Adware.BMCentral not detected

[ralph]

Adware.BMCentral was reported by AVG AntiSpyWare but not by Windows
Defender. The odd thing is that AVG AntiSpyWare reports traces in a
subfolder of C:\Program Files\Microsoft AntiSpyWare\Quarantine. Also,
acording to the Symantec web site, Adware.BMCentral modifies the registry
but in my case there is no such modification.
I hesitate allowing AVG AntiSpyWare to delete this "spyware" partiularly
since it is in the Windows Defender installation folder. Also the PC appears
to be operating normally.
Any suggestions?
thanks....ralph

 

[Dave M]

The default program folder for Windows Defender is C:\Program Files\Windows
Defender\ .

C:\Program Files\Microsoft AntiSpyWare was the default program folder for
Microsoft AntiSpyware Beta01 that is no longer functional... and hasn't
been since January 1. Looks to me like you had a removal/quarantine last
year by the Beta product and AVG is just now detecting it in the MSAS
quarantine folder.
That Beta01 folder can be sent to the trash, if still present, once you
uninstall MSAS, since the time bomb built-in to the program code makes it
no longer functional.

 

[ralph]

Hi Dave:
Thank you for your response.
My question then is how can I now uninstall MSAS? According to my notes I
did indeed install MSAS inOctober 2005 and then installed Windows Defender
in May of 2006. Again, according to my notes, installing Windows Defender
removes MSAS Beta 1.
My current situation is as follows:
In Control Panel > Add/Remove Programs I have an entry for Windows Defender
but no entry for MSAS.

In C:\Program Files I have a folder named Microsoft Antispyware and and
another named Windows Defender.
In the MSAS folder I have files plus 3 subfolders named:
1: "Deactivated Items" (empty)
2: "Quarantine" (containing one subfolder containing 2 files all named
with arbitrary numbers and letters)
3: "TempUpdates" (containing windowsdefender.exe dated May 2006)
In the Windows Defender folder I have dll, exe and one chm files. The chm
file is the Windows Defender help file.
It's all very confusing. I hesitate to simply delete the MSAS Beta01 folder
as one of its subfolders appears to contain windowsdefender.exe.
What do you think?
.......regards......ralph

 

[Guest]

Hi Ralp,

I've a couple of thoughts:

Windows Installer CleanUp Utility:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

CCleaner
http://www.ccleaner.com
xxxxxxxxxxxxxxxxxxxx

I try these steps:

1.-
Log on as an administrator.

2.-
Stop WD
Go to Services (under Administrative Tools)
and highlight Windows Defender Service. "Stop" Windows Defender Service,
then right click the line with WD Service. Click properties. Select Disable
and apply.

Please First exit WD, click the down arrow to the right of the white
question mark in blue circle and then click Exit Windows Defender on the UI
page

3.-
Windows Installer CleanUp Utility
You can use it to remove the installer bits for the requested software, and
that should resolve the issue.

Use it to remove Windows Defender... items listed.

4,-
CCleaner -

Note, uncheck Yahoos toolbar during install.

Do the scans with all the check marks on.
Better if is run in safe mode.

Run the above remover in safe mode then Ccleaner on all 3
settings(windows,apps & issues) and clear anything found reboot and see if it
still exists.

Registry - CCleaner even has a built-in Registry Cleaner.

It's not the best (not CCleaner's main function), but it will find invalid
registry entries that most Registry Cleaners will not.

Unlike the Disk Cleaners with a Registry Cleaner, CCleaner does really fast
scanning for Registry Issues.

The reason is CCleaner doesn't want to effect Windows performance or effect
any applications.

It's better to be safe than sorry!

NOTE - The first time you run CCleaner's Issues scanner you'll have to keep
running it back-to-back until it finds nothing.

One scenario is a registry key may only be a reference pointing to a
completely different location in the registry and when it's removed then that
reference link is also noticed as being invalid on a subsequent scan.

It's generally a good idea to keep running the Issues scan until nothing is
listed.
xxxxxxxxxxxxxxxxxx

5-
Reboot


6.-
I'd recommend re-downloading WD, and saving to a known location--like the
desktop.

After the download is complete, disable real-time protection by your
antivirus for long enough to do the installation.

Please disable or turn off as much other software that always runs as you
can--real time antivirus scanning, any other antispyware software, (Stop all
programs that are open in the bottom taskbar) etc.
xxxxxxxxxxxxxxxxxx

7.-
Done

I hope this post is helpful.

§Еиçеl§

 

[Guest]

Try this link
Windows Installer CleanUp Utility:
http://support.microsoft.com/?scid=kb;en-us;290301

 

[Dave M]

Engel has some good thoughts, Ralph. Another thing you can do, perhaps
before following Engel's suggestions, is an old programmer trick of
renaming the MSAS Beta1 folder to see if it causes any system disruptions
then later follow the cleaning procedure if nothing gets broken. I don't
remember that any subfolders of MSAS got any Defender files by default.
Unfortunately, talking about MSAS at this point taxes my memory. Just
renaming should be the safest way to go for now. So I'd recommend that you
make this change:

C:\Program Files\Microsoft AntiSpyWare rename to
C:\Program Files\Microsoft AntiSpyWare.old080707

Doing that will disable anything that your system might be looking for in
the standard MSAS folder. If it breaks something like Defender you can
easily rename it back. If it doesn't then delete it and cleanup when your
ready per Engel, even if that's a month from now when you spot it again
with the old+today's date appended, but I'd suspect AVG will help you
remember that folder. Any files in the old Quarantine subfolder are not a
threat... they can't execute and infect your system in the packed format as
they're stored within Quarantine.

Your Windows Defender folder sounds about right... many .dll files, two
..exe files and one .chm therein for me. Might be safest, as Engel says, to
remove Defender and reinstall once you get the MSAS folders removed and out
of the picture.

 

[Guest]

Thank Dave M,

I forgot to mention to use the belt-and-suspenders mode. Make a Restore
Point.
;-) before anything,
--


TEMPTATION
All men that are ruined, are ruined on the side of their natural
propensities.—Burke

 

[ralph]

Hi Dave and Engel:
Excuse me for not responding earlier.

Dave: I like your suggestion that the first thing to do is to rename the
MSAS Beta directory and see if that affects Windows Defender operation (you
are correct that that is an old programer's hack- with emphasis on "old").
However, baring catastrophic failure I'm not sure how to determine if WD is
operating correctly. When testing anti-virus software, we can use the EICAR
test virus. WD's real time scan will also detect EICAR, but treats it as a
"severe" threat and will not let you quarantine it- and it's the quarantine
function that causes me the most concern. Do you know of any "test" spyware
that I could use to test WD's functionality? Also, do you know where WD
keeps quarantined files?

Engel: Thanks for your many suggestions. One question: Does CCleaner report
it's findings and ask permission to fix things before actually doing any
clean-up?

Finally, in my original posting, I made an error. I was concerned that the
WD executable was in the MSAS file structure. In fact, windowsdefender.exe
is there but it is a self-extracting archive that contains
windowsdefender.msi (the installation package). and thus is not reason for
concern.

I have some unrelated questions about WD but I'll start a new thread for
them.
many thanks.....ralph

 

[Dave M]

Hi ralph,

Sure enough, on my system anyway the quarantine folder is here:

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows
Defender\Quarantine
and the actual individual items are in folders in there named similar to
this:
{7FFFFFFE-0000-0000-24A3-B3CC90E4A454}
and within each of these folders are the files:
DATA.CAB
Manifest.ini

I believe your easiest route to quarantine would be to turn off (uncheck)
this Options default:

Apply default actions to items detected during a scan

That's how I normally run anyway because I'm a control freak... lol
and I like to make those decisions myself. So you should be able to shove
Eicar in quarantine with that setting. If you can't, I managed to
quarantine the Yahoo pager when it tried to automatically install along
with yahoo. It's registry key is still sitting in quarantine simply by
denying it's installation.

Regarding CCleaner, yes it does report findings within the registry, takes
a backup if you request, and lets you remove things one at a time or in
total. The cleanup function also reports findings first then allows either
a total removal or a re-specification and re-examination before removal.
Cookie removal is very much under control if you save any cookies you want
to keep continually in it's options before the cleanup, also don't clean
(uncheck) Windows Defender in Applications here. It makes WD loose track
of it's scan history so it will report no scan has been done.

In addition to Eicar, you can try SpyCar for an anti-spyware test, but be
aware it's basically behavioral based and Defender isn't, so you'll only
get a half dozen or so detections, and they should quarantine as well
without using the default actions in Defender options. Here:
http://www.spycar.org/Welcome to Spycar.html

Good to hear that you got your concerns resolved with the old MSAS
directory.