Coolwebsearch


ccrashh

Here is what I get in the cleaner.log file when I tell MSAS to "Remove" the
YourSiteBar threat.

2005-04-19 10:04:07 PM::------------------------------------------------------------------
2005-04-19 10:04:07 PM::Initializing Clean - (ScanID: 0)
2005-04-19 10:04:07 PM::Remove Threat (ID:15049)
2005-04-19 10:04:07 PM::Clean Threat YourSiteBar (ID:15049)
2005-04-19 10:04:07 PM::Generating threat
2005-04-19 10:04:14 PM::Clean Threat YourSiteBar (ID:15049) Complete
2005-04-19 10:04:14 PM::Remove Threat (ID:15049) Complete
2005-04-19 10:04:16 PM::Unititializing Clean
2005-04-19 10:04:16 PM::------------------------------------------------------------------


As you can see...there does not appear to be any cleaning going on. BTW,
note the typo on the 2nd last line...Unititializing instead of
Uninitializing.
 

ccrashh

Sorry...one more log file:


In the error.log file I get:

91::ln 0:Object variable or With block variable not set:ScanID=0::ThreatID=15049::gcASThreatAudit:ScanHistory:AddDeletedThreat::2005-04-19 10:04:14 PM:1.0.509

When you combine the Error.log entry with the entry I posted earlier from
cleaner.log:

2005-04-19 10:04:07 PM::Initializing Clean - (ScanID: 0)
2005-04-19 10:04:07 PM::Remove Threat (ID:15049)


You will note that the same threat ID (15049) is being referenced. Not sure
what the logs mean though. Anyone have any ideas?
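As an added illustration (not code from this thread, from MSAS, or from any poster), here is a small Python parser for the two log formats quoted above; it correlates cleaner.log events with error.log records by ThreatID and flags a removal that logged "Complete" while the audit-history write for the same ID errored. The error.log field meanings are assumed from the single line posted, and the sample input is constructed from the quoted lines.

```python
import re
from collections import defaultdict
# Constructed sample input, shaped like the cleaner.log and error.log lines quoted in the thread.
CLEANER_LOG = """\
2005-04-19 10:04:07 PM::Initializing Clean - (ScanID: 0)
2005-04-19 10:04:07 PM::Remove Threat (ID:15049)
2005-04-19 10:04:07 PM::Clean Threat YourSiteBar (ID:15049)
2005-04-19 10:04:07 PM::Generating threat
2005-04-19 10:04:14 PM::Clean Threat YourSiteBar (ID:15049) Complete
2005-04-19 10:04:14 PM::Remove Threat (ID:15049) Complete
2005-04-19 10:04:16 PM::Unititializing Clean
"""
ERROR_LOG = ("91::ln 0:Object variable or With block variable not set:ScanID=0::ThreatID=15049"
             "::gcASThreatAudit:ScanHistory:AddDeletedThreat::2005-04-19 10:04:14 PM:1.0.509\n")

CLEANER_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [AP]M)::(.*)$")
ID_RE = re.compile(r"\(ID:(\d+)\)")

def parse_cleaner(text):
    """Map ThreatID -> cleaner.log messages mentioning it (the '(ID:n)' tag is assumed)."""
    by_id = defaultdict(list)
    for line in text.splitlines():
        m = CLEANER_RE.match(line)
        idm = ID_RE.search(m.group(2)) if m else None  # separator rows carry no event
        if idm:
            by_id[int(idm.group(1))].append(m.group(2))
    return dict(by_id)

def parse_errors(text):
    """Split each error.log record on '::'; field meanings are assumed from the quoted line."""
    records = []
    for line in text.splitlines():
        f = line.split("::")
        m = re.match(r"ln \d+:(.*):ScanID=(\d+)$", f[1]) if len(f) == 5 else None
        if not m or not f[2].startswith("ThreatID="):
            continue
        stamp, version = f[4].rsplit(":", 1)
        records.append({"code": int(f[0]), "message": m.group(1), "scan_id": int(m.group(2)),
                        "threat_id": int(f[2].split("=", 1)[1]), "component": f[3],
                        "time": stamp, "version": version})
    return records

def correlate(cleaner_text, error_text):
    """Flag threats whose removal logged 'Complete' while an audit-history error names the same ID."""
    report, errors = {}, parse_errors(error_text)
    for tid, msgs in parse_cleaner(cleaner_text).items():
        done = any(m.startswith("Remove Threat") and m.endswith("Complete") for m in msgs)
        comps = [e["component"] for e in errors if e["threat_id"] == tid]
        report[tid] = {"completed": done, "errors": comps, "suspect": done and bool(comps)}
    return report
```

For the quoted lines this reports ThreatID 15049 as completed but suspect, because the only error record names the AddDeletedThreat audit step for that same ID.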
 

Scott

I am a computer technician and have the same exact problem with 2/4 accounts on a Windows XP Home computer. Every 3 or 4 logons, MSAS detects "CoolWebSearch" trying to install. Nothing indicates where it is originating. The program seems to properly remove it, but after 3-4 logons, it's back.

Adaware SE, Spybot v1.3, CWSShredder, HiJack This!, Norton AntiVirus 2005 scan, Housecall, etc. (System Restore Disabled) EVERYTHING is clean.

Perhaps this false positive might be Norton AntiVirus 2005? Just trying to help.

Scott.

-----Original Message-----
For me, it is YourSiteBar. When the warning comes up, I just say "Allow".
Of course, nothing gets installed at all.

HijackThis shows nothing. A system scan with MSAS (in safe mode) shows
nothing. A scan with Spybot shows nothing.


What was the false positive file which AS is hitting on? If it is not a
false positive, what is the behavior?

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

Not much use to you guys I know but yesterday uninstalled MSAS. Then reinstalled and updated to latest definitions. Went into account and the warning came up again.

Then went into safe mode. Ran MSAS twice found nothing.
Ran CWS and SpyBot - nothing. Ran AdAware - 11 minor
problems.

Went back into XP and into the account - nothing. No
warnings at all. So for now it has disappeared but a few
more checks tonight will convince me.

-----Original Message-----
Nope. Still there. Maybe time to uninstall, clean out the registry, and then wait for beta 2.


Interesting. I re-installed Spybot and it discovered two IST registry entries. Unfortunately, SD doesn't make a log file, and I purged the recovery files. However, the false-positive doesn't seem to appear anymore (for YourSiteBar).

Will keep the forum posted.


Bill Sanderson

I don't think we understand very much about these logs here.

It looks to me from errors.log that the action of cleaning the threatID
15049 was recorded in gcASThreatAuditScanHistory, which I believe is one of
the .gcd files you'll see in the installation location.

I agree that the clean action doesn't show anything apparently happening,
but I don't know whether this is really significant or not.

ccrashh

Well, the Cleaner.log I had before (when it actually cleaned something)
shows a lot more info.

Leon Zandman

I'm pretty sure my laptop isn't infected with a new
CoolwebSearch variant. I've researched my computer using
HijackThis and didn't find anything suspicious.
What was the false positive file which AS is hitting on?

AS doesn't show a filename. That's what I meant when I
said I would like some more detailed information from AS.
The event log also doesn't contain any clues.

Maybe I can track the file(s) using FileMon and RegMon.

Greetings,

Leon Zandman