Adware-Cinmus!l

Type: Program
SubType: Adware
Discovery Date: 09/29/2009
Length:
Minimum DAT: 5756 (09/29/2009)
Updated DAT: 6409 (07/16/2011)
Minimum Engine: 5.2.00
Description Added: 09/29/2009
Description Modified: 11/25/2009 10:17 AM (PT)
Risk Assessment
Corporate User: N/A
Home User: N/A

Characteristics

Overview -

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Adware.Cinmus is an adware program that installs a Browser Helper Object which produces pop-up advertisements at random intervals.

File Information -

    • Size : 106,266 bytes
    • MD5 : 1908F599CF0C07D8AB1C4DCDA80D7DF8
    • SHA1 : 95503853FCB6F74F9FEE754D757EC569548EFFB2

Aliases -

    • DrWeb : Adware.BHO.368
    • Ikarus : Trojan.Win32.Cinmus
    • Kaspersky : Trojan.Win32.BHO.lhc
    • NOD32 : a variant of Win32/Adware.Cinmus

Upon execution, the following file system and registry changes were made to the system.

The following files have been added:

    • %CommonAppData%\Microsoft\Media Player\obj\wmpobj.sys
    • %Windir%\system32\sslsocket.dll

The following registry keys have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wmpobj
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wmpobj\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wmpobj\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmpobj
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmpobj\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmpobj\Enum

The following registry values have been added:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}]
       "Fid" = "2005"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wmpobj]
       "Type" = 0x00000001
       "Start" = 0x00000002
       "ErrorControl" = 0x00000001
       "ImagePath" = "%CommonAppData%\Microsoft\Mediaplayer\obj\wmpobj.sys"
       "DisplayName" = "wmpobj"

The following folders have been added to the system:

    • %CommonAppData%\Microsoft\Media Player\obj

Symptoms -

    • Presence of the above-mentioned files and registry keys.
    • Presence of an unexpected network connection to the IP address 113.[removed].101
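As an added example that is not part of this description, the following read-only PowerShell check looks for the files, registry keys and service entry listed above and reports what it finds. It assumes an elevated prompt and PowerShell 4 or later (for Get-FileHash); the directory match on the ImagePath is an added heuristic, not something the description states.

```powershell
# Added example: read-only check for the Adware-Cinmus!l artifacts listed
# in this description. Nothing is modified; findings are only reported.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')  # %CommonAppData%
$clsid = '{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}'
$knownMd5 = '1908F599CF0C07D8AB1C4DCDA80D7DF8'   # MD5 from File Information above

$files = @(
    (Join-Path $commonAppData 'Microsoft\Media Player\obj\wmpobj.sys'),
    (Join-Path $env:WINDIR 'system32\sslsocket.dll')
)
$regKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    'HKLM:\SYSTEM\ControlSet001\Services\wmpobj',
    'HKLM:\SYSTEM\CurrentControlSet\Services\wmpobj'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        $tag = if ($h -eq $knownMd5) { 'matches documented sample' } else { 'hash differs, possible variant' }
        $findings += "File present: $f (MD5 $h, $tag)"
    }
}

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# The service entry is the persistence mechanism: Type 1 is a kernel driver,
# Start 2 is auto-start, and the image lives under a data directory.
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wmpobj' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += ('Service wmpobj: Type={0} Start={1} ImagePath={2}' -f $svc.Type, $svc.Start, $svc.ImagePath)
    # Heuristic (assumption, not from the description): drivers normally load from System32\drivers.
    if ($svc.ImagePath -match 'Application Data|ProgramData') {
        $findings += 'Driver image path points at a data directory rather than %SystemRoot%\System32\drivers'
    }
}

$fid = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).Fid
if ($fid) { $findings += "CLSID $clsid carries value Fid=$fid" }

if ($findings.Count -eq 0) { Write-Output 'No Adware-Cinmus!l artifacts found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

On Windows XP the CommonApplicationData folder resolves to C:\Documents and Settings\All Users\Application Data, matching the path defaults given below.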

Method of Infection -

This is not a virus or Trojan. PUPs do not "infect" systems. They may be installed by a user individually or possibly as a part of a software package (in a bundle, for example).

The path variables used above have the following common defaults (they may differ between installations):
%WinDir%      = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME/XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%CommonAppData% = C:\Documents and Settings\All Users\Application Data

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants -

    N/A
