Question about ccSvcHst.exe trying to launch old or missing stuff
Hoping some folks with intense and deep SEP knowledge can give an idea or two. Possibly no real solution, but out of ideas on where to look for this one. It's like a ghost of the past - and I've spent hours searching for the source.
I'm hoping a real technical guru like sav2sep or whoever sees this and knows...... it's driving me bonkers trying to find the source of this.
Here's the scenario - Windows 7 32bit OS on a desktop computer (actually 3 or 4, but one will suffice). So we have what I believe to be the latest SEP installed, Windows 7 32 bit OS on desktop computer(s) so that's laid out right up front. This is not a server nor a SEPM issue, etc. but right on the workstation this is happening, and it's not just an isolated case, but has become annoying, bothersome, etc. lately.
Some helpful staff tried to help another staff member who wanted a countdown timer on their computer. This person will retire in a few months and it's a fun tradition to have such a countdown on the desktop (ok, not business related, not even helpful to productivity, but it makes them feel good)
In attempting to get such a thing installed, the install file was downloaded (I believe from CNET) and upon launch, it went into installing the countdown timer, but also installed Default Tab, Web Cake and one other nifty adware annoyance shoved down our throats by unscrupulous folks. I alerted the helpful staff to what had happened, what "they had done" (unknowingly) and they uninstalled the parts they were aware of. I manually deleted "Default Tab" and one other piece of !@#%$ from the computer. Good, that's gone. I purged the registry based on information gathered from other security sites, other malware killer companies and it seemed clean.
Ah, so what's the question? ccSvcHst.exe constantly is attempting to launch processes that were once related to those adware #$@% items (I can't say in a family public forum what I really feel about such scum but you probably get the idea - a nice stark dark cell for a few years would be just reward, I believe)
I'd like to find out why - what is telling ccSvcHst.exe to keep trying to launch those products or processes - they are gone, they exist no more. Like Monty Python's parrot - they are ex-software. They've gone to that great bit-bucket - yet SEP's ccSvcHst.exe is filling the logs in the application control where it's attempting to launch or run those processes.
Oh, the reason it's showing in the logs - after I found the mess the helpful folks unknowingly made, I created RULES in SEP's application control to BLOCK any attempt to read, create or launch any files associated with Default Tab and Web Cake in any related folders. So this cannot possibly happen in the future - at least for those junkware @#$%@#$ it can't happen. So, when ccSvcHst.exe tries to access and launch said files, it's logged.
But please read this - thise files don't exist. The folders are gone, the files are gone, all traces are gone - EXCEPT the trace telling ccSvcHst.exe to launch the processes!
So the question is - what is telling ccSvcHst.exe to find and launch those processes?
Isn't - very simply speaking - ccSvcHst SEP's counterpart to Microsoft's service launcher? Windows reads the registry to know what to launch. What does SEP read?