Multi-Av Av-cls corruption


Jonno

I have been using the Av-cls collection of command line anti-virus programs
for years with great success.

Today I had installed the expanded files on a client computer (XPH-SP2) from
my thumb drive, and when I selected "1" to run Sophos, I saw the desktop
icons disappearing before my eyes. At first I thought the computer was
restarting, but no, something had deleted the icons, as well as many items on
the start menu, and their dialup connection.

I am not asking for a fix here. Everything came back with system restore.
But I am asking if anyone else has witnessed this happening, especially in
association with av-cls.

Thanks in advance.
 

I don't have that program, but I've had it happen with a badly written
VB6 install routine some time ago. Like you, restore saved the day.

Sounds like a case of badly written installation program or a glitch
during the install. If it were me, I'd cold-boot the machine (power off
for 30S min) start it again, create my own Restore Point, and try
installing it one more time. If it happened again, I'd either contact
the maker to see if they have an explanation or just toss it into the
bit bin as I Restored the computer.
Are you certain it's compatible with the operating system on that
computer?

HTH

Twayne
 
From: "Jonno" <[email protected]>

| I have been using the Av-cls collection of command line anti-virus programs
| for years with great success.

| Today I had installed the expanded files on a client computer (XPH-SP2) from
| my thumb drive, and when I selected “1” to run Sophos, I saw the desktop
| icons disappearing before my eyes. At first I thought the computer was
| restarting, but no, something had deleted the icons, as well as many items on
| the start menu, and their dialup connection.

| I am not asking for a fix here. Everything came back with system restore.
| But I am asking if anyone else has witnessed this happening, especially in
| association with av-cls.

| Thanks in advance.


I am the author of the Multi-AV Scanning Tool.

Please fully describe exactly HOW you transferred the files from the PC downloading the
signature to the thumb drive to the affected PC as well as if you chose "N" to set it into
the "Not connected to Internet" mode and what happened when you chose the Sophos module.
 
Hello David, thanks for your reply. I knew you were an expert in the field,
but I did not know you had written av-cls. It is a great tool.

I think I may be using an outdated version of the scripts. The date on my
compressed file (Multi_AV.exe) is December 2006. That executable simply
unzips a bunch of scripts to a folder called av-cls on my system (C:) drive.
I ran startmenu.bat to start the menu, and from there selected 1, 2, 3, 4 in
turn to download the latest definitions. I then copied the whole (by now
quite large) av-cls folder to my thumb drive, and pasted the whole folder to
the system (C:) drive of the target machine.

From there I ran startmenu.bat to start the menu, and selected 1 to run
sophos. At first all seemed to be well. I was prompted to scan or not. I
selected yes. I was prompted to scan a particular folder. I selected no,
and the scan began and started writing to the report text file as usual.
After half an hour only one virus had been found and as the client was in a
hurry I stopped the scan to restart the machine (to finish something else
off). Just before leaving the client asked me to show him how to use av-cls
one more time. I ran startmenu.bat to start the menu, and selected 1 to run
sophos. This time all the desktop icons disappeared, and I mean completely
disappeared. They were not hidden, and they were not in the trash. And even
more weird, all the script files (.kix and .bat) had disappeared from the
av-cls folder. It looks to me as if a bad script had run and deleted a bunch
of files, but I can’t audit the scripts, because they also disappeared.

What I can do and have done is to follow the link on your post, and download
Multi_AV.exe from that page. I shall delete the av-cls folders from my
computers and run the new Multi_AV.exe.

I’ll leave the copy on my thumb drive for now, in case you want to look at
anything from it. I’ll also record an HJT report from the bad machine, which
has been returned to me for now.
 
From: "Jonno" <[email protected]>

| Hello David, thanks for your reply. I knew you were an expert in the field,
| but I did not know you had written av-cls. It is a great tool.

| I think I may be using an outdated version of the scripts. The date on my
| compressed file (Multi_AV.exe) is December 2006. That executable simply
| unzips a bunch of scripts to a folder called av-cls on my system (C:) drive.
| I ran startmenu.bat to start the menu, and from there selected 1, 2, 3, 4 in
| turn to download the latest definitions. I then copied the whole (by now
| quite large) av-cls folder to my thumb drive, and pasted the whole folder to
| the system (C:) drive of the target machine.

| From there I ran startmenu.bat to start the menu, and selected 1 to run
| sophos. At first all seemed to be well. I was prompted to scan or not. I
| selected yes. I was prompted to scan a particular folder. I selected no,
| and the scan began and started writing to the report text file as usual.
| After half an hour only one virus had been found and as the client was in a
| hurry I stopped the scan to restart the machine (to finish something else
| off). Just before leaving the client asked me to show him how to use av-cls
| one more time. I ran startmenu.bat to start the menu, and selected 1 to run
| sophos. This time all the desktop icons disappeared, and I mean completely
| disappeared. They were not hidden, and they were not in the trash. And even
| more weird, all the script files (.kix and .bat) had disappeared from the
| av-cls folder. It looks to me as if a bad script had run and deleted a bunch
| of files, but I can’t audit the scripts, because they also disappeared.

| What I can do and have done is to follow the link on your post, and download
| Multi_AV.exe from that page. I shall delete the av-cls folders from my
| computers and run the new Multi_AV.exe.

| I’ll leave the copy on my thumb drive for now, in case you want to look at
| anything from it. I’ll also record an HJT report from the bad machine, which
| has been returned to me for now.

I put out Multi AV v6 earlier this year. I am working on Multi AV v7.0 right now.

I am not sure what's going on. There is nothing in the script(s) to delete anything more
than the etc/hosts file (after a backup). The act of deletion is left up to each
individual vendor command line scanner.

I am wondering if the files were truly deleted or if the Explorer process was killed and thus
the display of the DeskTop and/or folders became blank.

Feel free to email me with the HJT log or for any other reason. Just remove ~nospam~ from
my posting address.

BTW: Thank you for your kind words but I am no expert. Just someone who doesn't like
malware and wants to help those to keep from being infected or who are infected.
 
Thanks again David.

No, I know there is nothing in your scripts to explain what happened. I
have looked at them in the past. My theory is that somehow a fake script
made its way on to the machine. Obviously I have no idea how, but it was not
my imagination. Files were deleted and the Start Menu was radically altered.
For example system restore had been removed from the start menu, and so had
run (although it was still listed in start menu preferences). To run system
restore I had to navigate there with task manager.

But for the record, explorer.exe had not been killed (I witnessed that
recently on another machine). The start menu was still there, albeit
altered, and a couple of system icons, such as my computer, were still there.
But all the user created shortcuts were gone. And also for the record, I
checked the desktop of every user profile on the machine, and the missing
shortcuts were nowhere.

I am currently running the version of av-cls, which I downloaded earlier
today, on my computer to get the latest definitions. I like the new look.
I’ll post the HJT script to your email address shortly.
 
OK, it’s happened again, this time on my computer (thank goodness I backed it
up last night and created a restore point this morning), and with the new
version of av-cls. I had selected 1 to download the sophos definitions, and
they had come in. I chose not to scan. I selected 2 to get the trend
definitions. I then took my eye off the machine for a few minutes. When I
looked back, it was on the main av-cls menu. I assumed the trend download
had completed and selected 3 for McAfee. This time the download did not
begin and I was returned to the menu. I selected 4 for KAV, and again was
returned straight to the menu. When I checked my desktop icons were missing
and shortcuts to programs on the start menu were missing. The structure was
still there, but the folders were empty. I could not run paint or word or
anything to save a screen shot, but I was able to reinstall HJT, and I am
about to send you the log.
 
From: "Jonno" <[email protected]>

| OK, it’s happened again, this time on my computer (thank goodness I backed it
| up last night and created a restore point this morning), and with the new
| version of av-cls. I had selected 1 to download the sophos definitions, and
| they had come in. I chose not to scan. I selected 2 to get the trend
| definitions. I then took my eye off the machine for a few minutes. When I
| looked back, it was on the main av-cls menu. I assumed the trend download
| had completed and selected 3 for McAfee. This time the download did not
| begin and I was returned to the menu. I selected 4 for KAV, and again was
| returned straight to the menu. When I checked my desktop icons were missing
| and shortcuts to programs on the start menu were missing. The structure was
| still there, but the folders were empty. I could not run paint or word or
| anything to save a screen shot, but I was able to reinstall HJT, and I am
| about to send you the log.


Log received. Nothing seen in it.

I don't understand what's going on on the platforms you have described. Very curious.

BTW: I am in the Eastern USA, New Jersey.
 
OK, it's happened again, this time on my computer (thank goodness I backed it
up last night and created a restore point this morning), and with the new
version of av-cls.

I just downloaded and ran it on 4 computers, all Xp, and it ran
normally.

What "Other" tools have you loaded other than multi-av?

Do you know if your machine has been compromised before this?
 
In reply to Leythos, my computer is a fairly recent clean build, and I have
not experienced any other malware problems with it. I run Computer
Associates Anti Virus, and Spybot S&D is also installed.

To follow on with my experience, yesterday I renamed the av-cls folder to
av-cls1 and I ran multi-av again to create a clean av-cls folder. Then I ran
the menu.kix file from the command line in debug mode.

I stepped through every line of the menu (twice) and downloaded the Sophos
definitions. Then I started stepping through the Trend downloads, but I hit
a problem. I got stuck in a loop and I couldn’t seem to step out of it. I
lost patience and hit F5. The trend download continued, and when it
finished, I was not prompted to run Trend, but before my very eyes, all the
av-cls files disappeared. And to crown it, all the screenshots I
painstakingly took during the process, had disappeared as well. In fact
everything had gone from my pictures and my music.

My next plan is to print the scripts and tick off each line as I go, and if
I hit the loop again, to assess more carefully what is happening.

Let me emphasise that I am not blaming the av-cls scripts, which I have used
without problem for years. But something unpleasant has happened to me on
two computers with two different versions of the scripts. It is as if
something is interacting with the scripts as they run.

I realise from the Leythos post and from David that the problem is difficult
to replicate, but I am keen to hear from anyone else who has experienced
anything similar.
 
I realise from the Leythos post and from David that the problem is difficult
to replicate, but I am keen to hear from anyone else who has experienced
anything similar.

I'll setup a couple VM XP installs and test it several times.

How much memory do you have?

What service pack are you on?

What video card/driver are you using?

What version of AV are you running?

What event log errors have you seen in System/Application?

Have you installed ALL Windows Updates, even custom ones?
 
Thanks Leythos, I hope you are still awake. I have identified the error as
occurring in the following zone of the menu.kix script:

Function CleanCache()
DIM $Location, $dir
$location="Default User","Administrator","All Users"

$Cache1=ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths","Directory")
del $Cache1+"\*.*" /c /f /h /s
DelDir($Cache1+"\*.*")

$Cache=ReadValue("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","Cache")
$cache2=$Cache+"\Content.IE5"
if ($Cache1=$Cache2)=0
del $Cache2+"\*.*" /c /f /h /s
DelDir($Cache2+"\*.*")
endif

$Cache=ReadValue("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Cache")
$cache3=$Cache+"\Content.IE5"
if ($Cache1=$Cache3)=0
del $cache3+"\*.*" /c /f /h /s
DelDir($Cache3+"\*.*")
endif
del "%temp%\*.*" /c /f /h
del "%windir%\temp\*.*" /c /f /h /s
DelDir("%windir%\temp\*.*")
del "$pmfolder\Opera\profile\cache4\*.*" /c /f /h /s

I think the key to solving this is comparing these registry values on your
machines with mine. I’ll try to send a screenshot taken when the error was
occurring to your email address.

Meanwhile can you point me to some good deleted files recovery software?

Thanks in advance.
 
Sorry leythos:

2GB
SP3
GeForce 7300 SE
CA Anti-Virus 8.4.0.24
Sorry didn’t check before I restored
I use automatic update and let it run itself

As I reported privately, I think I might have been looking at the wrong line
of code, but as the event has repeated consistently (3 times) while I have
been stepping through the av-cls script, I am convinced that there is an
association with the script, albeit in conjunction with some setting on my
machine (and my clients).
 

The only part I can't duplicate is the CA Antivirus product.

I wonder if it has something to do with an update/patch to CA-AV and
interacting with the script?

The only option I see from the CA site is version 2009, not 8....
 
David and Leythos,

After taking a break for the weekend I have returned to this.

Last week I was stepping through the original script. The advantage of this
was that it preserved the script intact, but the disadvantage was that it was
time consuming, and I was always taken by surprise when the event happened.
This time I put break points and markers at various points in the script, so I
could skim over the boring bits and focus on the interesting stuff.

I can now say with certainty that the event occurs when the second of the
following lines of code executes:

$Cache1=ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths","Directory")
del $Cache1+"\*.*" /c /f /h /s

I don’t know exactly what is going on here, because from the registry
extract I sent to Leythos last week, that path is:

"CachePath"="C:\\Documents and Settings\\Jonno\\Local Settings\\Temporary
Internet Files\\Content.IE5\\Cache1"

whereas on my computer the furthest you can get along that path is:

C:\Documents and Settings\Jonno\Local Settings\Temporary Internet Files

And when

del $Cache1+"\*.*" /c /f /h /s

was run, nothing from that folder was removed, but everything except kix.32
was deleted from av-cls and the content of my documents was deleted as before.
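Whatever made the registry value and the disk disagree in the cases above, the CleanCache routine quoted earlier runs a forced, recursive delete on a path it has only just read from the registry and never checked. As an added illustration (not code from Multi-AV, and not from any poster here) the Python below shows the guard such a routine needs: the value must be non-empty, absolute, an existing directory, and strictly inside an allowed profile folder, or the delete is refused before anything is touched. The directory layout, the profile name "jonno", the "allowed roots" policy and the function names are constructed for this example; the temporary folder stands in for both the registry value and the user profile.

```python
"""Guarded recursive cleanup of a browser cache directory.

Added illustration for the CleanCache discussion: the directory name comes
from a configuration source (in the script, a registry value), so it is
validated before anything is deleted. Not code from Multi-AV or its scripts;
the function names and the allowed-roots policy are assumptions of this
example.
"""
import shutil
import tempfile
from pathlib import Path


class UnsafeDeleteTarget(Exception):
    """Raised when a candidate directory fails validation."""


def validate_cache_dir(value, allowed_roots):
    """Return the resolved directory for a recursive delete, or raise.

    value         -- the raw string read from the registry (may be empty)
    allowed_roots -- directories the cache must live strictly inside
    """
    if value is None or not value.strip():
        # An empty string with "\*.*" appended matches relative to the
        # current drive/directory, not to any cache folder.
        raise UnsafeDeleteTarget("empty path")
    candidate = Path(value)
    if not candidate.is_absolute():
        raise UnsafeDeleteTarget("relative path %r would resolve against the current directory" % value)
    resolved = candidate.resolve()  # collapse '..' and symlinks first
    if not resolved.is_dir():
        raise UnsafeDeleteTarget("%s is missing or not a directory" % resolved)
    for root in allowed_roots:
        root = Path(root).resolve()
        # Strictly inside: refuse the root itself so a whole profile cannot be wiped.
        if resolved != root and root in resolved.parents:
            return resolved
    raise UnsafeDeleteTarget("%s is outside the allowed roots" % resolved)


def clean_cache(value, allowed_roots):
    """Delete the *contents* of the validated cache directory.

    Returns the number of files removed.
    """
    target = validate_cache_dir(value, allowed_roots)
    removed = 0
    for child in list(target.iterdir()):
        if child.is_dir() and not child.is_symlink():
            removed += sum(1 for f in child.rglob("*") if f.is_file())
            shutil.rmtree(child)
        else:
            child.unlink()
            removed += 1
    return removed


def try_clean(value, allowed_roots):
    """Report ('ok', count) or ('refused', reason) instead of raising."""
    try:
        return ("ok", clean_cache(value, allowed_roots))
    except UnsafeDeleteTarget as exc:
        return ("refused", str(exc))


def demo():
    """Constructed directory layout standing in for the profile and tool folder."""
    base = Path(tempfile.mkdtemp())
    profile = base / "Documents and Settings" / "jonno"
    cache = profile / "Local Settings" / "Temporary Internet Files" / "Content.IE5"
    (cache / "ABCD1234").mkdir(parents=True)
    (cache / "index.dat").write_text("constructed")
    (cache / "ABCD1234" / "page.htm").write_text("constructed")
    docs = profile / "My Documents"
    docs.mkdir()
    (docs / "report.txt").write_text("must survive")
    toolbox = base / "av-cls"
    toolbox.mkdir()
    (toolbox / "menu.kix").write_text("; must survive")

    roots = [profile]
    results = {
        # registry value names a subfolder that does not exist on disk
        "missing_subdir": try_clean(str(cache / "Cache1"), roots),
        # registry value empty
        "empty_value": try_clean("", roots),
        # relative name, would be taken against the current directory
        "relative": try_clean("Content.IE5", roots),
        # a real directory, but not under the user's profile
        "outside_root": try_clean(str(toolbox), roots),
        # the genuine cache directory: only this one deletes anything
        "valid": try_clean(str(cache), roots),
    }
    results["toolbox_intact"] = (toolbox / "menu.kix").is_file()
    results["documents_intact"] = (docs / "report.txt").is_file()
    results["cache_emptied"] = not any(cache.iterdir())
    shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Running it shows four refused attempts (the non-existent Cache1 subfolder, an empty value, a bare relative name, and a directory outside the profile) and one successful cleanup that removes only the two constructed cache files, leaving the tool folder and My Documents untouched. The order of the checks matters: the emptiness and absoluteness tests come before any filesystem access, so a bad value is rejected without ever being resolved against the current directory.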
 