News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
May 22, 2013, 07:08:00
Topic: Anyone had trouble with trygames.com? Loads with explorer!!  (Read 1383 times)
« on: December 25, 2003, 02:46:21 »
caution
Guest

I legitimately tried to download a game demo from http://www.trygames.com. This gave me a setup file called MBGSetup-dm.exe (for Magic the Gathering Battlegrounds) which is a 168K executable that tries to download the next 500M of the game. Offers a little feature to retry on startup too; you have to click or it tries.

This seemed ok until I decided not to bother and delete the .exe file. It comes up with a warning that the file is in use by another process! That's cool, so I thought I'd poke around a bit and this is what I found...

The executable itself is quite dumb. It is really one dialog that calls windows showdocv.dll (forget not, but the normal windows html view dll that comes with windows) and loads a special page (with javascript) that is saved in the .exe.

The page doesn't look bad. Seems to think of itself as 'Trymedia', and lots of stuff in there for affiliate tracking, and ability to buy after the trial ends (code is not obfuscated, and I just browsed to make this conclusion). My guess would be their business model is to give you the demo, and ask you to buy at the end of the trial. I assume the installer normally cleans up after itself to avoid my problem.

So what was my problem again? Locked file. Ok, did a reboot, killed processes etc, and registry scan for references, but no luck. Not in any of the usual places.

Did handles dump and found the process... explorer.exe! No shit! It's not registered as a BHO, and killing explorer.exe (taking taskbar with it), I find that every time explorer loads, it still accesses that file!

Checking trygames.com support site, I could not find any help on the issue. There was a related problem that suggested that if your virus scanner or firewall detects it as a virus, then to exclude their product with no other explanation.

I guess I should blame myself somewhat as I would have treated this like any other installer and let it compromise my system with admin rights. My next step will be to nuke the locked file forcibly and hopefully not break explorer.exe.

Has anyone else encountered this problem? I will attempt to do further investigation to try and isolate a flaw in my analysis. What do I need to do to have this assessed as a legitimate risk or considered to be spyware? (as this seems to be rather tame except for the explorer thing which is downright scary!)
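The triage caution describes above (a handle dump to find which process holds the file, then checking whether anything is registered as a BHO) can be scripted. The following PowerShell is an added example, not code from the thread or from trygames.com: it optionally asks Sysinternals handle.exe (assumed to be on PATH) which processes have the suspect file open, then walks the registry load points through which explorer.exe and Internet Explorer pull in third-party COM DLLs, resolves each CLSID to its InprocServer32 path, and flags entries whose DLL is missing, lives outside the system/program directories, or sits in the same folder as the suspect file. The $SuspectPath parameter and the flag wording are this example's own choices; the registry keys and the handle.exe switches are standard.

```powershell
param(
    # Optional: path of the suspect file (e.g. the MBGSetup-dm.exe from the thread).
    # Any load point whose DLL lives in the same folder is called out.
    [string]$SuspectPath = ''
)

# Step 1: which processes hold an open handle to the file? Uses Sysinternals handle.exe
# if it is on PATH (assumption); otherwise this step is skipped.
if ($SuspectPath -and (Get-Command handle.exe -ErrorAction SilentlyContinue)) {
    & handle.exe -accepteula -nobanner $SuspectPath
}

# Step 2: registry load points used by explorer.exe / IE to load COM objects at start-up.
# Depending on the key, the CLSID is a subkey name, a value name, or value data.
$loadPoints = @(
    @{ Name = 'Browser Helper Objects';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Kind = 'SubKeys' },
    @{ Name = 'ShellExecuteHooks';           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks';      Kind = 'ValueNames' },
    @{ Name = 'ShellServiceObjectDelayLoad'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad';     Kind = 'ValueData' },
    @{ Name = 'Shell Extensions Approved';   Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved';       Kind = 'ValueNames' }
)

# Resolve a CLSID to the DLL that implements it (checks the 64-bit and WOW6432Node hives).
function Get-ClsidServerPath {
    param([string]$Clsid)
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
        }
    }
    return $null
}

# Enumerate the CLSIDs registered under one load point.
function Get-ClsidList {
    param($Point)
    if (-not (Test-Path $Point.Path)) { return @() }
    switch ($Point.Kind) {
        'SubKeys'    { (Get-ChildItem $Point.Path).PSChildName }
        'ValueNames' { (Get-Item $Point.Path).GetValueNames() | Where-Object { $_ -match '^\{.+\}$' } }
        'ValueData'  { $k = Get-Item $Point.Path; $k.GetValueNames() | ForEach-Object { $k.GetValue($_) } }
    }
}

# DLLs under these roots are not flagged; anything else deserves a look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) | Where-Object { $_ }
$suspectDir = if ($SuspectPath) { Split-Path -Parent ([IO.Path]::GetFullPath($SuspectPath)) } else { $null }

$results = foreach ($point in $loadPoints) {
    foreach ($clsid in Get-ClsidList $point) {
        $dll = Get-ClsidServerPath $clsid
        $flags = @()
        if (-not $dll) { $flags += 'no InprocServer32' }
        elseif (-not (Test-Path $dll)) { $flags += 'DLL missing' }
        elseif (-not ($trustedRoots | Where-Object { $dll.StartsWith($_, 'OrdinalIgnoreCase') })) { $flags += 'outside system/program dirs' }
        if ($suspectDir -and $dll -and $dll.StartsWith($suspectDir, 'OrdinalIgnoreCase')) { $flags += 'same folder as suspect file' }
        [pscustomobject]@{ LoadPoint = $point.Name; CLSID = $clsid; Dll = $dll; Flags = ($flags -join '; ') }
    }
}

# Flagged entries first, so an unexpected DLL stands out.
$results | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt as `.\explorer-loadpoints.ps1 -SuspectPath 'C:\path\to\MBGSetup-dm.exe'`. An empty Flags column for every row means none of these load points explains the lock, which is consistent with what caution saw: explorer.exe can also hold a file open simply because the folder containing it is being displayed, as Reply #2 later describes.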
« Reply #1 on: December 25, 2003, 02:59:08 »
Metallica Offline
Global Moderator WWW

Karma: 4
Posts: 4840



Hi caution,

If you are running an NT based version of Windows you can unload DLLs from explorer using this program: http://www.diamondcs.com.au/index.php?page=apm

Example on how to proceed: http://www.diamondcs.com.au/index.php?page=apm-features

Regards,

Pieter
« Reply #2 on: December 28, 2003, 03:59:58 »
caution
Guest

Good and bad news.

Good news was that I was able to remove it, bad news is that I have been able to replicate the problem.

The removal was a strange task. I first replaced the file with the inuse program, replacing it with just a text file containing one full-stop. After successive reboots, explorer still maintained a handle to the .exe file. Placing the apm.exe on the desktop with the suspect .exe did not produce the same effect??? So that is pretty suspicious in itself.

Once I discovered that, the removal involved killing the handle off in Process Explorer and deleting from the command prompt (as every time the desktop where the file lived was viewed, it would lock it again). So no real problems there and it proved that explorer.exe was locking it.

The real bad news was that I attempted to repeat the incident. I tried several times to do it, but couldn't find what I did to cause the initial locking to occur.

So sorry for the false alarm, I hope the results have been as interesting and mind boggling for you as they have been for me. Thanks for all the help! :)