Is ActiveSearch really trying to install??

Jonks

Hi there,

I have 3 user accounts on my computer.
Every time someone logs in they get a warning that ActiveSearch is trying
to install.

I've checked all the places where an app could be set to run at startup,
but there is nothing there.
I've even allowed it to install (!!!), booted into safe mode and run
MSAS deep scan. When I do this, MSAS doesn't detect _anything_ even
though ActiveSearch has been allowed to install.

Here are the last logs from cleaner.log.
I notice that when other spyware has been removed in the past, the
removal logs are very detailed. In this case, it appears that nothing
has been deleted by MSAS.

Thanks



22/02/2005 8:03:01 PM::------------------------------------------------------------------
22/02/2005 8:03:01 PM::Initializing Clean - (ScanID: 0)
22/02/2005 8:03:01 PM::Remove Threat (ID:14882)
22/02/2005 8:03:01 PM::Clean Threat ActiveSearch (ID:14882)
22/02/2005 8:03:01 PM::Generating threat
22/02/2005 8:03:13 PM::Clean Threat ActiveSearch (ID:14882) Complete
22/02/2005 8:03:14 PM::Remove Threat (ID:14882) Complete
22/02/2005 8:03:23 PM::Unititializing Clean
22/02/2005 8:03:23 PM::------------------------------------------------------------------
24/02/2005 9:00:11 PM::------------------------------------------------------------------
24/02/2005 9:00:11 PM::Initializing Clean - (ScanID: 0)
24/02/2005 9:00:11 PM::Remove Threat (ID:14882)
24/02/2005 9:00:11 PM::Clean Threat ActiveSearch (ID:14882)
24/02/2005 9:00:11 PM::Generating threat
24/02/2005 9:00:15 PM::Clean Threat ActiveSearch (ID:14882) Complete
24/02/2005 9:00:15 PM::Remove Threat (ID:14882) Complete
24/02/2005 9:00:24 PM::Unititializing Clean
24/02/2005 9:00:24 PM::------------------------------------------------------------------
25/02/2005 9:18:15 PM::------------------------------------------------------------------
25/02/2005 9:18:15 PM::Initializing Clean - (ScanID: 0)
25/02/2005 9:18:15 PM::Remove Threat (ID:14882)
25/02/2005 9:18:15 PM::Clean Threat ActiveSearch (ID:14882)
25/02/2005 9:18:15 PM::Generating threat
25/02/2005 9:18:20 PM::Clean Threat ActiveSearch (ID:14882) Complete
25/02/2005 9:18:20 PM::Remove Threat (ID:14882) Complete
25/02/2005 9:18:32 PM::Unititializing Clean
25/02/2005 9:18:32 PM::------------------------------------------------------------------
26/02/2005 4:13:15 PM::------------------------------------------------------------------
26/02/2005 4:13:16 PM::Initializing Clean - (ScanID: 0)
26/02/2005 4:13:16 PM::Remove Threat (ID:14882)
26/02/2005 4:13:16 PM::Clean Threat ActiveSearch (ID:14882)
26/02/2005 4:13:16 PM::Generating threat
26/02/2005 4:13:20 PM::Clean Threat ActiveSearch (ID:14882) Complete
26/02/2005 4:13:20 PM::Remove Threat (ID:14882) Complete
26/02/2005 4:13:24 PM::Unititializing Clean
26/02/2005 4:13:24 PM::------------------------------------------------------------------
27/02/2005 4:35:36 PM::------------------------------------------------------------------
27/02/2005 4:35:36 PM::Initializing Clean - (ScanID: 0)
27/02/2005 4:35:36 PM::Remove Threat (ID:14882)
27/02/2005 4:35:36 PM::Clean Threat ActiveSearch (ID:14882)
27/02/2005 4:35:36 PM::Generating threat
27/02/2005 4:35:42 PM::Clean Threat ActiveSearch (ID:14882) Complete
27/02/2005 4:35:42 PM::Remove Threat (ID:14882) Complete
27/02/2005 4:35:47 PM::Unititializing Clean
27/02/2005 4:35:47 PM::------------------------------------------------------------------
28/02/2005 9:03:50 PM::------------------------------------------------------------------
28/02/2005 9:03:50 PM::Initializing Clean - (ScanID: 0)
28/02/2005 9:03:50 PM::Remove Threat (ID:14882)
28/02/2005 9:03:50 PM::Clean Threat ActiveSearch (ID:14882)
28/02/2005 9:03:50 PM::Generating threat
28/02/2005 9:03:55 PM::Clean Threat ActiveSearch (ID:14882) Complete
28/02/2005 9:03:55 PM::Remove Threat (ID:14882) Complete
28/02/2005 9:06:58 PM::Unititializing Clean
28/02/2005 9:06:58 PM::------------------------------------------------------------------
01/03/2005 9:19:22 PM::------------------------------------------------------------------
01/03/2005 9:19:22 PM::Initializing Clean - (ScanID: 0)
01/03/2005 9:19:22 PM::Remove Threat (ID:14882)
01/03/2005 9:19:22 PM::Clean Threat ActiveSearch (ID:14882)
01/03/2005 9:19:22 PM::Generating threat
01/03/2005 9:19:25 PM::Clean Threat ActiveSearch (ID:14882) Complete
01/03/2005 9:19:25 PM::Remove Threat (ID:14882) Complete
01/03/2005 9:19:27 PM::Unititializing Clean
01/03/2005 9:19:27 PM::------------------------------------------------------------------
02/03/2005 10:21:36 PM::------------------------------------------------------------------
02/03/2005 10:21:36 PM::Initializing Clean - (ScanID: 0)
02/03/2005 10:21:36 PM::Remove Threat (ID:14882)
02/03/2005 10:21:37 PM::Clean Threat ActiveSearch (ID:14882)
02/03/2005 10:21:37 PM::Generating threat
02/03/2005 10:21:44 PM::Clean Threat ActiveSearch (ID:14882) Complete
02/03/2005 10:21:44 PM::Remove Threat (ID:14882) Complete
02/03/2005 10:21:48 PM::Unititializing Clean
02/03/2005 10:21:48 PM::------------------------------------------------------------------
03/03/2005 9:01:20 PM::------------------------------------------------------------------
03/03/2005 9:01:20 PM::Initializing Clean - (ScanID: 0)
03/03/2005 9:01:20 PM::Remove Threat (ID:14882)
03/03/2005 9:01:21 PM::Clean Threat ActiveSearch (ID:14882)
03/03/2005 9:01:21 PM::Generating threat
03/03/2005 9:01:36 PM::Clean Threat ActiveSearch (ID:14882) Complete
03/03/2005 9:01:36 PM::Remove Threat (ID:14882) Complete
03/03/2005 9:01:38 PM::Unititializing Clean
03/03/2005 9:01:38 PM::------------------------------------------------------------------
04/03/2005 8:45:58 PM::------------------------------------------------------------------
04/03/2005 8:45:58 PM::Initializing Clean - (ScanID: 0)
04/03/2005 8:45:58 PM::Remove Threat (ID:14882)
04/03/2005 8:45:58 PM::Clean Threat ActiveSearch (ID:14882)
04/03/2005 8:45:58 PM::Generating threat
04/03/2005 8:46:09 PM::------------------------------------------------------------------
04/03/2005 8:46:09 PM::Initializing Clean - (ScanID: 0)
04/03/2005 8:46:09 PM::Remove Threat (ID:14882)
04/03/2005 8:46:09 PM::Clean Threat ActiveSearch (ID:14882)
04/03/2005 8:46:09 PM::Generating threat
04/03/2005 8:46:12 PM::Clean Threat ActiveSearch (ID:14882) Complete
04/03/2005 8:46:13 PM::Remove Threat (ID:14882) Complete
04/03/2005 8:46:14 PM::Unititializing Clean
04/03/2005 8:46:14 PM::------------------------------------------------------------------
05/03/2005 7:05:01 PM::------------------------------------------------------------------
05/03/2005 7:05:01 PM::Initializing Clean - (ScanID: 0)
05/03/2005 7:05:01 PM::Remove Threat (ID:14882)
05/03/2005 7:05:01 PM::Clean Threat ActiveSearch (ID:14882)
05/03/2005 7:05:01 PM::Generating threat
05/03/2005 7:05:05 PM::Clean Threat ActiveSearch (ID:14882) Complete
05/03/2005 7:05:05 PM::Remove Threat (ID:14882) Complete
05/03/2005 7:05:10 PM::Unititializing Clean
05/03/2005 7:05:10 PM::------------------------------------------------------------------
06/03/2005 6:17:58 AM::------------------------------------------------------------------
06/03/2005 6:17:58 AM::Initializing Clean - (ScanID: 0)
06/03/2005 6:17:58 AM::Remove Threat (ID:14882)
06/03/2005 6:17:58 AM::Clean Threat ActiveSearch (ID:14882)
06/03/2005 6:17:58 AM::Generating threat
06/03/2005 6:18:02 AM::Clean Threat ActiveSearch (ID:14882) Complete
06/03/2005 6:18:02 AM::Remove Threat (ID:14882) Complete
06/03/2005 6:18:04 AM::Unititializing Clean
06/03/2005 6:18:04 AM::------------------------------------------------------------------
 
AndyManchesta

Hi mate, you need to log into the account which is showing
these warnings, or if it's all accounts then check for
these in each:

First go to the Add/Remove screen and repost if found,

WAST
FTApp
flt
FlashTrack Uninstall
FT remove
Cpr
TurboDownload
IEDriver
webHancer
Windows Related
411Ferret Toolbar
Searchit - toolbar
Toolbar - My toolbar
qidion - toolbar
masterbarHallmedia.net
IE Toolbar
autoSearch
YuupSearch Toolbar
iSearch


Repost if any are found and then I can advise how to
remove it. There are too many possible causes for now, so
hopefully you will find one of these listed so we can
easily remove it. Also try searching for them by enabling
hidden files and folders and unchecking the hide for
known file types option as described below.

Enable viewing of hidden files and folders and
extensions. Some programs can hide this way by not being
visible in Windows. Start Windows Explorer and click on
your main hard drive, usually c:\. Then select Tools from
the top of Windows Explorer and then Folder Options. Go
to the View tab. Scroll down to the folder icon that says
Hidden files and folders and check show hidden files and
folders. Also, right below it, uncheck the hide file
extensions for known types. Not doing this could allow
file extensions commonly used by trojans and spyware to
be hidden, for example a file ending in .exe or .dll,
making manually finding it very difficult.

Good Luck

Andy
 
Jonks

Thanks for the list.

Web CPR was in A/R programs.

I remember removing it a month ago or so using a different scanner.
It seems that the removal did not remove the entry from the
HKLM\..\Uninstall registry key.

MSAS must have been detecting this key, thinking ActiveSearch was
installing, warning me, but then failing to remove the reg key.

False positive -
The 'problem' goes away when the reg key is deleted.
Then, as a test, if you manually add the reg key and values, the problem
re-surfaces.

Thanks again.
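
Added example (not part of the original thread and not MSAS code): a Python check that reads a cleaner.log in the format quoted above and reports threat IDs logged as cleaned on several distinct days, the pattern that here pointed to a detection the cleaner never actually removed. The sample is abridged from the log lines quoted in this thread; the function names and the `min_days` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample abridged from the cleaner.log lines quoted in this thread.
SAMPLE_LOG = """\
03/03/2005 9:01:20 PM::Initializing Clean - (ScanID: 0)
03/03/2005 9:01:21 PM::Clean Threat ActiveSearch (ID:14882)
03/03/2005 9:01:36 PM::Clean Threat ActiveSearch (ID:14882) Complete
03/03/2005 9:01:38 PM::Unititializing Clean
04/03/2005 8:45:58 PM::Initializing Clean - (ScanID: 0)
04/03/2005 8:45:58 PM::Clean Threat ActiveSearch (ID:14882)
04/03/2005 8:46:09 PM::Initializing Clean - (ScanID: 0)
04/03/2005 8:46:09 PM::Clean Threat ActiveSearch (ID:14882)
04/03/2005 8:46:12 PM::Clean Threat ActiveSearch (ID:14882) Complete
05/03/2005 7:05:01 PM::Clean Threat ActiveSearch (ID:14882)
05/03/2005 7:05:05 PM::Clean Threat ActiveSearch (ID:14882) Complete
"""

# "DD/MM/YYYY H:MM:SS AM::message"; wrapped fragments and separators do not match.
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)::(.*)$")
CLEAN = re.compile(r"^Clean Threat (.+) \(ID:(\d+)\)( Complete)?$")

def summarize(log_text):
    """Per threat ID: name, days a clean completed, attempts started/completed."""
    threats = defaultdict(
        lambda: {"name": None, "clean_days": set(), "started": 0, "completed": 0})
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        clean = CLEAN.match(line.group(2)) if line else None
        if not clean:
            continue
        when = datetime.strptime(line.group(1), "%d/%m/%Y %I:%M:%S %p")
        entry = threats[int(clean.group(2))]
        entry["name"] = clean.group(1)
        if clean.group(3):                      # "... Complete" line
            entry["completed"] += 1
            entry["clean_days"].add(when.date())
        else:                                   # clean attempt started
            entry["started"] += 1
    return threats

def recurring(log_text, min_days=2):
    """(id, name, days_cleaned, unfinished_attempts) where removal is not sticking."""
    return [(tid, t["name"], len(t["clean_days"]), t["started"] - t["completed"])
            for tid, t in sorted(summarize(log_text).items())
            if len(t["clean_days"]) >= min_days]

if __name__ == "__main__":
    for row in recurring(SAMPLE_LOG):
        print("recurring: id=%d name=%s days=%d unfinished=%d" % row)
```

A threat that is "cleaned" successfully day after day is worth checking against leftover artifacts, such as the stale Uninstall entry found here, rather than assuming a live reinstall.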
 
AndyManchesta

Hi Jonks,

No problem mate, glad to help. I assume you have fixed this
now by reading your reply, but just in case it comes back
or you think there may be traces left then just delete
these to be sure.

Unregistering the .dll

Open a DOS command prompt window (Start->All programs->Accessories)
and enter the following command:

Copy & Paste this first line in:

cd "%WinDir%\System"


Then copy and paste this one in:

regsvr32 /u Cpr.dll


Restart the computer and you should be able to
delete 'Cpr.dll' from the System folder

('System32' on Windows NT/2000/XP/2003; inside the
Windows folder)


You probably will not need this but it might come in
useful to other users.

All the Best

Andy
 
