You have been Updated

Yup, that’s what’s on screen this morning. I’ve been Updated, and there is this always-on-top message asking me to click on “Update”. Somehow or another, Viewpoint Media Player slipped past a fully-patched Win 2000 Pro setup with blocking in place on the autoplay settings. The product claims to send non-personally-identifiable information back to a server in order to run a toolbar, and online research claims that it hijacks search results. There’s no toolbar here, so I’ll guess I saw the very first message. AdAware and SpybotSD don’t identify it as a threat.

It doesn’t play fair. I can highlight the license agreement, but it won’t let me copy it. Same on a ‘Who is viewpoint?’ entry. Well, I did capture the main window as a jpg. As adware goes (if that’s all it is), it’s pretty tame. I had no trouble removing it by killing the process viewmgr.exe, running the Viewpoint uninstall, and cleaning out two related files from the temporary files folder. I’m curious how it got past my blocks.

Virgin Windows Report–Win XP Home, SP2 OEM

Just finished building a new box for a client. Took the opportunity to grab the task list. The list below is what Windows Task Manager reported as running processes immediately after installation, after hardware detection, but before any drivers were installed. No patches, no antivirus, no software installs of any kind, no exposure to the internet, or even to a CDROM other than Windows itself.

OS version: Windows XP, Service Pack 2, OEM edition
Motherboard: MSI M8M Neo-V, with AMD Sempron 2800+ processor.
Any hardware support present had been autodetected during install; no software or driver installs had been run when this process list was captured:

alg.exe
csr.exe
Explorer.EXE
lsass.EXE
msiexec.exe
services.exe
smss.exe
svchost.exe (5 instances running)
System
System Idle Process
taskmgr.exe
winlogon.exe
wmiprvse.exe
wpabaln.exe
wuaudit.exe

As I (or others) build more systems, we’ll post more of these “Virgin Windows Task Lists”.

I didn’t have a chance to grab a HijackThis log of the box in this condition, but I will next time, to get a more complete picture of just what is part of the default configuration.
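As an added example (not from the post), here is the kind of baseline check a list like this makes possible: the post’s process list becomes the expected set, and a snapshot in the CSV layout of `tasklist /fo csv /nh` (a constructed sample below, not a real capture) is checked for image names and instance counts the clean box did not have.

```python
import csv
from collections import Counter
from io import StringIO

# Expected image names and instance counts on the clean box (the post's list).
BASELINE = Counter({
    "alg.exe": 1, "csr.exe": 1, "explorer.exe": 1, "lsass.exe": 1,
    "msiexec.exe": 1, "services.exe": 1, "smss.exe": 1, "svchost.exe": 5,
    "system": 1, "system idle process": 1, "taskmgr.exe": 1,
    "winlogon.exe": 1, "wmiprvse.exe": 1, "wpabaln.exe": 1, "wuaudit.exe": 1,
})

# Constructed sample in `tasklist /fo csv /nh` layout (not a real capture):
# one svchost.exe more than the baseline, plus viewmgr.exe from the first entry.
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"csr.exe","400","Console","0","3,512 K"
"svchost.exe","636","Console","0","4,100 K"
"svchost.exe","700","Console","0","3,800 K"
"svchost.exe","780","Console","0","20,300 K"
"svchost.exe","820","Console","0","2,900 K"
"svchost.exe","900","Console","0","3,300 K"
"svchost.exe","1044","Console","0","5,500 K"
"Explorer.EXE","1312","Console","0","15,200 K"
"viewmgr.exe","1480","Console","0","6,100 K"
"taskmgr.exe","1612","Console","0","4,000 K"
'''


def count_images(tasklist_csv):
    """Count running image names, case-folded (Task Manager shows Explorer.EXE)."""
    return Counter(row[0].lower() for row in csv.reader(StringIO(tasklist_csv)) if row)


def compare_to_baseline(tasklist_csv, baseline=BASELINE):
    """Return (unknown names, extra instance counts, baseline names not seen)."""
    seen = count_images(tasklist_csv)
    unknown = sorted(name for name in seen if name not in baseline)
    extra = {n: seen[n] - baseline[n] for n in seen if n in baseline and seen[n] > baseline[n]}
    missing = sorted(name for name in baseline if name not in seen)
    return unknown, extra, missing


if __name__ == "__main__":
    unknown, extra, missing = compare_to_baseline(SAMPLE_TASKLIST)
    print("not in baseline:", unknown)                 # look at these first
    print("more instances than baseline:", extra)      # e.g. a sixth svchost.exe
    print("baseline processes not running:", missing)  # usually harmless, but note it
```

Unknown names are the first thing to look up; an instance count above the baseline (a sixth svchost.exe here) deserves a check of which service or DLL each instance is hosting.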

Infection Report

Did another spyware cleanup today. User reported that a spyware cleanup tool appeared immediately after running Windows Update. My guess: the update process resets some Internet Explorer settings to their defaults (a known behaviour), and at that point a third-party toolbar sitting in “c:\winnt\downloaded program files” was able to run a delayed install.

Moral of the story: Empty the downloaded program files before running Windows Update. Easy method: use Drive Cleanup, from My Computer, Control Panel, right-click on the drive, choose Properties, Tools (tab), and Drive Cleanup. Or just navigate to the folder and wipe out the contents manually.