[zerodamage]

I've come across the ugliest spyware to date. This thing will just not go away by normal means. Adaware, Spybot, nothing will remove it at this time.

I've been working on removing this spyware infection on a customer's computer for 2 days now. Adaware has an update to find the infection but what happens is that it can not be removed. Spybot doesn't detect it either. What happens is that Adaware finds this and says it will have to reboot, even in safe mode, and when the computer restarts, this spyware kills Adaware from starting up at startup. This spyware also connects to the internet and installs other spyware. Not only that but it digs itself into the Winlogon.exe file. You do NOT want this thing on your computer. The only way to remove this thing right now is by reinstalling windows and possibly by other complicated methods. Norton Antivirus 2004 did not detect it.

Now this thing is called: VX2.BetterInternet
The file is ausmsext.cpy.dll located in your system32 folder. This thing uses different DLL files and makes copies.
There is also a registry entry going into Hkey_Local_Machine/Software/Microsoft/Windows NT/winlogon/notify/guardian

Adaware classifies this thing as a Data Miner. Now there are ways to remove this but none of them are 100% and it finds ways of getting back. So the only sure way of removing this is a format and reinstall of Windows. Adaware finds it but can not fully remove it.
You can see how ugly this thing can be at the Adaware forums Here.

To help you avoid getting this thing, avoid the sites listed at: PCSympathy.com

This seems to be the only working method for removing this thing. It did not work for me but has worked for many others if you have this thing on your computer. Read the instructions Here

There is some good news in all of this. Spyware Blaster blocks this from ever installing on your system. You can download it from Javacoolsoftware. Remember to update after installing it. Also make sure you enable all of the protection.

These types of infections are only going to get worse. Laws need to be put into place to punish companies that do this.

UPDATE: I noticed this and it should tell you a lot about this VX2 stuff. Companies name was VX2 based out of the U.K.
Read about it here: ZDnet

[Dom]

Thanks for this, my friend's PC had this crap on there.

[MIG-31]

i already have this installed from this morning.surprised how much i had to remove after 3 days after transferring to cable broadband access.

[zerodamage]

This stuff is just getting worse and worse. I had another computer that had a search bar that actually sat right above the taskbar and this thing would not let me install Adaware. It would kill the process before the dialoge came up. This stuff ...... Adspy-Viruses is what I will call them. They are nothing but viruses that spy. This Adspy-virus and what it did is only the beginning. Will not be long and the only thing a computer will be good for is visitting DH. No more browsing.

[shortstuff]

I don't think I have gotten that. Thanks for the info zerodamage. I will be looking out for it. I have adaware installed on my system, it hasn't picked up anything like that though.

[germanjulian]

wait.... if u dont use ie and dont click install crap on my computer you wont get this?! yes....... no problem then... just like I dont have an AV program and no virus for over 2 years... sad for the average user though

[zerodamage]

You do NOT have to authorize for it to install. MOST spyware installs without you knowing about it or without asking you. It just installs, plain and simple.

[wertret]

I use firefox, am i safe?

[FDM80]

Yeah, a friend of mine has some monster of a thing on her computer that is constantly trying to mail itself to many addresses. Always trying to send emails about viagra and stuff. She's not tech savvy enough to remove it herself so the only way I could try and get rid of it was using XP's remote assistance to try and do as much as I could. At the time the combination of spyware software and virus scanning wasn't enough to get rid of it. Probably only way to totally deal with it is a reformat when she is back in town. Just sad in the fact that this stuff will end up causing people to lose so much time.

[Xiphias]

So is this thing showing up as a process? And does anyone know what method the sites use to install this thing?

I'm probably covered and I can always reinstall but it doesn't hurt to check for it.

[AshG]

I've visited some interesting sites recently, don't remember any URLS right now... IE 6 from SP2 pops up a "This site attempted to install software on your computer" notice. I'll start scribbling down URLs and trying to find what those sites have been trying to install...

[Rayder]

Luckily, I have SpywareBlaster installed (as well as Ad-aware and Spybot), I should be OK. Besides, I never went to any of the sites listed anyway.

You know, they should chop the hands off and gouge out the eyes of the people that create these things when they find them......I just don't understand what kind of sick pleasure those people get out of doing this stuff.

[astrolabos]

I have in my pc at work (sadly i am not the only one to use it) a trojan that Mcaffee found (while Norton wasn't able to find ) named Coreflood.dll

Quote:

It is likely that this component of the trojan is downloaded to the victim machine via a JavaScript trojan detected as JS/Cisp . This script results in the downloading of a 5,120 byte PE executable (with filename README.TXT). When the 5,120 byte executable is run, it extracts a DLL from its body, saving it to disk as: %SysDir%\XXXXXXX.DLL (20,480 bytes) (where %SysDir% is the Windows System directory, and XXXXXXX represents 7 random characters, e.g. C:\WINDOWS\SYSTEM\AVCXKDM.DLL) The EXE and the DLL are detected as CoreFlood and CoreFlood.dll respectively by the latest engine/DATs. Code within the DLL is run via a function call by the executable. The DLL is injected into the memory space of EXPLORER.EXE. In this manner personal firewalls may be bypassed (if EXPLORER.EXE is a "trusted" process).

The thing is that this trojan CANNOT be removed by any means. It creates an entry at run folder in registry that when you try to manually delete it, it regenerates again!!!!

You might say "Why do you write all these stuff?" I write them because the way that this adspy virus acts the same way that coreflood.dll does (which was first noticed @2001)

The McAffee link that reports coreflood.dll can be found here

Any help or suggestion would be appreciated

[zerodamage]

Quote:

Originally posted by Xiphias
So is this thing showing up as a process? And does anyone know what method the sites use to install this thing?

I'm probably covered and I can always reinstall but it doesn't hurt to check for it.

It runs as part of the Winlogon.exe process, but is not in the "Services" list at all. I removed all signs of it to the point where there is nothing showing up on Adaware, reboot and both the registry entry and that DLL file is back. I told my customer that he will have to format and reinstall. This is a business computer too. One, it is sad that this adspy virus is causing me so much time and he is losing data, time, and money because this is part of my business, can not do it for free.

I wonder how many corporations out there have spyware riddled workstations and not even know it.

[zerodamage]

What do you all think should be the name of these things? Spyware doesn't sound appropriate enough. I am currently using Adspy-Virus but thought maybe Adspirus or Adspyrus or something like that would be better suiting to these things. They are worse than viruses. I do not know of many viruses that can't be removed with some sort of tool or virus program. But these adspy-viruses are now to the point where you need to format and reinstall or jump through hoops with 4 different 3rd party programs, registry edits, etc. It's to the point where regular joe schmoe can't remove adspy-viruses anymore.

[EcPercy]

Man this sounds like work... these people where I work... I feel so sorry for them... man we have tried everything to get rid of this crap... I think that a joint lawsuit against all of the major spy/hijacking program makers should do it.. I have tried to convince the place I work to switch to firefox, but I don't know if they will they are stuck on MS too freakin hard....

Oh well ... everyone I talk to I tell about Firefox.. and they use it. The real problem is that this crap installs without you asking.. well only with IE though... thats the real problem. They (MS) are trying to fix this with sp2, but its too little too late.

Sue the companies that make this and it will go away.

[zerodamage]

Firefox is just as open to adspy-virus cookies as IE. Spyware Blaster blocks adspy-virus cookies for mozilla and firefox as well. I highly recommend it. Actually, that is the FIRST program I install now with a fresh install of Windows.

[jsx[ifl]]

i reinstalled windows last week and formatted, as i do every so often and almost instantly i received this crap. i dont feel like reinstalling and going through the process again its so ridiculous. ill try some of the other methods b4 i reinstall again/

[zerodamage]

If you have that junk I posted about here, then you will most likely have to format and reinstall. I tried EVERYTHING suggested in every forum I could find a link to via a google search and nothing.

[jsx[ifl]]

well im gonna have to reinstall/format and the likes YET AGAIN. Id love to meet the people who make these things and knock their brains out allover the sidewalk.

[grimfang]

I,ve got this damn thing on my xp home. Is this why it pauses at welcome screen for a minute or two. Also is there anyway I can get rid of this since I have xp home or am i going to have to reformat?

[zerodamage]

If you have it, you will NEED to format and reinstall if the method shown in my original post doesn't work. The thing to do is follow it to a "T" and then restart and check again in an updated Adaware. If it isn't there, restart and try one more time to make sure. If it comes back then, then you will need to format and reinstall. Keep in mind it did not work for me but may work for you.

And yes, that is why the welcome screen takes a LONG time to load. Did it to me as well. Remember, it has integrated itself into Winlogon.exe.

[grimfang]

Thanks for the quick reply. The instuction for removal is for pro version correct? How do i do it for home version

[No_Style]

This weekend I decided to reformat my laptop. Unfortunately, I thought it would be safe to go online and get updates. I was sorely wrong. Instantly, I got a variant of the gaobot virus and and RPC shutdown. This thing was awful. It was detected by NAV, but I couldn't remove it unless I was in safe mode. But even then, It came back! I tried doing some windows updates, but it refused to install them. Everything was solved after going into Safe Mode with Networking and installing the updates manually. What's worse was that it left permanant "damage" on the laptop. I can't access anything on the symantec site or do any LiveUpdates either.

Now I'm doing an offline reformat and update.

[AshG]

Hrm... Adspy-Virus is a little long to handle.... How about Virad?

I've got McAffee Enterprise set to detect spyware and joke programs now, plus Spyware Blaster and Ad-Aware. IE6 SP2 seems to work well too. Here's hoping...

[zerodamage]

Quote:

Originally posted by grimfang
Thanks for the quick reply. The instuction for removal is for pro version correct? How do i do it for home version

The instructions should be the same for the Home version as for the Pro or really close. So close that you should be able to go along just the same, but if not, drop a note here and we'll try to help you out.


As for the virus getting on the laptop, that is what hapens when DCOM and Messenger services are running when going on the net and not have a firewall present. I stay offline and do all of my updates via CD-Rom, then I disable those junk progs and services.

[grimfang]

On the xp home where is the local security policy? I see administrative tools but after that i dont see local security policy. Is it called something else under home?

[pr0digal jenius]

Quote:

Originally posted by zerodamage
Firefox is just as open to adspy-virus cookies as IE.

WRONG

with firefox there is about a page long peice fo script you can roll up in the chrome file that automatically purges all known forms of adds and blocks the URLs/scripts/etc

if anyone is interested i'll try and dig up the page and post it later

[zerodamage]

Quote:

Originally posted by grimfang
On the xp home where is the local security policy? I see administrative tools but after that i dont see local security policy. Is it called something else under home?

Try everything except that part of the removal. If you are using XP Home, then you may have to format and reinstall.

[zerodamage]

Quote:

Originally posted by pr0digal jenius
WRONG

with firefox there is about a page long peice fo script you can roll up in the chrome file that automatically purges all known forms of adds and blocks the URLs/scripts/etc

if anyone is interested i'll try and dig up the page and post it later

I would be wrong if Firefox did not have a problem with adware cookies by default. The regular everyday user is not going to know about this script or where to get it. The same goes for IE. This is where Spyware Blaster comes in. It blocks the URL's and the tracking cookies all in one program.