MS Windows 2003 Server and SD

ruwanr

Hi,

I was using Spybot Search and Destroy 1.4 on an MS Windows Server 2003 machine.
After a malware signature update on 08/02/2008 it detected the following threat.

SB S&D Checks log:
07.02.2008 08:27:53 - found: CoolWWWSearch.Tapicfg Executable.

It was then 'fixed' by SpyBot Search and Destroy.

SB S&D fixes Log:
Report generated : 2008-02-07 10:33
CoolWWWSearch.Tapicfg: Executable (file,fixed)
c:\windows\system32\tapicfg.exe

But upon re-scan the same threat was detected.

The following event was logged.

Microsoft Event Log:
Event type: Information
Event source : Windows file protection
Event category:none
Event ID: 64002
Date: 2/7/2008
Time:10:33:42 AM
User : N/A
Description:
File replacement was attempted on the protected system file c:\windows\system32\tapicfg.exe.
This file was restored to the original version to maintain system stability.The file version of the system file is 5.2.3790.0.
For more information , see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


SD Resident was configured in such a way as to deny subsequent modifications made to the Windows registry (addition of a startup item to check the integrity of Windows system files - "UserFaultCheck") due to this 'fixing'.

SD Resident Log entry :
Timestamp: 02/07/2008 - 10:38:10 AM
Description: Denied value "UserFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -u") added in System Startup global entry!

SD was then updated to version 1.5.2.20 and malware signatures were updated as at 02/06/2008.

But the same problem persists.

Your good advice is needed on the above issue.
An early reply is very much appreciated.

Thanks in advance.

Ruwan
 
Thank you for reporting this issue,

It is a false positive. If it shows up on the next scan please right click this result and set Spybot S&D to ignore it from further scans. A fix for the detection rules will be released with the next update.
 
Hi Yodama,

Thanks for the quick reply.
I will do the needful as advised by you.

What do you mean by threat descriptions in the
Poll: Do you read the threat descriptions included in Spybot?

Well, your forum site is as impressive as most of the ICT forums to which I have subscribed. It is very user friendly and provides easy navigation. Keep up the good work.
 
coolWWWSearch.tapicfg

Thank you for reporting this issue,

It is a false positive. If it shows up on the next scan please right click this result and set Spybot S&D to ignore it from further scans. A fix for the detection rules will be released with the next update.

Hi,
I am new here and have read this post.
As it seems, Spybot treats this executable as a problem.
On many fora this application is called a Trojan, among others.
When Internet Explorer is used, it should redirect to another website or cause the system to slow down.
Currently I have not noticed these kinds of events so far.
However, Spybot found the application as being a threat.
What do I do with it then, just ignore it?
What is it actually, how dangerous is it, and how do we get rid of it?
I already got the latest update today.
 