View Full Version : MS Antispyware update issues, with HTJ log


pangea33
10-19-2005, 03:59 AM
I am hoping that someone can offer me a little advice here. MS Antispyware is encountering problems evidently, and my searches haven't turned up much. The most consistent thing I can find from Google, is a reference to a *chod* related virus. Every one of the pages referring to it says that the virus will stop Zone Alarm and MS Antispyware which are running, and that it will append to my hosts file blocking several sites that I am able to get to.

The "errors.log" file in the Microsoft Antispyware folder contains the following text. The time logged is when my system is set to perform a scheduled spyware scan:

7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/10/2005 7:00:28 AM:XP:1.0.615
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/12/2005 7:00:22 AM:XP:1.0.615
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/13/2005 7:00:28 AM:XP:1.0.615
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/15/2005 7:00:26 AM:XP:1.0.615
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/16/2005 7:00:27 AM:XP:1.0.615
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/18/2005 7:00:17 AM:XP:1.0.615

The "diagnostic.log" file in the Antispyware folder ends with the following text:

gcAntiSpywareLibrary IsAuthorized: True
gcASThreatAudit Status: Loaded
gcASThreatAudit IsAuthorized: True
Now: 10/11/2005 7:21:42 PM

Initially I thought the diagnostic.log was overriding my system settings. My errors.log contains similar error messages both before and after the date shown after "Now:" though. I'll include an HJT log immediately after this post, but it sure looks clean to me. Any ideas on how I can get MSAS up and working again? I've seen a post that says to delete a couple files in order to get updates working again, but I am not totally thrilled by that technique. I have disabled a couple services, including IIS and MDM. Not sure if it is relevant, but I wanted to mention it. Thanks for any input.

Link to chod info: http://securityresponse.symantec.com/avcenter/venc/data/w32.chod.b@mm.html

pangea33
10-19-2005, 04:02 AM
Logfile of HijackThis v1.99.1
Scan saved at 3:02:37 AM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WCEFLMS.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\devldr32.exe
E:\Applications\System Utils\Anti Spyware\hijackthis v1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://127.0.0.1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://127.0.0.1/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://127.0.0.1/
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{44C4C4EC-0207-4B53-BC25-8ADED67F6988}: NameServer = 64.192.96.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ArGoSoft FTP Server (msFTPServerForm) - ArGo Software Design - c:\Program Files\ArGo Software Design\FTP Server\ftpsrvnt.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
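As an added example (not code from the thread or from either poster), here is a small Python triage script for the two artifacts posted above: it parses the "::"-separated errors.log format from the first post, and over HijackThis-style lines and a hosts file it applies the checks the discussion turns on, namely Run entries with no full path (such as the WCEFLMS.exe line), services whose binary is missing, the configured NameServer, and hosts entries that point a security-vendor domain at the loopback address. The sample inputs are constructed from lines in the thread; the errors.log field layout is an assumption inferred from the quoted lines.

```python
import re
# Constructed sample in the format of the MSAS errors.log quoted in the thread.
ERRORS_LOG = """7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/10/2005 7:00:28 AM:XP:1.0.615
7::ln 10:Out of memory::gcasDtServ:ScheduleScans:Update::10/12/2005 7:00:22 AM:XP:1.0.615
"""
# Constructed HijackThis-style lines modelled on the posted log (a subset, not the full log).
HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://127.0.0.1/
O4 - HKLM\..\Run: [WCEFLMS] WCEFLMS.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{44C4C4EC-0207-4B53-BC25-8ADED67F6988}: NameServer = 64.192.96.5
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""
# Constructed hosts file containing one entry of the kind the thread says the worm appends.
HOSTS = """127.0.0.1 localhost
127.0.0.1 securityresponse.symantec.com   # constructed
"""
SECURITY_DOMAINS = {"securityresponse.symantec.com", "virusscan.jotti.org"}

def parse_errors_log(text):
    """Return (message, component, timestamp) per line; assumed layout: code::'ln N:msg'::component::'time:os:ver'."""
    rows = []
    for f in (line.split("::") for line in text.splitlines()):
        if len(f) >= 4:
            rows.append((f[1].split(":", 1)[1], f[2], f[3].rsplit(":", 2)[0]))
    return rows

def triage_hjt(text):
    """Flag the line types that matter for a 'kills security tools, hijacks hosts' worm."""
    findings = []
    for line in text.splitlines():
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and "127.0.0.1" in line:
            findings.append(("info-loopback-page", line))   # usually a deliberate blank page
        elif kind == "O4":
            target = line.split("]", 1)[1].strip().strip('"')
            if not re.match(r"^[A-Za-z]:\\", target):       # bare name: resolved via PATH
                findings.append(("O4-no-path", line))
        elif kind == "O17" and "NameServer" in line:
            findings.append(("O17-nameserver", line))        # confirm it is the ISP's resolver
        elif kind == "O23" and "(file missing)" in line:
            findings.append(("O23-file-missing", line))      # orphaned service registration
    return findings

def blocked_security_domains(hosts_text):
    """Return (address, name) for hosts entries that override a security-vendor domain."""
    hits = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        hits += [(parts[0], n) for n in parts[1:] if n.lower() in SECURITY_DOMAINS]
    return hits
```

A bare O4 target or a hosts override of a vendor domain is a lead to verify (file properties, an online scan, who edited the hosts file), not a verdict on its own.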

Budfred
10-19-2005, 08:22 AM
Your log looks basically clean... I couldn't find anything very helpful on this:

C:\WINDOWS\system32\WCEFLMS.exe

It would probably be a good idea to find it and check Properties... Post back on what you find here... If it looks suspicious, try this:

Please go to Jotti's malware scan at http://virusscan.jotti.org/ and upload the file for scanning and post the results here.

pangea33
10-19-2005, 11:35 AM
Thanks for the reply Budfred. I've gone round and round about that stupid file "WCEFLMS.exe". Search results usually lead me to a driver for Xerox WorkCenter, and I've got one of those. It's a laser scanner, printer, fax, copier deal.

The file always uses about 260k and instantiates about 10 or 15 dlls that are identified as belonging to Microsoft or Sharp. The exe file itself doesn't have any company name identified in Process Explorer. Not sure if that's unusual or not.

This file has been on my system as long as I can remember, and oftentimes I'll disable the startup with no identifiable problems. I mostly use my Workcenter for printing only though. I've been eliminating startup disables as I try to slim down the footprint of my XP install.

Budfred
10-19-2005, 11:27 PM
I thought that one seemed familiar... I think we looked at it in a prior thread...

As for your original problem... I would probably go with running a couple of online virus scans and see what they say... It may just be a false positive... If it is something that Norton identifies, it is probably known to the other companies as well....

pangea33
10-20-2005, 01:02 AM
I might not have been real clear in my original post, because it was late. The Symantec link was only attached as a reference. There were many more hits on the same alleged virus, but they all said essentially the same thing. Including the claim that the chod related nasty will shut down processes that are running on my PC, and redirect hosts entries that my machine can navigate to. Specifically the securityresponse.symantec.com domain.

Thanks for the feedback. Headed over to Jotti now.

pangea33
10-20-2005, 01:22 AM
I just headed over to Jotti. WCEFLMS.exe had previously been scanned, and all engines reported nothing suspicious. Thanks for the suggestion though.

Budfred
10-20-2005, 08:07 PM
I might not have been real clear in my original post, because it was late. The Symantec link was only attached as a reference. There were many more hits on the same alleged virus, but they all said essentially the same thing. Including the claim that the chod related nasty will shut down processes that are running on my PC, and redirect hosts entries that my machine can navigate to. Specifically the securityresponse.symantec.com domain.

That is why I am suggesting the online virus scans... If it is really there, one of them should pick it up...

pangea33
10-20-2005, 09:19 PM
Oops, I guess I did skip over the online system scan suggestion. Ever since finding out what risks are out there, I've been worried about ActiveX. Especially since there are most likely some potentially questionable dlls lingering about my system, from a riskier time in my life.

Looks like it's time to invest in a DVD burner, so that I can stop worrying about losing my data. Reinstalling apps on a clean system is actually fun to some degree. I'll quit posting on this subject until I can perform all the suggestions offered.

I promise to try my hardest to stick to that statement. :D