Adware-Cinmus!m

Type
Program
SubType
Adware
Discovery Date
10/29/2009
Length
Minimum DAT
5786 (10/29/2009)
Updated DAT
6409 (07/16/2011)
Minimum Engine
5.2.00
Description Added
10/29/2009
Description Modified
11/25/2009 10:10 AM (PT)
Risk Assessment
Corporate User
N/A
Home User
N/A

Characteristics

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Adware.Cinmus is an adware program that uses a Browser Helper Object which produces pop-up advertisements at random intervals.

File Information -

    • Size : 200,730 bytes
    • MD5 : DFA4064559609F0DB125C354D2473347
    • SHA1 : EBC4A86831AED1A15D54BC6ED045ADF6D2A33E42

Aliases-

    • DrWeb : Trojan.DownLoader.origin
    • F-Secure : Dropped:Generic.Adw.Cinmus.4.B076B563
    • Ikarus : Trojan.Win32.Cinmus
    • Microsoft : Trojan:Win32/Cinmus.K

Upon execution, the following file and registry changes are made to the system.

The following files have been added to the system:

    • %Temp%\dosss11.dll [Detected as Adware-Cinmus!m ]
    • %Temp%\hcpidesk.sys [Detected as Adware-Cinmus!sys]
    • %Temp%\~my42.tmp [Detected as Adware-Cinmus.gen.i]
    • %Windir%\System32\drivers\hcpidesk.sys [Detected as Adware-Cinmus!sys]

The following registry Keys have been added:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcpidesk
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcpidesk\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcpidesk\Enum
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP

The following registry Values have been added:

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hcpidesk]
      "Type" = 0x00000001
      "Start" = 0x00000002
      "ErrorControl" = 0x00000001
      "ImagePath" = "%Windir%\System32\drivers\hcpidesk.sys"
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      ProxyEnable = 0x00000000

Symptoms -

    • Presence of the above-mentioned files and registry keys.
    • Presence of unexpected network connection to the IP address - 60.[Removed].40
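The files, registry keys and service values listed above can be checked offline against artifacts collected from a suspect host. The script below is an added example written for this page; it is not McAfee's detection logic. It encodes the advisory's indicators, expands the %Temp% and %Windir% placeholders with Windows XP defaults (an assumption; adjust for the host under review), parses a .reg export, and decodes the hcpidesk service's Type and Start values so the reader can see that the advisory's 0x1/0x2 pair means an auto-start kernel driver. The file inventory and registry export it runs over are constructed for the demo, not captured from a real system; the 60.[Removed].40 address is elided on the page and therefore not encoded.

```python
"""Offline triage for the Adware-Cinmus!m indicators listed in the advisory.

Added example, not the vendor's code. Sample inventory and .reg text below
are constructed for the demo; indicators come from the advisory text.
"""
import re
from typing import Callable, Dict, List

# Indicators copied from the advisory's File Information and registry sections.
SAMPLE_MD5 = "DFA4064559609F0DB125C354D2473347"
SAMPLE_SHA1 = "EBC4A86831AED1A15D54BC6ED045ADF6D2A33E42"
SAMPLE_SIZE = 200730
DROPPED_FILES = [
    r"%Temp%\dosss11.dll",
    r"%Temp%\hcpidesk.sys",
    r"%Temp%\~my42.tmp",
    r"%Windir%\System32\drivers\hcpidesk.sys",
]
REGISTRY_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcpidesk",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP",
]

# Assumed placeholder expansions for a Windows XP host (see the advisory's
# path-variable note); override for other Windows versions.
XP_DEFAULTS = {
    "%Windir%": r"C:\WINDOWS",
    "%Temp%": r"C:\Documents and Settings\[UserName]\Local Settings\Temp",
}

# Win32 service constants (SERVICE_* values from winsvc.h) used to decode
# the Type/Start DWORDs the advisory lists for the hcpidesk service.
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
SERVICE_STARTS = {0x0: "SERVICE_BOOT_START", 0x1: "SERVICE_SYSTEM_START",
                  0x2: "SERVICE_AUTO_START", 0x3: "SERVICE_DEMAND_START", 0x4: "SERVICE_DISABLED"}


def expand(path: str, env: Dict[str, str] = XP_DEFAULTS) -> str:
    """Expand %Windir% / %Temp% placeholders case-insensitively."""
    for var, value in env.items():
        # A lambda avoids backslash processing in the replacement string.
        path = re.sub(re.escape(var), lambda m, v=value: v, path, flags=re.IGNORECASE)
    return path


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'reg export' style file into {key_path: {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.match(r'^"?([^"=]+)"?=(.*)$', line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys


def decode_dword(raw: str) -> int:
    """Turn the .reg encoding 'dword:00000002' into the integer 2."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    raise ValueError(f"not a dword: {raw}")


def triage(file_inventory: Dict[str, Dict[str, object]], reg_export: str) -> List[str]:
    """Return one finding per Cinmus indicator present in the collected artifacts."""
    findings: List[str] = []
    wanted_paths = {expand(p).lower(): p for p in DROPPED_FILES}
    for path, meta in file_inventory.items():
        if path.lower() in wanted_paths:
            findings.append(f"file present: {path} (advisory: {wanted_paths[path.lower()]})")
        if (str(meta.get("sha1", "")).upper() == SAMPLE_SHA1
                or str(meta.get("md5", "")).upper() == SAMPLE_MD5):
            findings.append(f"hash matches Adware-Cinmus!m sample: {path}")
    # CurrentControlSet is a link to ControlSet00N, so the advisory lists both spellings.
    canon: Callable[[str], str] = lambda k: re.sub(r"ControlSet\d{3}", "CurrentControlSet",
                                                    k, flags=re.IGNORECASE).lower()
    keys = {canon(k): (k, v) for k, v in parse_reg_export(reg_export).items()}
    for wanted in REGISTRY_KEYS:
        if wanted.lower() in keys:
            findings.append(f"registry key present: {keys[wanted.lower()][0]}")
    svc = keys.get(REGISTRY_KEYS[0].lower())
    if svc and "Type" in svc[1] and "Start" in svc[1]:
        t, s = decode_dword(svc[1]["Type"]), decode_dword(svc[1]["Start"])
        findings.append(f"hcpidesk service is {SERVICE_TYPES.get(t, hex(t))}, "
                        f"{SERVICE_STARTS.get(s, hex(s))}")
    return findings


# Constructed sample artifacts (not from a real host). Non-matching hashes are dummies.
SAMPLE_FILES = {
    r"C:\WINDOWS\System32\drivers\hcpidesk.sys": {"size": 11264, "sha1": "0" * 40},
    r"C:\Documents and Settings\[UserName]\Local Settings\Temp\setup.exe":
        {"size": SAMPLE_SIZE, "md5": SAMPLE_MD5, "sha1": SAMPLE_SHA1},
    r"C:\WINDOWS\notepad.exe": {"size": 69120, "sha1": "1" * 40},
}
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hcpidesk]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="%Windir%\\System32\\drivers\\hcpidesk.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_REG):
        print(finding)
```

On a live host the inventory would come from a hashing pass over %Temp% and %Windir%\System32\drivers and the registry text from `reg export HKLM\SYSTEM\CurrentControlSet\Services\hcpidesk`; the Type=1/Start=2 decode is what tells the responder that the driver loads automatically at boot, so System Restore and a reboot alone will not clear it.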

Method of Infection -

This is not a virus or Trojan. PUPs do not "infect" systems. They may be installed by a user individually or possibly as a part of a software package (in a bundle, for example).

These are general defaults for typical path variables (although they may differ, these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\System32 (Windows XP/Vista), \WINNT\System32 (Windows NT/2000)
%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP), C:\Users\[UserName]\AppData\Local\Temp\ (Windows Vista).

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

    N/A
