HUNTER'S LOG
 
Hunter's Word

The Internet is filled with amazing amounts of information. There is so much to be explored and so much to learn. It would seem that this information is freely available to anyone. An informational garden of Eden.
This is not entirely the case. In this garden there are snakes at almost every click of the mouse, waiting to strike. There is always a new breed. One we did not recognize yesterday, disguised as something friendly, or necessary. Spyware and adware have moved from the shadows of software piracy and pornographic websites. I've infected computers installing screensavers, games, listening to music, or even just browsing for information. It is not safe out there, unless someone is constantly keeping up with the newest infections and latest variants of known malicious software. We are doing just that to make sure our software is up to the task of removing the latest infections.
A Hunter's work is never done.



Hunter's Log: 20060228 182205

 

Lately there have been many similar infections that place multiple warning messages on a user’s computer: on the wallpaper, on the Internet browser’s homepage, and/or in the system tray.

Wallpaper / Desktop hijack:

warnhp.html: “Warning! Your computer might be infected with spyware or adware !!!”

“Warning! Spyware detected on your computer!”

screen.html: “Warning! You’re in danger!”

popup.html / desktop.html: “Danger: Spyware”


Internet Explorer homepage hijack:

www.securityprecaution.net: “Warning! Spyware detected. Your private info is collected by W32.Sinnaka.A@mm”


System tray icons:

intell32.exe: “Your computer is infected!”

soft26.exe: “Your computer is infected! Windows has detected spyware infection! Click here to protect your computer from Spyware!”


mswinb32.exe: “!Warning! Potential Spyware operation! Your computer is making unauthorized copies of your system and Internet log files.”


These infections can be quite annoying: they take over your wallpaper and change your desktop settings, and reversing those changes manually can be extremely difficult. Users may find themselves unable to set their preferred wallpaper, and in many cases setting the wallpaper or viewing the desktop properties becomes disabled. Luckily, Spyware Nuker XT can remove these infections and has a “Reset Desktop Settings” feature that restores the desktop settings to a default state, allowing users to set the wallpaper and desktop settings to their preference again.

In numerous cases, these infections are immediately followed by the automatic installation of “the removal solution”. An anti-spyware application miraculously appears, begins scanning the computer, and detects the infection that caused all the warning messages to show up. But detection is all that happens: in order to remove the traces the anti-spyware software detected, the user must buy it. This seems like a deceitful tactic to get unsuspecting users to purchase their “helpful” software. I have come across a handful of “Anti-Spyware” applications that have been installed immediately after the installation of hijackers, downloaders, and/or trojans. Some share close similarities and may just be clones of one another, but still implement the same tactics to entice purchases. Here are a few of the handful:

AlfaCleaner

Files:

Directory of C:\Documents and Settings\Administrator\Application Data\AlfaCleaner
config.dat
update.info

Directory of C:\Documents and Settings\Administrator\Application Data\Skinux

Directory of C:\Documents and Settings\Administrator\Application Data\Skinux\AlfaCleaner

Directory of C:\Documents and Settings\LocalService\Application Data\AlfaCleaner

Directory of C:\Program Files\AlfaCleaner
02/02/2006 10:41 PM 274,432 ACServer.exe
02/02/2006 10:41 PM 11,264 AlfaCleaner.exe
02/02/2006 10:24 PM 1,406 AlfaCleaner.ico
02/02/2006 10:41 PM 872,448 Engine.dll
02/02/2006 10:41 PM 26,016 hesvc.sys
02/10/2006 09:46 AM 0 install.info
02/02/2006 10:25 PM 22,486 key.ico
11/26/2005 08:51 PM 241,664 log4cplusu.dll
02/02/2006 10:41 PM 29,184 logger.dll
04/07/2003 04:00 PM 499,712 msvcp71.dll
04/07/2003 04:00 PM 348,160 msvcr71.dll
02/02/2006 10:41 PM 495,616 PopUp.exe
02/02/2006 10:24 PM 67,089 splash.png
02/02/2006 10:41 PM 131,072 Threats.dll
02/02/2006 10:41 PM 2,494,464 UI.dll
02/10/2006 09:46 AM 28,270 unins000.dat
02/10/2006 09:46 AM 673,546 unins000.exe
02/02/2006 10:41 PM 69,632 Updater.exe

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlfaCleaner"="C:\\Program Files\\AlfaCleaner\\AlfaCleaner.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlfaCleaner.com_is1]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AlfaCleanerService]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\AlfaCleanerService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AlfaCleanerService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\AlfaCleanerService]


RazeSpyware

Files:

Directory of C:\
ntpnt.exe

Directory of C:\Documents and Settings\benino\Desktop\
RazeSpyware.lnk

Directory of C:\Documents and Settings\benino\Start Menu\Programs\RazeSpyware

Directory of C:\Program Files\RazeSpyware\
12/06/2005 11:02 a 239321 database.dat
12/12/2005 10:23 a 2927104 RazeSpyware.dll
12/13/2005 10:41 a 939008 RazeSpyware.exe
12/12/2005 07:57 a 295936 RazeSpyware_monitor.dll
12/12/2005 08:06 a 456192 RazeSpyware_monitor.exe
01/12/2006 13:41 a 632 scan.log
01/12/2006 13:41 a 113048 Uninstall.exe
02/03/2000 12:00 a 116224 UnzDll.dll

Directory of C:\WINDOWS\
adw.htm


Directory of C:\WINDOWS\system32\
intxt.exe
mswinb32.dll
mswinb32.exe
mswinf32.dll
mswinf32.exe
mswinup32.dll
mswinxml.dll
page.htm
r.exe
shell386.exe
winapi32.dll
winlfl32.dll
xxxdialer.exe

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A533235-A128-434B-9F8A-9300A544D191}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A94FD42A-E405-4CD9-9486-3A341310EE2F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF71228A-0D58-4E50-B592-36551F1ACC01}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{018080B0-D90D-46F8-86D1-4CF8CE6E8686}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9BD2B2BC-D289-4FCE-B734-E4D6ACBBAB7D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ADE60563-5AD0-4832-A1E7-0E3A428C43C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7DFABBF-F985-4A67-8D72-EA0D9FC7C429}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winapi32.Intelinks]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winapi32.MyBaner]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winapi32.MyBHO]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A533235-A128-434B-9F8A-9300A544D191}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Porn Dialer"="C:\WINDOWS\System32\xxxdialer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RazeSpyware]

[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Borland\Locales]
"C:\Program Files\RazeSpyware\RazeSpyware.exe"="DLL"
"C:\Program Files\RazeSpyware\RazeSpyware_Monitor.exe"="DLL"

[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"="%SystemRoot%\adw.htm"

[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"RazeSpyware"="C:\Program Files\RazeSpyware\RazeSpyware.exe"
"RazeSpyware Monitor"="C:\Program Files\RazeSpyware\RazeSpyware_monitor.exe"

[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\RazeSpyware]


SpywareStrike

Files:

Directory of C:\Program Files\SpywareStrike
07/26/2005 04:14 PM 499,712 msvcp71.dll
07/26/2005 04:14 PM 348,160 msvcr71.dll
01/09/2006 08:33 AM 994,136 signatures.ref
01/05/2006 07:10 AM 1,409,024 SpywareStrike.exe
01/12/2006 08:56 AM 325 spywarestrike.ini
01/12/2006 08:55 AM 54 SpywareStrike.url
01/12/2006 08:55 AM 35,084 uninst.exe

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SpywareStrike.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F25878F-F8AE-5D5D-2BB7-31B5F803290D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C15CDEA-3EF4-4405-90B0-19A1389B36ED}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3115A433-3FA0-483B-AB01-2A61C951FE58}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{51FEFA9C-1D5A-41C4-81FE-8C0FBE9254F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5CCC8D01-9F75-4F07-9ACF-DEB314176C79}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5E7BF614-960B-4A1F-9236-9EC01AC4C5E2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{66F0AC1C-DED5-4965-9E31-39788DF1B264}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{849E056A-D67A-431E-9370-2275F26D39B5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B7AFBFD-631C-45BA-9145-F059EB58DD73}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AFEB8519-0B8B-4023-8C15-FFB17D5225F9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA9CC151-4581-438E-94AF-4C703201B7CA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BC74C336-FF2C-40C9-AD4E-3772C208406B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDF00F24-A571-4392-95EC-04FDFF82A82C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C4E953E6-770E-4F59-A5E3-43E9F0D682E2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0105E7C-D0C4-4DEA-AA21-B02F2960ECAF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED39CB7C-1BF6-429B-A275-F183B4A3EFCB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F23AA637-31D5-4526-B5C6-9FF89E16202C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1A4C0C9-DBD0-493A-93F8-0B05EDC96224}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareStrike.exe]
@="C:\\Program Files\\SpywareStrike\\SpywareStrike.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareStrike"="C:\\Program Files\\SpywareStrike\\SpywareStrike.exe /h"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStrike]

[HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStrike]


SpywareFalcon

Files:

Directory of C:\Program Files\SpyFalcon
01/25/2006 09:50 AM 50,527 blacklist.txt
07/26/2005 04:14 PM 499,712 msvcp71.dll
07/26/2005 04:14 PM 348,160 msvcr71.dll
02/09/2006 05:09 AM 1,744,896 SpyFalcon.exe
02/15/2006 10:06 AM 50 SpyFalcon.url
02/07/2006 11:24 PM 1,074,008 syg.db
02/15/2006 10:06 AM 41,436 uninst.exe

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{001501E7-C970-4CB1-9740-E055BF3DDFD6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FBBBC44-296D-4A2F-AF45-BE1EE387F569}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{163469FD-6009-48E2-AD8C-47BB2E0D88BE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{200BD3A6-A02B-4BAC-A364-A9D8017E3C4E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20C59F9F-33CB-4B1B-AFB6-B710DB845709}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23D80835-4A3A-4572-9F5F-3F24A7A28AE5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{255CDDA3-576B-44C9-B944-46EAC18D5D6F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3261F690-1CA4-4839-928B-F4F898B74EB7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{37B9988B-1997-41F4-A832-DAE42CC3F7C2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B861FB8-903C-4996-B1D3-E9A86ED4BBCF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6876543E-DA55-4F90-9CD2-5ED380D9516C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{701E8C3A-7910-4CCD-A9F8-7B9A5F5B3947}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{850300D6-D53B-4720-9372-6D31B85537E1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C803228-BD61-4744-8B79-949E3F512DDC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7C685F0-1804-4382-A8EF-17D33DF97069}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyFalcon.exe]
@="C:\\Program Files\\SpyFalcon\\SpyFalcon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyFalcon"="C:\\Program Files\\SpyFalcon\\SpyFalcon.exe /h"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon]

[HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon]
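
As an added example (not from this entry or from TrekBlue), the following Python script reads a registry listing in the layout used above and flags the three artifact types this entry describes: a Run value launching one of the named rogue products, a Wallpaper value under Internet Explorer\Desktop\General that points at an HTML file (the adw.htm desktop hijack), and the RazeSpyware Browser Helper Object CLSID. The embedded sample is constructed to mirror the listings above and is not a real export.

```python
import re

# Product names from the entry; a Run value that launches one of them is flagged.
ROGUE_NAMES = {"alfacleaner", "razespyware", "spywarestrike", "spyfalcon"}
# Browser Helper Object CLSID listed above for the RazeSpyware bundle.
ROGUE_BHO_CLSIDS = {"{7A533235-A128-434B-9F8A-9300A544D191}"}
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # "Name"="Value" lines

def parse_listing(text):
    """Return {key_path: {value_name: value}}; keys wrapped over two lines are rejoined."""
    keys, current, pending = {}, None, ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if pending or line.startswith("["):
            pending += line
            if not line.endswith("]"):
                continue                      # key continues on the next line
            current, pending = pending[1:-1], ""
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_rogue_artifacts(text):
    """Return (rule, key, value_name, value) tuples for every suspicious entry."""
    findings = []
    for key, values in parse_listing(text).items():
        low = key.lower()
        if low.endswith(r"\currentversion\run"):
            for name, val in values.items():
                exe = val.lower().rsplit("\\", 1)[-1].split(" /")[0]  # basename, args stripped
                if any(n in exe for n in ROGUE_NAMES):
                    findings.append(("rogue-run", key, name, val))
        elif low.endswith(r"\internet explorer\desktop\general"):
            wallpaper = values.get("Wallpaper", "")
            if wallpaper.lower().endswith((".htm", ".html")):  # Active Desktop HTML hijack
                findings.append(("wallpaper-hijack", key, "Wallpaper", wallpaper))
        elif "\\browser helper objects\\" in low:
            clsid = key.rsplit("\\", 1)[-1].upper()
            if clsid in ROGUE_BHO_CLSIDS:
                findings.append(("rogue-bho", key, "@", clsid))
    return findings

# Constructed sample in the entry's layout (not a real export) for a stand-alone run.
SAMPLE = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareStrike"="C:\\Program Files\\SpywareStrike\\SpywareStrike.exe /h"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A533235-A128-434B-9F8A-9300A544D191}]
[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\
Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"="%SystemRoot%\adw.htm"
"""
```

Calling `find_rogue_artifacts(SAMPLE)` returns one finding per rule; a stock wallpaper such as a .bmp under the same key produces none.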

Internet users need to be aware that some “security” software companies may use deceitful tactics to lure unsuspecting users into purchasing their software. With over 8.5 million users and growing, Spyware Nuker is a name that the public can trust and count on to remove Spyware.


End of Entry
© 2002-2007 TrekBlue, Inc.