SteveH11 Posted August 17, 2005

Good day people!

I think I have an issue. I ran Startup Inspector and it showed my startup programs, but.....this time I got a warning telling me that this is not to be confused with the "real" MS AS. Here's what it looked like:

gcasServ
Filename: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
Params:
Required: Not recommended
Startup Location: LM Run
Memory Usage: 6.3 MB
Peek Memory Usage: 6.5 MB
Comments: Added by a variant of the RBOT WORM! Do not confuse with the Microsoft AntiSpyware executable of the same name

So I go check out RBOT worm here: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

And this begins to worry me. You see, I (at this point) have only noticed a few symptoms, i.e., a small number of attempts for packets trying to leave my machine (stopped by ZoneAlarm), or slowed down internet performance for short spells. I don't usually notice much outgoing activity on my "in-out" meter. Plus, I'm constantly scanning for spyware etc. using Spybot S&D, Adaware, and Microsoft A-S...although if that's been compromised I'm sure it's hidden (I believe it's hidden in the Microsoft A-S folder itself). I also scan bi-weekly for viruses with AVG, but nothing is ever found.

I just disabled it from starting up. But who knows what that will do? Has anyone ever heard of this? BTW, I am running XP Service Pack 2. And.......(geeeze)...There also seem to be five running processes involving Antispy...that seems very weird. Perhaps I should uninstall all of them and get another version???

Thanks in advance.

EDITED

I just tried to block the startup of this and another program, "LXBYCATS". Upon restart my Spybot S&D kept asking permission for a registry change. I checked "remember" - allow block and restarted! Half of my screen filled up with multiple windows telling me registry change denied. It would not stop.

I removed Microsoft A-S, but nothing changed. The Gcaserv continued to ask for permission. I finally used a system restore point, and now I'm stable again.....And as I said earlier, before I blocked Gcas, my PC was running (seemingly) OK (with those few exceptions).

This has to be a worm since removing A-S was done through add/remove, and it was the only reference to Micro A-S, yet there are now 8 of its processes running as we speak...maybe 4 of them Antispy executables.

Swimmer Posted August 18, 2005

http://www.extremetech.com/article2/0,1697,1849614,00.asp

Read that.. you might have got the Zotob worm.. The new version of the Malicious Software Removal Tool will now zap the following worms: Zotob.A, Zotob.B, Zotob.C, Zotob.D, Zotob.E, Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC.

SteveH11 (Author) Posted August 18, 2005

Thanks for that. I had just downloaded the newest "malicious" removal tool from Microsoft and it found nothing. PLUS, when I attempted to remove all of Anti-spy, it spawned another copy of itself which is now taking up another 6 meg of my memory. When I try to block it from starting up, the machine goes crazy with hundreds of little Spybot S&D windows telling me that gcaserv is requesting permission to add itself to startup and the registry. I think I'm looking at a reformat.

Swimmer Posted August 18, 2005

Good call.. that looks like the only way to get your system back..

cak46 Posted August 19, 2005

You could try a few other spyware programs such as TrojanHunter, BlackLight http://www.f-secure.com/blacklight/, and/or ewido. The problem with only using a couple is that no one anti-malware program finds everything. I wish there was one that did.........

need4speed Posted August 19, 2005

Try Webroot's Spy Sweeper. It's a 30 day trial, and it found stuff that Adaware and S and Destroy didn't touch. If that doesn't work, I would blow the box (reformat etc. etc.)

SteveH11 (Author) Posted August 19, 2005

Thanks guys, I tried BlackLight...found nothing. I'll give Spy Sweeper a go. What gets me is how after I uninstall MSAntispy the GcaServ still loads (or attempts to anyway). If I try to block it, it spawns another copy of itself. Like I said before, now I have two plus GcaServ processes loading at startup and even worse, Antispy won't scan. It starts to look like it wants to scan but then freezes. As well, I can't update my Spybot, nor my Yahoo toolbar anti-spy. Could this worm be so ingenious that it kills all of my other anti-spyware? I really don't want to reformat but it's looking like the only option. Not to mention that I don't have a disc, as XP is loaded onto the D partition. We've faced this before. I just don't want to have to deal with re-configuring my internet connection in the firewall, updating all the drivers, losing my music, photos etc....I know, backup, but it's all such a pain.

I wonder if this problem is similar to 69's LSASS issue.

BTW, does anyone know if there will be an issue with Microsoft Office and the need to authenticate and activate the software? I just purchased and installed 2003 Pro and if I reactivate it won't the MS police deny me because it's already been registered to my soon to be formatted HD???

Ya know, I was happy in life before I put together this PC. It amazes me that you can't just have a computer anymore without some idiot trying to mess you up. WHY??? Why do people, hackers need to do this??? I can see big corps, but guys and girls like us have done nothing to deserve these worms and viruses. I sound naive, I know, but I just don't get it. Cripes, I don't even browse questionable sites. It seems like every 10 seconds some idiot in China is pinging my machine or trying to send "packets" of some sort. I turned my firewall off for 3 minutes when I first put this machine together and 9 viruses jumped in.

Unbelievable

need4speed Posted August 19, 2005

It appears that after doing a search that there have been a few issues with the Mickey soft anti spy ware tool. I think for that I am not going to use it in the future. Try this link. http://www.pcreview.co.uk/forums/archive/forum-261-2.php

resopalrabotnick Posted August 19, 2005

yeah, seems like nowadays as soon as you hook up your computer to the web it's like putting your picnic table under a hornets' nest. too many people with too much time on their hands, i guess.

resijs Posted August 19, 2005

You ever considered autoupdate was going through? Those are not the symptoms of the Zotob worm, that is MUCH more fatal, i.e., restarting and shutting down the computer a lot, and only affects Windows 2000 computers.

SteveH11 (Author) Posted August 19, 2005

I figured that since my machine only had slight weirdness maybe I was dealing with leftovers or a glitch of some sort. I just don't understand how it still always manages to start up. I even blocked it through MSCONFIG and the tray still shows the bullseye. Granted, I can't use it. My Spybot S&D just found a DSO exploit and supposedly removed it. Another funny thing: I ran WinPatrol and just now, as I was attempting to have it read running processes, it told me it could not run cos the file was gone. I don't know what's going on. Maybe I'm a really lame PC user, or I have a slick little demon running around.

The info I got through Startup Inspector said it was a "variant of the RBOT worm". Shoulda never trusted a beta.

Thanks for looking out guys...the voices keep saying reformat.

TheHalf Posted August 19, 2005

Have you tried running your AV software? Also, if you or a friend have an external HDD, back up what's most important to you on the external and do a reformat on the corrupted HDD. Remember, reformatting is the last thing you want to do; personally I would do a system restore, then run my AV software on a complete PC scan.

TheHalf

cak46 Posted August 20, 2005

Have you done your scans in safe mode? Some viruses, spyware, etc. will block the spyware etc. program from finding the worm, etc. in normal mode.