Post #1 - zerodamage (HardwareHeaven Extreme Member, Virginia, USA) - Apr 19, 2004, 07:44 PM

UPDATE: Adspy-Virus that Norton 2004, Adaware & Spybot cannot remove

I've come across the ugliest spyware to date. This thing will just not go away by normal means. Adaware, Spybot, nothing will remove it at this time.

I've been working on removing this spyware infection on a customer's computer for 2 days now. Adaware has an update to find the infection, but what happens is that it cannot be removed. Spybot doesn't detect it either. What happens is that Adaware finds this and says it will have to reboot, even in safe mode, and when the computer restarts, this spyware stops Adaware from starting up at startup. This spyware also connects to the internet and installs other spyware. Not only that, but it digs itself into the Winlogon.exe file. You do NOT want this thing on your computer. The only way to remove this thing right now is by reinstalling Windows and possibly by other complicated methods. Norton Antivirus 2004 did not detect it.

Now this thing is called: VX2.BetterInternet
The file is ausmsext.cpy.dll located in your system32 folder. This thing uses different DLL files and makes copies.
There is also a registry entry going into Hkey_Local_Machine/Software/Microsoft/Windows NT/winlogon/notify/guardian

Adaware classifies this thing as a Data Miner. Now there are ways to remove this, but none of them are 100% and it finds ways of getting back. So the only sure way of removing this is a format and reinstall of Windows. Adaware finds it but cannot fully remove it.
You can see how ugly this thing can be at the Adaware forums Here.

To help you avoid getting this thing, avoid the sites listed at: PCSympathy.com

This seems to be the only working method for removing this thing. It did not work for me but has worked for many others, so try it if you have this thing on your computer. Read the instructions Here

There is some good news in all of this. Spyware Blaster blocks this from ever installing on your system. You can download it from Javacoolsoftware. Remember to update after installing it. Also make sure you enable all of the protection.

These types of infections are only going to get worse. Laws need to be put into place to punish companies that do this.

UPDATE: I noticed this and it should tell you a lot about this VX2 stuff. The company's name was VX2, based out of the U.K.
Read about it here: ZDnet

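The post above names the two things a defender can check for without any third-party tool: a Notify subkey under the Winlogon registry key, and the DLL it points at in system32. Winlogon loads every DLL registered under that key at logon, which is why the infection looks "integrated into Winlogon.exe". The script below is an added example, not part of this thread and not from any of the tools mentioned in it. It assumes the full key path on XP is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (the post abbreviates it), and the allow-list holds the package names a clean XP SP2 install carries to the best of my knowledge; vendor software such as graphics drivers and antivirus products legitimately adds its own entries, so an unlisted name is a prompt to look, not proof of infection. It deletes nothing.

```powershell
# Added example (not from the thread): audit the Winlogon Notify packages that
# winlogon.exe loads at logon. Each subkey under Notify carries a DllName value;
# the post found "guardian" pointing at a DLL in system32. Read-only.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumed allow-list: packages present on a clean Windows XP SP2 install.
$knownPackages = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp',
                   'Schedule', 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

if (-not (Test-Path -Path $notifyKey)) {
    Write-Output 'No Winlogon\Notify key present (normal on Vista and later).'
    return
}

$findings = foreach ($sub in Get-ChildItem -Path $notifyKey) {
    $props   = Get-ItemProperty -Path $sub.PSPath
    $dllName = [string]$props.DllName
    if ([string]::IsNullOrEmpty($dllName)) { continue }

    # A bare file name resolves relative to %SystemRoot%\system32, which is
    # where the post found ausmsext.cpy.dll.
    $dllPath = if ([System.IO.Path]::IsPathRooted($dllName)) { $dllName }
               else { Join-Path -Path $env:SystemRoot -ChildPath "system32\$dllName" }

    $exists = Test-Path -LiteralPath $dllPath
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status }
                 else { 'FileMissing' }

    # Flag on package name or missing file; the signature column is for triage
    # because older Windows reports catalog-signed system DLLs as NotSigned.
    [pscustomobject]@{
        Package    = $sub.PSChildName
        DllName    = $dllName
        Resolved   = $dllPath
        Signature  = $sigStatus
        Suspicious = ($knownPackages -notcontains $sub.PSChildName) -or (-not $exists)
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the registry and the DLLs are readable. A package that comes back flagged should be checked against the DLL's vendor and file properties before anything is removed, since the thread itself shows that deleting the key alone does not hold: a second loader restores both the key and the file on reboot, so a flagged entry is evidence to act on from a clean boot environment, not something to delete from the running system.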


Post #2 - Dom (DriverHeaven Extreme Member) - Apr 19, 2004, 08:38 PM

Thanks for this, my friend's PC had this crap on there.
Post #3 - MIG-31 (HardwareHeaven News Mod, Nottingham, UK) - Apr 19, 2004, 08:49 PM

I already have this installed from this morning. Surprised how much I had to remove after 3 days after transferring to cable broadband access.
Post #4 - zerodamage (thread starter) - Apr 19, 2004, 08:51 PM

This stuff is just getting worse and worse. I had another computer that had a search bar that actually sat right above the taskbar, and this thing would not let me install Adaware. It would kill the process before the dialog came up. This stuff... Adspy-Viruses is what I will call them. They are nothing but viruses that spy. This Adspy-virus and what it did is only the beginning. It will not be long and the only thing a computer will be good for is visiting DH. No more browsing.
Post #5 - shortstuff - Apr 19, 2004, 08:55 PM

I don't think I have gotten that. Thanks for the info, zerodamage. I will be looking out for it. I have Adaware installed on my system; it hasn't picked up anything like that though.
Post #6 - germanjulian (London, Donator) - Apr 19, 2004, 09:46 PM

Wait... if you don't use IE and don't click "install crap on my computer" you won't get this?! Yes... no problem then... just like I don't have an AV program and no virus for over 2 years... sad for the average user though.
Post #7 - zerodamage (thread starter) - Apr 19, 2004, 09:48 PM

You do NOT have to authorize for it to install. MOST spyware installs without you knowing about it or without asking you. It just installs, plain and simple.
Post #8 - wertret (Orihuela, Spain, Donator) - Apr 19, 2004, 09:53 PM

I use Firefox, am I safe?
Post #9 - FDM80 (DriverHeaven Lover, Silver Spring, MD) - Apr 19, 2004, 11:08 PM

Yeah, a friend of mine has some monster of a thing on her computer that is constantly trying to mail itself to many addresses. Always trying to send emails about viagra and stuff. She's not tech savvy enough to remove it herself, so the only way I could try and get rid of it was using XP's Remote Assistance to try and do as much as I could. At the time the combination of spyware software and virus scanning wasn't enough to get rid of it. Probably the only way to totally deal with it is a reformat when she is back in town. Just sad in the fact that this stuff will end up causing people to lose so much time.
Post #10 - Xiphias (DriverHeaven Junior Member) - Apr 19, 2004, 11:09 PM

So is this thing showing up as a process? And does anyone know what method the sites use to install this thing?

I'm probably covered and I can always reinstall but it doesn't hurt to check for it.
Post #11 - AshG (Gadget Life Owner, East TN) - Apr 19, 2004, 11:17 PM

I've visited some interesting sites recently, don't remember any URLs right now... IE 6 from SP2 pops up a "This site attempted to install software on your computer" notice. I'll start scribbling down URLs and trying to find what those sites have been trying to install...
Post #12 - Rayder (U.S.A.) - Apr 19, 2004, 11:30 PM

Luckily, I have SpywareBlaster installed (as well as Ad-aware and Spybot), so I should be OK. Besides, I never went to any of the sites listed anyway.

You know, they should chop the hands off and gouge out the eyes of the people that create these things when they find them......I just don't understand what kind of sick pleasure those people get out of doing this stuff.
Post #13 - astrolabos (DriverHeaven Junior Member, Kalamata, Greece) - Apr 19, 2004, 11:31 PM

I have in my PC at work (sadly I am not the only one to use it) a trojan that McAfee found (while Norton wasn't able to find it) named Coreflood.dll

Quote:
It is likely that this component of the trojan is downloaded to the victim machine via a JavaScript trojan detected as JS/Cisp . This script results in the downloading of a 5,120 byte PE executable (with filename README.TXT). When the 5,120 byte executable is run, it extracts a DLL from its body, saving it to disk as: %SysDir%\XXXXXXX.DLL (20,480 bytes) (where %SysDir% is the Windows System directory, and XXXXXXX represents 7 random characters, e.g. C:\WINDOWS\SYSTEM\AVCXKDM.DLL) The EXE and the DLL are detected as CoreFlood and CoreFlood.dll respectively by the latest engine/DATs. Code within the DLL is run via a function call by the executable. The DLL is injected into the memory space of EXPLORER.EXE. In this manner personal firewalls may be bypassed (if EXPLORER.EXE is a "trusted" process).
The thing is that this trojan CANNOT be removed by any means. It creates an entry in the Run folder in the registry that, when you try to manually delete it, regenerates again!!!!

You might say "Why do you write all this stuff?" I write it because this adspy virus acts the same way that coreflood.dll does (which was first noticed in 2001).

The McAfee link that reports coreflood.dll can be found here

Any help or suggestion would be appreciated
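The quoted write-up describes the CoreFlood DLL being dropped as %SysDir%\XXXXXXX.DLL (seven random characters) and injected into EXPLORER.EXE so that a firewall which trusts Explorer lets its traffic out. The natural check on a suspect box is therefore to list what is actually loaded into explorer.exe and look for the odd one out. The script below is an added example, not from the thread and not from McAfee; it applies only the two hints the quote itself gives, an unsigned module and a seven-letter base name in system32, and it changes nothing on the machine.

```powershell
# Added example (not from the thread): list the DLLs loaded into explorer.exe
# and flag the ones that look out of place, following the quoted CoreFlood
# description. Two heuristics, both taken from that description: a module
# whose Authenticode signature is not valid, and a module in system32 whose
# base name is exactly seven letters (the "XXXXXXX.DLL" pattern). The name
# test is a weak hint only; legitimate DLLs can match it. Read-only.
$system32 = Join-Path -Path $env:SystemRoot -ChildPath 'system32'
$randomNamePattern = '^[A-Za-z]{7}\.dll$'   # assumed from the quoted "7 random characters"

$report = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    # Module enumeration can be refused for a process we lack rights to.
    $modules = try { $proc.Modules } catch { @() }
    foreach ($m in $modules) {
        $path = $m.FileName
        $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
        $inSystem32 = $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
        $nameHit    = $inSystem32 -and ($m.ModuleName -match $randomNamePattern)
        [pscustomobject]@{
            ProcessId = $proc.Id
            Module    = $m.ModuleName
            Path      = $path
            Signature = $sig
            Flag      = ($sig -ne 'Valid') -or $nameHit
        }
    }
}

$report | Where-Object { $_.Flag } | Sort-Object -Property Path | Format-Table -AutoSize
```

Run it elevated so every module of the Explorer process is visible. On older Windows releases many system DLLs are signed through a catalog rather than an embedded signature and will show up as NotSigned, so the signature column narrows the list for a closer look rather than deciding it; a flagged file's vendor, version resource and creation time are the next things to check. This also explains the firewall point in the quote: a per-application firewall rule for explorer.exe covers whatever code is running inside that process, so a hit here is worth correlating with outbound connections from Explorer.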
Post #14 - zerodamage (thread starter) - Apr 19, 2004, 11:39 PM

Quote:
Originally posted by Xiphias
So is this thing showing up as a process? And does anyone know what method the sites use to install this thing?

I'm probably covered and I can always reinstall but it doesn't hurt to check for it.
It runs as part of the Winlogon.exe process, but is not in the "Services" list at all. I removed all signs of it to the point where there is nothing showing up in Adaware; reboot, and both the registry entry and that DLL file are back. I told my customer that he will have to format and reinstall. This is a business computer too. One, it is sad that this adspy virus is costing me so much time, and he is losing data, time, and money because this is part of my business; I cannot do it for free.

I wonder how many corporations out there have spyware riddled workstations and not even know it.
Post #15 - zerodamage (thread starter) - Apr 19, 2004, 11:43 PM

What do you all think should be the name of these things? Spyware doesn't sound appropriate enough. I am currently using Adspy-Virus but thought maybe Adspirus or Adspyrus or something like that would be better suited to these things. They are worse than viruses. I do not know of many viruses that can't be removed with some sort of tool or virus program. But these adspy-viruses are now to the point where you need to format and reinstall or jump through hoops with 4 different 3rd-party programs, registry edits, etc. It's to the point where regular Joe Schmoe can't remove adspy-viruses anymore.
Post #16 - EcPercy (HardwareHeaven Senior Member, Iraq) - Apr 19, 2004, 11:43 PM

Man, this sounds like work... these people where I work... I feel so sorry for them... man, we have tried everything to get rid of this crap... I think that a joint lawsuit against all of the major spy/hijacking program makers should do it... I have tried to convince the place I work to switch to Firefox, but I don't know if they will; they are stuck on MS too freakin' hard....

Oh well... everyone I talk to I tell about Firefox... and they use it. The real problem is that this crap installs without you asking... well, only with IE though... that's the real problem. They (MS) are trying to fix this with SP2, but it's too little too late.

Sue the companies that make this and it will go away.
Post #17 - zerodamage (thread starter) - Apr 19, 2004, 11:45 PM

Firefox is just as open to adspy-virus cookies as IE. Spyware Blaster blocks adspy-virus cookies for Mozilla and Firefox as well. I highly recommend it. Actually, that is the FIRST program I install now with a fresh install of Windows.
Post #18 - jsx[ifl] (Montreal) - Apr 20, 2004, 12:27 AM

I reinstalled Windows last week and formatted, as I do every so often, and almost instantly I received this crap. I don't feel like reinstalling and going through the process again; it's so ridiculous. I'll try some of the other methods before I reinstall again.
Post #19 - zerodamage (thread starter) - Apr 20, 2004, 12:32 AM

If you have that junk I posted about here, then you will most likely have to format and reinstall. I tried EVERYTHING suggested in every forum I could find a link to via a Google search, and nothing.
Post #20 - jsx[ifl] (Montreal) - Apr 20, 2004, 12:41 AM

Well, I'm gonna have to reinstall/format and the like YET AGAIN. I'd love to meet the people who make these things and knock their brains out all over the sidewalk.
Post #21 - grimfang (DriverHeaven Senior Member) - Apr 20, 2004, 01:42 AM

I've got this damn thing on my XP Home. Is this why it pauses at the welcome screen for a minute or two? Also, is there any way I can get rid of this since I have XP Home, or am I going to have to reformat?
Post #22 - zerodamage (thread starter) - Apr 20, 2004, 01:53 AM

If you have it, you will NEED to format and reinstall if the method shown in my original post doesn't work. The thing to do is follow it to a "T", then restart and check again in an updated Adaware. If it isn't there, restart and try one more time to make sure. If it comes back then, you will need to format and reinstall. Keep in mind it did not work for me but may work for you.

And yes, that is why the welcome screen takes a LONG time to load. Did it to me as well. Remember, it has integrated itself into Winlogon.exe.
Post #23 - grimfang (DriverHeaven Senior Member) - Apr 20, 2004, 02:01 AM

Thanks for the quick reply. The instructions for removal are for the Pro version, correct? How do I do it for the Home version?
Post #24 - No_Style (Styleless Wonder, Ottawa, Ontario) - Apr 20, 2004, 02:07 AM

My Story

This weekend I decided to reformat my laptop. Unfortunately, I thought it would be safe to go online and get updates. I was sorely wrong. Instantly, I got a variant of the Gaobot virus and an RPC shutdown. This thing was awful. It was detected by NAV, but I couldn't remove it unless I was in safe mode. But even then, it came back! I tried doing some Windows updates, but it refused to install them. Everything was solved after going into Safe Mode with Networking and installing the updates manually. What's worse was that it left permanent "damage" on the laptop. I can't access anything on the Symantec site or do any LiveUpdates either.

Now I'm doing an offline reformat and update.
Post #25 - AshG (Gadget Life Owner, East TN) - Apr 20, 2004, 02:44 AM

Hrm... Adspy-Virus is a little long to handle.... How about Virad?

I've got McAfee Enterprise set to detect spyware and joke programs now, plus Spyware Blaster and Ad-Aware. IE6 SP2 seems to work well too. Here's hoping...
Post #26 - zerodamage (thread starter) - Apr 20, 2004, 03:00 AM

Quote:
Originally posted by grimfang
Thanks for the quick reply. The instructions for removal are for the Pro version, correct? How do I do it for the Home version?
The instructions should be the same for the Home version as for the Pro, or really close. So close that you should be able to go along just the same, but if not, drop a note here and we'll try to help you out.

As for the virus getting on the laptop, that is what happens when the DCOM and Messenger services are running when going on the net with no firewall present. I stay offline and do all of my updates via CD-ROM, then I disable those junk progs and services.
Post #27 - grimfang (DriverHeaven Senior Member) - Apr 20, 2004, 03:38 AM

On XP Home, where is the Local Security Policy? I see Administrative Tools, but after that I don't see Local Security Policy. Is it called something else under Home?
Post #28 - pr0digal jenius - Apr 20, 2004, 04:08 AM

Quote:
Originally posted by zerodamage
Firefox is just as open to adspy-virus cookies as IE.
WRONG

With Firefox there is about a page-long piece of script you can roll up in the chrome file that automatically purges all known forms of ads and blocks the URLs/scripts/etc.

If anyone is interested I'll try and dig up the page and post it later.
Post #29 - zerodamage (thread starter) - Apr 20, 2004, 04:28 AM

Quote:
Originally posted by grimfang
On XP Home, where is the Local Security Policy? I see Administrative Tools, but after that I don't see Local Security Policy. Is it called something else under Home?
Try everything except that part of the removal. If you are using XP Home, then you may have to format and reinstall.
Post #30 - zerodamage (thread starter) - Apr 20, 2004, 04:31 AM

Quote:
Originally posted by pr0digal jenius
WRONG

With Firefox there is about a page-long piece of script you can roll up in the chrome file that automatically purges all known forms of ads and blocks the URLs/scripts/etc.

If anyone is interested I'll try and dig up the page and post it later.
I would be wrong if Firefox did not have a problem with adware cookies by default. The regular everyday user is not going to know about this script or where to get it. The same goes for IE. This is where Spyware Blaster comes in. It blocks the URLs and the tracking cookies all in one program.