I checked a Windows XP Professional Service Pack 3 system, J, with CA Anti-Spyware 2008 LE. That version is free and will detect malware, but not remove it. You can purchase a license to have the software remove any malware it finds.
I did not find any rootkit software on the system with any of the 3 rootkit revealers I used.
Virantix and other malware on September 9 (see Infection by Virantix - braviax.exe).
Scan Results
Select an action to apply:
1 items detected
Name: SettingsModifier:Win32/PossibleHostsFileHijack
Alert level: Medium
Action: Clean
Category: Settings Modifier
Description: This program has potentially unwanted behavior
Advice: Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
Resources: file: C:\WINDOWS\system32\drivers\etc\hosts
Also Known As:
Trojan.Win32.Qhost (Kaspersky)
Qhosts.apd (McAfee)
Summary
A detection of Win32/PossibleHostsFileHijack is an indicator that your HOSTS file may have been modified by malicious or potentially unwanted software. Modifications to the HOSTS file can cause access to certain Internet domains to be redirected or denied. This may prevent the computer from connecting to certain Web sites.
Symptoms
Situations such as the following may be signs that your HOSTS file has been modified without your consent:
- You are unable to access a certain Web site that you believe is in operation, such as a site that provides programs to help keep your computer secure.
- Your browser connects to a Web site that does not appear to be appropriate, given the Web address you entered.
The hosts file is at c:\windows\system32\drivers\etc\hosts. In this case Windows Defender is flagging it because it has been modified. Typically, it doesn't have much more in it than a reference to the loopback address, i.e. 127.0.0.1 localhost.
In the case of this laptop, Spy Sweeper added entries such as the following:
127.0.0.1 localhost
127.0.0.1 1.httpdads.com #SpySweeperCASS
127.0.0.1 207-87-18-203.wsmg.digex.net #SpySweeperCASS
127.0.0.1 a.mktw.net #SpySweeperCASS
127.0.0.1 a.tribalfusion.com #SpySweeperCASS
Many antispyware programs, such as Spy Sweeper or Spybot Search & Destroy, add entries to the hosts file that point the names of malicious sites, or of sites that distribute adware/spyware, to the loopback address, 127.0.0.1, instead. That ensures that if the system attempts to contact one of those sites, such as httpdads.com, which is listed by Spy Sweeper, antispyware software produced by Webroot Software, Inc., it is directed to the local loopback address on the system itself rather than to the website distributing the malware, which prevents the system from contacting the actual website.
So, in this case, I can consider the report a "false positive" and instruct Windows Defender to ignore it.
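As an added illustration (not code from the original page), the following Python script parses a hosts file and separates the stock localhost line and antispyware sinkhole entries, which point names at 127.0.0.1 or 0.0.0.0, from entries that redirect a name to some other address, which is the kind of modification the Windows Defender alert is really warning about. The sample hosts content is constructed from the entries shown above plus one hypothetical redirect line that uses a reserved test address and a placeholder domain.

```python
# Added example (not from the original page): triage a Windows hosts file so that
# benign sinkhole entries added by antispyware can be told apart from real hijacks.
import ipaddress

# Addresses that send a name nowhere useful: loopback or the unspecified address.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the SpySweeper lines from the page plus one hypothetical
# hijack entry mapping a placeholder vendor domain to a TEST-NET-1 address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 1.httpdads.com #SpySweeperCASS
127.0.0.1 207-87-18-203.wsmg.digex.net #SpySweeperCASS
127.0.0.1 a.mktw.net #SpySweeperCASS
127.0.0.1 a.tribalfusion.com #SpySweeperCASS
192.0.2.10 update.antivirus-vendor.example
"""

def parse_hosts(text):
    """Return a list of (address, hostnames, comment) tuples, skipping blanks/comments."""
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue
        entries.append((fields[0], fields[1:], comment.strip()))
    return entries

def classify(address, hostnames):
    """'default' for the stock localhost line, 'sinkhole' for names pointed at a
    sink address (what antispyware blocklists do), 'redirect' for anything else."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if address in SINK_ADDRESSES:
        return "default" if hostnames == ["localhost"] else "sinkhole"
    return "redirect"

def triage(text):
    """Summarise a hosts file: counts per class, comment tags seen, redirects to review."""
    summary = {"default": 0, "sinkhole": 0, "redirect": 0, "malformed": 0,
               "tags": set(), "review": []}
    for address, hostnames, comment in parse_hosts(text):
        kind = classify(address, hostnames)
        summary[kind] += 1
        if comment:
            summary["tags"].add(comment)
        if kind == "redirect":
            summary["review"].append(f"{address} -> {' '.join(hostnames)}")
    return summary
```

Running triage() over the real file (open it and pass its contents) gives the same summary; entries listed under "review" are the ones that redirect rather than block and deserve a closer look.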
Spyware.Destart.A in Restart.exe, which was in the directory C:\Windows\System32\Tools. I submitted the file to VirusTotal for analysis and also to Jotti's Online Malware Scan. Other antimalware software used by those sites also reported the file as malware. However, after further checking, I believe that the file is actually innocuous.
FunWeb
FunWebProducts
MyWay.MyWebSearch
MyWebSearch
TagASaurus
Zlob.VideoAccessActiveXObject
I also found that the popup ad was appearing whenever Internet Explorer was opened. When Internet Explorer was opened it would go immediately to http://aprotectservice.com/, which would result in a dubious W32.Myzor.FK@yf virus warning appearing.
Error updating database. Could not save the new database on the hard drive.
An error occurred when trying to open the file for writing.
Filename: 'system\bazooka_db.bdb'
Current Working Directory: C:\Program Files\Security\Spyware\Bazooka Scanner\
System error message: Access is denied.
C++ exception: ios::failbit set
Could not update the database. Please check the following:
1. Are you connected to the Internet?
2. Maybe it was a temporary error. Please try again later.
You can also update the database manually. Would you like to have instructions
how to update it manually?
When I checked the properties of the Bazooka database, bazooka_db.bdb, which is under the system directory of the Bazooka installation folder, by right-clicking on the file and selecting Properties, I found it was marked as "read-only". I unchecked the read-only option and then was able to update the database.
The problem can be fixed with Resource Hacker.
The uninstall procedure on the Kephyr webpage suggested using "Add or Remove Programs" from the Windows Control Panel to remove entries named "Surf Sidekick", "ItalMgr", "Command", "RelevantKnowledge" and "MarketScore" before going through the manual uninstall instructions. However, none of those existed.
The Kephyr site indicates that the presence of any of the files or directories listed below may indicate a system is infected with this malware.
%ProgramsDir%\Msnmaker\
%ProgramsDir%\Quick Links\
%ProgramsDir%\InetGet\
%ProgramsDir%\FREEPR~1\
%ProgramsDir%\Freeprod Toolbar\
%ProgramsDir%\Cas\
%ProgramsDir%\CasStub\
%ProgramsDir%\CMSystem\
%ProgramsDir%\System Files\System.exe
%ProgramsDir%\System Files\plugin.dll
%ProgramsDir%\Yazzle Sudoku\
%WinDir%\etb\pokapoka73.exe
%WinDir%\etb\pokapoka75.exe
%WinDir%\exe82.exe
%WinDir%\bsx32\
%WinDir%\etb\
%WinDir%\jptc.dat
%WinDir%\offun.exe
%WinDir%\rk.exe
%WinDir%\rlvknlg.exe
%SystemDir%\PSof1.exe
%SystemDir%\exp.exe
%SystemDir%\wintask.exe
%SystemDir%\adcomplusanalytic.exe
%SystemDir%\ichckupd.exe
%SystemDir%\bho.dll
%SystemDir%\nsb12.dll
%SystemDir%\APD123.exe
%SystemDir%\wuauclt.dll
%SystemDir%\202_app13.exe
%SystemDir%\MTE2ODM6ODoxNg.exe
%SystemDir%\PopOops.dll
%SystemDir%\SI.exe
%SystemDir%\SWLAD1.dll
%SystemDir%\atmtd.dll
%SystemDir%\atmtd.dll._
%SystemDir%\dist001.exe
%SystemDir%\installer216.exe
%SystemDir%\nstD.dll
%SystemDir%\uc.exe
%SystemDir%\AOP2.exe
%SystemDir%\repairs302972979.dll
%WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%ProgramsDir% is a variable. By default, this is C:\Program Files.
I created a batch file, pacerd_bundle-files.bat, to search for any instances of the above files or directories on the system. None were found.
I then checked the registry for the presence of any of the registry keys the Kephyr webpage listed as being associated with the malware. I found only one of the listed registry keys. The one I found was associated with a Windows startup entry for winsync.
C:\>reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsync REG_SZ C:\WINDOWS\System32\kdkgpx.exe reg_run
However, I did not see that file on the system, even when I booted into safe mode. And none of the listed files were found on the system when I checked under safe mode, also.
I deleted the registry key with the reg delete command.
C:\Documents and Settings\Administrator\My Documents>reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync
Delete the registry value winsync (Y/N)? y
The operation completed successfully
When I scanned the system again with Bazooka, it did not report the presence of Pacerd.bundle. The registry key it found previously was likely a remnant of spyware previously removed by another antispyware program on the system.
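The check applied by hand above (a Run value pointing at an executable that is no longer on disk) can be automated. The following Python script, an added example rather than anything from the page or from Kephyr, parses "reg query" output in the REG.EXE 3.0 layout shown above, extracts the program path from each Run value and reports the values whose executable does not exist. The sample output is constructed: winsync is the orphaned value from the page, while ctfmon and UpdaterSvc are hypothetical values added to show quoted and %SystemRoot%-expanded paths.

```python
# Added example (not the page's own): find Run entries whose executable is missing,
# which is what made the winsync value look like a leftover of removed spyware.
import re

# Constructed sample in the REG.EXE 3.0 layout; winsync is from the page, the
# other two values are hypothetical.
SAMPLE_REG_OUTPUT = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    winsync     REG_SZ  C:\\WINDOWS\\System32\\kdkgpx.exe reg_run
    ctfmon      REG_SZ  "C:\\WINDOWS\\system32\\ctfmon.exe"
    UpdaterSvc  REG_EXPAND_SZ  %SystemRoot%\\system32\\updater.exe /silent
"""

# One value line: name, type, data (the header and key-path lines do not match).
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse_run_values(text):
    """Return {value_name: data} for REG_SZ/REG_EXPAND_SZ values in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(2) in ("REG_SZ", "REG_EXPAND_SZ"):
            values[m.group(1)] = m.group(3)
    return values

def executable_path(data, env=None):
    """Program path from a Run value: expand %VAR% from env, then take the quoted
    path or the first token (unquoted paths containing spaces are ambiguous)."""
    env = env or {}
    data = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), data)
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0]

def orphaned_entries(text, exists, env=None):
    """Names of Run values whose executable is absent; exists is a path -> bool
    callback (os.path.exists on a live system, a fixed set here for testing)."""
    return sorted(name for name, data in parse_run_values(text).items()
                  if not exists(executable_path(data, env)))
```

On a live system, feed it the output of the reg query command and pass os.path.exists together with {"SYSTEMROOT": os.environ["SystemRoot"]} as the environment.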