Adobe Gamma Loader.exe


This morning I noticed an IE popup for something having to do with the IRS and taxes. I had only booted the computer and signed in, nothing but services and my usual startup things running. So I closed it and sure enough it came back up. Now when I booted up MS AntiSpyware asked me whether or not I wanted to permit Adobe Gamma Loader to execute from StartUp. I blocked it since I hadn't installed any Adobe products except for Adobe Reader. So I looked in my Start Menu and there it was, Adobe Gamma Loader.exe (not a shortcut) in the StartUp folder of my personal StartMenu. I archived it for later inspection, but I'm wondering if anyone has run into this one before?



I've probably seen the real version of this file, after installing Adobe Acrobat (full version), but it doesn't seem to affect anything besides freeing up memory and disk space if I delete it. My recommendation is to not even have normally considered "harmless" items in the startup; as you've seen, when something goes wrong it's difficult to figure out which item it is.


I don't recall getting the gamma util when installing Acrobat reader. I do run Photoshop and Acrobat Pro (aka Acrobat Writer) and I know Photoshop will push the gamma thing. Personally I find it suspicious and I would question if that really is the gamma util or some sneaky spyware.

But you are running MS AS which does a really awesome job of catching spyware so maybe it is real.

Sounds like I need to create an XP setup in Virtual PC and run some tests on the matter... one day.

I don't run the gamma util; the only reason one would want to is because you use Photoshop and need to match your screen output to your printer output, hence why I find it VERY suspicious that Acrobat reader would actually push it, but hey, anything is possible.


FYI the "Adobe Gamma Loader.exe" that I have in my

C:\Program Files\Common Files\Adobe\Calibration\

is exactly 113,664 bytes, created Jan 5, 2005, and its version is 1.0.0.1.

I have the following Adobe products installed in order (latest on top)

Acrobat Reader 7.05

Photoshop CS2

Acrobat Reader 5.x

Acrobat Reader 6.x

Acrobat Pro 6

Photoshop 7

I'll swear Adobe never hard copies (entire EXE) into your startup folder.

Edited by travisowens

The file I came across is like 25kb. I use Photoshop CS2, but not on the computer in question, so I am at least somewhat familiar with Adobe Gamma Loader. One of the problems I've had in researching this is that when you put "Adobe Gamma Loader" into Google, all you get is hits regarding the real McCoy. I did save the file. Actually I 7-Zipped it and I was going to attach it to my first post, but I wasn't sure if that would run afoul of MSFN rules - posting potential malware. The file does seem fairly harmless and I think I'm going to do some testing from within VMware using TCPView and some other tools to see if it's contacting anything. The thing that kills me is that I always have the MS AntiSpyware real time protection running and as well I always keep up on the inoculating registry entries from SpywareBlaster, Spywareguide.com, etc. I disable all non-essential services and for the last month I've even taken to running Maxthon in a "low rights" mode courtesy of SysInternals PsExec. I'm a network engineer with over 20 years experience and as you can imagine, all forms of malware have become practically a full time job for me over the last five years. This is why I'm so PO'd about this. It's like a slap in the face.

If there's anyone who has the knowledge to decompile this thing and is interested, let me know and I'll fire it off to you.

Edited by RogueSpear

Hmmm... I would get rid of it, Rogue. I have the original Adobe Gamma on my computer and it is much different than this one. For one, mine is file version 1.0.0.1. Yours is 1.00. Plus almost all of the version info is different.

Including the copyright info. Mine says copyright 1998; yours is blank. Mine does not have an icon... yours does. Very weird file.

The original Adobe Gamma is only needed for changing the visual settings on your monitor. If your monitor looks fine... you don't need it anyways. If you're not using photoshop or any picture editing software.. you don't need it. Better to be safe than sorry.


Yea I pretty much concluded it's bogus. I compared it to the real file on another of my computers. At this point I'd just like to find out where it came from and how it got there. As a matter of interest I suppose I wouldn't mind knowing what crazy things it does too.


As a matter of interest I suppose I wouldn't mind knowing what crazy things it does too.

It doesn't seem to do much...

The first 1750 bytes of the file. It appears to have been compiled with Microsoft Visual Basic v6.0 - note the importance of the MSVBVM60.DLL occurrence:

[screenshot: agl19is.gif]

Note "http", "WebBrowser" and "SHDocVwCtl" here; most likely it accesses the Internet. Also notice that the name of the user account that created this, as well as the entire path to the VB file, is visible:

[screenshot: agl29hr.gif]

The embedded URL is clearly visible. It is quite obvious that this program was written to "click" an affiliate link (the ?a=1 parameter of the PHP script).

[screenshot: agl35so.gif]

Notice the fake property items before the icon in the resources area near the end of the file:

[screenshot: agl42sk.gif]

All it does is produce regular HTTP requests to the URL shown in the above diagram. Not particularly harmful, but it can produce excessive network traffic and congestion. It does not seem to attempt to install itself in any startup locations nor infect any files in the system.

I have confirmed this by starting the process, observing its behavior, and ending it with the Task Manager. It did not add itself to any startups nor attempt to persist and infect.

This can be considered to be of Low Severity.

Edited by LLXX
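The static checks LLXX walked through above (the MSVBVM60.DLL import, the WebBrowser/SHDocVwCtl class names, the leftover developer path, the embedded affiliate URL, and the version/copyright/size differences travisowens and the other poster compared against the genuine loader) can be scripted so the same triage is repeatable on the next suspicious startup item. The script below is an added example and is not code from the thread or from Adobe; the sample bytes are constructed to carry the same traits the hex dumps showed and stand in for the dropped file, and the version and copyright values are assumed to be read by the analyst from the file's Properties dialog rather than parsed from the resource section.

```python
import re

# Constructed stand-in for the dropped "Adobe Gamma Loader.exe". This is NOT the
# real file; it only reproduces the traits the hex dumps in the thread showed:
# the VB6 runtime import, browser-control class names, an affiliate-style URL
# with an ?a=1 parameter, and a developer path left inside the binary.
SUSPECT_BYTES = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 58
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"MSVBVM60.DLL\x00"
    + b"C:\\Documents and Settings\\someuser\\My Documents\\Project1.vbp\x00"
    + b"SHDocVwCtl\x00WebBrowser\x00"
    + b"http://ads.example.invalid/click.php?a=1\x00"
    + b"\x00" * 32
)

# Metadata of the legitimate loader as reported in the thread
# (113,664 bytes, version 1.0.0.1, copyright 1998).
KNOWN_GOOD = {"size": 113664, "version": "1.0.0.1", "copyright": "1998"}


def ascii_strings(data, min_len=5):
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_urls(strings):
    """URLs embedded in the binary, query string included for inspection."""
    urls = []
    for s in strings:
        urls.extend(re.findall(r"https?://[^\s\"'<>]+", s))
    return urls


def triage(data, version, copyright_text):
    """Score a file against the traits the thread identified.

    version and copyright_text are what the analyst reads from the file's
    Properties dialog (the thread compared 1.00 vs 1.0.0.1 and blank vs 1998).
    Each finding is a boolean; three or more hits flags the file as suspicious.
    """
    strings = ascii_strings(data)
    lowered = [s.lower() for s in strings]
    urls = extract_urls(strings)
    findings = {
        # VB6-compiled binaries import the VB runtime by name
        "vb6_runtime": any("msvbvm60.dll" in s for s in lowered),
        # SHDocVw WebBrowser control means it can drive Internet Explorer
        "browser_control": any("webbrowser" in s or "shdocvwctl" in s for s in lowered),
        # a VB project or PDB path leaks the author's build environment
        "dev_path_leak": any(re.search(r"[a-z]:\\.*\.(vbp|pdb)$", s) for s in lowered),
        # a hard-coded URL with query parameters (the ?a=1 affiliate hit)
        "url_with_query": any("?" in u for u in urls),
        # compare against the genuine loader's reported metadata
        "size_mismatch": len(data) != KNOWN_GOOD["size"],
        "version_mismatch": version != KNOWN_GOOD["version"],
        "copyright_missing": KNOWN_GOOD["copyright"] not in copyright_text,
    }
    score = sum(findings.values())
    return {
        "findings": findings,
        "urls": urls,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "consistent with known-good",
    }


if __name__ == "__main__":
    report = triage(SUSPECT_BYTES, version="1.00", copyright_text="")
    for key, hit in report["findings"].items():
        print(f"{key:18s} {'HIT' if hit else '-'}")
    print("embedded URLs:", report["urls"])
    print("verdict:", report["verdict"], "(score", report["score"], "of 7)")
```

On the constructed sample every check fires and the verdict is "suspicious"; a file whose size, version string and copyright match the known-good values, and which carries none of the string indicators, scores zero. The metadata comparison only works against a trusted copy of the real loader, which is exactly what the thread did by checking the file on a second machine with Photoshop installed.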

Like child's play when you know what you're doing :D Thanks for taking the time to look into it. That was really cool of you. So if I'm reading all this right, it would seem as though this "program" is attempting to make someone money by registering hits on an online ad. Now what I need to do is to try and find out where I got this thing from.
