Spyware investigation

Some interesting stuff, but no closer to a final conclusion of how it got there. The installer ran an XML file to get its updates. The XML file instructed it to download 4 files from download.statblaster.com. Those files were MemoryWatcher-b.exe, all_files9.exe, tracker.exe and FixIt.exe. Those in turn come bundled with their own “extras” and in the end we wound up with something like 15 programs getting installed within an hour. I think the instructions to do this came from a file named WinWildApp.exe, which in turn got its instructions from a randomly named .exe, which was also placed in the registry as a startup. That’s the file that started all this, but I don’t know where it came from. I know what time it hit the machine, and I know what site this person was on at that time, but the site, aside from annoying flashing ads and a few popups, seems to be clean. I don’t think that site is the source of the problem, but perhaps a popup was. The question is, did the popup originate from that site or was it a popunder from a previously-visited site?

By the way, there’s absolutely no evidence that the actual “statblaster” program was installed at all, but all of the “partners” listed on their website sure were, and from their servers. This leads me to believe that it was not a user who agreed to the wrong thing, since the original program that they are trying to get you to install from that site was never installed! (And yes, the site he was on was a fantasy sports site, but a reputable one, and one of a few he had visited in the minutes previous to this.)

The only other evidence that sticks out is a program and a help file (both the .exe and .chm) called “HP2” that was in the Temporary Internet Files and time-stamped the same time as the random file in the Temp folder that started all this. I don’t know what they are at this time.

Anyone have any more clues about the nature of this stuff?

Update: HP2.exe is definitely the program that started this whole mess. I ran it on a computer that was not hooked up to the internet and it spawned a randomly named file and process that tried to then connect to internet servers to download files. Now the $64,000 question is, where did this file come from and how did it get executed?
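The step that cracked this case was timestamp correlation: HP2.exe and HP2.chm were found because they carried the same time-stamp as the randomly named file in Temp. Below is an added example of that triage technique written for this post; it is not the author's code, and the file list is constructed sample data (the paths, times and the random name xq7ktb.exe are invented, not artifacts from the machine described). It generalizes the post's manual check into a small tool: build a chronological timeline of files and list everything created within a window of a known-bad anchor file, which is how you find the dropper and its siblings when the dropper's own name tells you nothing.

```python
"""Timeline correlation for incident triage (added example, not from the post)."""
import os
from datetime import datetime, timedelta

# Constructed sample artifacts (path, last-modified time). These are invented to
# mirror the post's description: a randomly named .exe in Temp, HP2.exe/HP2.chm
# in Temporary Internet Files, the later WinWildApp.exe, and unrelated cache files.
SAMPLE_ARTIFACTS = [
    ("C:/Temp/xq7ktb.exe", datetime(2004, 3, 14, 14, 2, 10)),            # hypothetical random name
    ("C:/Temporary Internet Files/HP2.exe", datetime(2004, 3, 14, 14, 2, 5)),
    ("C:/Temporary Internet Files/HP2.chm", datetime(2004, 3, 14, 14, 2, 5)),
    ("C:/Temporary Internet Files/banner.gif", datetime(2004, 3, 14, 13, 40, 0)),
    ("C:/Temp/WinWildApp.exe", datetime(2004, 3, 14, 14, 2, 40)),
    ("C:/Temporary Internet Files/logo.gif", datetime(2004, 3, 14, 9, 15, 0)),
]


def collect_artifacts(directory):
    """Walk a real directory tree and return (path, mtime) pairs.

    Only needed on a live machine; the sample data above stands in for it here.
    """
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            found.append((path, datetime.fromtimestamp(os.path.getmtime(path))))
    return found


def build_timeline(artifacts):
    """Return (timestamp, path) pairs in chronological order.

    Reading the timeline top to bottom gives the order in which files landed,
    which is what the 'what came first' question in an infection chain hinges on.
    """
    ordered = sorted(artifacts, key=lambda pt: pt[1])
    return [(t.isoformat(sep=" "), p) for p, t in ordered]


def correlate_by_time(artifacts, anchor_path, window_seconds=60):
    """Return paths (other than the anchor) whose timestamp lies within
    +/- window_seconds of the anchor file's timestamp, oldest first.

    The anchor is the one file you already know is bad (here the randomly named
    .exe); anything written in the same few seconds is a candidate dropper or
    sibling payload and deserves a look, whatever it is called.
    """
    anchor_time = next(t for p, t in artifacts if p == anchor_path)
    window = timedelta(seconds=window_seconds)
    hits = [(p, t) for p, t in artifacts
            if p != anchor_path and abs(t - anchor_time) <= window]
    hits.sort(key=lambda pt: pt[1])  # stable sort keeps equal-time files in list order
    return [p for p, _ in hits]


if __name__ == "__main__":
    for stamp, path in build_timeline(SAMPLE_ARTIFACTS):
        print(stamp, path)
    print("Within 60s of the random exe:")
    for path in correlate_by_time(SAMPLE_ARTIFACTS, "C:/Temp/xq7ktb.exe"):
        print("  ", path)
```

On a live box you would replace SAMPLE_ARTIFACTS with collect_artifacts() run over Temp and the Temporary Internet Files cache, and widen the window if the clock resolution of the filesystem is coarse. Modification time is the weakest of the three NTFS timestamps for this purpose, since a file copied from a cache keeps its source mtime; if the correlation comes up empty, repeat it with creation time.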
