Wilders Security Forums  

  #1  
Old February 9th, 2005, 08:50 AM
Scott Chicago
Infrequent Poster
 
Join Date: Feb 2005
Posts: 3
Default NetSpy - Barchart/CBOT ActiveX Controls

Hello,

On my system, when any of my spyware prevention programs are launched (SpyBot, Spyware Guard, MS Antispyware) something starts the msi installer and tries to connect to http://208.169.221.52/cabs/21/ to install what it says is Barchart/CBOT ActiveX Controls.

That website is actually the Chicago Board of Trade site but I have determined that this is trying to install a version of netspy.

I have looked through every running process and I can't find a single one that is anything other than what I would expect. How can I find out what is trying to launch this installer when I start up these programs?

Scott
  #2  
Old February 9th, 2005, 09:51 AM
Sweetie(*)(*)
Frequent Poster
 
Join Date: Aug 2004
Location: Venus
Posts: 419
Default Re: NetSpy - Barchart/CBOT ActiveX Controls

Hi, have a look at your start list; if there's anything suspicious, research it on the web.

Process Guard from DiamondCS may be a help. Link

You could try running HJT and post the log at a forum that accepts logs; Wilders no longer allows it.
__________________
"Well behaved women rarely make history"
Laurel Thatcher Ulrich
  #3  
Old February 9th, 2005, 10:00 AM
Scott Chicago
Infrequent Poster
 
Join Date: Feb 2005
Posts: 3
Default Re: NetSpy - Barchart/CBOT ActiveX Controls

Hi,

Thanks. I have already scoured the HJT logs and startup and I can't find anything out of place.

What I'm trying to learn is exactly how to identify a process that launches the msi installer. Something is monitoring the task list and fires when it sees a monitored process (SpywareGuard etc) start.

It would be nice to know if there is a way to pinpoint that system call.

I'm afraid that this thing may have replaced a typically normal file with its own which makes identifying it by name go out the door. I have only found one other instance of this reported on the web and it was on this site in May of 2004. That thread ended with no resolution.

Anyway, if anyone can point me to some advanced windows analysis tools I would appreciate it.

--Scott
  #4  
Old February 9th, 2005, 02:10 PM
Scott Chicago
Infrequent Poster
 
Join Date: Feb 2005
Posts: 3
Default Re: NetSpy - Barchart/CBOT ActiveX Controls

Ok, I've made some progress.

I started in safe mode and everything worked fine. Good.
I then started back up as normal and started killing processes to try and see if I could find the one calling the installer. No dice.

I used the console tasklist /svc to expand the services being run by svchost.exe and started knocking off the unrequired ones. Again, no dice.

I pruned the task list and services down to what normally run in safe mode and this stupid thing would still try to install when I open spyware guard etc.

Next I dug through the registry and found a boatload of entries of Barchart, CBOT.ocx and CBOT.msi, many of which included the server information it was trying to connect to. So I nuked all of those.

Under Program files, I found a directory named "barchart" that contained some of the files used by this and I erased all of those.

Now, when I start Spyware Guard or MS Antispyware the installer still tries to open and immediately closes since the files it is looking for have been deleted by yours truly.

The only thing that is still really bugging the heck out of me is what in the world is calling the installer in the first place when I open Spyware Guard?

The files are gone, the reg entries are gone, but there is still something trying to do bad things. This is driving me crazy.

Even if you could just recommend a procedure to isolate this call then that would be cool.

Any ideas?

--Scott
  #5  
Old February 18th, 2005, 05:38 PM
wjkomo
 
Posts: n/a
Default Re: NetSpy - Barchart/CBOT ActiveX Controls

Hi, I am having the same issues. Glad I found your post. I will attempt to make the same changes you did. I'm wondering if this spyware could have come from the CBOT site. Have you used charting at that site? I have.

Bill
  #6  
Old February 24th, 2005, 09:13 PM
wjkomo
Infrequent Poster
 
Join Date: Feb 2005
Posts: 1
Default Re: NetSpy - Barchart/CBOT ActiveX Controls

Okay here is the scoop. The CBOT activex control was needed at one time to view charts at the CBOT website. It is not needed any longer, as they now use java. The activex installation happens to use some file names that are the same names as some well known spyware. However, the CBOT claims that this is just a coincidence, and the software is harmless.

Since the activex is no longer needed, just go into Windows Control Panel, go to "Add or Remove Programs", and uninstall Barchart CBOT Activex controls (that is not the exact wording, but close). It will uninstall and the spyware scans will no longer have an issue.
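Added example, not part of any post in this thread: a PowerShell sketch of the check behind the uninstall advice above, which also addresses the earlier question of what the installer is being started for. It lists registered products matching the names the posters mention, then searches Windows Installer's Application-log events for those names or product codes. It assumes a current Windows system with PowerShell and the `Get-WinEvent` cmdlet; the name fragments are taken from the thread and may need adjusting.

```powershell
# Added example (not from the thread). Name fragments are the ones the posters mention.
$patterns = 'Barchart', 'CBOT'
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Standard per-machine and per-user uninstall registration keys.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$products = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        # -match is case-insensitive; empty properties simply fail to match.
        if ("$($p.DisplayName) $($p.Publisher)" -match $regex) {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                Publisher       = $p.Publisher
                # For MSI-installed products the subkey name is the product code GUID.
                KeyName         = $key.PSChildName
                InstallSource   = $p.InstallSource
                UninstallString = $p.UninstallString
            }
        }
    }
}
$products | Format-List

# Windows Installer writes to the Application log under the MsiInstaller
# provider; its messages name the product being installed, repaired or removed.
$needles = @($patterns) + @($products.KeyName | Where-Object { $_ })
$eventRegex = ($needles | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller' } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $eventRegex } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```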
 
