Spyware investigation

Some interesting stuff, but no closer to a final conclusion of how it got there. The installer ran an XML file to get its updates. The XML file instructed it to download 4 files from download.statblaster.com. Those files were MemoryWatcher-b.exe, all_files9.exe, tracker.exe and FixIt.exe. Those in turn come bundled with their own “extras” and in the end we wound up with something like 15 programs getting installed within an hour. I think the instructions to do this came from a file named WinWildApp.exe, which in turn got its instructions from a randomly named .exe, which was also placed in the registry as a startup. That’s the file that started all this, but I don’t know where it came from. I know what time it hit the machine, and I know what site this person was on at that time, but the site, aside from annoying flashing ads and a few popups, seems to be clean. I don’t think that site is the source of the problem, but perhaps a popup was. The question is, did the popup originate from that site or was it a popunder from a previously-visited site?

By the way, there’s absolutely no evidence that the actual “statblaster” program was installed at all, but all of the “partners” listed on their website sure were, and from their servers. This leads me to believe that it was not a user who agreed to the wrong thing, since the original program that they are trying to get you to install from that site was never installed! (And yes the site he was on was a fantasy sports site, but a reputable one, and one of a few he had visited in the minutes previous to this.)

The only other evidence that sticks out is a program and a help file (both the .exe and .chm) called “HP2” that was in the Temporary Internet Files and time-stamped the same time as the random file in the Temp folder that started all this. I don’t know what they are at this time.

Anyone have any more clues about the nature of this stuff?

Update: HP2.exe is definitely the program that started this whole mess. I ran it on a computer that was not hooked up to the internet and it spawned a randomly named file and process that tried to then connect to internet servers to download files. Now the $64,000 question is, where did this file come from and how did it get executed?
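The two checks used above, matching file creation times against the randomly named dropper and spotting a startup entry that points into a temp folder, can be scripted for the next machine. This is an added example, not code from the post; the file records, the Run-key values and the name zq7k1f.exe (standing in for the randomly named file) are constructed sample data.

```python
import datetime as dt
from dataclasses import dataclass

@dataclass
class FileRecord:
    path: str             # full path as recorded on disk
    created: dt.datetime  # creation timestamp from the file system

# Path fragments that mark the temp locations the dropper and HP2 files lived in.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

def correlate_by_time(records, pivot_path, window_seconds=120):
    """Return the other files created within +/- window_seconds of the pivot
    file, oldest first: the 'time-stamped the same time' check done by hand above."""
    pivot = next(r for r in records if r.path.lower() == pivot_path.lower())
    lo = pivot.created - dt.timedelta(seconds=window_seconds)
    hi = pivot.created + dt.timedelta(seconds=window_seconds)
    hits = [r for r in records if r is not pivot and lo <= r.created <= hi]
    return sorted(hits, key=lambda r: r.created)

def executable_of(run_value):
    """Extract the executable path from a Run-key value, dropping quotes and arguments."""
    value = run_value.strip().strip('"').lower()
    idx = value.find(".exe")
    return value[:idx + 4] if idx >= 0 else value

def suspicious_run_entries(run_values):
    """Flag autostart entries whose executable lives under a temp directory."""
    return sorted(name for name, value in run_values.items()
                  if any(m in executable_of(value) for m in TEMP_MARKERS))

# Constructed sample data; zq7k1f.exe stands in for the randomly named dropper.
T0 = dt.datetime(2005, 1, 12, 14, 3, 10)
SAMPLE_FILES = [
    FileRecord(r"C:\Temp\zq7k1f.exe", T0 + dt.timedelta(seconds=2)),
    FileRecord(r"C:\Temporary Internet Files\HP2.exe", T0),
    FileRecord(r"C:\Temporary Internet Files\HP2.chm", T0),
    FileRecord(r"C:\Temp\WinWildApp.exe", T0 + dt.timedelta(minutes=1, seconds=40)),
    FileRecord(r"C:\Temp\MemoryWatcher-b.exe", T0 + dt.timedelta(minutes=9)),
    FileRecord(r"C:\Temp\~DF1234.tmp", T0 - dt.timedelta(hours=5)),
]
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "zq7k1f": r'"C:\Temp\zq7k1f.exe" /silent',
}

if __name__ == "__main__":
    for r in correlate_by_time(SAMPLE_FILES, r"C:\Temp\zq7k1f.exe"):
        print(r.created, r.path)
    print(suspicious_run_entries(SAMPLE_RUN))
```

On a real machine the records would come from a directory listing of the Temp and Temporary Internet Files folders and the values from the Run keys; the later downloads (MemoryWatcher-b.exe at nine minutes) fall outside the two-minute window and are correctly left out.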
