Also can't run AntiSpyware

Thread starter: Glynn Novice

I have downloaded the MicrosoftAntiSpywareInstall.exe
program but it doesn't seem to run. It installs the files
but running the start menu item or clicking on the .exe
does nothing.

I noticed that an error log was created with the following
content "429::ln 0:ActiveX component can't create
object::gcasServ:modMain:Main::12/04/2005 12:16:59
AM:1.0.509"

I do suspect that I do have some sort of spyware problem
on my PC.
Yesterday I manually removed a strange "Workstation
Netlogon Service" service registry but I still think that
there is a problem on my PC.

I was able to run the MSSSRT.exe program however after
the report is generated, it complained that "An error
occurred submitting the scan results. Please check you
Internet proxy setiings ant try again". [The MS message
does say "You" and not "Your".]
I checked my internet settings and they seem to be OK.

Inside of the XML report output, I noticed the following:
<Process ex="1" pid="1756" nam="(umpndisk.exe)" pub=""
md5="41bce3430bc03b28af9c3e290d8041c6" ver="" sz="88064"
is="0" gfp="">C:\WINDOWS\System32\umpndisk.exe</Process>
Which I think is an invalid process, but I can't seem to
stop it from the Task Manager (Complains that it "...
runs in the same process as the service control manager")

I am running XP SP1, but my "Windows Update" won't work
stating "Windows Update cannot continue because a
required service application is disabled".

Also my Nortons Virus program won't install and I am
seeing "The server {72C2714F-4478-11D3-B537-
00902771A435} did not register with DCOM within the
required timeout." error messages in my system log.

Hope you guys can sort this one out.

Regards,

Glynn Novice
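The <Process> element quoted above is the kind of record a responder wants to triage before deciding which binary to copy off the machine and submit for analysis. The following is an added example, not code from the thread or from Microsoft's tool: a small Python script that parses report entries of that shape and flags the ones worth a closer look. The umpndisk.exe entry copies the values from the post; the other two entries, their hashes and paths are constructed for illustration, and the triage rules (hash watchlist, empty publisher and version, unlabelled binary in System32, execution from a Temp directory) are this example's own heuristics, not MSSSRT's. It also shows the check a practitioner wants before submitting a file: hash the copy you grabbed and compare it with the md5 the report recorded.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the MSSSRT report element quoted in the post.
# The umpndisk.exe line copies the post's values; the other two processes and their
# hashes are invented for illustration and do not describe real files.
SAMPLE_REPORT = r"""<Report>
<Process ex="1" pid="1756" nam="(umpndisk.exe)" pub="" md5="41bce3430bc03b28af9c3e290d8041c6" ver="" sz="88064" is="0" gfp="">C:\WINDOWS\System32\umpndisk.exe</Process>
<Process ex="1" pid="1040" nam="(svchost.exe)" pub="Microsoft Corporation" md5="00000000000000000000000000000000" ver="5.1.2600.1106" sz="14336" is="1" gfp="">C:\WINDOWS\System32\svchost.exe</Process>
<Process ex="1" pid="2044" nam="(updater.exe)" pub="" md5="ffffffffffffffffffffffffffffffff" ver="" sz="51200" is="0" gfp="">C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe</Process>
</Report>"""


def parse_processes(xml_text):
    """Flatten each <Process> element into a dict (only the attributes the post shows)."""
    rows = []
    for p in ET.fromstring(xml_text).iter("Process"):
        rows.append({
            "pid": int(p.get("pid", "0")),
            "name": p.get("nam", "").strip("()"),   # report wraps the name in parentheses
            "publisher": p.get("pub", ""),
            "md5": p.get("md5", "").lower(),
            "version": p.get("ver", ""),
            "size": int(p.get("sz") or 0),
            "path": (p.text or "").strip(),
        })
    return rows


def triage(rows, watchlist_md5=frozenset()):
    """Return [(row, reasons)] for processes that deserve a closer look.

    These rules are this example's own heuristics, not MSSSRT's: a hash you are
    already tracking, a binary with no publisher and no version resource, an
    unlabelled binary living in System32, or anything executing out of Temp.
    """
    findings = []
    for r in rows:
        reasons = []
        path = r["path"].lower()
        if r["md5"] in watchlist_md5:
            reasons.append("md5 is on the watchlist")
        if not r["publisher"] and not r["version"]:
            reasons.append("no publisher and no version resource")
        if path.startswith("c:\\windows\\system32\\") and not r["publisher"]:
            reasons.append("unlabelled binary in System32")
        if "\\temp\\" in path:
            reasons.append("runs from a Temp directory")
        if reasons:
            findings.append((r, reasons))
    return findings


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string. Compare it with the report's md5 attribute before
    submitting a copied file, so you know you grabbed the binary the scanner saw."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    rows = parse_processes(SAMPLE_REPORT)
    # The post's hash is put on the watchlist here purely to show the rule firing.
    for row, reasons in triage(rows, {"41bce3430bc03b28af9c3e290d8041c6"}):
        print(f"pid {row['pid']:>5}  {row['path']}")
        for why in reasons:
            print(f"    - {why}")
```

Running it prints the umpndisk.exe and updater.exe entries with their reasons and leaves svchost.exe alone; on a real report you would feed the whole file to `parse_processes` and extend the watchlist with hashes you have already submitted.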
 
I noticed the response to message "Spyware keep coming..."
So I did what was suggested there, however, when I run the
GIANTAntiSpywareMain.exe program, I get the message: "...
Microsoft Windows AntiSpyware had encountered a critical
error (Error 101) ..." and then tells me to try re-
installing a more recent version, however, the version I
installed was one I downloaded last night.
My guess is that it is not able to install properly.

Glynn Novice
 
Probably not.

I'd advise doing that, but not while your machine may already be
compromised--that could make things worse, rather than better.

I think you need a good scan from a competent, up-to-date antivirus, in safe
mode.

I think I'd recommend Trend Micro's System Cleaner:
http://www.trendmicro.com/download/dcs.asp

Download the Sysclean Package from the above URL and then go to:
http://www.trendmicro.com/download/pattern.asp

and download the zip of the latest patterns.

Unzip and put the result in the same folder as the sysclean file.

Run the sysclean executable. I think I'd do this in safe mode, but I'm not
sure I've tested to be sure that is possible---try it.




--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Glynn Novice said:
Would Installing XP SP2 help?

Thanks,

Glynn Novice

 
Thanks for the reply,

I did what you suggested, but it did not seem to find any
virus files, however it reported that for several files
(around 100) that it "Could not set file for reading"
or "Access is denied" and did not report that the rogue
service process file (umpndisk.exe) was a virus file.
I did log in on as an Administrator account to run the
Scan (in Safe mode).

When I went to the properties (Security tab) on one of the
files, I got a message:
"You do not have permission to view or edit the current
permission settings for admin, but you can take ownership
or change auditing settings"
I was able to change the owner and then able to add my
account to its permissions.

So I'll try fixing up the permissions manually and re-run
the scan.

Regards,

Glynn Novice
 
Permissions set "oddly" may indicate malware, for sure, and also has
historically confounded Microsoft Antispyware's scanning.

So--resetting permissions seems like a good idea.

If you can grab that executable (for the process) --submit it to

www.virustotal.com

At least one of those vendors will also flag spyware in some cases.


--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
Tried the file on www.virustotal.com

Interestingly only 3 of the 18 virus programs identified
it as a virus.

Is it appropriate to post the detailed results here?

I haven't had much time to work on this computer so am
still to fix my file permissions.

Regards,
Glynn Novice
 
Sure--post away!

I'm not sure what the sparse result indicates. It may be something in a
category that not everyone covers (i.e. "spyware"), or it could be something
detected only heuristically--and some vendors do this better than others, or
it could be something brand new......

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
Result
AntiVir 6.30.0.7 04.14.2005 no virus found
AVG 718 04.14.2005 no virus found
BitDefender 7.0 04.14.2005 no virus found
ClamAV devel-20050307 04.14.2005 no virus found
DrWeb 4.32b 04.14.2005 no virus found
eTrust-Iris 7.1.194.0 04.14.2005 no virus found
eTrust-Vet 11.7.0.0 04.14.2005 Win32.Codalush
Fortinet 2.51 04.14.2005 no virus found
F-Prot 3.16b 04.14.2005 no virus found
Ikarus 2.32 04.13.2005 no virus found
Kaspersky 4.0.2.24 04.14.2005 no virus found
McAfee 4468 04.13.2005 no virus found
NOD32v2 1.1061 04.14.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 04.12.2005 no virus found
Panda 8.02.00 04.13.2005 no virus found
Sybari 7.5.1314 04.14.2005 Win32.Codalush
Symantec 8.0 04.14.2005 no virus found
VBA32 3.10.3 04.13.2005 no virus found

 
The nod32 reading probably indicates the heuristic detection I mentioned.

Here's Trend Micro's description:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_CODALUSH.A

This is quite new--first in their definitions April 11, 2005

You could look at the technical details and try to verify that the named
files are present on your system.

Hmm - We did the sysclean run on April 12th--can you determine whether the
definitions were the April 11th ones or not?

I'd either get new defs for sysclean, or use their online scanner
http://housecall.trendmicro.com




--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

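The scanner table Glynn posted and the reply's reading of it (a named family from two engines, a heuristic verdict from NOD32, and the question of whether a given run's definitions were recent enough to contain the new signature) are exactly what a responder wants pulled out of a multi-engine result. The following is an added example, not part of the thread: a Python parser for that plain-text table. The values are copied from the post and re-embedded as a constructed string, including the NOD32 line wrapped over two lines as it appeared; the `HEURISTIC_HINTS` word list and the definitions-date check are this example's own assumptions, not VirusTotal's or any vendor's classification.

```python
import re
from datetime import datetime

# Constructed copy of the scanner table posted in the thread (engine, version,
# definitions date, verdict). The NOD32 verdict is wrapped as it was in the post.
VT_TEXT = """Result
AntiVir 6.30.0.7 04.14.2005 no virus found
AVG 718 04.14.2005 no virus found
BitDefender 7.0 04.14.2005 no virus found
ClamAV devel-20050307 04.14.2005 no virus found
DrWeb 4.32b 04.14.2005 no virus found
eTrust-Iris 7.1.194.0 04.14.2005 no virus found
eTrust-Vet 11.7.0.0 04.14.2005 Win32.Codalush
Fortinet 2.51 04.14.2005 no virus found
F-Prot 3.16b 04.14.2005 no virus found
Ikarus 2.32 04.13.2005 no virus found
Kaspersky 4.0.2.24 04.14.2005 no virus found
McAfee 4468 04.13.2005 no virus found
NOD32v2 1.1061 04.14.2005 probably unknown NewHeur_PE
virus
Norman 5.70.10 04.12.2005 no virus found
Panda 8.02.00 04.13.2005 no virus found
Sybari 7.5.1314 04.14.2005 Win32.Codalush
Symantec 8.0 04.14.2005 no virus found
VBA32 3.10.3 04.13.2005 no virus found
"""

# engine, version, mm.dd.yyyy definitions date, verdict (rest of the line)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
# Words that mark a generic/heuristic verdict rather than a named family (assumed list).
HEURISTIC_HINTS = ("heur", "probably", "suspicious", "generic")
CLEAN = "no virus found"


def parse_results(text):
    """Parse the table; a line with no engine/date prefix is a wrapped continuation
    of the previous verdict and is glued back on."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Result":
            continue
        m = ROW.match(line)
        if m:
            rows.append({"engine": m.group(1), "version": m.group(2),
                         "defs": datetime.strptime(m.group(3), "%m.%d.%Y").date(),
                         "result": m.group(4).strip()})
        elif rows:
            rows[-1]["result"] += " " + line
    return rows


def summarize(rows):
    """Split detections into named-family verdicts (grouped by name) and heuristic ones."""
    detections = [r for r in rows if r["result"].lower() != CLEAN]
    named, heuristic = {}, []
    for r in detections:
        if any(h in r["result"].lower() for h in HEURISTIC_HINTS):
            heuristic.append(r["engine"])
        else:
            named.setdefault(r["result"], []).append(r["engine"])
    return {"engines": len(rows), "detections": len(detections),
            "named": named, "heuristic": heuristic}


def stale_engines(rows, cutoff):
    """Engines whose definitions predate cutoff (mm.dd.yyyy): their clean verdicts
    could not have included a signature first published on or after that date."""
    limit = datetime.strptime(cutoff, "%m.%d.%Y").date()
    return [r["engine"] for r in rows if r["defs"] < limit]


if __name__ == "__main__":
    rows = parse_results(VT_TEXT)
    s = summarize(rows)
    print(f"{s['detections']} of {s['engines']} engines flagged the file")
    for family, engines in s["named"].items():
        print(f"  {family}: {', '.join(engines)}")
    print(f"  heuristic only: {', '.join(s['heuristic']) or 'none'}")
    print(f"  definitions older than 04.13.2005: {stale_engines(rows, '04.13.2005')}")
```

On the posted table this reports 3 of 18, groups eTrust-Vet and Sybari under Win32.Codalush, lists NOD32v2 as heuristic only, and shows which engines were scanning with definitions older than a chosen date, which is the same question the reply raises about the April 12th sysclean run.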
 
One other thought--It would be good to do a Tools, Suspected Spyware Report
from this machine, and detail the name of the executable and the trend-micro
virus url for them.

Steve Wechsler [MVP] might be interested in the executable as well, and
could pass it on to Microsoft.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Glynn Novice said:
Engine       Version         Date        Result
AntiVir      6.30.0.7        04.14.2005  no virus found
AVG          718             04.14.2005  no virus found
BitDefender  7.0             04.14.2005  no virus found
ClamAV       devel-20050307  04.14.2005  no virus found
DrWeb        4.32b           04.14.2005  no virus found
eTrust-Iris  7.1.194.0       04.14.2005  no virus found
eTrust-Vet   11.7.0.0        04.14.2005  Win32.Codalush
Fortinet     2.51            04.14.2005  no virus found
F-Prot       3.16b           04.14.2005  no virus found
Ikarus       2.32            04.13.2005  no virus found
Kaspersky    4.0.2.24        04.14.2005  no virus found
McAfee       4468            04.13.2005  no virus found
NOD32v2      1.1061          04.14.2005  probably unknown NewHeur_PE virus
Norman       5.70.10         04.12.2005  no virus found
Panda        8.02.00         04.13.2005  no virus found
Sybari       7.5.1314        04.14.2005  Win32.Codalush
Symantec     8.0             04.14.2005  no virus found
VBA32        3.10.3          04.13.2005  no virus found

-----Original Message-----
Sure--post away!

I'm not sure what the sparse result indicates. It may be something in a
category that not everyone covers (i.e. "spyware"), or it could be something
detected only heuristically--and some vendors do this better than others, or
it could be something brand new......

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Tried the file on www.virustotal.com

Interestingly only 3 of the 18 virus programs identified
it as a virus.

Is it appropriate to post the detailed results here?

I haven't had much time to work on this computer, so I am still to fix my
file permissions.

Regards,
Glynn Novice

-----Original Message-----
Permissions set "oddly" may indicate malware, for sure, and have also
historically confounded Microsoft Antispyware's scanning.

So--resetting permissions seems like a good idea.

If you can grab that executable (for the process), submit it to

www.virustotal.com

At least one of those vendors will also flag spyware in some cases.


--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Glynn Novice" <[email protected]>
wrote in message
Thanks for the reply,

I did what you suggested, but it did not seem to find any virus files;
however, it reported for several files (around 100) that it "Could not set
file for reading" or "Access is denied", and did not report that the rogue
service process file (umpndisk.exe) was a virus file.
I did log on as an Administrator account to run the scan (in Safe mode).

When I went to the properties (Security tab) on one of the files, I got a
message:
"You do not have permission to view or edit the current permission settings
for admin, but you can take ownership or change auditing settings"
I was able to change the owner and then add my account to its permissions.

So I'll try fixing up the permissions manually and re-run the scan.

Regards,

Glynn Novice

-----Original Message-----
Probably not.

I'd advise doing that, but not while your machine may already be
compromised--that could make things worse, rather than better.

I think you need a good scan from a competent, up-to-date antivirus, in safe
mode.

I think I'd recommend Trend Micro's System Cleaner:
http://www.trendmicro.com/download/dcs.asp

Download the Sysclean Package from the above URL and then go to:
http://www.trendmicro.com/download/pattern.asp

and download the zip of the latest patterns.

Unzip and put the result in the same folder as the sysclean file.

Run the sysclean executable. I think I'd do this in safe mode, but I'm not
sure I've tested to be sure that is possible---try it.




--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
I looked up the Trend Micro definition and there are some differences.
Yes, the file name is changing after each time I delete it, but there is
also a corresponding .ocx (same base name) that goes with it.

The registry key that runs it is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Media" C:\WINDOWS\System32\umpndisk.exe

As mentioned in the beginning of this thread, the process
does appear in the task manager but I can't seem to stop
it from the Task Manager (Complains that it "...runs in
the same process as the service control manager")

I have also noticed that I can't stop the "explorer"
process anymore - gives the same message.

But something else is creating this rogue process and
starting the service.

If I delete it in safe mode and then re-start it in normal
mode - open the task manager ASAP, then two "iexplore"
processes appear briefly, and soon after the new rogue
process appears.

As also mentioned, for some reason, the Send report in the
Suspected Spyware Report Tool is not working.
(Also, I would also assume that this report would have to
be run in normal mode for it to be useful)

Is there an email that I can send the report and rogue
files to?

I have to retire for the night, so I won't be able to respond till
tomorrow.

Many thanks for your assistance with this.

Regards,
Glynn Novice
 
You can send the rogue files to Steve Wechsler [MVP] at this address:

(e-mail address removed)

He can get them to Microsoft.

I think you are very close to being able to clean this up--what's needed is
to look at the descriptions of the virus as published by various vendors--it
pays to look at several--and use the system explorers in Microsoft
Antispyware, or MSCONFIG to uncheck the code that is recreating these
processes when you restart. You'd need to be doing this in safe mode so
that the thing is not running.

Ron Kinner and HijackThis logs are one way to go at this--I was hoping that
the standard antivirus tools would take care of this, since they identify
it, but clearly they are not doing the job.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
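A small triage script, added here as an example and not code from the thread or from any of the tools it mentions: it parses an MSSSRT-style XML process list like the <Process> entry Glynn quoted, reads a `reg query` listing of the Run key he found, and reports which autostart values point at an image that is either a confirmed-bad hash (as from a virustotal.com submission) or an unsigned, unversioned file under System32. Those are the entries Bill's advice says to uncheck in MSCONFIG or the system explorers while in safe mode. The sample report, the Run-key listing and the known-bad hash set are constructed for the example (the MD5 and the "Remote Media" value are the ones from the thread; the svchost and SoundMan entries are made up), and the meaning of the report's attribute names (nam, pub, ver, sz) is assumed from the names.

```python
"""Autostart triage: correlate a process report with Run-key entries.

Added example (not from the thread). The meaning of the MSSSRT-style
report attributes (nam = image name, pub = publisher, ver = version,
sz = size) is assumed from their names.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample report in the style of the <Process> element quoted in
# the thread. The first entry reuses Glynn's values; the second is a made-up
# benign, publisher-signed process for contrast.
SAMPLE_REPORT = r"""<Report>
<Process ex="1" pid="1756" nam="(umpndisk.exe)" pub="" md5="41bce3430bc03b28af9c3e290d8041c6" ver="" sz="88064" is="0" gfp="">C:\WINDOWS\System32\umpndisk.exe</Process>
<Process ex="1" pid="1100" nam="(svchost.exe)" pub="Microsoft Corporation" md5="00000000000000000000000000000000" ver="5.1.2600.1106" sz="12288" is="1" gfp="">C:\WINDOWS\System32\svchost.exe</Process>
</Report>"""

# Constructed sample of `reg query HKLM\...\Run` output. "Remote Media" is
# the value Glynn found; "SoundMan" is a made-up benign entry with a quoted
# path and an argument, to exercise the command-line parsing.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Remote Media    REG_SZ    C:\WINDOWS\System32\umpndisk.exe
    SoundMan    REG_SZ    "C:\Program Files\Audio\soundman.exe" /quiet
"""

# Hashes confirmed by a multi-engine scan such as virustotal.com
# (constructed set; the hash is the MD5 from the thread's report).
KNOWN_BAD_MD5 = {"41bce3430bc03b28af9c3e290d8041c6"}

# Directories where an unsigned, unversioned image deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

# One `reg query` value line: name, two+ spaces, REG_type, the command.
RUN_LINE = re.compile(r"^\s*(?P<name>.+?)\s{2,}REG_\w+\s+(?P<cmd>.+?)\s*$")


def parse_process_report(xml_text):
    """Return one dict per <Process> element with the fields we triage on."""
    root = ET.fromstring(xml_text)
    procs = []
    for el in root.iter("Process"):
        procs.append({
            "path": (el.text or "").strip(),
            "name": el.get("nam", "").strip("()"),
            "publisher": el.get("pub", ""),
            "version": el.get("ver", ""),
            "md5": el.get("md5", "").lower(),
            "pid": int(el.get("pid", "0")),
        })
    return procs


def _command_target(cmd):
    """Extract the executable path from a Run value (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare path: keep tokens up to and including the first one ending in .exe
    path = []
    for tok in cmd.split():
        path.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(path)


def parse_run_key(text):
    """Return (value name, executable path) pairs from `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            entries.append((m.group("name"), _command_target(m.group("cmd"))))
    return entries


def is_suspicious(proc, known_bad):
    """Return a reason string if the process merits attention, else None."""
    if proc["md5"] in known_bad:
        return "hash matches a confirmed detection"
    path = proc["path"].lower()
    if path.startswith(SYSTEM_DIRS) and not proc["publisher"] and not proc["version"]:
        return "unsigned, unversioned image in a system directory"
    return None


def triage(report_xml, run_key_text, known_bad):
    """Flag suspicious processes and the Run values that would restart them."""
    suspicious = []
    for proc in parse_process_report(report_xml):
        reason = is_suspicious(proc, known_bad)
        if reason:
            suspicious.append({**proc, "reason": reason})
    flagged_paths = {p["path"].lower() for p in suspicious}
    to_disable = [name for name, target in parse_run_key(run_key_text)
                  if target.lower() in flagged_paths]
    return {"suspicious_processes": suspicious, "autostarts_to_disable": to_disable}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SAMPLE_RUN_KEY, KNOWN_BAD_MD5)
    for p in result["suspicious_processes"]:
        print(f"pid {p['pid']:>5}  {p['path']}  md5={p['md5']}  ({p['reason']})")
    for name in result["autostarts_to_disable"]:
        print(f"Run value to uncheck or remove in safe mode: {name!r}")
```

On the sample input the script flags umpndisk.exe (first by its hash, and, if the hash set is empty, by its blank publisher and version under System32) and names "Remote Media" as the Run value to disable; the signed svchost entry and the SoundMan value are left alone. The path match is exact and case-insensitive, so a rogue that renames itself on each reboot (as Glynn reports) would need the Run key re-read after each cleanup pass.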

 
Glynn,

W32.Codalush has just been identified recently. Unfortunately, Trend
Micro's description is of no use in your situation since it appears that
you are dealing with a different variant.

The ActiveX component (.ocx) you mention may very well be from MediaPass.
Is that listed in Add/Remove Programs? If so, uninstall it.
(Also, check for RemoteMedia.)

1) Show hidden files, folders, and system files :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) Next, go to http://www3.ca.com/virusinfo/virusscan.aspx
eTrust's scanner will detect the files associated with Codalush.

Then download a copy of Hijack This :
http://www.aumha.org/downloads/hijackthis.zip
Unzip it to the root drive, usually C:\ or to My Documents.
With all programs and browsers CLOSED, scan the system, save the log,
and email it to me along with the results of the eTrust scan.

Here are the results of another Codalush infection detected by eTrust's
online scanner. The file names may be random, so do not expect to find
these on your system:

dbgesapi.exe Win32.Codalush cannot delete C:\WINDOWS\system32\
servns32.dll Win32.Codalush cannot delete C:\WINDOWS\system32\
zipfrpcn.dll Win32.Codalush cannot delete C:\WINDOWS\system32\

The phantom Service you mention, Workstation Netlogon Service, has been
associated with Cool Web Search infestations. Thus, you may be dealing
with a blended threat.


Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

===============
*-343-* FDNY
Never Forgotten
===============


 
Good news (for me anyway).
As eTrust-Vet (Computer Associates) was one of the few that did identify
the file as a virus, I downloaded their anti-virus and ran it overnight
(which I note that you, Steve, also suggested doing).
It identified two virus strains:
Win32.Codalush trojan (15 DLL files deleted)
Win32.Winshow trojan (5 files deleted)
This seems to have fixed most of the symptoms on my machine - at least all
of the bad ones.
I don't know if one worked (blended) with the other.

In reply to your question, Steve, I didn't find any
MediaPass or RemoteMedia programs installed.

However, I will still send you the suspect files and a before and after
HijackThis log (before and after I manually fixed my settings - embarrassing
to find out how much junk was on my machine!) plus the eTrust and
MSSSRT.exe logs.

I am reasonably confident that I should now be able to
Install XP SP2.

My sincere thanks to you, Bill and Steve, for assisting me with this.
Particularly being introduced to the www.virustotal.com site.

Regards,
Glynn
-----Original Message-----
Glynn,

W32.Codalush has just been identified recently. Unfortunately, Trend
Micro's description is of no use in your situation since it appears that
you are dealing with a different variant.

The ActiveX component ( .ocx ) you mention may very well may be from
MediaPass. Is that listed in Add/Remove Programs ? If so, uninstall it.
(Also, check for RemoteMedia)

1) Show hidden files, folders, and system files :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) Next, go to http://www3.ca.com/virusinfo/virusscan.aspx
eTrust's scanner will detect the files associated with Codalush.

Then download a copy of Hijack This :
http://www.aumha.org/downloads/hijackthis.zip
Unzip it to the root drive, usually C:\ or to My Documents.
With all programs and browsers CLOSED, scan the system, save the log,
and email it to me along with the results of the eTrust scan.

Here's the results of another Codalush infection detected by eTrust's
online scanner. The file names may be random so do not expect to find
these on your system :

dbgesapi.exe Win32.Codalush cannot delete C:\WINDOWS\system32\
servns32.dll Win32.Codalush cannot delete C:\WINDOWS\system32\
zipfrpcn.dll Win32.Codalush cannot delete C:\WINDOWS\system32\

The phantom Service you mention, Workstation Netlogon Service, has been
associated with Cool Web Search infestations. Thus, you may be dealing
with a blended threat.


Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

===============
*-343-* FDNY
Never Forgotten
===============


Glynn said:
I looked up the Trend Micro definition and there are some
differences.
Yes, the file name is changing after each time I delete
it, but there is also an corresponding .ocx (same base
name) that goes with it.

The registry key that runs it is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
o
n\Run
"Remote Media" C:\WINDOWS\System32\umpndisk.exe

As mentioned in the beginning of this thread, the process
does appear in the task manager but I can't seem to stop
it from the Task Manager (Complains that it "...runs in
the same process as the service control manager")

I have also noticed that I can't stop the "explorer"
process anymore - gives the same message.

But something else is creating this rogue process and
starting the service.

If I delete it in safe mode and then re-start it in normal
mode - open the task manager ASAP, then two "iexplore"
processes appear briefly, and soon after the new rogue
process appears.

As also mentioned, for some reason, the Send report in the
Suspected Spyware Report Tool is not working.
(Also, I would also assume that this report would have to
be run in normal mode for it to be useful)

Is there an email that I can send the report and rogue
files to?

I have to retire for the night, so I wont be able to
respond till tomorrow.

Many thanks for your assistance with this.

Regards,
Glynn Novice

-----Original Message-----
One other thought--It would be Good to do a Tools,

Suspected Spyware Report
from this machine, and detail the name of the
executable
and the trend-micro
virus url for them.

Steve Wechsler [MVP] might be interested in the

executable as well, and
could pass it on to Microsoft.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Glynn Novice" <[email protected]>

wrote in message
Result
AntiVir 6.30.0.7 04.14.2005 no virus found
AVG 718 04.14.2005 no virus found
BitDefender 7.0 04.14.2005 no virus found
ClamAV devel-20050307 04.14.2005 no virus found
DrWeb 4.32b 04.14.2005 no virus found
eTrust-Iris 7.1.194.0 04.14.2005 no virus found
eTrust-Vet 11.7.0.0 04.14.2005 Win32.Codalush
Fortinet 2.51 04.14.2005 no virus found
F-Prot 3.16b 04.14.2005 no virus found
Ikarus 2.32 04.13.2005 no virus found
Kaspersky 4.0.2.24 04.14.2005 no virus found
McAfee 4468 04.13.2005 no virus found
NOD32v2 1.1061 04.14.2005 probably unknown NewHeur_PE
virus
Norman 5.70.10 04.12.2005 no virus found
Panda 8.02.00 04.13.2005 no virus found
Sybari 7.5.1314 04.14.2005 Win32.Codalush
Symantec 8.0 04.14.2005 no virus found
VBA32 3.10.3 04.13.2005 no virus found



-----Original Message-----
Sure--post away!

I'm not sure what the sparse result indicates. It
may

be
something in a

category that not everyone covers (i.e. "spyware"),
or

it
could be something

detected only heuristically--and some vendors do this

better than others, or

it could be something brand new......

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Glynn Novice" <[email protected]>

wrote in message


Tried the file on www.virustotal.com

Interestingly only 3 of the 18 virus programs
identified

it as a virus.

Is it appropriate to post the detailed results here?

I havn't had much time to work on this computer so am
still to fix my file permissions.

Regards,
Glynn Novice


-----Original Message-----
Permissions set "oddly" may indicate malware, for
sure,

and also has

historically confounded Microsoft Antispyware's

scanning.

So--resetting permissions seems like a good idea.

If you can grab that executable (for the process) - -

submit it to

www.virustotal.com

At least one of those vendors will also flag
spyware

in
some cases.


--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.h tm

"Glynn Novice"
wrote in message


Thanks for the reply,

I did what you suggested, but it did not seem to find any virus files, however it reported for several files (around 100) that it "Could not set file for reading" or "Access is denied" and did not report that the rogue service process file (umpndisk.exe) was a virus file.

I did log in as an Administrator account to run the Scan (in Safe mode).

When I went to the properties (Security tab) on one of the files, I got a message:
"You do not have permission to view or edit the current permission settings for admin, but you can take ownership or change auditing settings"
I was able to change the owner and then able to add my account to its permissions.

So I'll try fixing up the permissions manually and re-run the scan.

Regards,

Glynn Novice


-----Original Message-----
Probably not.

I'd advise doing that, but not while your machine may already be compromised--that could make things worse, rather than better.

I think you need a good scan from a competent, up-to-date antivirus, in safe mode.

I think I'd recommend Trend Micro's System Cleaner:
http://www.trendmicro.com/download/dcs.asp

Download the Sysclean Package from the above URL and then go to:

http://www.trendmicro.com/download/pattern.asp

and download the zip of the latest patterns.

Unzip and put the result in the same folder as the sysclean file.

Run the sysclean executable. I think I'd do this in safe mode, but I'm not sure I've tested to be sure that is possible--- try it.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Glynn Novice" wrote in message


Would Installing XP SP2 help?

Thanks,

Glynn Novice



-----Original Message-----
I have downloaded the MicrosoftAntiSpywareInstall.exe program but it doesn't seem to run. It installs the files but running the start menu item or clicking on the .exe does nothing.

I noticed that an error log was created with the following content "429::ln 0:ActiveX component can't create object::gcasServ:modMain:Main::12/04/2005 12:16:59 AM:1.0.509"

I do suspect that I do have some sort of spyware problem on my PC.
Yesterday I manually removed a strange "Workstation Netlogon Service" service registry but I still think that there is a problem on my PC.

I was able to run the MSSSRT.exe program however after the report is generated, it complained that "An error occurred submitting the scan results. Please check you Internet proxy setiings ant try again". [The MS message does say "You" and not "Your".]
I checked my internet settings and they seem to be OK.

Inside of the XML report output, I noticed the following:
<Process ex="1" pid="1756" nam="(umpndisk.exe)" pub="" md5="41bce3430bc03b28af9c3e290d8041c6" ver="" sz="88064" is="0" gfp="">C:\WINDOWS\System32\umpndisk.exe</Process>
Which I think is an invalid process, but I can't seem to stop it from the Task Manager (Complains that it "... runs in the same process as the service control manager")

I am running XP SP1, but my "Windows Update" won't work stating "Windows Update cannot continue because a required service application is disabled".

Also my Norton's Virus program won't install and I am seeing: "The server {72C2714F-4478-11D3-B537-00902771A435} did not register with DCOM within the required timeout." error messages in my system log.

Hope you guys can sort this one out.

Regards,

Glynn Novice
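Added example, not code from the thread or from any scanner vendor: a parser for the multi-engine listing pasted at the top of this post, which handles the NOD32 result that wrapped onto a second line and then separates hits that name a family (signature detections) from heuristic-only hits, the distinction Bill's reply draws when reading a sparse result. The row layout (engine, version, date, result) and the heuristic keywords are assumptions taken from the listing as pasted.

```python
import re
from collections import Counter
# Scanner listing quoted in the thread, as pasted (NOD32 result wrapped). Constructed sample.
LISTING = """\
AntiVir 6.30.0.7 04.14.2005 no virus found
AVG 718 04.14.2005 no virus found
BitDefender 7.0 04.14.2005 no virus found
ClamAV devel-20050307 04.14.2005 no virus found
DrWeb 4.32b 04.14.2005 no virus found
eTrust-Iris 7.1.194.0 04.14.2005 no virus found
eTrust-Vet 11.7.0.0 04.14.2005 Win32.Codalush
Fortinet 2.51 04.14.2005 no virus found
F-Prot 3.16b 04.14.2005 no virus found
Ikarus 2.32 04.13.2005 no virus found
Kaspersky 4.0.2.24 04.14.2005 no virus found
McAfee 4468 04.13.2005 no virus found
NOD32v2 1.1061 04.14.2005 probably unknown NewHeur_PE
virus
Norman 5.70.10 04.12.2005 no virus found
Panda 8.02.00 04.13.2005 no virus found
Sybari 7.5.1314 04.14.2005 Win32.Codalush
Symantec 8.0 04.14.2005 no virus found
VBA32 3.10.3 04.13.2005 no virus found
"""
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d\.\d\d\.\d{4})\s+(.+)$")  # engine ver date result

def parse_listing(text):
    """Return [(engine, result)]; a line that is not a row is a wrapped tail of the previous result."""
    rows = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = ROW.match(line)
        if m:
            rows.append([m.group(1), m.group(4)])
        elif rows:
            rows[-1][1] += " " + line  # glue the wrapped fragment back on
    return [tuple(r) for r in rows]

def classify(result):
    """clean / heuristic (no named family, assumed keywords) / signature (named family)."""
    r = result.lower()
    if r == "no virus found":
        return "clean"
    return "heuristic" if any(w in r for w in ("heur", "probably", "suspicious", "generic")) else "signature"

def summarize(text):
    rows = parse_listing(text)
    kinds = Counter(classify(res) for _, res in rows)
    families = Counter(res for _, res in rows if classify(res) == "signature")
    return {"engines": len(rows), "flagged": len(rows) - kinds["clean"],
            "heuristic": kinds["heuristic"], "families": dict(families)}
```

For this listing the summary is 3 of 18 engines flagging the file, two of them agreeing on the same family name and one heuristic-only, which is what makes the result worth a second scanner rather than a dismissal.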
 
Excellent news--thanks Steve, and congratulations Glynn--this wasn't an easy one. I spent much longer than I should have this afternoon on a coolwebsearch critter, so I have recent first-hand experience with how hard this can be.

I'm impressed with EZ-trust, too--are you aware that you can get this on a 1
year free trial?
http://www.microsoft.com/athome/security/protect/windows2000/antivirus.mspx

These should all work on XP as well, I believe.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Glynn Novice said:
Good news (for me anyway)
As eTrust-Vet (Computer Associates) was one of the few
that did identify the file as a virus, I did download
their Anti-virus and ran it overnight. (which I note that
you, Steve, also suggested to do)
It did identify two virus strains:
Win32.Codalush trojan (15 DLL files deleted)
Win32.Winshow trojan (5 files deleted)
This has seemed to fix up most of the symptoms on my
machine - at least all of the bad ones.
I don't know if one worked (blended) with the other.

In reply to your question, Steve, I didn't find any
MediaPass or RemoteMedia programs installed.

However, I will still send you the suspect files and a before and after hijackthis log (before and after I manually fixed my settings - embarrassing to find out how much junk was on my machine!) plus the eTrust and MSSSRT.exe logs.

I am reasonably confident that I should now be able to Install XP SP2.

My sincere thanks to you, Bill and Steve for assisting me with this. Particularly being introduced to the www.virustotal.com site.

Regards,
Glynn
-----Original Message-----
Glynn,

W32.Codalush has just been identified recently. Unfortunately, Trend
Micro's description is of no use in your situation since it appears that
you are dealing with a different variant.

The ActiveX component ( .ocx ) you mention may very well be from MediaPass. Is that listed in Add/Remove Programs ? If so, uninstall it. (Also, check for RemoteMedia)

1) Show hidden files, folders, and system files :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) Next, go to http://www3.ca.com/virusinfo/virusscan.aspx
eTrust's scanner will detect the files associated with Codalush.

Then download a copy of Hijack This :
http://www.aumha.org/downloads/hijackthis.zip
Unzip it to the root drive, usually C:\ or to My Documents.
With all programs and browsers CLOSED, scan the system, save the log,
and email it to me along with the results of the eTrust scan.

Here's the results of another Codalush infection detected by eTrust's
online scanner. The file names may be random so do not expect to find
these on your system :

dbgesapi.exe Win32.Codalush cannot delete C:\WINDOWS\system32\
servns32.dll Win32.Codalush cannot delete C:\WINDOWS\system32\
zipfrpcn.dll Win32.Codalush cannot delete C:\WINDOWS\system32\

The phantom Service you mention, Workstation Netlogon Service, has been
associated with Cool Web Search infestations. Thus, you may be dealing
with a blended threat.


Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

===============
*-343-* FDNY
Never Forgotten
===============


Glynn said:
I looked up the Trend Micro definition and there are some
differences.
Yes, the file name is changing after each time I delete it, but there is also a corresponding .ocx (same base name) that goes with it.

The registry key that runs it is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Media" C:\WINDOWS\System32\umpndisk.exe

As mentioned in the beginning of this thread, the process
does appear in the task manager but I can't seem to stop
it from the Task Manager (Complains that it "...runs in
the same process as the service control manager")

I have also noticed that I can't stop the "explorer"
process anymore - gives the same message.

But something else is creating this rogue process and
starting the service.

If I delete it in safe mode and then re-start it in normal
mode - open the task manager ASAP, then two "iexplore"
processes appear briefly, and soon after the new rogue
process appears.

As also mentioned, for some reason, the Send report in the
Suspected Spyware Report Tool is not working.
(Also, I would also assume that this report would have to
be run in normal mode for it to be useful)

Is there an email that I can send the report and rogue
files to?

I have to retire for the night, so I won't be able to respond till tomorrow.

Many thanks for your assistance with this.

Regards,
Glynn Novice


-----Original Message-----
One other thought--It would be Good to do a Tools, Suspected Spyware Report from this machine, and detail the name of the executable and the trend-micro virus url for them.

Steve Wechsler [MVP] might be interested in the executable as well, and could pass it on to Microsoft.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Glynn Novice" <[email protected]> wrote in message


Result
AntiVir 6.30.0.7 04.14.2005 no virus found
AVG 718 04.14.2005 no virus found
BitDefender 7.0 04.14.2005 no virus found
ClamAV devel-20050307 04.14.2005 no virus found
DrWeb 4.32b 04.14.2005 no virus found
eTrust-Iris 7.1.194.0 04.14.2005 no virus found
eTrust-Vet 11.7.0.0 04.14.2005 Win32.Codalush
Fortinet 2.51 04.14.2005 no virus found
F-Prot 3.16b 04.14.2005 no virus found
Ikarus 2.32 04.13.2005 no virus found
Kaspersky 4.0.2.24 04.14.2005 no virus found
McAfee 4468 04.13.2005 no virus found
NOD32v2 1.1061 04.14.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 04.12.2005 no virus found
Panda 8.02.00 04.13.2005 no virus found
Sybari 7.5.1314 04.14.2005 Win32.Codalush
Symantec 8.0 04.14.2005 no virus found
VBA32 3.10.3 04.13.2005 no virus found



 
