Spyware.PCAcme


Updated: February 13, 2007 11:35:36 AM
Type: Spyware
Publisher: Raytown Corp.
Risk Impact: High
File Names: Varies
Systems Affected: Windows

Behavior


Spyware.PCAcme captures keystrokes, chat sessions, and mouse clicks. It is intended as a monitoring tool, but can be used for malicious purposes as well.

Symptoms


The files are detected as Spyware.PCAcme.

Transmission


Available from its publisher. Must be installed.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version November 10, 2003
  • Latest Daily Certified version January 17, 2008 revision 033
  • Initial Weekly Certified release date November 12, 2003


Technical Details

Spyware.PCAcme is intended to run in stealth mode. Installation folders are configurable and file names are random.

When Spyware.PCAcme is installed, it performs the following actions:

  1. Prompts you to select the language.

  2. Prompts you with "You are about to install PC Acme. Do you wish to continue?"

  3. If you choose to continue, it displays an End User License Agreement (EULA).

  4. If the EULA is accepted, it requests that you select an access password.

  5. By default, it creates Program Files\PCACME to which it installs the files. This folder is configurable. Two detected files in this folder are Control.exe and View.exe.

  6. Adds files to the %System% folder. A total of nine files are created, but only two have constant names. These file names are:
    • aastor.dat
    • aastor.key


      Note: %System% is a variable. The spyware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  7. Creates seven files with random file names, such as jqyeipeh. Four of the file names use the same random character name. These are:
    • <filename>.exe
    • <filename>.cfg
    • <filename>.dll
    • <filename>.key

      There are also three randomly named .vxd files, which use their own unique strings.

  8. Creates a value that refers to the random file name of <filename>.exe in the registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    An example of this is:

    "jqiyhdsh" = %sysdir%\jqiyhdsh.exe /setuser

This spyware has an uninstall feature, but it requires the access password, which is set when the spyware is installed.


Removal

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Uninstall Spyware.PCAcme using the Add/Remove Programs utility.
  3. Run a full system scan and delete all the files detected as Spyware.PCAcme.
  4. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Uninstalling the Spyware
  1. If you know the password, do one of the following:
    • On the Windows 98 taskbar:
      1. Click Start > Settings > Control Panel.
      2. In the Control Panel window, double-click Add/Remove Programs.

    • On the Windows Me taskbar:
      1. Click Start > Settings > Control Panel.
      2. In the Control Panel window, double-click Add/Remove Programs.
        If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."

    • On the Windows 2000 taskbar:
      By default, Windows 2000 is set up the same as Windows 98. In that case, follow the instructions for Windows 98. Otherwise, click Start, point to Settings, point to Control Panel, and then click Add/Remove Programs.

    • On the Windows XP taskbar:
      1. Click Start > Control Panel.
      2. In the Control Panel window, double-click Add or Remove Programs.

  2. Click "PC Activity Monitor (uninstall only)."


    Note: You may need to use the scroll bar to view the whole list.

  3. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

3. Scanning for and deleting the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Spyware.PCAcme, click Delete.


    Note: If you ran the Add/Remove Programs applet as described in the previous section, it is possible that all the files were already removed, and thus none of them will be detected.


4. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.


Note: This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.

  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the random file name value, for example:

    "jqieypih"="%sysdir%\jqieypih.exe /setuser"

  5. On Windows 95/98/Me computers, navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

  6. In the right pane, delete the random file name value, for example:

    "jqieypih"="%sysdir%\jqieypih.exe"

  7. Exit the Registry Editor.
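As an added example (not part of the Symantec writeup), the following Python check applies the indicators from the installation steps in the Technical Details and from the registry removal steps above: it flags Run/RunServices values whose eight-letter random name matches the .exe launched from the System folder (optionally with /setuser), and reports the two constant file names aastor.dat and aastor.key. The registry values and file listing are constructed sample input; on a live host the (name, data) pairs would come from winreg.EnumValue and the file list from the %System% directory.

```python
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
CONSTANT_FILES = ("aastor.dat", "aastor.key")  # the two fixed names in %System%

# Value name: eight random letters. Value data: that same name as an .exe in the
# System folder (%sysdir%/%System% or a concrete path), optionally "/setuser".
_NAME_RE = re.compile(r"^[a-z]{8}$", re.IGNORECASE)
_DATA_RE = re.compile(
    r'^"?(?:%sysdir%|%system%|[a-z]:\\(?:winnt|windows)\\system(?:32)?)'
    r'\\(?P<exe>[a-z]{8})\.exe(?:\s+/setuser)?"?$',
    re.IGNORECASE,
)


def is_pcacme_run_value(name: str, data: str) -> bool:
    """True if a Run/RunServices value has the PCAcme launcher shape."""
    name = name.strip().strip('"')
    match = _DATA_RE.match(data.strip())
    return bool(_NAME_RE.match(name) and match
                and match.group("exe").lower() == name.lower())


def find_pcacme_indicators(run_values: dict, system_files) -> list:
    """run_values: key path -> list of (name, data); system_files: names in %System%."""
    hits = []
    for key, values in run_values.items():
        for name, data in values:
            if is_pcacme_run_value(name, data):
                hits.append(("registry", key + "\\" + name.strip('"'), data))
    for fname in sorted(system_files):
        if fname.lower() in CONSTANT_FILES:
            hits.append(("file", r"%System%" + "\\" + fname, ""))
    return hits


# Constructed sample input (not real telemetry), shaped after the writeup's examples.
SAMPLE_RUN_VALUES = {
    RUN_KEYS[0]: [
        ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign: not an 8-letter random name
        ("jqiyhdsh", r"%sysdir%\jqiyhdsh.exe /setuser"),   # shape shown in step 8
    ],
    RUN_KEYS[1]: [
        ('"jqieypih"', r'"%sysdir%\jqieypih.exe"'),         # quoted form from the removal steps
        ("abcdefgh", r"%sysdir%\zzzzzzzz.exe"),             # value name and exe differ: not flagged
    ],
}
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "aastor.dat", "aastor.key", "jqiyhdsh.exe"]
```

Each registry hit names the exact value to delete in steps 4 and 6 of the registry procedure; a hit on the constant files alone means the install folder files should be located by a full scan.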