Spyware investigation

Some interesting stuff, but no closer to a final conclusion of how it got there. The installer ran an XML file to get its updates. The XML file instructed it to download 4 files from download.statblaster.com. Those files were MemoryWatcher-b.exe, all_files9.exe, tracker.exe and FixIt.exe. Those in turn come bundled with their own “extras” and in the end we wound up with something like 15 programs getting installed within an hour. I think the instructions to do this came from a file named WinWildApp.exe, which in turn got its instructions from a randomly named .exe, which was also placed in the registry as a startup. That’s the file that started all this, but I don’t know where it came from. I know what time it hit the machine, and I know what site this person was on at that time, but the site, aside from annoying flashing ads and a few popups, seems to be clean. I don’t think that site is the source of the problem, but perhaps a popup was. The question is, did the popup originate from that site or was it a popunder from a previously-visited site?

By the way, there’s absolutely no evidence that the actual “statblaster” program was installed at all, but all of the “partners” listed on their website sure were, and from their servers. This leads me to believe that it was not a user who agreed to the wrong thing, since the original program that they are trying to get you to install from that site was never installed! (And yes the site he was on was a fantasy sports site, but a reputable one, and one of a few he had visited in the minutes previous to this.)

The only other evidence that sticks out is a program and a help file (both the .exe and .chm) called “HP2” that was in the Temporary Internet Files and time-stamped the same time as the random file in the Temp folder that started all this. I don’t know what they are at this time.

Anyone have any more clues about the nature of this stuff?

Update: HP2.exe is definitely the program that started this whole mess. I ran it on a computer that was not hooked up to the internet and it spawned a randomly named file and process that tried to then connect to internet servers to download files. Now the $64,000 question is, where did this file come from and how did it get executed?
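The timestamp correlation used above (pin the first Run-key persistence entry, then look at what the browser cached in the minutes before it) as a small added example; this is not code from the original post. Every date, the Run-key file name and the `.tmp` entry are constructed, and only HP2.exe, HP2.chm, WinWildApp.exe and all_files9.exe are names taken from the post.

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class Artifact(NamedTuple):
    when: datetime   # last-write / visit time as read from the machine
    source: str      # where it was found: Temp, TemporaryInternetFiles, RunKey, BrowserHistory
    name: str        # file name, or host for a browser-history row


# Constructed sample timeline; the dates and the random file name are invented,
# the non-random file names are the ones mentioned in the write-up above.
ARTIFACTS = [
    Artifact(datetime(2005, 11, 14, 13, 55), "BrowserHistory", "fantasy-sports.example"),
    Artifact(datetime(2005, 11, 14, 14, 2), "TemporaryInternetFiles", "HP2.exe"),
    Artifact(datetime(2005, 11, 14, 14, 2), "TemporaryInternetFiles", "HP2.chm"),
    Artifact(datetime(2005, 11, 14, 14, 2), "Temp", "qzx81ka.exe"),        # random-named dropper
    Artifact(datetime(2005, 11, 14, 14, 3), "RunKey", "qzx81ka.exe"),      # startup persistence
    Artifact(datetime(2005, 11, 14, 14, 5), "Temp", "WinWildApp.exe"),
    Artifact(datetime(2005, 11, 14, 14, 6), "Temp", "all_files9.exe"),
    Artifact(datetime(2005, 11, 13, 9, 0), "Temp", "~DF1234.tmp"),          # unrelated noise
]


def earliest_persistence(artifacts) -> Optional[Artifact]:
    """Pivot point: the first Run-key entry marks the moment the machine was hooked."""
    runs = [a for a in artifacts if a.source == "RunKey"]
    return min(runs, key=lambda a: a.when) if runs else None


def artifacts_near(artifacts, pivot: datetime,
                   before=timedelta(minutes=10), after=timedelta(0)):
    """Everything written between pivot-before and pivot+after, oldest first.
    Default window looks only backwards: the dropper must precede persistence."""
    lo, hi = pivot - before, pivot + after
    return sorted((a for a in artifacts if lo <= a.when <= hi), key=lambda a: a.when)


def dropper_candidates(artifacts):
    """Executables the browser cached at or just before the pivot: the files
    worth detonating offline, as was done with HP2.exe above."""
    pivot = earliest_persistence(artifacts)
    if pivot is None:
        return []
    return [a.name for a in artifacts_near(artifacts, pivot.when)
            if a.source == "TemporaryInternetFiles" and a.name.lower().endswith(".exe")]


if __name__ == "__main__":
    for a in artifacts_near(ARTIFACTS, earliest_persistence(ARTIFACTS).when):
        print(a.when.strftime("%H:%M"), a.source.ljust(22), a.name)
    print("dropper candidates:", dropper_candidates(ARTIFACTS))
```

The browser-history row inside the window is what ties the cached executable back to the site being visited, which is the remaining open question in the post.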
