CA Anti-Spyware Scan of J on 2008-09-15

A user of a Windows XP Professional Service Pack 3 system, J, reported that sometimes the taskbar disappears and that the system is still freezing occasionally. I checked the system on September 15, 2008 with RUBotted. It reported "no bots found." Windows Defender, which is free antispyware software from Microsoft, is configured on the system to run every day at about 2:00 in the morning. I checked its results for today. It reported "No unwanted or harmful software detected. Your computer is running normally."

Windows Defender Summary
Last scan: Today at 2:16 AM (full system scan).
Scan schedule: Daily around 2:00 AM.
Real-time protection: On
Definition version: 1.43.309.0, created on 9/11/2008 at 1:38 AM.

I downloaded and installed CA Anti-Spyware 2008 LE. The free CA Anti-Spyware 2008 LE trial only detects spyware threats; it does not remove them. To remove threats, full version activation is required. CA Anti-Spyware 2008 currently costs $39.99 for a 3-user download. Alternatively, you can buy CA's Internet Security Suite, which contains the anti-spyware software, for $49.99.

CA Anti-Spyware 2008 found the following malware:

Name        Type     Location
CouponBar   Spyware
Cutwail GF  Spyware
Busky DQ    Spyware
Cutwail NN  Spyware  HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run  cpl32ver

CA Anti-Spyware Detected

CouponBar

CA Anti-Spyware detected the following registry keys associated with CouponBar:

Type    Location
Key HKEY_CLASSES_ROOT\cpbrkpie.Coupon6ctrl.1
Key HKEY_CLASSES_ROOT\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key HKEY_CLASSES_ROOT\TypeLib\{87255C51-CD7D-4506-B9AD-97606DAF53F3}
Key HKEY_CLASSES_ROOT\Interface\{A138BE8B-F051-4802-9A3F-A750A6D862D4}
Key HKEY_CLASSES_ROOT\Interface\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}
Key HKEY_CLASSES_ROOT\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}

I deleted all of those keys.

Cutwail GF

CA Anti-Spyware detected the registry key hkey_local_machine\system\currentcontrolset\services\tcpsr for Cutwail GF. The file C:\WINDOWS\System32\drivers\tcpsr.sys was listed in the registry under that subkey, but I did not see the file in that directory. I deleted the tcpsr registry key.

Type    Location
key     hkey_local_machine\system\currentcontrolset\services\tcpsr

Value name: Imagepath
Value data: \??\C:\WINDOWS\System32\drivers\tcpsr.sys

Busky DQ

CA Anti-Spyware detected the registry key HKEY_USERS\S-1-5-21-1922275950-1779413670-3725303808-1144\Software\wkey. I deleted the key.

Cutwail NN

CA Anti-Spyware detected the following in HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run:

Type    Location
key     hkey_local_machine\software\microsoft\windows\currentversion\run

Value name: Cpl32ver
Value data: C:\WINDOWS\System32\Cpl32ver.exe

Cpl32ver.exe Properties

I found the file on the system, but it was zero bytes in size. I deleted the registry entry and the file.
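Both of the Cutwail entries above point at files that are not what the registry says they are: the tcpsr service's ImagePath named a driver that was not on disk, and the Cpl32ver Run value pointed at a zero-byte executable. As an added example that is not part of the original post, the following PowerShell script enumerates those same autostart locations (the HKLM and HKCU Run keys and the ImagePath value of every subkey under Services) and reports entries whose target file is missing or zero bytes in size. The function names, the handling of the \??\ and \SystemRoot\ path prefixes, and the assumption of PowerShell 2.0 or later with the registry provider, run from an elevated prompt, are mine, not the page's.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+
# and an elevated session so that every Services subkey is readable.

function Resolve-ImagePath {
    param([string]$Raw)
    if ([string]::IsNullOrEmpty($Raw)) { return $null }
    $p = $Raw.Trim()
    # Driver ImagePath values often carry the NT object-manager prefix (\??\C:\...)
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    # Kernel-style \SystemRoot\ prefix and %SystemRoot%-style variables
    if ($p -match '^\\SystemRoot\\') { $p = $env:SystemRoot + $p.Substring(11) }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Strip command-line arguments: either a quoted path or the first token
    # that ends in a binary extension (e.g. svchost.exe -k netsvcs)
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { $p = $p.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll|cpl))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    # Relative driver paths (system32\drivers\foo.sys) are rooted at %SystemRoot%
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-AutostartEntries {
    $entries = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # registry provider metadata
            $entries += New-Object PSObject -Property @{
                Source = $key; Name = $p.Name; Raw = [string]$p.Value
            }
        }
    }
    # Every service and driver: the ImagePath value is what the kernel/SCM will load
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $ip = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($ip) {
            $entries += New-Object PSObject -Property @{
                Source = 'Services'; Name = $svc.PSChildName; Raw = [string]$ip
            }
        }
    }
    return $entries
}

function Test-AutostartEntries {
    foreach ($e in Get-AutostartEntries) {
        $path = Resolve-ImagePath $e.Raw
        if (-not $path) { continue }
        $status = 'ok'
        if (-not (Test-Path -LiteralPath $path)) {
            $status = 'MISSING'        # registry points at a file that is not on disk (tcpsr.sys case)
        } elseif ((Get-Item -LiteralPath $path).Length -eq 0) {
            $status = 'ZERO-BYTES'     # file exists but is empty (Cpl32ver.exe case)
        }
        New-Object PSObject -Property @{
            Status = $status; Source = $e.Source; Name = $e.Name; Path = $path
        }
    }
}

# Report only the suspicious entries; drop the Where-Object to see everything.
Test-AutostartEntries | Where-Object { $_.Status -ne 'ok' } | Format-Table Status, Source, Name, Path -AutoSize
```

A MISSING or ZERO-BYTES result is a lead, not a verdict: a legitimately uninstalled program can leave a dangling Run value behind, so compare each flagged entry against what the machine is supposed to have installed before deleting it, and export the key (reg export) first so it can be restored.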

On September 16, I performed a Google search. I noticed that the first time I clicked on a link in the Google results, it did not take me to the relevant web page but to another page. The system was running Internet Explorer 6. I upgraded it to Internet Explorer 7, but after the upgrade I saw the same behavior.