Jump to content
Sign in to follow this  
SteveH11

Microsoft Antispy exploit ???

Recommended Posts

Good day people !<br><br>I think I have an issue. I ran Startup Inspector and it showed my startup programs, but.....this time I got a warning telling me that this is not to be confused with the "real" MS AS. Here's what it looked like:<br><br>  gcasServ

Filename  C:Program FilesMicrosoft AntiSpywaregcasServ.exe

Params 

Required  Not recommended

Startup Location  LM Run

Memory Usage  6.3 MB

Peek Memory Usage  6.5 MB

Comments  Added by a variant of the RBOT WORM! Do not confuse with the Microsoft AntiSpyware executable of the same name

<br><br> So I go check out RBOT worm here: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437 <br><br>And this begins to worry me. You see, I (at this point) have only noticed a few symptoms i.e., a small number of attempts for packets trying to leave my machine (stopped by ZoneAlarm), or slowed down internet performance for short spells. I don't usually notice much outgoing activity on my "in-out" meter. Plus, I'm constantly scanning for spyware etc. using Spybot s-d, Adaware, and Microsoft A-S...although if that's been compromised I'm sure it's hidden.( I believe it's hidden in the Microsoft A-S folder itself). I also scan bi-weekly for viruses with AVG, but nothing is ever found. <br><br> I just disabled it from starting up. But who knows what that will do ?. Has anyone ever heard of this ? BTW, I am running XP service pack 2. And.......(geeeze)...There also seems to be five running processes involving- Antispy...that seems very weird. Perhaps I should uninstall all of them and get another version ???,<br><br>Thanks in advance.<br><br>EDITED<br><br>I just tried to block the startup of this and another program "LXBYCATS" Upon restart my spybot s&d kept asking permission for a registry change, I checked "remember",- allow block and restarted, !half of my screen filled up with multiple windows telling me registry change denied. It would not stop. I removed microsoft A-S, But nothing changed. The Gcaserv continued to ask for permission. I finally used a system restore point, and now I'm stable again.....And as I said earlier,  before I blocked Gcas, my PC was running (seemingly) OK. (with those few exceptions).<br><br> This has to be a worm since removing A-S was done through add/remove, and it was the only reference to micro A-S, yet there are now 8 of it's processes running as we speak...maybe 4 of them Antispy executables.

Share this post


Link to post
Share on other sites

http://www.extremetech.com/article2/0,1697,1849614,00.asp

read that.. you might have got the zotob worm..

The new version of the Malicious Software Removal Tool will now zap the following worms: Zotob.A, Zotob.B, Zotob.C, Zotob.D, Zotob.E, Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC.p

Share this post


Link to post
Share on other sites

Thanks for that. I had just downloaded the newest "malicious" removal tool from microsoft and it found nothing. PLUS, when I attempted to remove all of anti-spy, it spawned another copy of itself which is now taking up another 6 meg of my memory. When I try to block it from starting up, the machine goes crazy with hundreds of little spybot s-d windows telling me that gcaserv is reqesting permission to add itself to startup and the registry. I think I'm looking at reformat.

Share this post


Link to post
Share on other sites

Thanks guys, I tried the backlight...found nothing. I'll give spysweeper a go. What gets me is how after I uninstall MSAntispy the GcaServ still loads (or attempts to anyway) If I try to block it, it spawns another copy of itself. Like I said before, now I have two plus GcaServ processes loading at startup and even worse, Antispy won't scan. It starts to look like it wants to scan but then freezes. As well, I cant update my spybot, nor my yahoo toolbar anti-spy. Could this worm be so ingenious that it kills all of my other  anti spyware ? I really don't want to reformat but it's looking like the only option. Not to mention that I don't have a disc, as XP is loaded onto the D partition. We've faced this before. I just don't want to have to deal with re-configuring my internet connection in the firewall, updating all the drivers, losing my music, photo's etc....I know backup, but it's all such a pain.<br><br>I wonder if this problem is similar to 69's LSASS issue. <br><br>BTW, does anyone know if there will be an issue with microsoft office and the need to authenticate and activate the software ? I just purchased and installed 2003 pro and if I reactivate it won't the MS police deny me because it's already been registered to my soon to be formatted HD ??? <br><br>Ya know, I was happy in life before I put together this PC.  :angry5: It amazes me that you can't just have a computer anymore without some idiot trying to mess you up. WHY ??? Why do people, hackers need to do this ??? I can see big corps, but guys and girls like us have done nothing to deserve these worms and viruses. I sound naive, I know but I just don't get it. Cripes I don't even browse questionable sites. It seems like every 10 seconds some idiot in china is pinging my machine or trying to send "packets of some sort. I turned ny firewall off for 3 minutes when I first put this machine together and 9 viruses jumped in.  Unbelievable

Share this post


Link to post
Share on other sites

I figured that since my machine only had slight weirdness maybe I was dealing with leftovers or a glitch of some sort.  I just don't understand how It still always manages to start up. I even blocked it through MSCONFIG  and the tray still shows the bullseye. Granted I cant use it. My spybot SD just found a DSO exploit and supposedly removed it. Another funny thing, I ran winpatrol and just now, as I was attempting to have it read running processes, it told me It could not run cos the file was gone. I don't know what's going on. maybe I'm a really lame PC user, or I have a slick little demon running around. <br><br> The info I got through startup inspector said is was a "varient of the RBOT worm" Shoulda never trusted a beta.<br><br>Thanks for looking out guys...the voices keep saying reformat.

Share this post


Link to post
Share on other sites

Have you tried running your AV software? Also if you or a friend have an external HDD back up what's most important to you on the xternal and do a reformat on the corrupted HDD. Remember reformatting is the last thing you want to do, personally I would do a system restore then run my AV software on a complete PC scan.

TheHalf

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...