From: "Jonno" <[email protected]>
| Hello David, thanks for your reply. I knew you were an expert in the field,
| but I did not know you had written av-cls. It is a great tool.
| I think I may be using an outdated version of the scripts. The date on my
| compressed file (Multi_AV.exe) is December 2006. That executable simply
| unzips a bunch of scripts to a folder called av-cls on my system (C:) drive.
| I ran startmenu.bat to start the menu, and from there selected 1, 2, 3, 4 in
| turn to download the latest definitions. I then copied the whole (by now
| quite large) av-cls folder to my thumb drive, and pasted the whole folder to
| the system (C:) drive of the target machine.
| From there I ran startmenu.bat to start the menu, and selected 1 to run
| sophos. At first all seemed to be well. I was prompted to scan or not. I
| selected yes. I was prompted to scan a particular folder. I selected no,
| and the scan began and started writing to the report text file as usual.
| After half an hour only one virus had been found and as the client was in a
| hurry I stopped the scan to restart the machine (to finish something else
| off). Just before leaving the client asked me to show him how to use av-cls
| one more time. I ran startmenu.bat to start the menu, and selected 1 to run
| sophos. This time all the desktop icons disappeared, and I mean completely
| disappeared. They were not hidden, and they were not in the trash. And even
| more weird, all the script files (.kix and .bat) had disappeared from the
| av-cls folder. It looks to me as if a bad script had run and deleted a bunch
| of files, but I can’t audit the scripts, because they also disappeared.
| What I can do and have done is to follow the link on your post, and download
| Multi_AV.exe from that page. I shall delete the av-cls folders from my
| computers and run the new Multi_AV.exe.
| I’ll leave the copy on my thumb drive for now, in case you want to look at
| anything from it. I’ll also record an HJT report from the bad machine, which
| has been returned to me for now.
I put out Multi AV v6 earlier this year. I am working on Multi AV v7.0 right now.
I am not sure what's going on. There is nothing in the script(s) to delete anything more
than the etc/hosts file (after a backup). The act of deletion is left up to each
individual vendor command line scanner.
I am wondering if the files were truly deleted or if the Explorer process was killed and thus
the display of the Desktop and/or folders became blank.
Feel free to email me with the HJT log or for any other reason. Just remove ~nospam~ from
my posting address.
BTW: Thank you for your kind words but I am no expert. Just someone who doesn't like
malware and wants to help those to keep from being infected or who are infected.