Warning about MS AntiSpyWare

James R. Brown

I have had the Microsoft AntiSpyware running for a few
months and no complaints. I also have a program
called "Startup Inspector for Windows" on my computer
which I got at http://www.windowsstartup.com/. Startup
Inspector looks at the programs that run on startup and
tells you what they are and suggests if you should
disable them or not.

Microsoft AntiSpyware puts a program in the registry
startup called gcasServ.exe. In the past, Startup
Inspector had no information on this program. Now,
Startup Inspector says in the comments for
gcasServ.exe ; "Added by a variant of the RBOT WORM! Do
not confuse with the Microsoft AntiSpyware executable of
the same name."

I uninstalled Microsoft AntiSpyware, rebooted,
redownloaded it, then reinstalled it. Then I ran Startup
Inspector which still gives the same warning.

I wonder if there is a way I can find out whether I
actually have the RBOT worm or if Startup Inspector is
full of beans.

Thanks
 
Bill Sanderson

I think this is most likely a false positive on the part of Startup
Inspector.

If I inspect gcasServ.exe on my system with Tools, advanced tools, advanced
file analyzer, here's what I get:

If you get the same reading, and maybe we can get somebody else to chime in,
just for safety (who knows--maybe I'm infected too!)--I'd say you are pretty
safe:
-----------------------------
Detailed File Analysis

Display name: Microsoft AntiSpyware (Beta 1)

Name: gcasServ.exe

Description: Microsoft AntiSpyware Service

Publisher: Microsoft Corporation

Path: D:\Program Files\Microsoft AntiSpyware\gcasServ.exe

Version: 1.0.0.615

Size: 473928 bytes

Copyright: Copyright © 2004-2005 Microsoft Corporation. All rights reserved.

MD5: 263740ede788a60a6c0a47249fc410bf

This file is currently running

File linked to startup registry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run


Check the MD5 hash, in particular.
 
AndyManchesta

It is true that there are some worms and viruses which are
now using Giant/MS Antispy names, but you would see the
side effects of this, such as not being able to enter
security-related sites and having your AntiVirus
protection disabled. There are others that will completely
remove MS Antispy and other protection products once
executed, so if you don't see any of this I'd say it's a
false positive.

Here's a few of the main ones, but most of these will
delete gcasServ.exe, not use the name:

http://securityresponse.symantec.com/avcenter/venc/data/w3
(e-mail address removed)

http://securityresponse.symantec.com/avcenter/venc/data/w3
(e-mail address removed)

http://securityresponse.symantec.com/avcenter/venc/data/trojan.killav.f.html

http://uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=1&VName=TROJ_DROPPER.AI&highlight=gcasServAlert

http://uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=1&VName=TSPY_ASH.C&highlight=gcasServAlert


Regarding the Rbot worm, this is the same as Linkbot/
Randex/Sdbot and the Spybot worm, so there are a lot of
variants out there, but I'm not aware of any that use
gcasServ.exe as a startup name. I would ignore the alert,
but if you find anything suspicious, write to them and ask
what variant of the Rbot worm they are referring to.

If you follow the link they give about the Rbot worm, it
just opens this page:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

So you could follow this and check the system folder for
gcasServ.exe, and then search and see if it's found
anywhere on your system except for the c:\ProgramFiles\Microsoft
Antispyware folder; if not, ignore the detection.

Regards

Andy
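The checks Bill and Andy describe above (compare the MD5 and size of the installed gcasServ.exe against the values they posted, confirm what the Run key launches, and look for any other copy of the file in the Windows or system folder) can be scripted. The block below is an added example and is not code from the thread or from Microsoft; the reference hash, size and install path are the values quoted in the thread, the Authenticode signature check is an extra step the posters did not mention, and the folders searched are assumptions.

```powershell
# Added example (not from the thread): automate the false-positive checks the
# posters describe. Run in an elevated PowerShell on the machine in question.

$ExpectedMd5  = '263740ede788a60a6c0a47249fc410bf'   # MD5 quoted by Bill and Andy
$ExpectedSize = 473928                               # bytes, quoted in the thread
$ExpectedPath = Join-Path $env:ProgramFiles 'Microsoft AntiSpyware\gcasServ.exe'

# Compare the installed copy with the reference values and show its signer.
function Test-GcasServFile {
    param([string]$Path = $ExpectedPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }
    $item = Get-Item -LiteralPath $Path
    $md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -FilePath $Path   # extra check, not in the thread

    Write-Output ("MD5  : {0}  (expected {1})" -f $md5, $ExpectedMd5)
    Write-Output ("Size : {0}  (expected {1})" -f $item.Length, $ExpectedSize)
    Write-Output ("Sig  : {0}  {1}" -f $sig.Status, $sig.SignerCertificate.Subject)

    return ($md5 -eq $ExpectedMd5) -and ($item.Length -eq $ExpectedSize)
}

# List every Run value that mentions gcasServ and the command it launches.
function Get-GcasServRunEntries {
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*gcasServ*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

# Look for copies of gcasServ.exe outside the expected install folder.
# Andy's advice is to check the system folder; the search roots are assumptions.
function Find-StrayGcasServ {
    $roots = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'), $env:ProgramFiles)
    Get-ChildItem -Path $roots -Filter 'gcasServ.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $ExpectedPath }
}

$fileOk = Test-GcasServFile
Write-Output "Installed copy matches the values posted in the thread: $fileOk"
Write-Output 'Run key entries mentioning gcasServ:'
Get-GcasServRunEntries | Format-Table -AutoSize

$strays = @(Find-StrayGcasServ)
if ($strays.Count -eq 0) {
    Write-Output 'No other copies of gcasServ.exe found; the alert looks like a false positive.'
} else {
    Write-Output 'Other copies found; these are the ones to investigate:'
    $strays | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
}
```

A hash match against a value posted by other users is only as good as their copies; the signature status gives an independent confirmation that the file really came from the publisher shown in Startup Inspector's analysis.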
 
AndyManchesta

Sorry Bill, I didn't realize you had replied before I sent the
message. My details for this file are the same:

Display name: Microsoft AntiSpyware (Beta 1)
Name: gcasServ.exe
Description: Microsoft AntiSpyware Service
Publisher: Microsoft Corporation
Path: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
Version: 1.0.0.615
Size: 473928 bytes
Copyright: Copyright © 2004-2005 Microsoft Corporation.
All rights reserved.
MD5: 263740ede788a60a6c0a47249fc410bf
This file is currently running

So like you say, it looks like a false positive.

Andy
 
Bill Sanderson

Thanks for the confirmation!

 
James R. Brown

Thanks a lot for your help. My copy of gcasServ.exe checks out exactly as
yours did so either we're both infected or Startup Inspector was giving a
false warning. It's much more likely that there is nothing wrong with the
file.

Thanks
 
Guest

I am in exactly the same situation - which you have
described very well, so you are not alone! I trust someone
will come up with a reasonable explanation for this?

Regards H.
 
Bill Sanderson

This appears to be a false positive on the part of Startup Inspector, but
please confirm the details which Andy and I have posted to this thread.
 