It's real, and it has popped out of a couple of machines I cleaned of spyware.
You'll know you have it when the computer does things like upchuck tons of popups every time you turn your back. Someone is making a LOT of commi$$ion on these ads.
There will be half a dozen randomly named processes running. The actual .exe files are created as hidden, system, protected, read-only, the whole bunch. You have to turn off ALL the idiot-proofing in Windows to delete them. Of course, you can't delete them while they are running, and the instant you kill one, two more are spawned by the other five you didn't kill. If you take them out of startup in the registry, they put themselves right back.
There's also a browser plugin. That's what was initially downloaded, and it will reinstall the .exe files upon opening any Internet or Windows Explorer window, even in safe mode. The plugin also turns off the security warning when installing plugins, hijacks the homepage, adds links to favorites, and hijacks Google (it actually replaces search results with ads!)
Oh yeah, and the ad pop-ups constantly try to reinstall the plugin. Can you say infinite loop?
Spybot and Ad-aware can't completely remove it, as it mutates so rapidly. Some new variants will actually kill Spybot or Ad-aware, or close the browser window when you visit anti-spyware websites.
To remove it you have to disable 3rd party extensions in IE, reboot in safe mode, reveal protected system files, delete the random .exe files, clean the startups in the registry, run a scan in Spybot, and manually reset the browser pages and plugins in Spybot's tools. Only then can you turn browser plugins back on and boot normally (if you dare!)
And guess what? No Antivirus I know of recognizes this thing. I guess it's not considered malicious enough.
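
An added example, not part of the original post: a read-only PowerShell triage of the places the post describes. It lists autostart entries from the standard Run/RunOnce keys, marks targets that carry the hidden, system and read-only attributes together, and lists Internet Explorer Browser Helper Objects. Treating the post's "browser plugin" as a BHO is an assumption, and `Get-ExePath` is a helper name chosen here.

```powershell
# Added example: read-only triage, changes nothing on the machine.
# Registry locations are the standard Windows autostart and IE add-on keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$flags = [IO.FileAttributes]'Hidden, System, ReadOnly'

function Get-ExePath([string]$command) {
    # Hypothetical helper: pull the executable path out of a Run-key
    # command line, whether it is quoted or bare.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)
        $path = Get-ExePath ([Environment]::ExpandEnvironmentVariables($cmd))
        $file = if ($path -and (Test-Path -LiteralPath $path)) {
            Get-Item -LiteralPath $path -Force   # -Force is needed to see hidden/system files
        } else { $null }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Path      = $path
            # True when the target carries all three attributes the post describes.
            Concealed = [bool]($file -and (($file.Attributes -band $flags) -eq $flags))
            Created   = if ($file) { $file.CreationTime } else { $null }
        }
    }
}
$autostarts | Sort-Object Concealed -Descending | Format-Table -AutoSize

# Assumption: the "browser plugin" is registered as an IE Browser Helper Object.
# List each registered CLSID with the module it loads.
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Module = $dll }
    } | Format-Table -AutoSize
}
```

Entries marked `Concealed` with recent creation times and names you do not recognise are the ones to examine first from safe mode.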