What's Autoloading Microsoft AntiSpyware gCAServ?

Guest

Up until late February 2006, I ran Microsoft AntiSpyware (Beta 1) under XP
SP2, when I upgraded to Windows Defender (Beta 2). Everything worked just fine
until March 1st, when Windows Defender tried to update its definitions file.
Windows Installer kept downloading the definitions file, installing it and
failing, endlessly. I tried every one of the many suggestions posted here and
nothing worked. The problem is definitely with MSI, not WinDefender.

Then I noticed something very odd: the gCAServ.exe file in the C:\Program
Files\Microsoft AntiSpyware was set to load automatically at startup. This
was odd because there was no gCAServ.exe file in the Microsoft AntiSpyware
folder. So I ran MSConfig and discovered a key in HKLM/Run that was "loading"
the nonexistent file, but every time I deleted the key, some unknown process
kept putting it back, usually within a minute of the deletion.

I deleted the Microsoft AntiSpyware folder entirely (I was, after all, now
using Windows Defender, installed in a different folder) but the gremlin
doesn't care. It has, after all, been a nonexistent file all along.

Then I got to thinking that this might be root cause of the endlessly
looping MSI problem. Whatever keeps "reinstalling" gCAServ.exe may be a
residual process of Microsoft AntiSpyware that, in addition to futilely
trying to keep MSAS alive, might also be interfering in some other unseen
fashion with MSI.

But try as I might, I can't find whatever process keeps doing this and, so long
as WinDefender is available to be updated, MSI will keep trying to update it,
forever. So I've had no choice but to delete WinDefender completely, which
finally stopped the endless MSI loop.

And the invisible gCAServ.exe autoloader is still in there, replacing the
HKLM Run key any time it's removed...
 
Bill Sanderson

Hmm..

Good one! (sorry---I'm easily entertained, don't want to minimize what a pain
this must be.)

The cycling update problem is usually solved by using this KB article:

http://support.microsoft.com/?kbid=915105

followed by a successful update. In some cases, that procedure errors out,
and using the Windows Installer Cleanup tool seems to be needed:

http://support.microsoft.com/?scid=kb;en-us;290301

Agreed--this is an MSI issue--and one of those procedures should get this
back on track, but it is also true that for a few users, this experience
repeats with succeeding updates.

About your other, more interesting issue, I don't have a clue. Do you have
some other security, goback, protective software in place which is intended
to "protect" registry settings or "\program files" against modification?

Here's what I would think about, in terms of trying to clear it up:

1) uninstall Windows Defender (I think you said you've done that?)

2) reinstall build .701 of Microsoft Antispyware as an administrator (you
can get the download at www.filehippo.com; make sure you get the .701 build).

If you are successful in that reinstall, I'd then uninstall it, via control
panel, add or remove programs.

Let's see if that process gets rid of this errant startup item.

At that point, I'd reinstall Windows Defender, and see if either the cycling
update problem is gone, or correct it using the method posted above.

I do have one other thought: There have been some viruses which have
removed Microsoft Antispyware processes. I'm not certain whether there are
any which mimic Microsoft Antispyware processes. A full scan for viruses
with an updated antivirus app wouldn't hurt, although I don't think this is
a likely cause of the symptoms.

--
 
Guest

No go. I downloaded and installed MSAS 701, ran it to engage the AutoUpdater
and enlist in SpyNet, but skipped the initial scan, then uninstalled it using
Add or Remove Programs control panel. During the removal process, both Startup
Monitor (a memory resident utility that alerts whenever any process changes
the Windows Startup folders or the HKLM/Run, HKCU/Run or RunOnce registry
nodes) and ZoneAlarm alerted me that C:\Program Files\Microsoft
AntiSpyware\gcaserv.exe was being added to HKLM/Run. The gremlin's alive and
well.

For what it may be worth, ZoneAlarm logged six processes during the
installation and removal of MSAS:

gcasDTserv.exe (MSAS Data Service)
gcasInstallHelper.exe (MSAS Installation Helper)
GIANTAntiSpywareMain.exe (MSAS Main)
gcasServ.exe (MSAS Service)
gcasSWUpdater.exe (MSAS Software Updater)
GIANTAntiSpywareUpdater.exe (MSS Updater)

Following the removal, the following 9 files remain behind in the Microsoft
AntiSpyware folder, presumably because they're generated after installation
and thus not part of the installation package.

error.log (87 bytes)
gcAgentsData.gcd (67.8 KB)
gcAgentsDataStoreData.gcd (104 KB)
gcDeterminationDataUser.gcd (311 bytes)
gcEventsData.gcd (81 bytes)
gcExplorersData.gcd (3.37 KB)
gcThreatAuditIgnoredThreatsData.gcd (89 bytes)
gcThreatAuditScanHistoryData.gcd (86 bytes)
gcUserData.gcd (1.53 KB)

In any case, my situation is now virtually unchanged. Something running on
my system keeps adding gcasServ.exe to HKLM/Run, even though the file no
longer exists (and, btw, Windows never complains about it not being there,
even though it's theoretically supposed to be loading during startup).

Until I find out what's going on, why it's happening without error messages
from Windows or how to stop it from happening, I dare not reinstall Windows
Defender.

Thank you for your time and consideration.

-DND-
 
Bill Sanderson

I'm suspicious of Startup Monitor. I do wonder whether it may somehow be
behind the observed behavior?

Are there multiple users on this machine? Is Microsoft Antispyware
installed in more than one user profile?

--
 
Guest

(blink) You suspect Startup Monitor?

All it does is monitor the Run nodes of the registry, throw a dialog box
alerting the user that a process is trying to change something and allow the
user the option to confirm or deny the request. In other words, the same thing
that Zone Alarm does for the same "Suspicious Behavior", except that SM
typically reacts faster and reports every time such a request is made, even
if you've already allowed it once.

You can look into it yourself by going straight to the source:

http://www.mlin.net/StartupMonitor.shtml

It has a companion utility, Startup Control Panel, that allows you to disable
or delete an item in the Run nodes more directly than does MSConfig. Very
handy, indeed!

SM will unload itself on command and the termination of the SM process can
be verified in realtime with Task Manager, which I just did.

I then opened RegEdit and worked my way down the hierarchy: HKLM, Software,
Microsoft, Windows, CurrentVersion, Run and manually deleted gcasServ. I got
a dialog box asking me to verify the deletion and clicked OK. Then I hit F5
to refresh the screen and lo! The gcasServ key I just deleted was back.

Some ongoing process is replacing that key. Startup Monitor is simply
reliably reporting the behavior of that process. Unfortunately, SM doesn't
report which process is accessing the registry, merely that access has been
requested.

I can see no reason why any malware (or any other third-party product, for
that matter) process would attempt to ENABLE the gcasServ.exe program in the
Microsoft AntiSpyware folder at startup EXCEPT some remnant of MSAS running
in some sort of stealth mode in the background.

This is a tactic generally used by spyware to keep itself alive, so it seems
odd to see it being used to keep a MSAS component registered after MSAS has
been removed (twice!) by its own installer via the Add or Remove Programs
cpanel.

I wouldn't've become aware of it at all, except that I ran a registry
cleaner utility (Registry First Aid) after upgrading from MSAS to
WinDefender, which flagged the gcasServ key for removal as an "invalid" entry.
The gremlin kicked in and Startup Monitor alerted me that something was
trying to replace the "invalid" key that RFA had just removed.

As far as I can see, Startup Monitor is the hero here, not the villain...

-DND-
 
Bill Sanderson

DNDyar said:
(blink) You suspect Startup Monitor?

OK - Sorry--didn't mean to malign it--just something I've not used, and thus
wonder whether it has more functionality than simply reporting.

I hear you when you say this is more like malware than is comfortable. I
agree--and I don't know of malware that uses this filename.

Can you kill the beast in safe mode?

Can you rename or copy over with a zero byte file, the executable involved?
 
Guest

Bill Sanderson said:
I hear you when you say this is more like malware than is comfortable. I
agree--and I don't know of malware that uses this filename.

Can you kill the beast in safe mode?

Can you rename or copy over with a zero byte file, the executable involved?

My problem has always been that I don't know the beast's name, which is to
say I don't know what process is doing the deed. I only know that it continues to
commit the deed, which is to add gcasServ.exe to the HKLM\Run key, even
though there's no such file and no such folder. Both have long since been
deleted.

If there's a process called "gcaServ" running on my system, I can't see it
in Task Manager or any other utility that displays system processes, such as
WinDefender's Software Explorer, back when I had that installed.

When the gremlin does its thang, Zone Alarm reports:

"SUSPICIOUS BEHAVIOR
<Registry Editor> may be trying to prevent 'gcasServ' from running each time
your computer is started by modifying the registry key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Application: regedit.exe"

That's when I delete the key manually. If it gets deleted by Registry First
Aid, RFA gets reported as the "suspicious" application.

Contrariwise, Startup Monitor reports:

"The program

gcasServ

has registered the executable

'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe'

to run at system startup.

Do you wish to allow this change?"

But, according to Task manager, there's no gcasServ application or process
running. Either SM simply assumes that the application trying to add the key
is gcasServ because that's the name of the program being registered (probable)
-OR- it can somehow see a process that's hidden from Task Manager
(improbable).

So what, then, am I supposed to kill in order to break the loop? Because,
until I know its True Name, I cannot conjure and abjure this daemon...

-DND-
 
Guest

Aha! I found the little bugger!

Bill Sanderson was correct in suspecting a third-party monitoring utility of
being the culprit, just wrong in suspecting Startup Monitor.

The culprit was an Ad-Aware add-on program called Ad-Watch, which loads at
startup and runs in background to detect attempts to hijack the Web browser
home and search pages, etc. It generally behaves like Startup Monitor and, in
fact, adds its own alert to the chorus of alerts from ZoneAlarm regarding
suspicious behavior, such as any attempt to remove certain programs from the
HKLM Run node.

But Ad-Watch is overzealous. Having registered certain keys as benign
security applications, it dutifully protects the system by safeguarding them
from removal. Ad-Watch has been the mysterious gremlin replacing the gcasServ
key.

I could find no way to view, much less revise, Ad-Watch's list of items to
be guarded or protected against, so I disabled it and, just to be on the safe
side, deleted it entirely. This sort of help I don't need!

Case closed, but it raises the always-interesting question:

Who Watches the Watchmen?
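An added example (not code from the thread or from any of the tools it names), in PowerShell, assumed to be run in an elevated session: it audits the HKLM and HKCU Run/RunOnce keys for values whose target executable no longer exists, the state the orphaned gcasServ entry was in, and gives a way to delete such a value and watch whether some other process puts it back.

```powershell
# Added example, not from the thread. Lists Run/RunOnce values whose executable is
# missing, and optionally deletes one and watches for it to be restored.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunTarget([string]$Command) {
    # Extract the executable from a command line: a quoted path, else the first token.
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Get-OrphanedAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }          # skip the (Default) value
            $cmd = [string]$item.GetValue($name)
            $exe = [Environment]::ExpandEnvironmentVariables((Get-AutorunTarget $cmd))
            # Bare names such as rundll32.exe resolve through PATH, so check that too.
            $exists = (Test-Path -LiteralPath $exe) -or
                      [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            if (-not $exists) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Target = $exe }
            }
        }
    }
}

function Watch-AutorunRestore([string]$Key, [string]$Name, [int]$Seconds = 120) {
    # Delete the value, then poll. If it reappears, something else on the box is
    # re-registering it; in this thread that turned out to be Ad-Watch, not malware.
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
    for ($i = 1; $i -le $Seconds; $i++) {
        Start-Sleep -Seconds 1
        $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $v) { return "'$Name' was restored after $i s: $($v.$Name)" }
    }
    return "'$Name' stayed deleted for $Seconds s"
}

Get-OrphanedAutoruns | Format-Table -AutoSize
# Second step, using the value name from the thread:
# Watch-AutorunRestore -Key $RunKeys[0] -Name 'gcasServ'
```

If the value does come back, running a registry-activity monitor such as Process Monitor during the poll window is the quickest way to learn which process wrote it.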
 
Bill Sanderson

Terrific--thanks for persisting, and for coming up with the answer and
posting it. There have been two or three threads in the context of the
earlier beta which related to this ad-aware piece, but I wasn't able to
recall them clearly enough to think of it in relation to your issue.
 
