Hi Bill ,
That makes sense as it was called azesearch.cab and inside that was
'azesearch4.ocx' and 'azesearch.inf' They were detected as CWS.MWSearch but
it displays the error in each scan . Ive also seen error's on these Programs
when they are detected in the scan which also displays failed if I choose
remove and prompts to scan again.
Failed : 0x80508017
SearchForItAdShooter
HKLM\SOFTWARE\Classes\SYI.SYIObj.1
HKLM\SOFTWARE\Classes\SYI.SYIObj
Replace Search
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl.1
HKLM\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl
Ive checked the registry key permissions and they are set to allow full
control to myself (Admin) but the system checkboxes for read and full control
are blank, enabled Full Control to System and Defender was able to remove
them.
There was a Failed: 0x80508026 for Webhancer which was detected as
(RARSfx-whInstaller.exe) in System Volume Information but it didnt show in
the second scan, The CWS.WMSearch Failed error is for
'\azesearch.cab>azesearch4.ocx' and could get frustrating for novice users as
it prompts to run another scan each time it fails which then loops back to
the scan prompt again.
Here's the Real Time detections Ive noticed up to now running on the default
settings (All installers and screenshots saved)
Windows Defender Alerts when installing and running:
Azesearch.ocx - Detected as CWS.WMSearch, Fails to clean as explained above
Blockchecker
BrowserAccelerator
BrowserPal
CnsMin
Country.exe (KillAvTrojan) - Detected as SpySheriff
Dashbar
DashMemory
DealHelper
Exploit.wmf
GotSmiley
MediaGateway
Mirar Toolbar
PopUpBlocker - Mirar Detected
ReplaceSearch
RXToolbar
SearchForItAdShooter
Seekmo
Splitter (From Deepcom) - Webhancer Detected
SpyAxe
SpySheriff
SpywareStrike
SurfSideKick
tool5.exe (KillAVTrojan)- Detected as SpySheriff
VCMain (Bundled with some SSK and Qoologic installs) - Detected as SpySheriff
Webhancer
WebSecure(Gain)
WhenU
WinFixer2005
Zango-180
Zsearch
No Alert or warnings when Installing and Running:
sf.exe (Installed By CoolOnlineOffers) Trojan.Small detected using Jotti's
scan site
WinFixer2006
HotBar
Look2me
mpcsvc.exe (Trojon Ciadoor-AA)
tool4.exe (Trojon Ciadoor-AA)
Side bySideSeach
Dialer.hc
Mirar gave a detection for the toolbar but Defender wasnt able to remove it
or the trusted zones entries. SpyAxe displayed an alert but failed to remove
the program or startup reg entries but it did fully remove Spyware Strike
which is from the same rogue family so maybe it just needs abit of tweaking,
The MS Removal Tool Homepage has happened alot and not something I'd noticed
before, with it giving no details of what it found or removed I think
Defender might be linked to that as it's detecting problems in the scans.
Hey Plun,
Regarding the settings, I'm just running it on the default settings for now
as I wanted to see what its stopping by default but I will run the junk again
on advanced.
With Winfixer, Winfixer2005 is being detected and removed but not
Winfixer2006, I was able to install that and run it without any alerts from
Defender including after the system rebooted when Winfixer autostarts and
scans. Ive just read the Sunbelt Blog and that shows the steps they will take
to get on systems so it would be nice to see all of WinSoftware's app's
detected.
Cheers for the second link, I visited HighConvert afew months ago and it
would load exploit files as soon as the page was opened which dropp a bundle
of junk but I've not checked the page recently and that was on a machine with
no service packs,
The IP address from the Sunbelt blog is displaying the image the Sunbelt
team show on their site 'The Finger' and no hidden code but I just noticed if
you use the same IP address range and change the last digit from 68 to 69
then load the page It redirects using a hidden Iframe in the pagecode to open
a blank looking page at HighConverts site and this contains another hidden
Iframe to load a file called video.wmf , Windows Defender instantly displays
an alert for a wmf exploit so the IP address range is definitely worth
keeping a eye on
Chat to you later
Andy
