SpyBot / Adaware Users (heads up)

Mundane Pointless Stuff I Must Share (MPSIMS)
#1

I’ve been trying to track down a parasite on my system which has been inserting ad links into various web pages. I run Adaware and Spybot frequently yet they have both repeatedly reported my system as being clean.

Well, I just found a site which could scan my browser on-line and it returned the following results:

CRAP! SaveNow has been reported to cause system instability and I have been getting some very strange behavior and crashes lately (to the point that I was considering a Windows re-install). I’m surprised that Adaware and SpyBot are not detecting these parasites because some of them are listed as being included in the scans. Perhaps they are new versions that have been changed to avoid detection (I am running the latest updates to both apps).

At any rate, I thought I would share the scan link. You might want to scan your system.This link will launch a scan of your system for problems.

This link will take you to the front page of the same website where you can find a wealth of additional info about privacy and consumer protection.

#2

I would like to know just how that program can scan my browser (browser? Don’t they mean system?) without my giving them access to my computer, as is required for AdAware, Trend Micro, etc. I just tried the URL you gave for the free scan, and it said “Good News! Your computer appears to be clean of spyware parisites!” [sic]
That same results page is recommending Adaware, Spybot, GRC (Steve Gibson’s site) to fix problems. How could they fix problems if they don’t detect them?

Could it be that your AdAware database is out of date? Have you tried a scan AFTER getting the latest malware list?

#3

Sorry, SkyBum, I skipped over your statement that you have the lastest malware lists. Still, something doesn’t ad up. AdAware switched their engine a few months ago, and no new data updates are available for the old version. Could you be running that version and not be aware that that is the case? The latest engine is vs. 6.181 for the personal, free version.

Have you tried reporting or investigating this at the Lavasoft Support Forum?

#4

No that site can’t fix any problems, I believe it is looking at the browser specifically, not the system itself.

I am running version 6.181 and have the latest reference files installed for Adaware and SpyBot. On further inspection of the parasites listed in the OP I can not find any files associated with any of them on my system either (thank god, that VX2 looks to be a nasty bug indeed). I visited their website and read the privacy agreement and my god, I can’t believe that they are able to get away with such an invasive policy. You should give it a look if you want to see how bold they are getting these days, it’s a real eye opener.

Could the scan I linked to be capable of giving a false result? Seems quite possible. I do have something on here but I’m not really convinced it was any of the parasites mentioned. I see those commercial links with a double green underline on many websites I visit and can not track down the culprit after many weeks of investigating. I really thought I had the bugger this time but it looks like I am foiled again.

I’ll check that forum though, I didn’t even realize they had one. Thanks for the tip.

#5

I tried it an it reported I have the VX2, Flash Track and Webhancer. I also could not find any reference to those in control panel, program files, or even when I looked at RegCleaner. I haven’t had any weird advertising links, so I am also wondering about false positives.

#6

You probably got VX2 from a download & install of Audio Galaxy. Here are removal instructions. That site claims both AdAware & Spybot can handle it.

Manual removal of Toptext & Flashtrack. You probably got these from a Kazaa or Limeware installation. Note that the UNinstall routines packed with the installation do NOT completely remove the malware.

You probably installed BearShare, and got infected with OnFlow and SaveNow. AdAware/Spybot should handle it.

Webhancer (AKA Web Cancer), which may have come from AudioGalaxy too, is a little tricker. According to the company, removing the files will also remove your ability to connect to the Internet (this is deliberate, to make you less likely to try, of course). Here’s some info. Still, AdAware/Spybot should handle this one as well.

SkyBum, if you start or participate in a thread at one of the support forums on this topic, bring back & post a URL so we can see the replies, OK?

Boscibo and SkyBum, do you have firewalls in place? I still can’t understand how a web-based program can scan a user’s system for these things unless you let it in, and if you let that in, what else is breeching your security?

#7

I have never installed any of those programs. I am the only user (well, my SO browses sports sites but he doesn’t download stuff, and doesn’t use the email). I also have my AdAware and Spybot updates. I have security on my browser pretty tight, and I always read through user agreements when I d/l stuff.
I have a router, and I also have the XP firewall going. When I go to sites like Shields Up I am in stealth mode.

#8

Musicat - I just followed the instructions from the first link you posted - VX2.dll was not found in a search of my files.

#9

Hmmm. If you get similar results for the other stuff, I would begin to suspect a whole lot of false positives. Maybe AdAware is right and that test you linked to is bogus, altho that seems odd; it didn’t look like they had an ax to grind.

It would be good if we could get to the bottom of this. The last thing we need is a scan scam!

#10

I am skeptical. I searched for files (per instructions), then made sure my Ad Aware and Spybot were up to date, and ran full scans with each. I went back to the original page and found this:

3 were found on the first scan, but after not downloading anything it comes up with 3 additional parasites? Hmmm…

#11

Boscibo, notice that your list is exactly the same as Skybum’s! You guys aren’t using the same computer, are you? :eek:

That makes me even more suspicious that the test is flawed. But if so, what’s the point? It seems like the only thing the unwantedlinks.com site wants is more awareness of the problem, and perhaps some political support for legislation; there is also a low-key ISP/web design ad on some pages.

Boscibo, I can’t find a direct link from the home page of that site to the test page, even thru the drop-down menus, although the URL clearly indicates a connection. Where did you find that test link?

They claim to have a Message Board, but it appears to be a only a single thread with a half-dozen posts total. I didn’t add to it.

#12

I started a thread on this topic on the AdAware Support Forum, Is a scan by unwantedlinks.com valid?

FYI: I am known as Sherman Bay on that forum.

Whoops, I directed a request in a previous post to the wrong party. It was SkyBum that found the direct scan link. If you pick apart the URL, it has “testingscripts” and “standby” as part of the text. I wonder if this was not intended to be a publicly released address – where did you find this URL, SkyBum?

#13

I ran the scan from the link and it found nothing, which indicates it isn’t just pushing out a page. However, if it was running software on your computer, it should have given you a warning about a download. I’m not sure it was doing anything.

Try going to this site. It should tell you if you really are infected, and I’d trust him more than the one you went to.

#14

Heh.

#15

Don’t bother with the scan site, I think. It can’t tell the difference between Netscape and Opera. :stuck_out_tongue:

#16

Not unless Skybum is invisible. Nope, I’m the only person here.

Skybum also found that link, not I.

Anyway, I ran that other test and came up clean. It tested for everything (except VX2 - still can’t find that VX2.dll in my searches), so I don’t know what to think. Maybe the site gets referrals from the firewalls it’s linked to?

#17

I found the link to that scan while browsing within the site, odd though, because I can not find it again. I emailed the webmaster asking for further details. I’ll post them here if I get a reply.

I’m the only user of this machine and the only resident in this house. I’ve never installed LimeWire, Kaaza, BearShare or Audio Galaxy. Very odd that some of the parasites the scan found seem to be specific to those applications. Perhaps that link was buried for a reason.

I also use Zone Alarm with tight security settings and come up clean and stealthed at ShieldsUP. Sounds like that online scan is bogus. Could the firewall be causing it to return a default set of invalid results?

Hopefully the thread Musicat started will shed some light on the integrity of that site.

In retrospect, I wish I had investigated further before posting. I guess I was so excited at the thought I that I had identified my mystery parasite that I overracted a bit. Seems that the site is well intentioned but on further inspection, I don’t feel very confident about them overall.

Appologies for posting so hastily.

#18

OKay, I’m ignorant. What exactly is spyware? What is malware? Do I really need a firewall? I almost never download anything. I usually only go the the same 5-6 websites. I never open ads.

What do I need?

StG

#19

There are numerous scam sites that claim to be able to diagnose your system over the net and find spyware on your PC. This is nonsense, and they are in fact seeking to spread spyware. Do not DL any of these programs or install them. They are the spyware.

#20

Upon scrutinizing the source, the site (actually just the page names msie.htm, the standby.htm page is basically a splash screen) is using <object> tags with specific class IDs that (I assume) are known to belong to various spyware programs. It only tests for 8 programs, and its output is in a specific order–that’s why a few posters up above would get similar looking results. It’s all driven by some fancy-pants Javascript.

It only works with IE because IE can do some registry reading, being integrated with Windows like it is. Class IDs are stored in the Registry.

Overall, I’d trust Spybot and Adaware over this any day, although I’m not about to classify this site as malicious–just not very handy.