Scumware

[SkyBum]

Lately I’ve noticed scumware links inserted into various webpages, although not every page I view (probably 30 - 40% are effected by this). Most of the links in question are green with a double underline, the rest are orange with a single underline.

I’m running up to date versions of Ad-aware and SpyBot S&D, but they both report that my system is clean.

What can I do to identify this scumware when the above programs can’t find it. Are there any available clues beyond the link’s look and color that might help me to ID it?

Thanks.

[Q.E.D]

From here:

You can tell if you’re infected by VX2 itself by searching for the “VX2.dll” file on your system. If it’s there, you got bit. You can supposedly fully uninstall the software by following the instructions at http://www.vx2.cc/uninstall.html . I assume future versions of tools like Pestpatrol and Ad Aware will detect and remove VX2, but for now, it’s a good idea to take a look for yourself.

Another subscribed reported this: Without authorization, eZula & Surf+ insert software into users PCs. This hidden, secret (and often self-reinstalling) software then takes selected words on your web page and turns these words into links that re-direct whoever visits you onto some other site… See this site for code to detect these. Also visit this site which will automatically check your browser for these and provide detailed explanations. Here is a site with free spyware detecting software SpyBlocker

[SkyBum]

A file search for VX2.dll and came up empty handed. The link you posted does not seem to work. I also can’t seem to come up with much on Google for variations of “green underlined scumware link”.

Thanks for trying though.

[SkyBum]

Odd…the link is working now.

[Eleusis]

Very odd indeed. That link is still 404 for me…

From here:

Contrary to VX2’s claims there is no entry to remove VX2 in the standard “Add/Remove Programs” Control Panel item.

VX2 installs itself into your System directory and is called either “IEHelper.DLL” (Transponder variant) or “VX2.dll” (RespondMiter variant). Before you can delete this file you will need to deregister it. Enter the following command from the command line for Windows 95/98/Me:

“%WinDir%\SYSTEM\regsvr32.exe” /u “%WinDir%\VX2.dll”
Or for Windows NT/2000/XP:

regsvr32 /u “%WinDir%\VX2.dll”
That’s for the RespondMiter variant - for the Transponder variant, write ‘IEHelper.DLL’ instead of ‘VX2.dll’ above.

After doing this and restarting the computer you can delete the file. There will also be some keys in the registry under HKLM\Software\Transponder or RespondMiter, which you can clean.

Clean Registry:

Remove these registry items (if present) with RegEdit:

HKEY_CLASSES_ROOT\clsid\{00000000-5eb9-11d5-9d45-009027c14662}
HKEY_CLASSES_ROOT\clsid\{ef100607-f409-426a-9e7c-cb211f2a9030}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-5eb9-11d5-9d45-009027c14662}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000580-c637-11d5-831c-00105ad6acf0}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{11111111-1111-1111-1111-111111111111}

[Urban_Ranger]

Moral of the story: ditch IE.

[Fear_Itself]

*Originally posted by Urban Ranger *
**Moral of the story: ditch IE. **

:smack: But of course! It is so obvious! Why hasn’t anyone suggested this before?

[SkyBum]

My assumption is that scumware effects other browsers as well. But for what it’s worth, I’m planning to take Mozilla out for a spin.

Regardless of what browser I use, I still need to identify this scumware and get it off of my system.

[Tusculan]

I’m not sure what scumware is, so if I’m off base here, just ignore…

I recently got bit by something called ‘luckysearch’, which infected my IE 5.0, slowing it down to a crawl and resetting my home page every time on start-up. It seems to enter IE through a flaw in the MS Java engine, then changing registry settings and the like :(. Very nasty.

When googling on ‘luckysearch’ I did find a site that described the problem and listed signs similar to those you listed: http://www.spywareinfo.com/~merijn/cwschronicles.html. The site also had a download program that did seem to cure the problem. I don’t know these guys from Adam so I don’t know whether the program is safe, but it worked for me.

From what I understood at that page, it is a specific IE problem for which there is a patch. Unfortunately it didn’t work for my machine (Win '95). So now I use Opera.

[RealityChuck]

Try this for a quick test: http://www.doxdesk.com/parasite/ It should indicate most scumware, though it isn’t comprehensive.

It sounds like something similar to eZula Top Text, but those links are yellow, and Spybot and Ad-Aware would find it.

You may try posing the question at http://www.spywareinfo.com