Updated: February 13, 2007 11:46:22 AM
Type: Adware
Version: 1.0.0.1
Risk Impact: High
File Names: ccapp.exe, navshext.dll
Systems Affected: Windows 2000, Windows 98, Windows CE, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.SystemProcess is executed, it performs the following actions:
- Creates the following files:
  - %System%\ccapp.exe
  - %System%\navshext.dll
  - %System%\p.dat
  - %System%\system.dat
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Downloads the following file:
  - %System%\ustart.exe (This is detected as Adware.WintaskAd.)
- Creates the following registry subkeys:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup
  HKEY_LOCAL_MACHINE\SOFTWARE\System Process
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\anrdoezrs.net
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cc-dt.com
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\dpbolvw.net
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\jdoqocy.com
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\qksrv.net
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tkqlhce.com
- Adds the value:
  "*.system-processes.com" = ""
  to the registry subkey:
  HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Internet Explorer\New Windows\Allow
- Adds the value:
  "%Windir%\system32\ccapp.exe" = "%Windir%\system32\ccapp.exe:*:Enabled:System Process"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Adds the value:
  "System Process Uninstall" = "%Windir%\system32\ccapp.exe UAF"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
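
A triage check for the registry indicators listed above, as an added example that is not part of the original write-up or any vendor tooling: it scans a registry export for the subkeys, the RunOnce value and the firewall exception described here. It assumes the export has already been decoded to text; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the write-up above, lower-cased for comparison.
BHO = "{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}"
KEY_SUFFIXES = (r"\software\system process", r"\currentversion\uninstall\startup",
                "\\clsid\\" + BHO, "\\browser helper objects\\" + BHO)
FW_LIST = r"\standardprofile\authorizedapplications\list"
BINARY = r"\system32\ccapp.exe"

# Constructed sample export for illustration (not captured from a real host).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\System Process]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"System Process Uninstall"="C:\\WINDOWS\\system32\\ccapp.exe UAF"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ccapp.exe"="C:\\WINDOWS\\system32\\ccapp.exe:*:Enabled:System Process"
"C:\\Example\\app.exe"="C:\\Example\\app.exe:LocalSubNet:Enabled:Example App"
'''

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_indicators(reg_text):
    """Return (kind, detail) tuples for each indicator found in the export."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith(KEY_SUFFIXES):
            hits.append(("key", key))
        if k.endswith(r"\currentversion\runonce") and "System Process Uninstall" in values:
            hits.append(("runonce", values["System Process Uninstall"]))
        if k.endswith(FW_LIST):
            for data in values.values():
                # Entry form is path:scope:state:name; split from the right, the path may contain "C:".
                parts = data.rsplit(":", 3)
                if len(parts) == 4 and parts[2].lower() == "enabled" and parts[0].lower().endswith(BINARY):
                    hits.append(("firewall", f"{parts[0]} scope={parts[1]}"))
    return hits
```

Calling find_indicators(SAMPLE) reports the System Process key, the RunOnce entry and the enabled any-scope firewall exception, and ignores the unrelated Example App entry.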