Detections not being removed.

Dean

I have two issues that MSAS is detecting but not
removing. One is an instance where a
WindUpdates.MediaAccess Adware warning pops up and the
remove option is selected. The other is an information
box requesting approval for a Browser Helper Object where
I chose block.
It would be nice if more details could be provided up
front on each of these so I would know which file was
trying to install the adware, or which BHO was needing
approval so informed decisions could be made. The
cleaner.log shows the windupdates removal attempt
(HKLM\Software\uS\Code Store Database\Distribution
Units\"data"), but it is not successful in removing this
and does not show the BHO request. gcASCleaner is put in
the RunOnce registry area but for some reason it either
isn't successful, or something else is rewriting this
information ("Visible" running processes are all valid
and don't appear to be the source of this problem). Any
assistance would be appreciated.

Dean
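
The details Dean asks for (which BHOs are registered, which DLL backs each one, and what is queued in RunOnce) can be read directly from the registry. The following is an added example, not part of the original thread and not MSAS code; it assumes the standard Windows registry locations for BHOs and RunOnce, and it only reads, never modifies.

```powershell
# Added example: read-only inventory of Browser Helper Objects and RunOnce entries.
# Run from an elevated prompt so the HKLM keys are fully readable.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$bhos = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Each BHO subkey is a CLSID; its class registration sits in the same registry view.
    $clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    if ($root -like '*WOW6432Node*') { $clsidRoot = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid = $key.PSChildName
        $name = $null; $dll = $null; $modified = $null; $signature = 'n/a'

        $classKey = Get-Item -LiteralPath "$clsidRoot\$clsid" -ErrorAction SilentlyContinue
        if ($classKey) { $name = $classKey.GetValue('') }            # friendly name (default value)
        $serverKey = Get-Item -LiteralPath "$clsidRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($serverKey) { $dll = $serverKey.GetValue('') }           # DLL loaded into the browser

        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $modified  = (Get-Item -LiteralPath $dll).LastWriteTime
            $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        } elseif ($dll) {
            $signature = 'file missing'                              # orphaned registration
        }
        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll
                           Modified = $modified; Signature = $signature }
    }
}

# RunOnce values are consumed at the next startup/logon; list what is queued now.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runOnce = foreach ($path in $runOnceKeys) {
    $k = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($valueName in $k.GetValueNames()) {
        [pscustomobject]@{ Key = $path; Name = $valueName; Command = $k.GetValue($valueName) }
    }
}

$bhos    | Format-List
$runOnce | Format-Table -AutoSize -Wrap
```

Saving the output before and after a reboot shows whether a queued RunOnce cleanup entry was actually consumed and whether a BHO registration reappeared.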
 
Andre Da Costa

Hi

- Download CCleaner, www.ccleaner.com, and remove all temporary junk.

- Download Lavasoft's Ad-Aware
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=pop

Done. Maybe it's necessary to restart in safe mode; press F8 during reboot.
Scan again with MSAS and Ad-Aware, always choose "Full Scan".

--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
Dean

Thanks for the suggestions. I cleared the history and
ran Virus (McAfee), Adaware, Spybot, and MSAS scans in
safe mode which didn't help. None of these are detecting
anything at this point but the start up warnings below
remain. Any other thoughts or information on determining
the source?

Thanks,

Dean
 
Alan

Are you running the application under a limited-user
account?

If so, this is likely the problem. One person posted a
problem that CoolWebSearch was removed by the
administrator account, but anytime a limited-user
account was accessed, a warning was displayed stating
that "CoolWebSearch is trying to install ..."

If you are trying to run it under a limited-user account,
log in under an administrator account and rerun the scan.

Alan
 
Dean

Thanks Alan,

I should be more clear on the adware issue. I am logged
in as administrator. Some of the items detected in the
registry are removed (per the cleaner.log) and verified
manually using regedit, but since the gcASCleaner entry
is put in place to clean more at startup, I'm assuming
that this portion of the cleanup isn't working correctly
(and isn't available in any source I could find). If I
am reading the clues correctly, this final step isn't
working at startup which results in the registry entries
getting re-added, detected, and the cycle continues. If
this is indeed what is happening, it would be nice if a
clue to what process or ? is writing the registry entries
and could be stored in a log or available some other way
(maybe a short lookback log that could be enabled for
startup issues so the history could be looked at by the
programming to determine the root cause of the
detection??).
The BHO item doesn't show up anywhere that I could find
so I don't have specifics on what was detected and
apparently not cleaned so it wouldn't re-occur each time.

Thanks,

Dean
 
Alan

If you are running XP, I have an almost sure-fire fix to
the neverending detect-remove-detect-remove-... problem.

Go to c:\windows\prefetch and shred any files whose
filenames contain the names of the spyware that you are
constantly removing. You can get a FREE file shredder
from download.com.

You can also try to run a FULL SYSTEM scan in Safe Mode
(press F8 before Windows screen during boot/reboot).
This seems to help remove these types of infections.

Also, make certain that your firewall is up-to-date, as
this can also be where these files are getting onto your
system. Make CERTAIN that Real-time Protection is
enabled in ONLY one of your antispyware (AS)
applications. If you have it turned on in more than one
AS app, this can cause conflicts, leading to things
slipping past both AS applications.

The reason that I told you to check the prefetch folder
is that the folder is used by Windows to help speed
up the load time of many applications. Spyware/malware
writers, and any other type of damaging application
writers for that matter, can use this folder to keep the
infections on your system, even though they have been
removed. When you launch any application, Windows runs
any code in the prefetch folder associated/linked to that
application. Any code that these infections have placed
there that is associated/linked to that application WILL
also be run, causing your system to get infected once
again. This cycle WILL NOT end until you remove these
files from the prefetch folder. I had this problem right
before MS bought out Giant Company to acquire Giant
AntiSpyware, now known as Microsoft Windows AntiSpyware,
with a few modifications. Even then, the software didn't
find the code in the prefetch folder.

Alan
 
Dean

Alan,

Thanks for the prefetch tip. I had cleaned that earlier
but not recently after cleaning up a lot of other junk.
That could very well be where my problem lies since the
software finds nothing after the initial warnings and
cleaning.

Thanks,

Dean
 
Guest

Well,

I found 6 items that shouldn't be loaded in the prefetch
directory and cleaned them out and verified (as best as
the search engine allows for explorer) that they don't
exist on the hard drive anymore (system restore is turned
off as well). That seemed to get rid of the BHO object
but the "WindUpdates.MediaAccess" issue remains. Does
anyone have any other ideas (I have run a full McAfee
Virus scan, Adaware, Spybot, and MSAS scan again with no
findings).

Thanks,

Dean
 
Bill Sanderson

This may be a bit late for this thread, but doing that cleaning and
scanning, both with Microsoft Antispyware and your updated antivirus --in
SAFE MODE--can really help with the cleaning effort.

--
 