Adware.SystemProcess

Updated: February 13, 2007 11:46:22 AM
Type: Adware
Version: 1.0.0.1
Risk Impact: High
File Names: ccapp.exe, navshext.dll
Systems Affected: Windows 2000, Windows 98, Windows CE, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.SystemProcess is executed, it performs the following actions:
  1. Creates the following files:

    • %System%\ccapp.exe
    • %System%\navshext.dll
    • %System%\p.dat
    • %System%\system.dat

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Downloads the following file:

    %System%\ustart.exe (This is detected as Adware.WintaskAd.)

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup
    HKEY_LOCAL_MACHINE\SOFTWARE\System Process
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\anrdoezrs.net
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cc-dt.com
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\dpbolvw.net
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\jdoqocy.com
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\qksrv.net
    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tkqlhce.com


  4. Adds the value:

    "*.system-processes.com" = ""

    to the registry subkey:

    HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Internet Explorer\New Windows\Allow

  5. Adds the value:

    "%Windir%\system32\ccapp.exe" = "%Windir%\system32\ccapp.exe:*:Enabled:System Process"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

  6. Adds the value:

    "System Process Uninstall" = "%Windir%\system32\ccapp.exe UAF"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
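
A defender-side check built from the indicators in steps 3, 5 and 6, as an added example that is not part of the original write-up: it scans an exported registry snapshot for the Browser Helper Object CLSID, the firewall exception and the RunOnce entry. The snapshot layout (a dict of key path to values), the function names and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# Indicators from the write-up above; the snapshot layout is an assumption.
DROPPED = {"ccapp.exe", "navshext.dll", "p.dat", "system.dat", "ustart.exe"}
BHO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
       r"\Explorer\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}")
FIREWALL = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
# Firewall value data is "path:scope:Enabled|Disabled:name"; the path may hold a drive colon.
RULE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)

def in_system_dir(path):
    """True when path names one of the dropped files inside a system32 folder."""
    folder, name = ntpath.split(path.strip('"'))
    return name.lower() in DROPPED and ntpath.basename(folder).lower() == "system32"

def scan(snapshot):
    """snapshot: {key path: {value name: data}}. Returns a list of (check, detail) findings."""
    keys = {k.lower(): v for k, v in snapshot.items()}  # registry paths are case-insensitive
    findings = []
    if BHO.lower() in keys:
        findings.append(("bho", BHO))
    for data in keys.get(FIREWALL.lower(), {}).values():
        m = RULE.match(data)
        if m and m["state"].lower() == "enabled" and in_system_dir(m["path"]):
            findings.append(("firewall", f"{m['path']} scope={m['scope']}"))
    for name, data in keys.get(RUNONCE.lower(), {}).items():
        exe = data.split(" ")[0]  # simplification: executable path without spaces, then arguments
        if in_system_dir(exe):
            findings.append(("runonce", f"{name} -> {data}"))
    return findings

# Constructed sample: one benign firewall entry plus the values listed in the write-up.
SAMPLE = {
    FIREWALL: {
        r"C:\Program Files\Example\app.exe": r"C:\Program Files\Example\app.exe:LocalSubNet:Enabled:Example App",
        r"%Windir%\system32\ccapp.exe": r"%Windir%\system32\ccapp.exe:*:Enabled:System Process",
    },
    RUNONCE: {"System Process Uninstall": r"%Windir%\system32\ccapp.exe UAF"},
    BHO: {},
}

if __name__ == "__main__":
    for check, detail in scan(SAMPLE):
        print(check, detail)
```

Matching on file name alone is weak, so the check also requires the system32 location the write-up gives for the dropped files.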

