Comparing AV Scans/ Chasing “Virtual Bouncer” Strategy

Discussion in 'other security issues & news' started by ashwin, Feb 20, 2005.

Thread Status:
Not open for further replies.
  1. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Greetings

    I’m running Firefox Browser, Ewido, Outpost firewall, Microsoft Anti Spyware, Spyware Blaster, Spyware Guard, Ad-Aware, Spybot, Win Patrol, Security Task Mgr. (Trial), Spy Subtract (w/CWShredder), and AVG free, on XP/sp2. There are a few sites that Firefox doesn’t handle, where I dig out the IE.

    Yesterday I did a scan using the RAV free online scan http://www.ravantivirus.com/scan/indexie.php# . It reported 12 files infected with “my doom” and “love gate”. These files were all from Outlook Express, which I gave up on over a year ago, or from msn e-mail (which I gave up on yesterday!)

    The AVG, Avast!, and Etrust scans did not detect the viruses.

    The RAV site doesn’t remove the critters, but I found that the Pandasoftware free virus scan found and cleaned the 12 files. Panda reported something else in my Registry: “Virtual Bouncer” spy ware. The Panda virus scan doesn’t remove malware. http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Panda reports the Virtual Bouncer as basically a low level threat, issuing pop-ups, but on the SpywareGuide website, it is described as able to “call home” and install software which I would have to pay to remove. http://www.spywareguide.com/product_show.php?id=514

    There is currently a post in another forum with the same finding of Virtual Bouncer by Panda, and they submitted a hijack this log. I’ll keep watching…None of my software has detected the VB.

    I downloaded X-Cleaner from SpywareGuide, and ran it, but it didn’t report finding Virtual Bouncer, though VB was listed as one of the items it scanned for.

    I went to the Spy Sweeper online scanner, and it found 3 items: “user monitor”, “NeededWare”, and “TopList Cookie.” The rating of this combo was well into the danger zone. No cleaning here either.
    http://www.webroot.com/services/spyaudit_03.htm?WRSID=0ce963957aed2c39c67e767ea3aab8b3

    I went to Steganos.com, where they sell a licensed/copy version of Spy Sweeper (made by Webfoot), and downloaded the free trial. It reported 4 items: Alexa Toolbar, Websearch Toolbar, Passport Cookie, and SecuryBanks Phish Trojan. It reported removing them all.
    http://www.steganos.com/?product=SASPY7&language=en&layout=default I think the free trial was just one scan though, so the 30 day trial with SS is better.

    It is interesting that though Webfoot is supposedly behind both scans, they came up with different infections. I’ve used the online scanner from SpySweeper before, and it has seemed to accurately reflect when malware is later removed. In my experience, it catches more than anything other than MAS. There is a review here: http://www.eweek.com/article2/0,175...3129TX1K0000614
    And thanks to Eric Howes and his website for giving so much scoop on spy ware here:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm#background

    During this time also, I tried several times to set up A-Squared, but the updater would never connect to the internet. Likewise, the SpySubtract has always said the connection was not available to internet for update. On start up SpySubtract always says “Your network configuration is damaged…” and offers to fix it, but the alert always comes up. Does anyone know what this is about?

    By the way, SpySubtract and the CWShredder is a new one for me. I was looking to find something to remove the VB, but it reported finding several other items: blaze find, search bar crash, search miracle, scoobidoo.com, new media properties, effective I -inc …SpySubtract is here:
    http://www.intermute.com/spysubtract/cwshredder_download.html

    I used system restore to go back to the earliest time when I “thought” my system was clean- when I first started using anti spy ware software. It was only about 3 weeks ago.

    What I found at that restore point was the same VB registering with the Panda scan, BUT the my doom and love gate were gone. As I mentioned, they were in Outlook Express, which I haven’t used for over a year, so the removal of the viruses held through the restore process. The RAV site scan also was clean of the my doom and love gate viruses after the restore. I thought I was going to have to clean them off again. As a rookie this is all a learning curve. At that restore point, I was using the Spy Sweeper on trial, and it was all clean, as verified by a new scan on the webfoot website.

    My Outpost firewall is not reporting any suspicious software requesting an outbound connection. The feature is working, as I get them from other applications. My computer seems to be working fine (maybe a javascript issue in Firefox). Everything I scan now registers clean, except for the VB at the Panda scan. Of course, I wouldn’t want the first symptom of a problem to be a large phone bill from embedded malware…

    I’m going to watch the post on the other forum to see where it goes, and am looking at my priorities for the next level of security. I’m a novice, and considering: SpyCop, MJ Registry Watcher, Process Guard, Prevx, KarenWare Replicator for back-up…when I have some time to fiddle on the learning curves.

    I’ve seen the protocol for turning off system restore, and running the series of scans in safe-mode, which may be best at this point. I like the idea of running SpyCop and then putting up Process Guard and/or MJR, but I’m still trying to grasp some of the stuff from Outpost…Or a registry cleaner first? Hopefully user friendly.

    I’m open to suggestions. What would your priority be? Does the VB sound like a real concern?

    Thanks for the patience if this is overkill on the details- because I’m new at it, not sure what is important and what isn’t.

    Thanks everyone!

    Ashwin
     
  2. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Thanks Spanner!

    I’ll follow up. I’ve also had time to do some googling- even found the maker of the critter offering an uninstall program…hmmmm, no thanks!

    I checked the add/delete section, and there is nothing there with the name bouncer to uninstall.

    Also, I wanted to mention that I was actually NOT able to scan with the eTrust. I couldn’t get the active-X to work- with IE.

    Regards

    Ashwin
     
  3. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Greetings Spanner

    By eTrust I meant this site; http://www3.ca.com/Solutions/Collateral.asp?CID=40387&ID=

    I just ran my anti spy arsenal in safe mode, and there was no trace reported.

    I have not turned off system restore yet... Wanted to try one thing at a time.
    Is turning off the system restore mainly for viruses that are deleted, and then keep coming back, or for cases like this where nothing at all seems to turn up- (except of course for the panda scan).

    I'm curious that none of these other programs are finding anything, as the VB spyware has been around for some time now. What do you make of that?

    I'm still not having any symptoms that I can trace to the VB- no pop ups or alerts from Outpost of anything trying to phone home.

    Also, the XCleaner was supposedly able to find and delete the VB, but nothing was reported there either.

    Question: When I was pulling out of safe mode, a series of screens popped up, and one of them is the system configuration dialogue box. Here is what I mean by "NOVICE". I have no idea what to do with the options. As it sits there, it has the "selective start-up" option selected.

    Should it be that, or one of the other two? I would think the "normal Start-up " would be the choice.

    All the square boxes are checked, and I have no idea what they mean.

    Also, the last option checked is "use modified boot ini" instead of "original boot ini". Does that seem correct? I'll keep the computer running and hopefully someone can let me know...

    Thanks

    Ashwin
     
  4. preAARP

    preAARP Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    6
    Ashwin, I currently have the same symptom of Panda seeing VB. Unlike you, little other anti-Spyware software has detected anything else on my PC, (the exception being Ad-Aware which keeps picking up several tracking cookies in IE cache - something I thought was entirely empty at the time).

    Thanks for the post as I used a lot of the free services you pointed out to try to resolve my somewhat similar problem.
     
  5. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    You are very welcome Pre AARP,

    I just ran a HiJack This Log, and there is a website here:

    http://hjt.iamnotageek.com/

    that has a very nifty service where all you have to do is paste in the log- right on the web page, and they have an automated analysis of it. Complete with alerts, and if you click on some of the items, it links you right to a page defining them, and whether or not they are usually to be saved or removed...

    Very nice for the novice, and I'm curious if anyone else here has had a chance to test drive it, and what they think of it. They are not promoting it as the final word, but as a place to get a good idea of the situation...

    My log does not have many alerts at all- looks clean to the untrained eye.

    The version of the HJT download is newer on the Wilder's site, so I'd use that one.

    Is your computer having any noticeable problems?


    Good Hunting

    Ashwin
     
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Spanner - your duplicate post as a "guest" has been removed - you're welcome. I think you know better.
     
  7. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Greetings Spanner

    The BitDefender and Symantec both scan with nothing found. For grins I did the Symantec security check also: all OK, though it did not see my AVG protection as adequate, or that I was running any common anti virus protection at all.

    The Symantec scan noted it did not check compressed files, and it did not seem to be as in depth as some I’ve used.

    Thanks for reminding me about the links to VB on Wilders. I was going to ask you if it was supposed to be a link directly to a post, or just to the index page. Both the original and the link you sent last night for the Wilders lead to a page that says “sorry, no matches”…

    But the Spyware Warrior link I followed, and ran as directed, with no results. I liked the idea of turning off AVG to avoid interference, but still nothing reported by AdAware. As far as I saw, all the tweaked options were already checked in my AdAware scan profile.

    On the “tweak” instructs for the AdAware on SW forum, it said to check “activate in-depth scan”…..What I found and checked was “deep-scan Registry” as an option under the custom scanning options. Is that the item?


    Are you using a search feature on Wilders or SpywareWarrior to come up with those links, or Google o_O
    I’d like to know how to find them.

    I noted also that the person they were helping on SW said the VB “couldn’t handle” the Ad Aware, but that there was an “extra hanger on called ISBIS toolbar …didn’t seem to be doing much…taking a wait and see attitude.”
    So, could I have such a “hanger on” like that- just a remnant of a more functioning VB item?

    I went to “start” and then to “search” and entered these, just to see what would come up:

    book2.dll
    sysfile.dll
    vern32.dll
    antis spy.exe
    bsx32.ini
    user.xml
    virtual bouncer.txt

    They are from these links:
    http://www.iamnotageek.com/a/389-p1.php

    http://www.securemost.com/articles/trou_3_remove_virtual_bouncer.htm
    I think Symantec has a similar page but I lost it in the shuffle somewhere.


    My search found nothing in the c drive.
    At any rate, I’m wondering if, since Panda found the critter with the virus check, their spy products will be able to find and remove it. Likewise, Pest Patrol has in-depth descriptions on VB, and may be worth a try.


    Thanks Much

    ashwin
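
    The file-name check described in the post above, as an added example that is not part of the original thread: a recursive, case-insensitive search for the listed names that also records folders it could not read, which a GUI search may skip silently depending on its options. The function names and the sample tree are constructed for illustration; the file names are copied as written in the post.

```python
import os
import tempfile

# File names the post searched for, copied as written there.
VB_NAMES = ["book2.dll", "sysfile.dll", "vern32.dll", "antis spy.exe",
            "bsx32.ini", "user.xml", "virtual bouncer.txt"]


def find_named_files(root, names=VB_NAMES):
    """Walk root; return (sorted matching paths, folders that could not be read)."""
    wanted = {n.lower() for n in names}
    hits, unreadable = [], []

    def on_error(err):
        # os.walk reports folders it cannot list; keep them so a clean
        # result is not mistaken for a complete one.
        unreadable.append(err.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            # Windows file names are case-insensitive, so compare lowered.
            if name.lower() in wanted:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits), unreadable


def demo():
    """Run the search over a constructed sample tree (hypothetical layout)."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Program Files", "Sample")
        os.makedirs(sub)
        for name in ("BOOK2.DLL", "readme.txt", "User.xml"):
            open(os.path.join(sub, name), "w").close()
        hits, unreadable = find_named_files(root)
        return [os.path.basename(h) for h in hits], unreadable


if __name__ == "__main__":
    print(demo())
```

    A name match is only a lead: a generic name such as user.xml can belong to unrelated software, and an empty result does not rule out renamed files or registry-only traces.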
     
  8. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    one more thing:

    My Ewido is now scanning up to about 60% complete and then jumping to "no infections found."

    I'm in contact with Ewido about it.

    Could one of those bad boy malware items be causing that?
     
  9. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Hey Spanner-

    The Virtual Bouncer reading from Panda appears to have been a false positive:

    http://forums.net-integration.net/index.php?showtopic=28389

    I am also getting a false positive on the Spy Sweeper on-line scan for one called "neededware", which is actually a spyblaster related item.

    Before I found this info, Ewido e-mailed me back, suggesting I use the uninstall from the VB maker...and then to try their scan again. I'm more inclined to uninstall and reinstall the Ewido.

    Thanks for all the effort Spanner. Let me know if that link disappears!

    Highest Regards,

    Ashwin
     
  10. sumukh

    sumukh Registered Member

    Joined:
    Mar 14, 2005
    Posts:
    1
  11. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Ashwin, I wouldn't worry about it, it's not like Ewido is skipping the 40% (mine does exactly the same), it just looks like it, I'm sure it's something that will be corrected in a future release/update right now it's just not very accurate (a minor bug IMO). If you instead look at bottom where it says: "scanning c:\........" you can see that it's actually scanning the same files as your AV is doing (mine does at least ;) ). :)
     
  12. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    I can confirm Don's conclusions, as I have been in contact with fish25 on this 'problem' over the last week or so.

    As Don states this is a minor bug and the Ewido scanner is definitely checking all the files you select it to scan.
     
  13. Green Giant

    Green Giant Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    252
    Since installing and activating the Protector part of SpyCatcher 3.5 (www.tenebril.com), Panda Titanium AntiVirus 2005 no longer finds Virtual Bouncer, Super Spider, Media Tickets and other spyware in my PC. This is the only software I have found which actually does what it says on the tin - it prevents reinfection!
     
  14. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    It's a bit O/T, but after reading the original post, I decided to run Webroot's online scanner (with Process Guard fully active). I'm not sure how to interpret this, but after allowing spyaudit to start, PG blocked spyaudit from modifying 15 processes/programs, one right after the other. Almost all of them are in my startup list. Nothing like that happened when I ran the online AV scans at RAV or Trend Micro. WTF?
     

    Last edited: Apr 25, 2005