Continuous false alert of removed spyware (myWay search bar)

Ari

I'm getting repeated false alarms of a spyware program that
has already been removed from the system (before MSAS).
On the first scan, MSAS detected and removed the remains of the
spyware in the registry. The log says:
"
10.1.2005 14:48:28::Remove Threat (ID:14826)
10.1.2005 14:48:28::Clean Threat MyWay Search Bar (ID:14826)
10.1.2005 14:48:28::Removing registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}
[=64E4104A-AD8F-4468-9D81-3290F77798CC
10.1.2005 14:48:28::Removing registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}
10.1.2005 14:48:28::Removing registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}
10.1.2005 14:48:28::Removing registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0}
[=1859849278
10.1.2005 14:48:28::Removing registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0}
10.1.2005 14:48:28::Removing registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0}
10.1.2005 14:48:28::Clean Threat MyWay Search Bar (ID:14826) Complete
10.1.2005 14:48:28::Remove Threat (ID:14826) Complete
"

Since then, it has occasionally raised a realtime protection
alert for MyWay Search Bar on logon.
When "remove" is selected, it seems to remove the threat.
The log reads:
"
11.1.2005 21:03:48::------------------------------------------------------------------
11.1.2005 21:03:48::Initializing Clean - (ScanID: 0)
11.1.2005 21:03:48::Remove Threat (ID:14826)
11.1.2005 21:03:48::Clean Threat MyWay Search Bar (ID:14826)
11.1.2005 21:03:48::Generating threat
11.1.2005 21:03:56::Clean Threat MyWay Search Bar (ID:14826) Complete
11.1.2005 21:03:56::Remove Threat (ID:14826) Complete
11.1.2005 21:04:02::Unititializing Clean
11.1.2005 21:04:02::------------------------------------------------------------------
"

When a scan (with any options) is done, nothing is detected.
The registry keys MSAS deleted on the first run have not
come back. Nor does there seem to be any other sign of MyWay.

While I otherwise do not consider this funny, the line
"11.1.2005 21:03:48::Generating threat"
is causing some amusement.

Any ideas how to get rid of this?

Steve Wechsler [MVP]

Ari,

It *is* possible that there is an infesting file still remaining on the
system that is attempting to write to the registry. Suggest you do a
full scan in Safe Mode to see if the reg entries still appear.
Please post back with your result.

Steve Wechsler (akaMowGreen)
MVP Windows Server
PYPC Dream

Do try to run MSAS in safe mode, but also open MSAS
and go to Advanced Tools, then System Explorer, and check
the following things:

IE BHO: anything that does not have a star, block; if it
has the hazardous box, remove it.

IE Toolbars: do the same.

Windows Hosts File: the only thing that should be listed
is:
127.0.0.1 Local Host

If anything else is listed, remove it. Re-run a scan,
reboot. Report results.


Ari

Tried this first, as it's faster.

The only IE BHO is the Acrobat helper; it certainly has a star
beside it.
No toolbars.
Only localhost in the hosts file.

Currently running scan in safe mode, will report when done.

Thanks.

Ari

Steve,
and PYPC Dream,

Now got the safe mode scan done. Nothing found to report.

Noticed that the error log also has a line added at the same
time the realtime cleaning is tried. It reads:
"
91::ln 0:Object variable or With block variable not set:ScanID=0::ThreatID=14826::gcASThreatAudit:ScanHistory:AddDeletedThreat::11.1.2005 21:03:56:1.0.501
"

Don't you find the "Generating threat" interesting?
I just wonder what on earth that can mean.

BTW, it's an XP Pro with fast user switching and
multilingual support (Engl US + Fin). All enabled users are
admins.

Ari
PS. Now going to sleep for a while.

Steve Wechsler [MVP]

This is what stands out to me:

AddDeletedThreat

Appears that the threat was added to the deleted threats while in
Safe Mode.

Steve Wechsler (akaMowGreen)
MVP Windows Server

Ari

Sorry to say that it obviously did not.
The situation is exactly the same after the safe mode scan.
The alert still comes, remove seems to run, scan finds
nothing. And on some following logon, the same again.
Did you notice that the line in my previous post was from
the ERROR log? I assume it thus indicates what failed, not
what was done.

Ari
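Ari's observation that the error-log line carries the same second as the realtime clean's "Complete" entry can be checked mechanically rather than by eye. The following is an added example (mine, not code from the thread or from MSAS): it parses the two log formats quoted above, using sample input constructed from the lines in the thread, and reports every "Remove Threat ... Complete" whose ThreatID also appears in an error-log entry within a few seconds, which is the pattern of a clean that ran but whose audit step failed.

```python
import re
from datetime import datetime, timedelta

# Clean-log lines look like "d.m.yyyy hh:mm:ss::message"; a line without a timestamp continues the previous entry.
CLEAN_RE = re.compile(r"^(\d{1,2}\.\d{1,2}\.\d{4} \d{2}:\d{2}:\d{2})::(.*)$")
# Error-log lines carry "ThreatID=N" and end with "::d.m.yyyy hh:mm:ss:version".
ERR_RE = re.compile(r"ThreatID=(\d+).*::(\d{1,2}\.\d{1,2}\.\d{4} \d{2}:\d{2}:\d{2}):")
COMPLETE_RE = re.compile(r"Remove Threat \(ID:(\d+)\) Complete")
TS_FMT = "%d.%m.%Y %H:%M:%S"

# Constructed sample input, assembled from the log lines quoted in the thread.
CLEAN_LOG = """\
10.1.2005 14:48:28::Remove Threat (ID:14826) Complete
11.1.2005 21:03:48::Initializing Clean - (ScanID: 0)
11.1.2005 21:03:48::Remove Threat (ID:14826)
11.1.2005 21:03:48::Clean Threat MyWay Search Bar (ID:14826)
11.1.2005 21:03:48::Generating threat
11.1.2005 21:03:56::Clean Threat MyWay Search Bar
(ID:14826) Complete
11.1.2005 21:03:56::Remove Threat (ID:14826) Complete
11.1.2005 21:04:02::Unititializing Clean
"""
ERROR_LOG = """\
91::ln 0:Object variable or With block variable not set:ScanID=0::ThreatID=14826::gcASThreatAudit:ScanHistory:AddDeletedThreat::11.1.2005 21:03:56:1.0.501
"""

def parse_clean_log(text):
    """Return (datetime, timestamp_text, message) entries, joining wrapped lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = CLEAN_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), TS_FMT), m.group(1), m.group(2)))
        elif line and entries:  # continuation of the previous entry
            dt, ts, msg = entries[-1]
            entries[-1] = (dt, ts, msg + " " + line)
    return entries

def parse_error_log(text):
    """Return (datetime, threat_id, raw_line) for every error-log entry that names a ThreatID."""
    out = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m:
            out.append((datetime.strptime(m.group(2), TS_FMT), int(m.group(1)), line.strip()))
    return out

def unrecorded_removals(clean_text, error_text, window=timedelta(seconds=10)):
    """'Remove Threat ... Complete' events whose ThreatID also hit the error log within `window`."""
    errors = parse_error_log(error_text)
    flagged = []
    for dt, ts, msg in parse_clean_log(clean_text):
        m = COMPLETE_RE.search(msg)
        hits = [raw for edt, etid, raw in errors
                if m and etid == int(m.group(1)) and abs(edt - dt) <= window]
        flagged.extend((int(m.group(1)), ts, raw) for raw in hits)
    return flagged
```

On the sample above only the 11.1.2005 removal is flagged; the 10.1.2005 removal from the first full scan has no matching error entry and passes.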