ADW_CASHFIESTA.A
Overview



In the wild: No

Reported detections: Low

Description:

Alias: APP:Adware-CashFiesta (NAI)

Threat Type: Adware

Systems Affected: Windows 95, 98, ME, NT, 2000, XP

Installer Name: CashFiesta.exe

Publisher: Cashfiesta.com

Download URL: www.cashfiesta.com

This adware program may be downloaded from the Internet by unsuspecting users.

Upon execution, it creates a shortcut on the affected machine's desktop. It then drops the folder DataColl in the following path:

    C:\WINDOWS\PCHEALTH\HELPCTR

The aforementioned folder contains gathered information, such as system properties, in .XML (Extensible Markup Language) format.

This adware program is also capable of displaying pop-up advertisements on affected machines’ Internet Explorer browsers.

Solution:

TREND MICRO SOLUTION

  • Minimum scan engine version needed: 7.100
      TMAPTN version needed: 202.03
  • DCE version needed: 3.8

MANUAL REMOVAL INSTRUCTIONS

Identifying the Grayware Program

Download the latest grayware pattern file and scan your system. Note all files detected as ADW_CASHFIESTA.A.

Removing Added Entries from the Registry

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_USERS>S-1-5-21-1275210071-1303643608-682003330-1117>Software>CashFiesta>CashFiesta>Install
  3. In the right panel, locate and delete the entry:
    DesktopShortcut = "TRUE"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>WindowsUpdate>Auto Update
  5. In the right panel, locate and delete the entry:
    AUState = "dword:00000001"
  6. Close Registry Editor.

NOTE: If you were not able to terminate the grayware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Download and unzip the latest grayware pattern file and scan your system. Then, delete all files detected as ADW_CASHFIESTA.A.



Details:

This adware program adds the following registry entries as part of its installation routine:

HKEY_USERS\S-1-5-21-1275210071-1303643608-682003330-1117\Software\CashFiesta\CashFiesta\Install
DesktopShortcut = "TRUE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUState = "dword:00000001"
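
The registry entries listed above can also be checked offline against a registry export saved as text. The following is an added example, not part of the original write-up: the function names and the sample export are constructed for illustration, and the check matches any S-1-5-21 SID, because the SID shown above identifies one account on one machine and will differ on other systems.

```python
import re

# Registry entries listed on this page: (key-path regex, value name, data).
# The HKEY_USERS SID is matched generically, since S-1-5-21-... names one
# account on one machine and will differ on other systems.
INDICATORS = [
    (r"HKEY_USERS\\S-1-5-21(-\d+)+\\Software\\CashFiesta\\CashFiesta\\Install",
     "DesktopShortcut", '"TRUE"'),
    (r"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
     r"\\WindowsUpdate\\Auto Update", "AUState", "dword:00000001"),
]

def parse_reg_export(text):
    """Parse regedit export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def find_cashfiesta_entries(text):
    """Return (key, value name) pairs matching INDICATORS, case-insensitively."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for pattern, name, data in INDICATORS:
            if not re.fullmatch(pattern, key, re.IGNORECASE):
                continue
            for vname, vdata in values.items():
                if vname.lower() == name.lower() and vdata.lower() == data.lower():
                    hits.append((key, vname))
    return hits

# Constructed sample export (not from a real machine; the SID is made up).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\CashFiesta\CashFiesta\Install]
"DesktopShortcut"="TRUE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUState"=dword:00000001
"AUOptions"=dword:00000004
'''

print(find_cashfiesta_entries(SAMPLE_EXPORT))
```

Exports written by newer versions of Registry Editor are UTF-16 encoded, so decode the file to text before passing it to the function.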




Analysis by: Michelle Parona


Description created: Mar 22, 2005



