This post overlaps a little with one I posted some time ago. My main computer has an odd problem. My antivirus, Kaspersky, and my antispyware, Ewido, are normally set (in the registry) to start on bootup. If the registry entries are set to start during bootup at the time I shut down the machine, on bootup, Ewido will start early in the boot process as indicated by the tray icon appearing colored yellow to show that Ewido is active. A short time later the icon will be greyed out indicating that Ewido has just been switched to inactive -- as can be verified by opening the Ewido window. Kaspersky will start normally and remain active, but the registry entry will have been switched off. If I shut down and reboot in this state neither Kaspersky nor Ewido will start. This started about two weeks ago. Before then both pieces of software started normally in bootup.
OK, that is the background. Here is the question. I have run virtually every piece of malware detection software there is in an attempt to solve this problem -- with help and suggestions from a lot of folks. SpyBot, Ewido, SpySweeper, XoftSpy, Zone Alarm (and probably several others I am forgetting at the moment) all find some cookies, but no malware. If I run Panda Active Scan after a bootup it will report:
Incident Status Location
Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
Adware:adware/24-7-search Not disinfected c:\windows\system32\unPPC.exe
Spyware:spyware/cws.olehelp Not disinfected Windows Registry
and some innocuous cookies, which indicates my machine is infected with Cool Web Search (CWS). None of the other malware detection programs sees this. More puzzling is that if I run Ewido and allow it to clear the cookies it finds and then run the Panda Active Scan, the three entries shown above are no longer there.
If I run regmon and allow it to log the actions during boot, I find the line
FOUND
559326: explorer.exe:1668 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\kav.exe SUCCESS
which appears to be the culprit in turning off the Kaspersky antivirus (kav.exe).
I know that several pieces of malware use explorer.exe as their cover, so I am suspicious that that may be the case here. CWS is malware that redirects web browsing, so even if it were present (which I am not sure is the case) it isn't clear that it could be associated with the problem of programs being removed during bootup.
Do any of you have an idea of what the problem (or solution) might be?
Thanks for your help.
PS
No, I do not keep all of that software running, so there are no conflicts (that I know of or can find). Normally I run Kaspersky as my antivirus, Zone Alarm as my firewall and Ewido as my antispyware -- with all other features disabled in these programs. I have of course uninstalled them one by one to test if they were the culprits and then reinstalled them. Something hates Kaspersky and Ewido and is removing them from the startup, even if only the one piece of software is installed.
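A small Python script, added here and not part of the original post, that sifts a regmon boot log for the events that can actually remove a startup entry. The CloseKey quoted above only releases a handle; a Run entry disappears through a SetValue, DeleteValue or DeleteKey on the Run key itself, so the script keeps only those and attributes them to process and PID. The line layout and the sample lines are constructed to match the post's quoted line, not taken from the poster's machine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed regmon-style lines (not from the poster's machine), shaped like the
# line quoted in the post: "<seq>: <process>:<pid> <Op> <Path> <Result> [<Other>]".
SAMPLE_LOG = r"""
559326: explorer.exe:1668 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\kav.exe SUCCESS
559327: explorer.exe:1668 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0x20006
559328: explorer.exe:1668 DeleteValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KAV SUCCESS
559329: explorer.exe:1668 DeleteValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ewido SUCCESS
559330: explorer.exe:1668 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
559331: svchost.exe:812 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "box"
"""

# Assumed layout; real regmon exports may add a time column, which this regex does not parse.
LINE_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NOTFOUND|ACCDENIED|BUFOVRFLOW|NOMORE)(?:\s+(?P<other>.*))?$"
)
# The autostart keys whose values get executed at logon.
STARTUP_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services|ServicesOnce)?(\\|$)", re.IGNORECASE
)
# Operations that change the registry; everything else is a read or handle bookkeeping.
MUTATING_OPS = {"SetValue", "DeleteValue", "DeleteKey", "CreateKey"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one regmon line into its fields; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_startup_key(path: str) -> bool:
    return bool(STARTUP_KEY_RE.search(path))


def find_startup_tampering(log: str) -> List[Dict[str, str]]:
    """Keep only writes/deletes on Run keys: the events that can drop a startup entry."""
    events = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["op"] in MUTATING_OPS and is_startup_key(rec["path"]):
            events.append(rec)
    return events


def by_process(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count tampering events per (process, pid) so the responsible PID can be examined."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in events:
        counts[(e["proc"], e["pid"])] = counts.get((e["proc"], e["pid"]), 0) + 1
    return counts


if __name__ == "__main__":
    for e in find_startup_tampering(SAMPLE_LOG):
        print(f'{e["proc"]}[{e["pid"]}] {e["op"]} {e["path"]}')
```

Running it over a real regmon log narrows the search to the PID that performed the delete; that PID can then be checked for injected modules or a non-standard image path rather than blaming explorer.exe as a whole.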