
Spyware.PCAcme.B

Updated: 13 February 2007
Version: 6.3
Publisher: Raytown Corporation
Risk Impact: High
File Names: pcacme.exe, control.exe, view.exe, <random name>.exe
Systems Affected: Windows

Behavior

Spyware.PCAcme.B is a program that logs keystrokes, program usage, and Internet activity on your computer.

Symptoms

The existence of files that are detected as Spyware.PCAcme.B is an indication of infection.

Behavior

Spyware.PCAcme.B must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 23 March 2017 revision 037
  • Initial Daily Certified version 11 July 2004
  • Latest Daily Certified version 23 March 2017 revision 041
  • Initial Weekly Certified release date 14 July 2004

There are three versions of Spyware.PCAcme.B:
  • Personal
  • NET
  • PRO

All of these versions create the same files and make the same registry changes.

Depending on the version, the spyware can keep logs of the following:
  • Keystrokes: Personal, NET, PRO
  • Mouse clicks: Personal, NET, PRO
  • Program usage: Personal, NET, PRO
  • Passwords: Personal, NET, PRO
  • URLs: Personal, NET, PRO
  • Email: NET, PRO
  • Viewing: Personal, NET, PRO
  • Analyzing tool usage: PRO

When Spyware.PCAcme.B is installed, it does the following:
  1. Allows the person installing it to select the language.

  2. Displays the license agreement.

  3. Allows the choice of installation:
    • Full
    • Custom: Allows selection from Spy Agent, Control Center, Log Viewer, Uninstall, and Create shortcuts

  4. Allows the choice of the installation folder. The default installation folder is %ProgramFiles%\PC Acme.

    Note:
    %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.

  5. Allows the creation of a password for the spyware.

  6. Creates the following folders and files:
    • %ProgramFiles%\PC Acme\control.exe: The Control Center of the Spyware. Detected as Spyware.PCAcme.B.
    • %ProgramFiles%\PC Acme\pcacme.chm: Help file.
    • %ProgramFiles%\PC Acme\uninst.exe: Uninstaller.
    • %ProgramFiles%\PC Acme\view.exe: The log viewer. Detected as Spyware.PCAcme.B.
    • %ProgramFiles%\PC Acme\instlng: Installation language.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\Control Center.lnk: Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\Help.lnk: Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\View Log.lnk: Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\Uninstall PC Acme components.lnk: Start menu link.
    • C:\WINNT\System32\aastor.dat: Configuration.
    • C:\WINNT\System32\aastor.key: Configuration key.
    • C:\WINNT\System32\<random name>.exe: Main logger. Detected as Spyware.PCAcme.B.
    • C:\WINNT\System32\<random name>.dll: The logger uses this DLL.
    • C:\WINNT\System32\<random name>.cfg: Configuration.
    • C:\WINNT\System32\<random name>.key: Configuration key.
    • C:\WINNT\System32\<random name>.hiv: Log file.
    • Three additional .sys files with randomly generated names.

  7. Adds the value:

    "<random name>" = "C:\WINNT\System32\<random name>.exe /setuser"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Spyware runs when you start Windows.

  8. Adds the subkey:

    PC Acme uninstall

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

    and then adds these values to that subkey:

    "DisplayName" = "PC Acme (uninstall only)"
    "UninstallString" = "%ProgramFiles%\PC Acme\uninst.exe -p"%ProgramFiles%\PC Acme""

  9. Adds a service with the following attributes:

    Note:
    The Spyware adds a service with the display name as another service's Display Name, appended with " service."

    For example, if a service with the display name "Security Accounts Manager" exists, the Spyware may add itself with the display name equal to "Security Accounts Manager service."
    • Service name: "<random name>"
    • Display name: "<Existing Service Name> service"
    • Path to executable: "C:\WINNT\system32\<random name>.exe"
    • Startup type: "Automatic"
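The persistence artifacts in steps 7 to 9 (the Run value ending in /setuser, the decoy service whose display name is an existing service's display name plus " service", the "PC Acme uninstall" subkey and the aastor.dat/aastor.key files) can be hunted for from PowerShell. The script below is an added example and is not part of the Symantec writeup; the paths and names come from the writeup, while the matching rules, variable names and the use of Get-CimInstance (PowerShell 3.0 or later) are assumptions of this example.

```powershell
# Added hunt script (not from the Symantec writeup). Run in an elevated PowerShell.
# Checks the persistence artifacts the writeup lists for Spyware.PCAcme.B.

# Provider properties that Get-ItemProperty adds and that are not registry values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Step 7 artifact: a Run value whose command line is <something>\System32\<name>.exe /setuser
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runHits = foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
    if ($p.Name -in $providerProps) { continue }
    $cmd = [string]$p.Value
    if ($cmd -match '(?i)\\system32\\[^\\]+\.exe\s+/setuser\s*$') {
        [pscustomobject]@{ Artifact = 'RunValue'; Name = $p.Name; Detail = $cmd }
    }
}

# Step 9 artifact: a service whose display name is another service's display name + " service"
$services = Get-CimInstance -ClassName Win32_Service
$displayNames = @{}
foreach ($s in $services) { $displayNames[$s.DisplayName] = $true }
$svcHits = foreach ($s in $services) {
    # $Matches[1] is the display name with the trailing " service" stripped
    if ($s.DisplayName -match '^(.+) service$' -and $displayNames.ContainsKey($Matches[1])) {
        [pscustomobject]@{ Artifact = 'Service'; Name = $s.Name; Detail = "$($s.DisplayName) -> $($s.PathName)" }
    }
}

# Step 8 artifact: the uninstall subkey the writeup names
$uninstKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Acme uninstall'
$uninstHits = if (Test-Path $uninstKey) {
    [pscustomobject]@{ Artifact = 'UninstallKey'; Name = 'PC Acme uninstall'; Detail = (Get-ItemProperty $uninstKey).DisplayName }
}

# Step 6 artifacts: the two fixed-name configuration files in System32
# ($env:SystemRoot is used instead of the hard-coded C:\WINNT from the writeup)
$fileHits = foreach ($f in 'aastor.dat', 'aastor.key') {
    $path = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $path) { [pscustomobject]@{ Artifact = 'File'; Name = $f; Detail = $path } }
}

$hits = @($runHits) + @($svcHits) + @($uninstHits) + @($fileHits) | Where-Object { $_ }
if ($hits) { $hits | Format-Table -AutoSize } else { 'No Spyware.PCAcme.B artifacts found.' }
```

The service check is the one most worth reviewing by hand: a legitimate product can also register a display name that happens to be another service's name followed by " service", so treat a hit there as a lead to confirm against the executable path and the Run value rather than as proof on its own.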
The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

Note:
There is an uninstaller, but the Spyware's access password protects it.
  1. Update the definitions.
  2. Disable the service running Spyware.PCAcme.B (Windows 2000/XP).
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Spyware.PCAcme.B.
  5. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To find and disable the service (Windows 2000/XP only)
  1. Click Start > Run.
  2. Type services.msc, and then click OK.
  3. Locate and select the service "<Some Existing Service Name> service".
  4. Click Action > Properties.
  5. Click Stop.
  6. Change Startup Type to Disabled.
  7. Click OK, and then close the Services window.
  8. Restart the computer.

3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode."

4. To scan for and delete the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Spyware.PCAcme.B, click Delete.

    Note:
    If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file.

5. To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start > Run.
  2. Type regedit, and then click OK.

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "<random name>" = "C:\WINNT\System32\<random name>.exe /setuser"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

  6. In the left pane, delete the subkey:

    PC Acme uninstall

  7. Exit the Registry Editor.
  8. Restart the computer in Normal mode.
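Steps 2 and 5 of the removal procedure (stopping and disabling the service, then deleting the Run value and the uninstall subkey) can be scripted once the random service and value names have been identified. The script below is an added example and is not part of the Symantec writeup; the registry paths and subkey name come from the writeup, while the parameter names, the use of -WhatIf support and the ordering are assumptions of this example. Steps 3 and 4 (Safe mode and the full antivirus scan) remain manual.

```powershell
# Added remediation script (not from the Symantec writeup). Save as a .ps1 and run
# elevated. Supports -WhatIf, which reports each change without making it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # The "<random name>" service found in services.msc (display name "<Existing Service Name> service")
    [Parameter(Mandatory = $true)] [string] $ServiceName,
    # The "<random name>" value under HKLM\...\Run whose data ends in "/setuser"
    [Parameter(Mandatory = $true)] [string] $RunValueName
)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$uninstKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Acme uninstall'

# Step 2: stop the service and set its startup type to Disabled so it does not return on reboot
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop and disable service')) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force }
    Set-Service -Name $ServiceName -StartupType Disabled
}

# Step 5a: remove the Run value, but only if it really holds the /setuser command line
$runValues = Get-ItemProperty -Path $runKey
if ($runValues.PSObject.Properties.Name -contains $RunValueName) {
    $data = [string]$runValues.$RunValueName
    if ($data -notmatch '(?i)/setuser\s*$') {
        throw "Run value '$RunValueName' does not end in /setuser; refusing to delete it."
    }
    if ($PSCmdlet.ShouldProcess("$runKey\$RunValueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $runKey -Name $RunValueName
    }
} else {
    Write-Warning "Run value '$RunValueName' not found under $runKey"
}

# Step 5b: remove the "PC Acme uninstall" subkey and its DisplayName/UninstallString values
if (Test-Path $uninstKey) {
    if ($PSCmdlet.ShouldProcess($uninstKey, 'Remove registry subkey')) {
        Remove-Item -Path $uninstKey -Recurse
    }
} else {
    Write-Warning "Subkey not found: $uninstKey"
}
```

Run it first with -WhatIf (for example `.\Remove-PCAcmeArtifacts.ps1 -ServiceName <random name> -RunValueName <random name> -WhatIf`) to confirm it targets only the expected service and registry entries, and back up the registry beforehand as the Important note above advises. The /setuser check is a guard against deleting an unrelated Run value if the wrong name is passed.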