinder -
7. eXact.ISEXEng -
8. WindUpdates -
9. eXact.Downloader -
10. eXact.BargainBuddy -
11. My Search Bar -
12. Claria.GAIN -
13. Comet Systems -
14. Twain Tech -
15. KaZaA (quarantine) -
16. WinPup -
17. AltNet -
18. Windows AdTools -
19. Claria -
20. eXact.SearchBar -
21. eXact.Cashback -
22. Claria.DashBar -
23. IST.ISTbar -
24. ALTnet P2P -
25. ShopAtHome -
26. Unclassified.Spyware.39 -
Claria.Gain tried to install while reviewing and I selected to Remove from
the Toast Prompt.
I clicked on CONTINUE and checked SEND TO SPYNET, files were reported, the
removal/quarantine process ran.
A review of the Add/Remove list reveals the following still listed:
CERES
Media Pass
ShopAtHomeSelect CashBack
The Tasklist shows:
dmontvol.exe
fcctr.exe
MediaPass.exe
MediaPassK.exe
ShopAtHomeSelect Cash Back
Regedit HKEY_Local_Machine/Software/Microsoft/Windows/Run reveals:
ap9h4qmo - c:\winnt\system32\ap9h4qmo.exe
w79f34O - fcctr.exe
Media Pass - c:\Program Files\Media Pass\MediaPass.exe
Rebooted into Normal Mode for another quick review. Don't want to boot to
SAFE MODE unless necessary.
Upon reboot, Error: could not locate INF file 'C:\WINNT\inf\CC_43.inf'.
- Tasklist reveals no new LISTED processes
- Add/Remove list reveals no new apps
- Registry reveals ap9hqmo is gone and gah95on6 is now present
I go to Add/Remove to uninstall these still present items:
CERES - a web assisted delete process with "match the Number" process -
CERES leaves the list
Media Pass - Removed from list ShopAtHomeSelect Cashback - uses a match the
number process as well, must be to defeat automated spyware tools.
Recommends reboot, I do.
- No INF error this time.
- Tasklist shows fcctr.exe still running
- Add/Remove list appears clean
- Registry "RUN" still shows W79f34O
Ran a Full Scan again with all options selected:
1. Does not pickup fcctr.exe as a bug
2. WindUpdates (a vxd file was found)
Selected to Remove.
W79f34O removed from Registry manually. Rebooted.
- Task Manager List is now clean
- Registry RUN list is clean
fcctr.exe found in system32 folder, 240KB file no ownership info - compiled
but some text reveals multiple languages supported, registry info mentioning
winnint.ini and session manager.
Summary:
Spyspotter was not installed this time, maybe it was one of the numerous
popups CERES was throwing up last time that I clicked on to get rid of. The
second pass picked up an errant vxd file which probably couldn't be deleted
until the process owner was gone.
Meanwhile, I don't know what W79f34O alias fcctr.exe is or what put it
there. Aagh! - more detailed testing... If I see it again, i will run it
under scrutiny.
Again, the temp locations are harboring the install files still and this
time I looked under windows and found atomic.exe still in the folder. Well
this test was done merely by uninstalling MSAS 501 and then getting infected
and then installing 509 - not exactly a pristine test bed for 509 but I'll
do that next time - I still need to find a homepage hijacker.
I welcome comments and questions!
Thanks for reading!!!
Platform:
HP Vectra VL PIII 600mHz 128MB ram
OS:
Windows 2000 Pro SP4 plus Sec/Crit updates as of MAR 01 2005
- logged in with local admin privileges
Software:
Office 97 Pro
Symantec Corporate Antivirus 9
- Program v. 9.0.0.338
- Scan Engine v. 1.4.1.12
- def file v. 03/01/05 rev. 8
I installed the following:
1. Atomic Clock Sync
2. SpiderPilot Toolbar
3. Kazaa 3.0
4. Comet Cursor Plus with Starware Adzapper
5. MySearch Toolbar
6. FlashTalk
I then uninstalled all these applications using the control panel Add/Remove
Applet.
I visited a cracks/serial numbers webpage and was invited to install a
component that would give me
"Unlimited downloads" capability. After I installed this control, the
following showed up in my Add/Remove list:
Media Pass
CTXPLS
Internet Optimizer
ShopAtHomeSelect Cashback
The Bullseye Network
CERES was already in my Add/Remove list even though I had uninstalled
applications.
I then installed MSAS beta 1.0.509. While installing, it signalled that
VX2.Transponder was trying to load,
do you wish to remove. I said yes. Then it said CoolWebSearch was trying
to load, do you wish to Remove, I said Yes. I went to the File menu and
selected Check for Updates. Spyware definitions were updated from 5678 to
5693 successfully.
I then selected to run the scan in full mode with all options checked.
Results:
26 Spyware threats detected
5 memory processes infected
137 files infected
614 registry keys infected
The 26 threats were as follows: (REMOVE recommended unless noted otherwise)
1. VX2.ABetterInternet.Transponder.Ceres -
2. AproposMedia -
3. AvenueMedia.DyFuCA -
4. PeopleOnPage -
5. eXact.bullseyeNetwork -
6. InstaFinder -
7. eXact.ISEXEng -
8. WindUpdates -
9. eXact.Downloader -
10. eXact.BargainBuddy -
11. My Search Bar -
12. Claria.GAIN -
13. Comet Systems -
14. Twain Tech -
15. KaZaA (quarantine) -
16. WinPup -
17. AltNet -
18. Windows AdTools -
19. Claria -
20. eXact.SearchBar -
21. eXact.Cashback -
22. Claria.DashBar -
23. IST.ISTbar -
24. ALTnet P2P -
25. ShopAtHome -
26. Unclassified.Spyware.39 -
Claria.Gain tried to install while reviewing and I selected to Remove from
the Toast Prompt.
I clicked on CONTINUE and checked SEND TO SPYNET, files were reported, the
removal/quarantine process ran.
A review of the Add/Remove list reveals the following still listed:
CERES
Media Pass
ShopAtHomeSelect CashBack
The Tasklist shows:
dmontvol.exe
fcctr.exe
MediaPass.exe
MediaPassK.exe
ShopAtHomeSelect Cash Back
Regedit HKEY_Local_Machine/Software/Microsoft/Windows/Run reveals:
ap9h4qmo - c:\winnt\system32\ap9h4qmo.exe
w79f34O - fcctr.exe
Media Pass - c:\Program Files\Media Pass\MediaPass.exe
Rebooted into Normal Mode for another quick review. Don't want to boot to
SAFE MODE unless necessary.
Upon reboot, Error: could not locate INF file 'C:\WINNT\inf\CC_43.inf'.
- Tasklist reveals no new LISTED processes
- Add/Remove list reveals no new apps
- Registry reveals ap9hqmo is gone and gah95on6 is now present
I go to Add/Remove to uninstall these still present items:
CERES - a web assisted delete process with "match the Number" process -
CERES leaves the list
Media Pass - Removed from list ShopAtHomeSelect Cashback - uses a match the
number process as well, must be to defeat automated spyware tools.
Recommends reboot, I do.
- No INF error this time.
- Tasklist shows fcctr.exe still running
- Add/Remove list appears clean
- Registry "RUN" still shows W79f34O
Ran a Full Scan again with all options selected:
1. Does not pickup fcctr.exe as a bug
2. WindUpdates (a vxd file was found)
Selected to Remove.
W79f34O removed from Registry manually. Rebooted.
- Task Manager List is now clean
- Registry RUN list is clean
fcctr.exe found in system32 folder, 240KB file no ownership info - compiled
but some text reveals multiple languages supported, registry info mentioning
winnint.ini and session manager.
Summary:
Spyspotter was not installed this time, maybe it was one of the numerous
popups CERES was throwing up last time that I clicked on to get rid of. The
second pass picked up an errant vxd file which probably couldn't be deleted
until the process owner was gone.
Meanwhile, I don't know what W79f34O alias fcctr.exe is or what put it
there. Aagh! - more detailed testing... If I see it again, i will run it
under scrutiny.
Again, the temp locations are harboring the install files still and this
time I looked under windows and found atomic.exe still in the folder. Well
this test was done merely by uninstalling MSAS 501 and then getting infected
and then installing 509 - not exactly a pristine test bed for 509 but I'll
do that next time - I still need to find a homepage hijacker.
I welcome comments and questions!
Thanks for reading!!!
I toasted a machine myself the other day,