 Indy Sabre Sabre Rider From Indianapolis
join:2003-10-02
| reply to Indy Sabre Re: SAV 10 just started flagging MVPS hosts entries
Well, I may have been wrong. It kept flagging, so I did a full scan and SAV found this -
Adware.SystemProcess
Updated: February 13, 2007 11:46:22 AM
Type: Adware
Version: 1.0.0.1
Risk Impact: High
File Names: ccapp.exe, navshext.dll
Systems Affected: Windows 2000, Windows 98, Windows CE, Windows Me, Windows NT, Windows Server 2003, Windows XP
It was weird that I got hit with this, since I surf XP in a limited account with SAV 10, Windows Defender, SpywareBlaster and MVPS hosts running realtime. I use Firefox with NoScript.
Tech details from SAV -
When Adware.SystemProcess is executed, it performs the following actions:
Creates the following files:
%System%\ccapp.exe
%System%\navshext.dll
%System%\p.dat
%System%\system.dat
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Downloads the following file:
%System%\ustart.exe (This is detected as Adware.WintaskAd.)
Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup
HKEY_LOCAL_MACHINE\SOFTWARE\System Process
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\anrdoezrs.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cc-dt.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\dpbolvw.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\jdoqocy.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\qksrv.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tkqlhce.com
Adds the value:
"*.system-processes.com" = ""
to the registry subkey:
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Internet Explorer\New Windows\Allow
Adds the value:
"%Windir%\system32\ccapp.exe" = "%Windir%\system32\ccapp.exe:*:Enabled:System Process"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds the value:
"System Process Uninstall" = "%Windir%\system32\ccapp.exe UAF"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
**********
Doing adaware and defender scans now. |
|
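Added example, not part of any post in this thread and not Symantec's code: a read-only PowerShell check for the files, subkeys and values listed in the write-up quoted above, grouped by kind so per-user entries can be told apart from dropped files and machine-wide keys. The helper names New-Hit and Find-Value are hypothetical, and %System% is assumed to be %windir%\System32.

```powershell
# Added triage example. Indicator values are copied from the Symantec write-up quoted
# above; the script only reads. Assumes %System% is %windir%\System32 (NT-family Windows).
$sys   = Join-Path $env:windir 'System32'
$clsid = '{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}'
$hits  = @()
function New-Hit($kind, $item) { [pscustomobject]@{ Kind = $kind; Item = $item } }
# Helper (hypothetical name): report values whose "name=data" text matches a pattern,
# so it does not matter whether %Windir% is stored expanded or literally.
function Find-Value($key, $pattern, $kind) {
    $rk = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $rk) { return }
    foreach ($n in $rk.GetValueNames()) {
        if ("$n=$($rk.GetValue($n))" -match $pattern) { New-Hit $kind "$key :: $n" }
    }
}
# 1. Dropped and downloaded files.
foreach ($f in 'ccapp.exe', 'navshext.dll', 'p.dat', 'system.dat', 'ustart.exe') {
    $p = Join-Path $sys $f
    if (Test-Path -LiteralPath $p) { $hits += New-Hit 'File' $p }
}
# 2. Machine-wide subkeys, including the Browser Helper Object CLSID.
$sw = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
$cv = "$sw\Microsoft\Windows\CurrentVersion"
foreach ($k in "$cv\Uninstall\Startup", "$sw\System Process", "$sw\Classes\CLSID\$clsid",
               "$cv\Explorer\Browser Helper Objects\$clsid") {
    if (Test-Path -LiteralPath $k) { $hits += New-Hit 'MachineKey' $k }
}
# 3. Firewall exception and RunOnce values that reference ccapp.exe.
$fw = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess' +
      '\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$hits += @(Find-Value $fw 'ccapp\.exe.*System Process' 'FirewallException')
$hits += @(Find-Value "$cv\RunOnce" 'ccapp\.exe UAF' 'RunOnce')
# 4. Per-user entries. The SID in the write-up is from the analysis machine,
#    so every loaded user hive is checked instead.
$p3p = 'anrdoezrs.net', 'bfast.com', 'cc-dt.com', 'commission-junction.com',
       'dpbolvw.net', 'fastclick.com', 'fastclick.net', 'jdoqocy.com',
       'kqzyfj.com', 'linksynergy.com', 'qksrv.net', 'tkqlhce.com'
foreach ($u in Get-ChildItem 'Registry::HKEY_USERS') {
    $ms = "Registry::$($u.Name)\Software\Microsoft"
    foreach ($d in $p3p) {
        $k = "$ms\Windows\CurrentVersion\Internet Settings\P3P\History\$d"
        if (Test-Path -LiteralPath $k) { $hits += New-Hit 'UserP3P' $k }
    }
    $allow = "$ms\Internet Explorer\New Windows\Allow"
    $hits += @(Find-Value $allow 'system-processes\.com' 'PopupAllow')
}
$hits | Sort-Object Kind, Item
```

Run it from an elevated prompt so all loaded user hives are readable. Output with only UserP3P rows describes a different machine state from output that also has File, MachineKey, FirewallException or RunOnce rows.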
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
| Welcome to the club. 
»Norton and SpywareBlaster updates causing FP (likely)
»CCleaner now installs with adware?
-- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." |
|
 Indy Sabre Sabre Rider From Indianapolis
join:2003-10-02
3 edits | Re: SAV 10 just started flagging hosts entries
I just checked my SpywareBlaster and I have 6 entries now disabled in IE protection, like mentioned in the other thread.
Defender and Adware came back clean.
Looks like SAV FP seeing SpywareBlaster entries........sorry I jumped the gun thinking it was MVPS Hosts. |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
1 edit | Re: SAV 10 just started flagging MVPS hosts entries
Yes, we have been having this discussion all day here in the security forum. My opinion is it is a FP that will hopefully be corrected soon by Norton.
Amysheehan has submitted the above threads to Symantec; should have answers tomorrow.
-- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| said by MagMan:
Yes, we have been having this discussion all day here in the security forum. My opinion is it is a FP that will hopefully be corrected soon by Norton. Amysheehan has submitted the above threads to Symantec; should have answers tomorrow.

Yes, I have sent this topic over to Symantec for resolution. [ This reminder - my contact probably won't get the info until early Monday morning east coast time ]
Thanks for your patience.
-amy-
 -- DSLR Phishtracker |
|
 mrsplants
join:2005-10-27 East Falmouth, MA | I got this too on one of my PCs; it's in quarantine right now. I didn't know what to do about it. I don't have spyblaster installed on this PC. I do have Spybot S&D and I ran that; it's OK, but it didn't pick this up. |
|