Last night I found on a P2P network an exe file that was supposed to be a screensaver. Well… yes, I did double click! It gave me the usual “do you want to proceed with the installation?” window and I said yes! Well… that was it! It finished the installation, but I could not find any new screensaver in the Control Panel or anywhere else. Weird, isn’t it?
Now, I downloaded a trial version of Ashampoo Uninstaller Platinum to see the changes the installation made to my system. I installed Ashampoo and ran the “screensaver” installer again. This time I noticed that somewhere in the text of the terms and conditions a company named “ADVERTISMEN.COM” appeared. I tried to google it but had no luck. I also did a DNS lookup of the URL and found out that the domain name was registered on the 5th of April 2006. Is it a new spyware?
Well, after the installation was finished, Ashampoo generated a log file, which showed that the install.exe had installed two files in the windows/system32 folder. The files were called pushow67.dll and pushow55.dll. I used DLL Export Viewer to find out that they exposed one interface called “Uninstall”. It also created a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ called “UninstallString” with the value: rundll32.exe C:\WINNT\system32\pushow55.dll Uninstall
It also created another key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows called AppInit_DLLs. The value was pushow55.dll.
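The AppInit_DLLs value is the interesting part: any DLL listed there is loaded by Windows into every process that loads user32.dll, which is almost every process with a window, so it is a classic way for unwanted software to get itself running everywhere. The following PowerShell script is an added example, not something from the original post or from Ashampoo, that audits the two persistence points described above on a current Windows machine. It assumes PowerShell 5.1 or later, rights to read HKLM, and that the DLL names to look for are the two from the post (pushow55.dll and pushow67.dll). On Vista and later the AppInit_DLLs list is only honoured when LoadAppInit_DLLs is 1, and on 64-bit Windows the 32-bit list lives under Wow6432Node, so both are checked.

```powershell
# Added example: audit AppInit_DLLs, rundll32-based UninstallString entries and
# the named DLLs in System32. Read-only; it changes nothing on the system.
# DLL names below are the ones reported in the post.
$suspectDlls = @('pushow55.dll', 'pushow67.dll')

# 1. AppInit_DLLs (native and, on 64-bit Windows, the Wow6432Node copy).
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = $props.AppInit_DLLs
    $load  = $props.LoadAppInit_DLLs   # $null on old systems; must be 1 on Vista+ for the list to apply
    if ([string]::IsNullOrWhiteSpace($dlls)) {
        Write-Output "[ok]   $key : AppInit_DLLs is empty"
    } else {
        Write-Output "[WARN] $key : AppInit_DLLs = '$dlls' (LoadAppInit_DLLs = $load)"
    }
}

# 2. UninstallString values that invoke a DLL through rundll32.exe.
#    The post's sample wrote one directly under the Uninstall key, so the root
#    key's own value is checked as well as each per-application subkey.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    $rootProps = Get-ItemProperty -Path $root
    if ($rootProps.UninstallString) {
        Write-Output "[WARN] $root has its own UninstallString = $($rootProps.UninstallString)"
    }
    Get-ChildItem -Path $root | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.UninstallString -and $p.UninstallString -match 'rundll32') {
            Write-Output "[WARN] $($_.PSChildName): UninstallString = $($p.UninstallString)"
        }
    }
}

# 3. The named DLLs in System32, with their Authenticode status.
#    An unsigned DLL that was dropped into System32 by a "screensaver" is a red flag.
foreach ($name in $suspectDlls) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Output "[WARN] $path exists; signature status: $($sig.Status)"
    } else {
        Write-Output "[ok]   $path not present"
    }
}
```

Run it from an elevated PowerShell prompt and read the [WARN] lines. An empty AppInit_DLLs, no rundll32-based uninstall strings and neither DLL on disk is the expected state on a clean machine; anything else points at the kind of leftover the post describes.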
All this is weird! I deleted the files and the registry entries, ran Ad-Aware and Spybot, and they didn’t find anything. Finally I logged in to my online banking system (I didn’t enter my real credentials though) while running Ethereal. After inspecting the packets I didn’t find anything alarming.
Well… I am not sure if it is a new spyware, Trojan or something else, but I know I should have thought twice before running that bloody exe file. Now I just hope I have cleaned my system of whatever it was!