Please advise regarding virus problem

Thread starter: JD
CA A-V "quarantined" 35 files, all related to Win32/AMalum.zzxxx, all have
the same name but different letters after the "zz."
Now System File Checker keeps running. It does complete, but four times it
asks me to insert the WindowsXP SP3 CD, which I don't have. All I can do is
click "Cancel" and the SFC continues.
I've run SFC many times in the last few years and have never been asked for
the CD. Can it be that it is looking for files that are not properly
WindowsXP files?
I've researched the error codes and the files in question appear to belong
to Windows 2000, which I am not running.
I have ordered the CD from MS, but it will take at least a week to arrive by
mail. I somehow doubt that the "missing" files will be found thereon anyway.
I am at a loss. Can anyone suggest what I should do?
The files identified are in the "quarantine" list and can be "restored."
Might it make sense to do that?
The Event Viewer identifies the files that it cannot find:

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64021
Date: 7/9/2009
Time: 2:34:40 AM
User: N/A
Computer: GATEWAY-B2287A3
Description:
The system file c:\windows\system32\wbem\wmiadap.exe could not be copied
into the DLL cache. The specific error code is 0x000004c7 [The operation was
canceled by the user. ]. This file is necessary to maintain system
stability.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64021
Date: 7/9/2009
Time: 2:31:25 AM
User: N/A
Computer: GATEWAY-B2287A3
Description:
The system file c:\windows\system32\reg.exe could not be copied into the DLL
cache. The specific error code is 0x000004c7 [The operation was canceled by
the user. ]. This file is necessary to maintain system stability.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64021
Date: 7/9/2009
Time: 2:29:57 AM
User: N/A
Computer: GATEWAY-B2287A3
Description:
The system file c:\windows\system32\netsh.exe could not be copied into the
DLL cache. The specific error code is 0x000004c7 [The operation was canceled
by the user. ]. This file is necessary to maintain system stability.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64021
Date: 7/9/2009
Time: 2:29:47 AM
User: N/A
Computer: GATEWAY-B2287A3
Description:
The system file c:\windows\system32\net.exe could not be copied into the DLL
cache. The specific error code is 0x000004c7 [The operation was canceled by
the user. ]. This file is necessary to maintain system stability.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Copy the i386 folder from the Windows SP2 CD to the root of C: such as c:\i386

Download the administrators WinXP SP3 EXE file
http://www.microsoft.com/downloads/...A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

Rename the EXE file to: WinXP-SP3.exe

Run the following command line which will slipstream the C:\i386 folder to SP3 level...

WinXP-SP3.exe -u -s:c:\

Run: REGEDIT.EXE

go to...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

find: SourcePath

set: SourcePath to be: C:\

When the OS next determines "windows must restore the original versions of these files..."
it will find them in: c:\i386 and will NOT need to prompt you for the CD.
 
Thank you for your response. I observed that I already have an i386 folder on
C. It includes (presumably) all the files needed for SP 3. My intuition tells
me that the system is looking for files that are NOT XP SP3 files, perhaps
because they have been quarantined, but are still in the registry.
The error code references Windows 2000 and Windows XP Media Edition, neither
of which I have.
I read the following from a Windows KB article regarding what's happening:

This problem occurs because the System File Checker utility cannot locate
certain Windows installation files. These Windows installation files are
described in the System log event messages in the "Symptoms" section.
Note These Windows installation files are not required by Windows XP Media
Center Edition 2005.
WORKAROUND To work around this problem, make sure that the Windows
installation files are available when you run the sfc.exe /scannow command,
and then click Cancel every time that you receive an error message. The
System File Checker utility will successfully complete the scan operation.
Note If no Windows installation files are available, you may have to cancel
the error message many times. In this scenario, you may want to cancel the
whole operation. To do this, follow these steps:
Drag the Windows File Protection dialog box to another location on the
desktop.
Note After you move the Windows File Protection dialog box, you will see a
second Windows File Protection dialog box. This second Windows File
Protection dialog box contains the following message: Please wait while
Windows verifies that all protected Windows files are intact and in their
original versions.
Click Cancel in the second Windows File Protection dialog box.
Click Cancel in the first Windows File Protection dialog box, and then click
Yes.

Let me add this note: The last two times I've booted, within minutes I get a
popup from the A-V informing me that "37 threats have been removed."
Apparently something in the system is still in need of correction.
I have 35 files currently in the quarantine list. Would I be well advised to
"remove" them rather than keep them "quarantined"?
 
I have learned in the last several hours that this is a "false positive,"
and that CA is working on a "fix." But here's a question which an online
tech support person was unable to answer. Since 35 system files were
"quarantined," and I have subsequently run System File Checker (three
times), I should assume that the "missing" files have been restored. In that
case, should I not "restore" the files from the CA Quarantine list? Or
should I delete them?
 
Keep the files in quarantine until such a later date as you KNOW they weren't False Positive
declarations and can be purged.

Just because you have a c:\i386 folder, don't ASSUME it is at the same Service Pack level as
the OS.
The ONLY way to tell for sure is that the file; C:\I386\SP3.CAT exists.
If not (such as SP2.CAT) the folder needs to be slipstreamed.

Additionally if the Registry doesn't point to the i386 folder, it will request the CDROM.
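The two replies above name the two conditions Windows File Protection needs before it stops asking for the CD: an i386 folder that is really at SP3 level (SP3.CAT present) and a SourcePath registry value that points at the folder containing it. The script below is an added example that checks both; it is not from this thread, CA or Microsoft. The registry key is the one quoted in the reply; the function names i386_service_pack and check_wfp_source are my own, and read_source_path only works on Windows (the checks themselves run anywhere against a test folder).

```python
"""Added example, not from the thread: verify the two things the replies say
Windows File Protection needs to restore files without prompting for the CD:
an i386 folder slipstreamed to SP3 (SP3.CAT present) and a SourcePath value
pointing at the folder that contains that i386 directory."""
import os

# Registry key quoted in the reply above (value name: SourcePath)
SETUP_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"


def i386_service_pack(i386_dir):
    """Return the highest SPn.CAT present in an i386 folder (0 if none,
    None if the folder does not exist). The reply's test: SP3.CAT == SP3 level."""
    try:
        names = {n.upper() for n in os.listdir(i386_dir)}
    except OSError:
        return None
    levels = [n for n in range(1, 10) if f"SP{n}.CAT" in names]
    return max(levels) if levels else 0


def read_source_path():
    """Read SourcePath from the live registry (Windows only; None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SETUP_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "SourcePath")
    return value


def check_wfp_source(source_path, required_sp=3):
    """Evaluate a SourcePath value. WFP appends 'i386' to it, so the value is
    the parent of the i386 folder ('C:\\' when the folder is C:\\i386).
    Returns (ok, findings) with a human-readable line per problem found."""
    findings = []
    if not source_path:
        findings.append("SourcePath is empty/missing: WFP will prompt for the CD")
        return False, findings
    i386 = os.path.join(source_path, "i386")
    sp = i386_service_pack(i386)
    if sp is None:
        findings.append(f"{i386} does not exist: WFP will prompt for the CD")
    elif sp < required_sp:
        findings.append(
            f"{i386} is at SP{sp} level, OS needs SP{required_sp}: slipstream it")
    return not findings, findings


if __name__ == "__main__":
    path = read_source_path()
    ok, problems = check_wfp_source(path)
    print(f"SourcePath = {path!r}: {'OK' if ok else 'NOT OK'}")
    for p in problems:
        print(" -", p)
```

Run it as Administrator on the affected machine; a "NOT OK" result tells you which of the two fixes in the reply (slipstreaming or setting SourcePath) still applies. The SP level is taken purely from the catalog file name, exactly as the reply suggests, so a folder with a stale SP2.CAT is reported as SP2 even if someone copied newer files into it by hand.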
 
How to fix your XP machine after CaAV broke it
http://homeofficeforum.ca.com/homeofficeforum/showthread.php?t=4868

" first off, update to signature file 6606

2. turn off real time protection (real time scanner)

3. restore the files from the quarantine (windows will complain that the
file is not genuine, this is because it was "modified" and the checksum
for the file has changed, it does not mean the file is different or
broken, tell windows to use it anyway) *after reboot if windows is still
angry, you will need to go to microsoft.com and find the download for XP
service pack 3 to fully restore modified or deleted files. none of the
affected files should prevent your machine from starting up, though it
may complain a bit.

4. turn the scanner back on but keep the "clean" and "quarantine" boxes
unchecked for the moment

5. scan your windows directory and everything inside, if there are no
problems you can return to your normal AV settings and hope CA buys an XP
machine to check new sig files on "


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============
 
Thanx.

I was just reading this was a BIG FP problem.
 
Thanks very much. I had no problem restoring the quarantined files. Only two
or three reported that the file "already exists" (presumably because SFC had
replaced them). The only item that would not "restore" was a folder on "C"
with a l-o-n-g series of letters and numbers. The folder is there already
(again, presumably because Windows replaced it upon reboot); it contains
only one subfolder named SP2, and it's empty.
Since both the "Clean" and "Quarantine" boxes are checked by default in CA
A-V, I don't understand why it only quarantined these files rather than
delete them. However, I'm glad that was the case and that I was able to
restore them.
A few hours of near panic and aggravation, but in the end, no harm done.
 
False positives are becoming an ever-increasing problem, and I would
therefore never advise anyone to have an AV product set to auto-quarantine
files. Always keep a human in the loop.

I recently ran an antivirus check on my collection of engineering utilities
and software. To prevent any possible damage I performed the scan via a
readonly share. Over a hundred false positives were found. It is notable that
many of these were utilities coded with popular compilers, and the common
factor was the compiler itself, or libraries used. Clearly the (overworked?)
AV guys are latching on to the first identifiable byte-sequence in a
polymorphic virus as a detection-string, and not realising that these bytes
are present in all projects built with the same tools.

A useful facility is http://virustotal.com which can give you an opinion
based on multiple AV tools. Even here though, false-positives often produce a
result from several sources, showing that many AV vendors share information.
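An added example of the triage this post describes, not code from the post or from VirusTotal: hash a tree of files read-only, look each hash up against the VirusTotal v3 file endpoint, and rate the answer by engine consensus so that a hit from only a few engines is surfaced as a probable false positive for a human to review, rather than accepted as a confirmed detection. The thresholds (min_ratio, min_engines) and the function names are my own choices; the API key is yours, and the script never uploads anything.

```python
"""Added example (not from the thread): hash a read-only tree of files and
triage VirusTotal verdicts by engine consensus, so one or two engines firing
on a shared compiler runtime is not treated as a confirmed infection."""
import hashlib
import json
import os
import urllib.request

# VirusTotal v3 public API: GET /api/v3/files/{sha256} with an x-apikey header
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file; only reads, so a read-only share is sufficient."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def classify(stats, min_ratio=0.25, min_engines=5):
    """Turn a VT 'last_analysis_stats' dict into a triage verdict.
    Keys used (VT v3): malicious, suspicious, undetected, harmless.
    Low consensus becomes 'probable-false-positive' (needs a human), never
    'clean' and never 'likely-malicious'. Thresholds are my own choice."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if total == 0:
        return "unknown"
    if flagged == 0:
        return "clean"
    if flagged < min_engines or flagged / total < min_ratio:
        return "probable-false-positive"  # few engines: shared signature?
    return "likely-malicious"


def lookup(sha256, api_key):
    """Fetch the analysis stats for a hash (network; needs your own API key).
    Raises urllib.error.HTTPError 404 when VT has never seen the file."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    return data["data"]["attributes"]["last_analysis_stats"]


if __name__ == "__main__":
    import sys
    # usage: python vt_triage.py <read-only share or folder> <VT API key>
    root, key = sys.argv[1], sys.argv[2]
    for rel, digest in sorted(hash_tree(root).items()):
        try:
            verdict = classify(lookup(digest, key))
        except Exception as exc:  # 404 (unknown hash), rate limit, no network
            verdict = f"lookup-failed ({exc.__class__.__name__})"
        print(f"{verdict:26} {digest[:16]}  {rel}")
```

Because the post notes that vendors share detections, a handful of agreeing engines is still weak evidence; the consensus rule is deliberately a threshold on how many independent engines fire, and anything in the "probable-false-positive" band should be checked by a person before a file is quarantined or deleted.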
 