Spyware investigation

Some interesting stuff, but no closer to a final conclusion of how it got there. The installer ran an XML file to get its updates. The XML file instructed it to download 4 files from download.statblaster.com. Those files were MemoryWatcher-b.exe, all_files9.exe, tracker.exe and FixIt.exe. Those in turn come bundled with their own “extras” and in the end we wound up with something like 15 programs getting installed within an hour. I think the instructions to do this came from a file named WinWildApp.exe, which in turn got its instructions from a randomly named .exe, which was also placed in the registry as a startup. That’s the file that started all this, but I don’t know where it came from. I know what time it hit the machine, and I know what site this person was on at that time, but the site, aside from annoying flashing ads and a few popups, seems to be clean. I don’t think that site is the source of the problem, but perhaps a popup was. The question is, did the popup originate from that site or was it a popunder from a previously-visited site?

By the way, there’s absolutely no evidence that the actual “statblaster” program was installed at all, but all of the “partners” listed on their website sure were, and from their servers. This leads me to believe that it was not a user who agreed to the wrong thing, since the original program that they are trying to get you to install from that site was never installed! (And yes the site he was on was a fantasy sports site, but a reputable one, and one of a few he had visited in the minutes previous to this.)

The only other evidence that sticks out is a program and a help file (both the .exe and .chm) called “HP2” that was in the Temporary Internet Files and time-stamped the same time as the random file in the Temp folder that started all this. I don’t know what they are at this time.

Anyone have any more clues about the nature of this stuff?

Update: HP2.exe is definitely the program that started this whole mess. I ran it on a computer that was not hooked up to the internet and it spawned a randomly named file and process that tried to then connect to internet servers to download files. Now the $64,000 question is, where did this file come from and how did it get executed?
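The way the origin was traced here, by matching the timestamp of the randomly named file in Temp against what landed in Temporary Internet Files at the same moment, is a timeline correlation that can be scripted. The following is an added example (not code from the original post); all file records, timestamps, the cache directory and the random name `qzx8f1.exe` are constructed placeholders modelled on the description above, and the heuristics (autostart targets living in a temp or cache directory, or carrying a random-looking name) are assumptions of the example.

```python
"""Timeline correlation for tracing where a dropper came from (added example).

Every record below is constructed to mirror the post: a randomly named .exe in
the user's Temp folder registered under the Run key, HP2.exe/HP2.chm in the
browser cache with the same timestamp, and a cascade of downloads afterwards.
Paths, times and the name 'qzx8f1.exe' are placeholders, not real indicators.
"""
from collections import namedtuple
from datetime import datetime, timedelta
import re

FileEvent = namedtuple("FileEvent", "path created")

T0 = datetime(2004, 6, 15, 14, 3, 5)  # constructed: moment HP2 landed in the cache
CACHE = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234"
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"

# Constructed file-system timeline (path, creation time).
FILE_EVENTS = [
    FileEvent(CACHE + r"\scores[1].htm", T0 - timedelta(seconds=55)),
    FileEvent(CACHE + r"\banner[1].swf", T0 - timedelta(seconds=50)),
    FileEvent(CACHE + r"\HP2[1].exe", T0),
    FileEvent(CACHE + r"\HP2[1].chm", T0),
    FileEvent(TEMP + r"\qzx8f1.exe", T0 + timedelta(seconds=1)),  # random-named dropper (constructed name)
    FileEvent(r"C:\WINDOWS\WinWildApp.exe", T0 + timedelta(seconds=35)),
    FileEvent(TEMP + r"\MemoryWatcher-b.exe", T0 + timedelta(minutes=2)),
    FileEvent(TEMP + r"\all_files9.exe", T0 + timedelta(minutes=2, seconds=20)),
    FileEvent(TEMP + r"\tracker.exe", T0 + timedelta(minutes=3)),
    FileEvent(TEMP + r"\FixIt.exe", T0 + timedelta(minutes=3, seconds=30)),
    FileEvent(r"C:\WINDOWS\system32\ctfmon.exe", datetime(2003, 1, 10, 9, 0, 0)),
]

# Constructed HKCU\...\CurrentVersion\Run contents: value name -> command.
RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "qzx8f1": TEMP + r"\qzx8f1.exe",
}

PAYLOAD_EXT = (".exe", ".chm", ".cab", ".dll", ".scr")
RANDOMISH = re.compile(r"^(?=.*\d)[a-z0-9]{5,12}$")  # letters+digits, no structure (assumed heuristic)


def suspicious_autostarts(run_key, temp_dirs=(TEMP, CACHE)):
    """Run-key entries whose target sits in a temp/cache directory or has a random-looking name."""
    flagged = []
    for name, cmd in run_key.items():
        target = cmd.strip('"').lower()
        base = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        in_temp = any(target.startswith(d.lower()) for d in temp_dirs)
        if in_temp or RANDOMISH.match(base):
            flagged.append((name, cmd))
    return flagged


def find_event(events, basename):
    """First timeline record whose path ends with the given file name."""
    return next(e for e in events if e.path.lower().endswith("\\" + basename.lower()))


def candidate_droppers(events, anchor, window=timedelta(seconds=30)):
    """Browser-cache payloads written just before the anchor: the likeliest source of it."""
    lo, hi = anchor.created - window, anchor.created
    return sorted(
        e.path for e in events
        if e.path.lower().startswith(CACHE.lower())
        and e.path.lower().endswith(PAYLOAD_EXT)
        and lo <= e.created <= hi
    )


def cascade(events, anchor, window=timedelta(minutes=10)):
    """Files created after the anchor within the window, in order: what it set in motion."""
    return [e.path for e in sorted(events, key=lambda e: e.created)
            if anchor.created < e.created <= anchor.created + window]


def report(events=FILE_EVENTS, run_key=RUN_KEY):
    """Human-readable summary: each suspicious autostart, its probable origin, and its cascade."""
    out = []
    for name, cmd in suspicious_autostarts(run_key):
        anchor = find_event(events, cmd.rsplit("\\", 1)[-1])
        out.append(f"autostart {name!r} -> {cmd} (created {anchor.created:%Y-%m-%d %H:%M:%S})")
        out.append("  likely origin (cache payloads written just before):")
        out.extend("    " + p for p in candidate_droppers(events, anchor))
        out.append("  cascade after it:")
        out.extend("    " + p for p in cascade(events, anchor))
    return "\n".join(out)


if __name__ == "__main__":
    print(report())
```

On a real machine the two inputs would come from a directory walk of the user's Temp and Temporary Internet Files folders (creation times) and an export of the Run keys; the correlation itself does not change. The 30-second window is deliberately tight, since a dropper normally spawns its payload immediately, and widening it only adds cache noise such as the page and ad files that were loading at the same time.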
