Lately, there have been many similar infections that place multiple warning messages on a user’s computer: on the wallpaper, as the internet browser’s homepage, and/or in the system tray.
Wallpaper / Desktop hijack:
warnhp.html: “Warning! Your computer might be infected with spyware or adware !!!”
“Warning! Spyware detected on your computer!”
screen.html: “Warning! You’re in danger!”
popup.html / desktop.html: “Danger: Spyware”
Internet Explorer homepage hijack:
www.securityprecaution.net: “Warning! Spyware detected. Your private info is collected by W32.Sinnaka.A@mm”
System tray icons:
intell32.exe: “Your computer is infected!”
soft26.exe: “Your computer is infected! Windows has detected spyware infection! Click here to protect your computer from Spyware!”
mswinb32.exe: “!Warning! Potential Spyware operation! Your computer is making unauthorized copies of your system and Internet log files.”
These infections are quite annoying: they take over the wallpaper and change the desktop settings, and reversing those changes by hand can be extremely difficult. Users may find themselves unable to set their preferred wallpaper, and in many cases setting the wallpaper or viewing the desktop properties is disabled outright. Luckily, Spyware Nuker XT can remove these infections and has a “Reset Desktop Settings” feature that restores the desktop settings to a default state, allowing users to set the wallpaper and desktop settings back to their preference.
In numerous cases, these infections are immediately followed by the automatic installation of “the removal solution”. An anti-spyware program miraculously appears, begins scanning the computer, and detects the infection that caused all the warning messages to show up. But detection is all that happens: to remove the traces the anti-spyware program has detected, the user must buy it. This seems like a deceitful tactic to get unsuspecting users to purchase “helpful” software. I have come across a handful of “Anti-Spyware” applications that were installed immediately after the installation of hijackers, downloaders, and/or trojans. Some share close similarities and may just be clones of one another, but all use the same tactics to entice purchases. Here are a few of the handful:
AlfaCleaner
Files:
Directory of C:\Documents and Settings\Administrator\Application Data\AlfaCleaner
config.dat
update.info
Directory of C:\Documents and Settings\Administrator\Application Data\Skinux
Directory of C:\Documents and Settings\Administrator\Application Data\Skinux\AlfaCleaner
Directory of C:\Documents and Settings\LocalService\Application Data\AlfaCleaner
Directory of C:\Program Files\AlfaCleaner
02/02/2006 10:41 PM 274,432 ACServer.exe
02/02/2006 10:41 PM 11,264 AlfaCleaner.exe
02/02/2006 10:24 PM 1,406 AlfaCleaner.ico
02/02/2006 10:41 PM 872,448 Engine.dll
02/02/2006 10:41 PM 26,016 hesvc.sys
02/10/2006 09:46 AM 0 install.info
02/02/2006 10:25 PM 22,486 key.ico
11/26/2005 08:51 PM 241,664 log4cplusu.dll
02/02/2006 10:41 PM 29,184 logger.dll
04/07/2003 04:00 PM 499,712 msvcp71.dll
04/07/2003 04:00 PM 348,160 msvcr71.dll
02/02/2006 10:41 PM 495,616 PopUp.exe
02/02/2006 10:24 PM 67,089 splash.png
02/02/2006 10:41 PM 131,072 Threats.dll
02/02/2006 10:41 PM 2,494,464 UI.dll
02/10/2006 09:46 AM 28,270 unins000.dat
02/10/2006 09:46 AM 673,546 unins000.exe
02/02/2006 10:41 PM 69,632 Updater.exe
Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlfaCleaner"="C:\\Program Files\\AlfaCleaner\\AlfaCleaner.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlfaCleaner.com_is1]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AlfaCleanerService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\AlfaCleanerService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AlfaCleanerService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\AlfaCleanerService]
RazeSpyware
Files:
Directory of C:\
ntpnt.exe
Directory of C:\Documents and Settings\benino\Desktop\
RazeSpyware.lnk
Directory of C:\Documents and Settings\benino\Start Menu\Programs\RazeSpyware
Directory of C:\Program Files\RazeSpyware\
12/06/2005 11:02 a 239321 database.dat
12/12/2005 10:23 a 2927104 RazeSpyware.dll
12/13/2005 10:41 a 939008 RazeSpyware.exe
12/12/2005 07:57 a 295936 RazeSpyware_monitor.dll
12/12/2005 08:06 a 456192 RazeSpyware_monitor.exe
01/12/2006 13:41 a 632 scan.log
01/12/2006 13:41 a 113048 Uninstall.exe
02/03/2000 12:00 a 116224 UnzDll.dll
Directory of C:\WINDOWS\
adw.htm
Directory of C:\WINDOWS\system32\
intxt.exe
mswinb32.dll
mswinb32.exe
mswinf32.dll
mswinf32.exe
mswinup32.dll
mswinxml.dll
page.htm
r.exe
shell386.exe
winapi32.dll
winlfl32.dll
xxxdialer.exe
Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winapi32.Intelinks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winapi32.MyBaner]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winapi32.MyBHO]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A533235-A128-434B-9F8A-9300A544D191}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Porn Dialer"="C:\WINDOWS\System32\xxxdialer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RazeSpyware]
[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Borland\Locales]
"C:\Program Files\RazeSpyware\RazeSpyware.exe"="DLL"
"C:\Program Files\RazeSpyware\RazeSpyware_Monitor.exe"="DLL"
[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"="%SystemRoot%\adw.htm"
[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"RazeSpyware"="C:\Program Files\RazeSpyware\RazeSpyware.exe"
"RazeSpyware Monitor"="C:\Program Files\RazeSpyware\RazeSpyware_monitor.exe"
[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\RazeSpyware]
SpywareStrike
Files:
Directory of C:\Program Files\SpywareStrike
07/26/2005 04:14 PM 499,712 msvcp71.dll
07/26/2005 04:14 PM 348,160 msvcr71.dll
01/09/2006 08:33 AM 994,136 signatures.ref
01/05/2006 07:10 AM 1,409,024 SpywareStrike.exe
01/12/2006 08:56 AM 325 spywarestrike.ini
01/12/2006 08:55 AM 54 SpywareStrike.url
01/12/2006 08:55 AM 35,084 uninst.exe
Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SpywareStrike.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareStrike.exe]
@="C:\\Program Files\\SpywareStrike\\SpywareStrike.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareStrike"="C:\\Program Files\\SpywareStrike\\SpywareStrike.exe /h"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStrike]
[HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStrike]
SpywareFalcon
Files:
Directory of C:\Program Files\SpyFalcon
01/25/2006 09:50 AM 50,527 blacklist.txt
07/26/2005 04:14 PM 499,712 msvcp71.dll
07/26/2005 04:14 PM 348,160 msvcr71.dll
02/09/2006 05:09 AM 1,744,896 SpyFalcon.exe
02/15/2006 10:06 AM 50 SpyFalcon.url
02/07/2006 11:24 PM 1,074,008 syg.db
02/15/2006 10:06 AM 41,436 uninst.exe
Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyFalcon.exe]
@="C:\\Program Files\\SpyFalcon\\SpyFalcon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyFalcon"="C:\\Program Files\\SpyFalcon\\SpyFalcon.exe /h"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon]
[HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon]
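As an added illustration (not code from the original post or from Spyware Nuker), here is a small Python triage script that parses a .reg-style dump in the same layout as the listings above and flags the three patterns they show: Run entries that launch the rogue executables named above, an Active Desktop wallpaper pointed at an HTML file (the adw.htm hijack), and any Browser Helper Object registration. The sample dump is constructed for the example and is not a real export.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "rule key name value")

# Executable names taken from the listings above; matched case-insensitively.
ROGUE_IMAGES = {"alfacleaner.exe", "razespyware.exe", "razespyware_monitor.exe", "spywarestrike.exe",
                "spyfalcon.exe", "intell32.exe", "soft26.exe", "mswinb32.exe", "xxxdialer.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...\Path]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(?:"(.*)"|(.*))$')  # "name"="value" / @="value"

# Constructed sample in the layout the listings above use (not a real export).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AlfaCleaner"="C:\\Program Files\\AlfaCleaner\\AlfaCleaner.exe"
"SpywareStrike"="C:\\Program Files\\SpywareStrike\\SpywareStrike.exe /h"
[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"="%SystemRoot%\adw.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A533235-A128-434B-9F8A-9300A544D191}]
"""

def image_name(cmdline):
    # Lower-cased executable file name from a Run value such as 'C:\\dir\\x.exe /h'.
    path = cmdline.replace("\\\\", "\\").strip().strip('"').lower()
    cut = path.find(".exe")
    if cut != -1:
        path = path[:cut + 4]          # drop trailing arguments such as " /h"
    return path.rsplit("\\", 1)[-1]

def scan_reg_text(text):
    """Walk a .reg-style dump and return Findings for the three hijack patterns."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if "\\Explorer\\Browser Helper Objects\\{" in key:    # any BHO deserves review
                findings.append(Finding("bho-registered", key, None, key.rsplit("\\", 1)[-1]))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key.lower().endswith("\\currentversion\\run") and image_name(value) in ROGUE_IMAGES:
            findings.append(Finding("rogue-run-entry", key, name, value))
        if (key.lower().endswith("\\internet explorer\\desktop\\general")
                and name.lower() == "wallpaper" and value.lower().endswith((".htm", ".html"))):
            findings.append(Finding("html-wallpaper-hijack", key, name, value))  # Active Desktop page
    return findings
```

Run `scan_reg_text` over the text of a `reg export` of the HKLM and HKU hives to get the same four findings for the sample, with the benign ctfmon entry left alone.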
Internet users need to be aware that some “security”
software companies may use deceitful tactics to lure unsuspecting
users into purchasing their software. With over 8.5 million users
and growing, Spyware Nuker is a name that the public can trust and
count on to remove Spyware.