Some interesting stuff, but no closer to a final conclusion of how it got there. The installer ran an XML file to get it’s updates. The XML file instructed it to download 4 files from download.statblaster.com. Those files were MemoryWatcher-b.exe, all_files9.exe, tracker.exe and FixIt.exe. Those in turn come bundled with their own “extras” and in the end we wound up with something like 15 programs getting installed within an hour. I think the instructions to do this came from a file named WinWildApp.exe, which in turn got it’s instructions from a randomly named .exe, which was also placed in the registry as a startup. That’s the file that started all this, but I don’t know where it came from. I know what time it hit the machine, and I know what site this person was on at that time, but the site, aside from annoying flashing ads and a few popups, seems to be clean. I don’t think that site is the source of the problem, but perhaps a popup was. The question is, did the popup originate from that site or was it a popunder from a previously-visited site?
By the way, there’s absolutely no evidence that the actual “statblaster” program was installed at all, but all of the “partners” listed on their website sure where, and from their servers. This leads me to believe that it was not a user who agreed to the wrong thing, since the original program that they are trying to get you to install from that site was never installed! (And yes the site he was on was a fantasy sports site, but a reputable one, and one of a few he had visited in the minutes previous to this.)
The only other evidence that sticks out is a program and a help file (both the .exe and .chm) called “HP2″ that was in the Temporary Internet Files and time-stamped the same time as the random file in the Temp folder that started all this. I don’t know what they are at this time.
Anyone have any more clues about the nature of this stuff?
Update: HP2.exe is definitely the program that started this whole mess. I ran it on a computer that was not hooked up to the internet and it spawned a randomly named file and process that tried to then connect to internet servers to download files. Now the $64,000 question is, where did this file come from and how did it get executed?