BlockChecker , ccapp.exe , ustart.exe , block-checker.exe , navshext1.dll

BlockChecker , ccapp.exe , ustart.exe , block-checker.exe

* Counterspy/Vipre

Details: Adware.navshext lowers Internet security settings, adds itself to firewall exclusion policies and downloads a number of adware programs.

Infected files detected
c:\windows\system32\ustart.exe

Registry

HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Startup
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Startup DisplayName System Process
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Startup UninstallString C:\WINDOWS\System32\ccapp.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockChecker

SYSTEM\CurrentControlSet\Services\SQFLKUEY\

Sends one of the following messages to the contacts of Microsoft Messenger, Yahoo Instant Messenger and AOL Instant Messenger:

* Find out who's blocking you on MSN, Download it free from [http://]www.block-checker[REMOVED].com
* Did you know you can find out who blocked you on MSN? Check it out, it's free [http://]www.block-checker[REMOVED].com

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL

* http://www.symantec.com

---

* HijackThis

O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\System32\navshext1.dll
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe

* Escan

C:\WINDOWS\System32\ccapp.exe tagged as not-a-virus:AdWare.Win32.Chiem.a. No Action Taken.
C:\WINDOWS\System32\navshext.dll tagged as not-a-virus:AdWare.Win32.Chiem.a. No Action Taken.
C:\WINDOWS\System32\navshext1.dll tagged as not-a-virus:AdWare.Win32.Chiem.a. No Action Taken.
C:\Program Files\Block Checker\BLOCK-~1.EXE infected by "IM-Worm.Win32.Chiem.a"
c:\program files\block checker\block checker.exe (704 KB)
C:\Program Files\Block Checker\csrss.exe infected by "Trojan.Win32.Starter.e"

* %SystemDir%\ccapp.exe (16 KB)
* c:\program files\block checker\uninstall.exe (63 KB)
* c:\program files\block checker\setup_finish.exe (16 KB)
* c:\program files\block checker\setup.log (2 KB)
* c:\program files\block checker\csrss.exe (28 KB)
* c:\program files\block checker\block-checker.exe (48 KB)
* c:\program files\block checker\block checker.exe (704 KB)
* c:\documents and settings\all users\start menu\programs\block checker\block checker\block checker.lnk (1 KB)
* c:\documents and settings\administrator\ application data\microsoft\internet explorer\quick launch\block checker.lnk (1 KB)

Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BlockChecker"=- [-HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}] [-HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}] [-HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Block Checker] [-HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN] [-HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL] [-HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo] ---------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\ C:\Program Files\Block Checker\block-checker.exe: 0x00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\System Process\ModId: "3" HKEY_LOCAL_MACHINE\SOFTWARE\System Process\Started: 0x00000001 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ c:\windows\system32\ccapp.exe HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ c:\windows\system32\ccapp.exe HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.system-processes.com: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ "Startup" "UninstallString\ C:\WINDOWS\System32\ccapp.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ "Startup" DisplayName"="System Process" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ "Block Checker" "DisplayName"="Block Checker 1.0" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs "C:\Program Files\Block Checker\block-checker.exe"="1"