Error during cleaning

Discussion in 'ewido anti-spyware forum' started by traber, Oct 4, 2006.

Thread Status:
Not open for further replies.
  1. traber

    traber Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    2
    AVG Anti-Spyware 7.5: After all scans, when I choose either DELETE or QUARANTINE, I always get "error during cleaning" as the result after applying the action for almost all objects. I've even done a complete scan while in safe mode. I am using Firefox as the browser. Any ideas for preventing error messages during cleaning?
     
  2. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Can you attach a scan log here, or say which detected files cannot be removed?
     
  3. Lantakik

    Lantakik Registered Member

    Joined:
    Oct 5, 2006
    Posts:
    1
    Mrs

    I have the same problem with Ewido Anti-Malware.
     
  4. traber

    traber Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    2
    Attached is error report.
     
  5. zhaoxiubo

    zhaoxiubo Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    6
    I also encountered similar plights. At first I guessed some correlated courses were not shut down; however, after a restart and in a safe mode pattern, it still says "error during cleaning". So I guess the virus has juggled and replaced the correct system files. If we delete or quarantine it, the system will be damaged; if we leave it, the system will report the error repeatedly.
    Oh, it's a dilemma.
     
  6. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Please post the requested scan logs here.
     
  7. pachips

    pachips Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    5
    I had the same problem. After I downloaded the program, I scanned my computer and it found 24 traces detected. So I tried selecting Quarantine, but once I did it, in one part it said "Actions have been applied", while next to the name of the malware it said "Error while Quarantine".

    The name of the threat is "downloader.Agent.uj"

    And the report said:


    [1036] VM_00A90000 -> Downloader.Agent.uj : Error during cleaning.
    [1324] VM_00970000 -> Downloader.Agent.uj : Error during cleaning.
    [1372] VM_00930000 -> Downloader.Agent.uj : Error during cleaning.
    [1440] VM_00B20000 -> Downloader.Agent.uj : Error during cleaning.
    [1536] VM_00910000 -> Downloader.Agent.uj : Error during cleaning.
    [2372] VM_00380000 -> Downloader.Agent.uj : Error during cleaning.
    [2560] VM_00A50000 -> Downloader.Agent.uj : Error during cleaning.
    [2752] VM_00B20000 -> Downloader.Agent.uj : Error during cleaning.
    [332] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning.
    [344] VM_003D0000 -> Downloader.Agent.uj : Error during cleaning.
    [3892] VM_003D0000 -> Downloader.Agent.uj : Error during cleaning.
    [400] VM_00920000 -> Downloader.Agent.uj : Error during cleaning.
    [424] VM_00B80000 -> Downloader.Agent.uj : Error during cleaning.
    [548] VM_00C10000 -> Downloader.Agent.uj : Error during cleaning.
    [560] VM_00B20000 -> Downloader.Agent.uj : Error during cleaning.
    [584] VM_00C20000 -> Downloader.Agent.uj : Error during cleaning.
    [592] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning.
    [612] VM_00B30000 -> Downloader.Agent.uj : Error during cleaning.
    [668] VM_00920000 -> Downloader.Agent.uj : Error during cleaning.
    [740] VM_03580000 -> Downloader.Agent.uj : Error during cleaning.
    [764] VM_00DD0000 -> Downloader.Agent.uj : Error during cleaning.
    [784] VM_003D0000 -> Downloader.Agent.uj : Error during cleaning.
    [832] VM_00A50000 -> Downloader.Agent.uj : Error during cleaning.
    [864] VM_01270000 -> Downloader.Agent.uj : Error during cleaning.

    Please, help... Thanks
     
  8. vinzenz.ewido

    vinzenz.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    425
    Location:
    Brno, Czech Republic
    Hi,

    Please download rmdlagentuj.exe from http://fileserver.ewido.net/public.cgi?id=20845 and save it to your desktop.

    Then execute this little tool and reboot your computer. After rebooting, execute a complete system scan. Now the threat should be removed.

    Regards,

    Vinzenz
     
  9. pachips

    pachips Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    5
    I did what you said, but it won't go away. Now there are only 2 items, and the new name of the threat is "trojan.small.fb".
    I'm a little bit concerned 'coz it says that the threat has high risk.
    What should I do?
    Thanks
     
  10. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
  11. pachips

    pachips Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    5
    It's extremely long but I'll post it anyway...

    Logfile of HijackThis v1.99.1
    Scan saved at 12:58:20, on 13-10-2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
    c:\archivos de programa\mcafee.com\agent\mcdetect.exe
    c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
    c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
    c:\ARCHIV~1\mcafee.com\vso\OasClnt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
    C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Archivos de programa\Dell\QuickSet\quickset.exe
    C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe
    c:\archivos de programa\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
    C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    c:\archiv~1\mcafee.com\vso\mcvsescn.exe
    C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\Archivos de programa\BitTorrent\bittorrent.exe
    c:\archiv~1\mcafee.com\vso\mcvsftsn.exe
    C:\Archivos de programa\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Archivos de programa\Digital Line Detect\DLG.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\ARCHIV~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Pachi\Mis documentos\gestiopolis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.la.dell.com/content/default.aspx?c=cl&l=es&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.la.dell.com/content/default.aspx?c=cl&l=es&s=gen
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Archivos de programa\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Archivos de programa\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [dmolp.exe] C:\WINDOWS\system32\dmolp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Archivos de programa\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\ARCHIV~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Archivos de programa\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://pachips.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{008732CF-D231-4DB0-BABB-1D1DB56EFA7C}: NameServer = 85.255.114.61,85.255.112.60
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B6011837-9564-4A1A-BCA4-D2CCC33E18A0}: NameServer = 85.255.114.61,85.255.112.60
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.61 85.255.112.60
    O17 - HKLM\System\CS1\Services\Tcpip\..\{008732CF-D231-4DB0-BABB-1D1DB56EFA7C}: NameServer = 85.255.114.61,85.255.112.60
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.61 85.255.112.60
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\ARCHIV~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Archivos de programa\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



    Thanks for your time.
     
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just a reminder since a HJT log was posted:

    Thanks,
    Bubba
     
  13. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    pachips, restart Windows in safe mode, start HijackThis again, select the following entries and press 'Fix checked':

    O4 - HKLM\..\Run: [dmolp.exe] C:\WINDOWS\system32\dmolp.exe
    NOTE: This suspicious file uses random filenames, so it is possible that after a restart you will see another filename here. But all filenames start with the same two letters 'dm' followed by three random letters: dm***.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{008732CF-D231-4DB0-BABB-1D1DB56EFA7C}: NameServer = 85.255.114.61,85.255.112.60

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B6011837-9564-4A1A-BCA4-D2CCC33E18A0}: NameServer = 85.255.114.61,85.255.112.60

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.61 85.255.112.60

    O17 - HKLM\System\CS1\Services\Tcpip\..\{008732CF-D231-4DB0-BABB-1D1DB56EFA7C}: NameServer = 85.255.114.61,85.255.112.60

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.61 85.255.112.60
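
The two kinds of entry selected in the post above (an O4 Run value whose file name is 'dm' plus three letters, and O17 NameServer overrides) can be picked out of a HijackThis log mechanically. This Python example is added here and is not part of the original thread or of any ewido or HijackThis tooling; the function name `review_hjt_log` and the `trusted_dns` allowlist are assumptions, and the sample combines lines from the posted log with one constructed line.

```python
import re

# Lines copied from the HijackThis log posted in this thread, plus one
# constructed O17 line (last) pointing at a resolver we treat as trusted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmolp.exe] C:\WINDOWS\system32\dmolp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{008732CF-D231-4DB0-BABB-1D1DB56EFA7C}: NameServer = 85.255.114.61,85.255.112.60
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.61 85.255.112.60
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-EXAMPLE}: NameServer = 192.168.1.1
"""

# O4 autostart entry: hive, value name, command line.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# File name rule from the post: 'dm' + three letters + '.exe'.
DM_NAME_RE = re.compile(r'(?:^|[\\"])(dm[a-z]{3}\.exe)(?=$|[\s"])', re.I)
# O17 DNS override: registry key and the configured resolver list.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def review_hjt_log(text, trusted_dns):
    """Return (code, location, detail) tuples for entries worth a closer look.

    trusted_dns is the set of resolver addresses the reviewer expects on this
    machine (an assumption of this example; HijackThis has no such list).
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hit = DM_NAME_RE.search(m["cmd"])
            if hit:
                findings.append(("O4", m["name"], hit.group(1).lower()))
            continue
        m = O17_RE.match(line)
        if m:
            # HijackThis prints the list comma- or space-separated.
            servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
            unknown = tuple(s for s in servers if s not in trusted_dns)
            if unknown:
                findings.append(("O17", m["key"], unknown))
    return findings


if __name__ == "__main__":
    for code, where, detail in review_hjt_log(SAMPLE_LOG, {"192.168.1.1"}):
        print(code, where, detail)
```

The name pattern alone can match unrelated programs, so a hit is a prompt to inspect the file, not a verdict.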
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    karl, if you don't mind ;)



    pachips:

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log in the forum.
     
  15. pachips

    pachips Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    5
    No need, but thanks. I was away on a business trip, but when I got home, I did the hijack thing and it worked! It's like having a new computer, everything works.. haha..

    Well, thanks for saving my pc..

    Pachips
     
  16. pachips

    pachips Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    5
    PS: Do you think I need to do that anyways?...
    If you think I should, I'll do it...
     