ADW_GAMESPY.A
Overview



In the wild: No

Reported detections: Low

Description:

Alias: Adware-GameSpy (McAfee)

Threat Type: Adware

Systems Affected: Windows 95, 98, ME, NT, 2000, XP

Installer Name: gsda.dll

Download URL: http://www.gamespyarcade.com

This adware is a .DLL file component of another adware or spyware. It tries to connect to random IP addresses and displays popup advertisements. It also downloads and runs a copy of a software's installer file.



Solution:

TREND MICRO SOLUTION

  • Minimum scan engine version needed: 7.100
      TMAPTN version needed: 186.05
  • DCE version needed: 3.8
      TMADCE version needed: 151.01

MANUAL REMOVAL INSTRUCTIONS

Identifying the Grayware Program

Download the latest grayware pattern file and scan your system. Note all files detected as ADW_GAMESPY.A.

Terminating the Grayware Program

This procedure terminates the running grayware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    » On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
    » On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the grayware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected grayware files in the list of running processes.
  5. To check if the grayware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the grayware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Entries from the Registry

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, locate and delete the following subkeys:
    • HKEY_CLASSES_ROOT>GSDA.GSDACtl>CLSID
    • HKEY_CLASSES_ROOT>CLSID>{578D8287-FB03-466E-A404-DD772E6CBEAE}
    • HKEY_CLASSES_ROOT>CLSID>{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}
    • HKEY_LOCAL_MACHINE>Software>Classes>GSDA.GSDACtl
    • HKEY_LOCAL_MACHINE>Software>Classes>GSDA.GSDACtl.1
    • HKEY_LOCAL_MACHINE>Software>Classes>GSDA.GSDAProp
    • HKEY_LOCAL_MACHINE>Software>Classes>GSDA.GSDAProp.1
  3. Close Registry Editor.
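
To confirm that the subkeys listed above are gone, or to triage a registry export taken from another machine, the following added example (not part of the original advisory or any Trend Micro tool) scans the text of a Registry Editor export for them. It goes slightly beyond the list by treating HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE\Software\Classes as the same branch and by matching case-insensitively; the sample export and the function names are constructed for illustration.

```python
import re

# Subkeys listed in this advisory for ADW_GAMESPY.A.
IOC_SUBKEYS = [
    r"HKEY_CLASSES_ROOT\GSDA.GSDACtl\CLSID",
    r"HKEY_CLASSES_ROOT\CLSID\{578D8287-FB03-466E-A404-DD772E6CBEAE}",
    r"HKEY_CLASSES_ROOT\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDACtl",
    r"HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDACtl.1",
    r"HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDAProp",
    r"HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDAProp.1",
]
HKCR = "hkey_classes_root"
HKLM_CLASSES = r"hkey_local_machine\software\classes"

# Constructed sample export; the InprocServer32 child key is illustrative only.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\gsda.gsdactl\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GSDA.GSDAProp.1]

[HKEY_CLASSES_ROOT\CLSID\{578D8287-FB03-466E-A404-DD772E6CBEAE}\InprocServer32]

[HKEY_CLASSES_ROOT\.txt]
"""

def normalize(key):
    # Key names are case-insensitive, and HKCR exposes HKLM\Software\Classes,
    # so fold both spellings of that branch into one form before comparing.
    k = key.strip().strip("\\").lower()
    if k == HKLM_CLASSES or k.startswith(HKLM_CLASSES + "\\"):
        k = HKCR + k[len(HKLM_CLASSES):]
    return k

def find_listed_subkeys(reg_text):
    # Collect every "[key path]" section header in the export, then report each
    # advisory subkey that is exported itself or is the parent of an exported key.
    exported = [normalize(m) for m in re.findall(r"^\[(.+)\]\s*$", reg_text, re.M)]
    hits = []
    for ioc in IOC_SUBKEYS:
        n = normalize(ioc)
        if any(e == n or e.startswith(n + "\\") for e in exported):
            hits.append(ioc)
    return hits

if __name__ == "__main__":
    for key in find_listed_subkeys(SAMPLE_EXPORT):
        print("still present:", key)
```

Exports written by Registry Editor on Windows 2000 and XP are UTF-16 by default, so open such a file with encoding="utf-16" before passing its text to find_listed_subkeys.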

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Download and unzip the latest grayware pattern file and scan your system. Then, delete all files detected as ADW_GAMESPY.A.



Details:

This adware is a .DLL file component of another adware or spyware.

Upon execution, it tries to connect to the following site to download and run a copy of a software's installer file:

    http://www.gamespyarcade.com to download copy of its

It also attempts to connect to random IP addresses, where it performs a DNS query to launch popup advertisements.

This adware adds the following registry subkeys to perform its intended routine:

HKEY_CLASSES_ROOT\GSDA.GSDACtl\CLSID

HKEY_CLASSES_ROOT\CLSID\{578D8287-FB03-466E-A404-DD772E6CBEAE}

HKEY_CLASSES_ROOT\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}

HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDACtl

HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDACtl.1

HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDAProp

HKEY_LOCAL_MACHINE\Software\Classes\GSDA.GSDAProp.1

It is a DLL compiled using Microsoft Visual C++ 6.0, a high-level programming language.




Analysis by: Robellen F. Navelgas

For additional information about this threat, see:
Solution

Description created: Jan 24, 2005



