Detailed Report - Self inflicted infestation and MSAS 1.0.509

JohnF.

Investigation Report - MSAS beta 1.0.501

Platform:
HP Vectra VL, PIII 600 MHz, 128 MB RAM

OS:
Windows 2000 Pro SP4 plus Sec/Crit updates as of MAR 01 2005
- logged in with local admin privileges

Software:
Office 97 Pro
Symantec Corporate Antivirus 9
- Program v. 9.0.0.338
- Scan Engine v. 1.4.1.12
- def file v. 03/01/05 rev. 8

I installed the following:
1. Atomic Clock Sync
2. SpiderPilot Toolbar
3. Kazaa 3.0
4. Comet Cursor Plus with Starware Adzapper
5. MySearch Toolbar
6. FlashTalk

I then uninstalled all these applications using the control panel Add/Remove
Applet.

I visited a cracks/serial numbers webpage and was invited to install a
component that would give me "Unlimited downloads" capability. After I
installed this control, the following showed up in my Add/Remove list:

Media Pass
CTXPLS
Internet Optimizer
ShopAtHomeSelect Cashback
The Bullseye Network

CERES was already in my Add/Remove list even though I had uninstalled the
applications.

I then installed MSAS beta 1.0.509. While installing, it signalled that
VX2.Transponder was trying to load: "Do you wish to remove?" I said yes.
Then it said CoolWebSearch was trying to load: "Do you wish to remove?"
I said yes. I went to the File menu and selected Check for Updates.
Spyware definitions were updated from 5678 to 5693 successfully.

I then selected to run the scan in full mode with all options checked.

Results:
26 Spyware threats detected
5 memory processes infected
137 files infected
614 registry keys infected


The 26 threats were as follows: (REMOVE recommended unless noted otherwise)

1. VX2.ABetterInternet.Transponder.Ceres
2. AproposMedia
3. AvenueMedia.DyFuCA
4. PeopleOnPage
5. eXact.bullseyeNetwork
6. InstaFinder
7. eXact.ISEXEng
8. WindUpdates
9. eXact.Downloader
10. eXact.BargainBuddy
11. My Search Bar
12. Claria.GAIN
13. Comet Systems
14. Twain Tech
15. KaZaA (quarantine)
16. WinPup
17. AltNet
18. Windows AdTools
19. Claria
20. eXact.SearchBar
21. eXact.Cashback
22. Claria.DashBar
23. IST.ISTbar
24. ALTnet P2P
25. ShopAtHome
26. Unclassified.Spyware.39

Claria.Gain tried to install while I was reviewing, and I selected Remove
from the toast prompt.

I clicked on CONTINUE and checked SEND TO SPYNET, files were reported, the
removal/quarantine process ran.

A review of the Add/Remove list reveals the following still listed:
CERES
Media Pass
ShopAtHomeSelect CashBack

The Tasklist shows:
dmontvol.exe
fcctr.exe
MediaPass.exe
MediaPassK.exe
ShopAtHomeSelect Cash Back

Regedit HKEY_Local_Machine/Software/Microsoft/Windows/Run reveals:
ap9h4qmo - c:\winnt\system32\ap9h4qmo.exe
w79f34O - fcctr.exe
Media Pass - c:\Program Files\Media Pass\MediaPass.exe

Rebooted into Normal Mode for another quick review. Don't want to boot to
SAFE MODE unless necessary.

Upon reboot, Error: could not locate INF file 'C:\WINNT\inf\CC_43.inf'.

- Tasklist reveals no new LISTED processes
- Add/Remove list reveals no new apps
- Registry reveals ap9hqmo is gone and gah95on6 is now present


I go to Add/Remove to uninstall these still-present items:
CERES - a web-assisted delete process with a "match the number" step -
CERES leaves the list
Media Pass - removed from the list
ShopAtHomeSelect Cashback - uses a "match the number" process as well; must
be to defeat automated spyware tools.

It recommends a reboot; I do.
- No INF error this time.
- Tasklist shows fcctr.exe still running
- Add/Remove list appears clean
- Registry "RUN" still shows W79f34O

Ran a Full Scan again with all options selected:
1. Does not pick up fcctr.exe as a bug
2. WindUpdates (a vxd file was found)

Selected to Remove.

W79f34O removed from Registry manually. Rebooted.
- Task Manager List is now clean
- Registry RUN list is clean

fcctr.exe found in the system32 folder: a 240 KB file with no ownership
info. Compiled, but some text reveals multiple languages supported and
registry info mentioning winnint.ini and session manager.


Summary:

Spyspotter was not installed this time, maybe it was one of the numerous
popups CERES was throwing up last time that I clicked on to get rid of. The
second pass picked up an errant vxd file which probably couldn't be deleted
until the process owner was gone.

Meanwhile, I don't know what W79f34O alias fcctr.exe is or what put it
there. Aagh! - more detailed testing... If I see it again, I will run it
under scrutiny.

Again, the temp locations are still harboring the install files, and this
time I looked under Windows and found atomic.exe still in the folder. Well,
this test was done merely by uninstalling MSAS 501, then getting infected,
then installing 509 - not exactly a pristine test bed for 509, but I'll
do that next time - I still need to find a homepage hijacker.





I welcome comments and questions!

Thanks for reading!!!
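The report above does its before/after comparison of the Run key by eye (ap9h4qmo gone, gah95on6 present, w79f34O still there). The script below is an added example, not code from the thread or from Microsoft AntiSpyware: it parses two `reg export` snapshots of the Run key (the "Windows Registry Editor Version 5.00" text format), diffs them, and flags the patterns the report ran into by hand, namely value names that look machine-generated, a removed random name replaced by an added random name in the same directory (the rotating loader), and a command with no directory, which Windows resolves through the PATH search order and which is why fcctr.exe had to be hunted down in system32. The two snapshots are constructed from the value names and paths the report lists; the command path for gah95on6 is an assumption, since the report gives only the name.

```python
"""Snapshot-and-diff triage for Windows Run-key autostart entries.

Added example; not code from the original thread or from MSAS. Input is the
text written by `reg export`, so it runs offline on captures from the box.
The snapshots below are CONSTRUCTED from the report's entries; the command
for gah95on6 is an assumption (the report gives only the value name).
"""
import ntpath
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot: after the MSAS clean-up, before the first reboot.
RUN_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ap9h4qmo"="c:\\winnt\\system32\\ap9h4qmo.exe"
"w79f34O"="fcctr.exe"
"Media Pass"="c:\\Program Files\\Media Pass\\MediaPass.exe"
'''

# Constructed snapshot: after the reboot (gah95on6 path is an assumption).
RUN_AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gah95on6"="c:\\winnt\\system32\\gah95on6.exe"
"w79f34O"="fcctr.exe"
"Media Pass"="c:\\Program Files\\Media Pass\\MediaPass.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # reg export writes a backslash as \\ and a quote as \" inside REG_SZ data
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> RegTree:
    """Parse REG_SZ values from `reg export` text into {key: {name: data}}."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            tree[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return tree


def looks_random(name: str) -> bool:
    """Heuristic for generated names like ap9h4qmo / w79f34O / gah95on6:
    short, alphanumeric, mixing letters and digits. It will also hit
    legitimate names such as 'mp3player'; it is a prompt to look, not a verdict."""
    return (6 <= len(name) <= 10 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def is_bare_filename(command: str) -> bool:
    """True when the Run data has no directory, so the loader is found via
    the PATH search order rather than a fixed location (fcctr.exe case)."""
    head, _ = ntpath.split(command.strip().strip('"'))
    return head == ""


def diff_run_values(before: RegTree, after: RegTree, key: str = RUN_KEY):
    """Return (added, removed, kept) value names for one key across snapshots."""
    b, a = before.get(key, {}), after.get(key, {})
    return (sorted(set(a) - set(b)), sorted(set(b) - set(a)), sorted(set(a) & set(b)))


def triage(before_text: str, after_text: str,
           key: str = RUN_KEY) -> List[Tuple[str, str, List[str]]]:
    """Produce (name, command, flags) for every value seen in either snapshot."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    added, removed, kept = diff_run_values(before, after, key)
    findings = []
    for name in added + kept:
        cmd = after[key][name]
        flags = ["new-after-reboot"] if name in added else ["persisted"]
        if looks_random(name):
            flags.append("random-name")
        if is_bare_filename(cmd):
            flags.append("no-path")
        # Removed random name + added random name in the same directory is
        # the rotating-loader pattern the report saw across its reboot.
        for old in removed:
            old_cmd = before[key][old]
            if (name in added and looks_random(old) and looks_random(name)
                    and ntpath.dirname(old_cmd).lower() == ntpath.dirname(cmd).lower()):
                flags.append(f"rotated-from:{old}")
        findings.append((name, cmd, flags))
    for name in removed:
        findings.append((name, before[key][name], ["gone-after-reboot"]))
    return findings


if __name__ == "__main__":
    for name, cmd, flags in triage(RUN_BEFORE, RUN_AFTER):
        print(f"{name:12} {cmd:45} {', '.join(flags)}")
```

On a real box the two inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" before.reg` run before and after the reboot (and the same for HKCU, which the parser also accepts since it keys on the bracketed path). The "no-path" flag is the one worth acting on first: a loader that is found by PATH search can be neutralised by locating the file, which is exactly the manual step the report ends on.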
 
John,
You are having too much fun. :) I toasted a machine myself the other day,
also in the interest of science.

Good report!

Ron Chamberlin
MS-MVP
 
I'm kicking myself now because I should have ghosted a clean load to ensure
a clean start every time. Now my data is tainted. Shoot - where is the
Norton disk...

JohnF.
 
Ouch. I burned a clean image before I started.


JohnF. said:
I'm kicking myself now because I should have ghosted a clean load to
ensure a clean start every time. Now my data is tainted. Shoot - where is
the Norton disk...

JohnF.
 