SPR/Madtol.C program

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I clicked on to Spyware Doctor to run a periodic scan when a Warning Window
from one of my anti virus programs (AntiVir) popped up displaying the
following message:

C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
Contains signature of the SPR/Madtol.C program

The AntiVir program provided sevaral option as to what to do with this file,
I opted for deletion.

When clicking afterward on to Spyware doctor the AntiVir Warning sign
reappears displaying almost the same message ( instead of MC27 it shows
MC28). I again deleted this file.

The warning sign only appears when clicking on to Spyware Doctor which by
the way I installed some 6 months ago. But the problem only has started
yesteday.

I run updated MS AntiSpyWare, Spybot S&D, Ad-Aware se, AntiVir, Spyware
Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
but none of the scans indicated the presence of this file.

Would somebody know and advise a proper elimination procedures of this file.

Thank you in advance for your attention and kind assistance.
 
From: "Kayman" <[email protected]>

| I clicked on to Spyware Doctor to run a periodic scan when a Warning Window
| from one of my anti virus programs (AntiVir) popped up displaying the
| following message:
|
| C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
| Contains signature of the SPR/Madtol.C program
|
| The AntiVir program provided sevaral option as to what to do with this file,
| I opted for deletion.
|
| When clicking afterward on to Spyware doctor the AntiVir Warning sign
| reappears displaying almost the same message ( instead of MC27 it shows
| MC28). I again deleted this file.
|
| The warning sign only appears when clicking on to Spyware Doctor which by
| the way I installed some 6 months ago. But the problem only has started
| yesteday.
|
| I run updated MS AntiSpyWare, Spybot S&D, Ad-Aware se, AntiVir, Spyware
| Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
| but none of the scans indicated the presence of this file.
|
| Would somebody know and advise a proper elimination procedures of this file.
|
| Thank you in advance for your attention and kind assistance.

This could very well be a RootKit !
http://www.sysinternals.com/utilities/rootkitrevealer.html


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Hi David:
Here are the scan results:-
1. TREND (F8 % clean boot):
33303 files read, 33303 files checked, 29440 files scanned, 39817 files
scanned (incl. files in archived), 0 files containing viruses, found 0
viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
1a. TREND (normal mode):
33205 files read, 33205 files checked, 29891 files scanned, 38760 files
scanned (incl. files archives), 0 fileas containing viruses, found 0 viruses
totally, mayby 0 viruses totally; scan time 17 min. 37 sec.

2. SOPHOS (F8 & clean boot):
40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered,
noviruses discovered, 46 encrypted files were not checked; ending Spohos
anti-Virus.
2a. SOPHOS (normal mode):
40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were
discivered, 46 encrypted files were not checked; ending Sophos Anti-Virus.

3. MCAFEE (both in F8 & clean boot and notmal mode):
Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu
the following message appears:
c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]

David, should I delete the McAfee folder and try to downlowd one more time?

For you information, after scanning with Trend and Sophos, I clicked on to
Spyware Doctor and the AntiVir Warning sign popped up again indicating that
the SPR/Madtol.C program is still present, the number has changed to MC2104.

With best regards,

David H. Lipman said:
From: "Kayman" <[email protected]>

| I clicked on to Spyware Doctor to run a periodic scan when a Warning Window
| from one of my anti virus programs (AntiVir) popped up displaying the
| following message:
|
| C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
| Contains signature of the SPR/Madtol.C program
|
| The AntiVir program provided sevaral option as to what to do with this file,
| I opted for deletion.
|
| When clicking afterward on to Spyware doctor the AntiVir Warning sign
| reappears displaying almost the same message ( instead of MC27 it shows
| MC28). I again deleted this file.
|
| The warning sign only appears when clicking on to Spyware Doctor which by
| the way I installed some 6 months ago. But the problem only has started
| yesteday.
|
| I run updated MS AntiSpyWare, Spybot S&D, Ad-Aware se, AntiVir, Spyware
| Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
| but none of the scans indicated the presence of this file.
|
| Would somebody know and advise a proper elimination procedures of this file.
|
| Thank you in advance for your attention and kind assistance.

This could very well be a RootKit !
http://www.sysinternals.com/utilities/rootkitrevealer.html


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *
Click to expand...
 
From: "Kayman" <[email protected]>

| Hi David:
| Here are the scan results:-
| 1. TREND (F8 % clean boot):
| 33303 files read, 33303 files checked, 29440 files scanned, 39817 files
| scanned (incl. files in archived), 0 files containing viruses, found 0
| viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
| 1a. TREND (normal mode):
| 33205 files read, 33205 files checked, 29891 files scanned, 38760 files
| scanned (incl. files archives), 0 fileas containing viruses, found 0 viruses
| totally, mayby 0 viruses totally; scan time 17 min. 37 sec.
|
| 2. SOPHOS (F8 & clean boot):
| 40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered,
| noviruses discovered, 46 encrypted files were not checked; ending Spohos
| anti-Virus.
| 2a. SOPHOS (normal mode):
| 40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were
| discivered, 46 encrypted files were not checked; ending Sophos Anti-Virus.
|
| 3. MCAFEE (both in F8 & clean boot and notmal mode):
| Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu
| the following message appears:
| c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]
|
| David, should I delete the McAfee folder and try to downlowd one more time?
|
| For you information, after scanning with Trend and Sophos, I clicked on to
| Spyware Doctor and the AntiVir Warning sign popped up again indicating that
| the SPR/Madtol.C program is still present, the number has changed to MC2104.
|
| With best regards,
|

The error message...
"update.ini not opened foe read, error code [0]" idicates that the FTP.EXE program was
unable to access the McAfee FTP site and downnload the needed files. The UPDATE.INI is
parsed for the verion information of the McAfee files. Without it the utility does not what
is the name of the Mcafee SuperDAT.

Usually this error is caused by the FireWall blocking FTP.EXE from getting to the site.
Either the FireWall needs to be disabled or FTP.EXE needs to be allowed to go through the
FireWall.

Since both Trend and Sophos come up clean... It could be well hidden andf only revealed via
RotKit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html


There is also a possibility that this is a False Positive declaration.

There must be SOME file that is being flagged as having this.

Please submit the suspect file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendor's scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.
 
Hi David:
Prior to downloading AV-CSL I definitely permitted my (Norton 2003) security
system to let pass AV-CSL (Trend, Sophos and McAfee) through the firewall.

Anyway, I deleted the McAfee folder, disabled my firewall and re-downloaded
McAfee. After reboot tried to scan without success, the same error message
popped up.

I then deleted the entire AV-CSL folder and started from scratch. I again
disabled my firewall prior downloading and left it disabled during the entire
download operation. (This time I downloaded McAfee first, Trend second and
Sophos third).
I am able to perform scans with Trend and Sophos.
McAfee however produces the same old error message.

I downloaded Rootkitrevealer.exe. The scan result revealed that there were
no discrepancies found.

I accessed the virustotal website and send a message explaining my plight.
The message sent was identical to the one I sent to (you) the Discussion
Group. They responded that the (my) original message had no attachment.
I am at a loss here. I really don't know which attachment I could have send
to virustotal. The only evidence I have is the warning sign generated by
AntiVir. I guess I somehow could send them a screen print??

Thanks again for your patience.
With best regards,


David H. Lipman said:
From: "Kayman" <[email protected]>

| Hi David:
| Here are the scan results:-
| 1. TREND (F8 % clean boot):
| 33303 files read, 33303 files checked, 29440 files scanned, 39817 files
| scanned (incl. files in archived), 0 files containing viruses, found 0
| viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
| 1a. TREND (normal mode):
| 33205 files read, 33205 files checked, 29891 files scanned, 38760 files
| scanned (incl. files archives), 0 fileas containing viruses, found 0 viruses
| totally, mayby 0 viruses totally; scan time 17 min. 37 sec.
|
| 2. SOPHOS (F8 & clean boot):
| 40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered,
| noviruses discovered, 46 encrypted files were not checked; ending Spohos
| anti-Virus.
| 2a. SOPHOS (normal mode):
| 40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were
| discivered, 46 encrypted files were not checked; ending Sophos Anti-Virus.
|
| 3. MCAFEE (both in F8 & clean boot and notmal mode):
| Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu
| the following message appears:
| c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]
|
| David, should I delete the McAfee folder and try to downlowd one more time?
|
| For you information, after scanning with Trend and Sophos, I clicked on to
| Spyware Doctor and the AntiVir Warning sign popped up again indicating that
| the SPR/Madtol.C program is still present, the number has changed to MC2104.
|
| With best regards,
|

The error message...
"update.ini not opened foe read, error code [0]" idicates that the FTP.EXE program was
unable to access the McAfee FTP site and downnload the needed files. The UPDATE.INI is
parsed for the verion information of the McAfee files. Without it the utility does not what
is the name of the Mcafee SuperDAT.

Usually this error is caused by the FireWall blocking FTP.EXE from getting to the site.
Either the FireWall needs to be disabled or FTP.EXE needs to be allowed to go through the
FireWall.

Since both Trend and Sophos come up clean... It could be well hidden andf only revealed via
RotKit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html


There is also a possibility that this is a False Positive declaration.

There must be SOME file that is being flagged as having this.

Please submit the suspect file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendor's scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.
Click to expand...
 
David, I just ran another RootkitRevealer scan which this time revealed 8
discrepancies. Don't know why the first scan did not reveal anything.
Details are as follwows:

1.Path:C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink
Time Stamp: 7/5/2005 4:16PM, Size: 772 bytes,
Description: Visible in Windows API but not in MFT or directory index.

2.Path:C:\Documents and Settings\Pattaya2005\Start
Menu\Rootkitrevealer.exe.Ink
Time Stamp: 7/13/2005 6:21 PM, Size: 741 bytes
Description: Hidden from Windows API.

3.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc15.Ink
Time Stamp: 7/10/2005 11:49PM, Size: 636 bytes,
Description: Visible in Windows API but not in MFT or directory index

4.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc41.Ink
Time Stamp: 7/13/2005 6:19PM, Size: 529 bytes,
Description: Hiden from Windows API

5.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc43.Ink
Time Stamp: 7/13/2005 6:20PM, Size: 772 bytes,
Description: Hidden from Windows API

6.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc44.Ink
Time Stamp: 7/13/2005 6:23PM, Size: 741 bytes,
Description: Hidden from Windows API

7.Path:C:\System Volume
Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023597.Ink
Time Stamp: 7/13/2005 6:23PM, Size: 772 bytes
Description: Hiden from Windows API

8.Path:C:\System Volume
Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023598.Ink
Time Stamp: 7/13/2005 6:23PM, Size: 636 bytes,
Description: Hidden from Windows API

Hope this helps.





Kayman said:
Hi David:
Prior to downloading AV-CSL I definitely permitted my (Norton 2003) security
system to let pass AV-CSL (Trend, Sophos and McAfee) through the firewall.

Anyway, I deleted the McAfee folder, disabled my firewall and re-downloaded
McAfee. After reboot tried to scan without success, the same error message
popped up.

I then deleted the entire AV-CSL folder and started from scratch. I again
disabled my firewall prior downloading and left it disabled during the entire
download operation. (This time I downloaded McAfee first, Trend second and
Sophos third).
I am able to perform scans with Trend and Sophos.
McAfee however produces the same old error message.

I downloaded Rootkitrevealer.exe. The scan result revealed that there were
no discrepancies found.

I accessed the virustotal website and send a message explaining my plight.
The message sent was identical to the one I sent to (you) the Discussion
Group. They responded that the (my) original message had no attachment.
I am at a loss here. I really don't know which attachment I could have send
to virustotal. The only evidence I have is the warning sign generated by
AntiVir. I guess I somehow could send them a screen print??

Thanks again for your patience.
With best regards,


David H. Lipman said:
From: "Kayman" <[email protected]>

| Hi David:
| Here are the scan results:-
| 1. TREND (F8 % clean boot):
| 33303 files read, 33303 files checked, 29440 files scanned, 39817 files
| scanned (incl. files in archived), 0 files containing viruses, found 0
| viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
| 1a. TREND (normal mode):
| 33205 files read, 33205 files checked, 29891 files scanned, 38760 files
| scanned (incl. files archives), 0 fileas containing viruses, found 0 viruses
| totally, mayby 0 viruses totally; scan time 17 min. 37 sec.
|
| 2. SOPHOS (F8 & clean boot):
| 40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered,
| noviruses discovered, 46 encrypted files were not checked; ending Spohos
| anti-Virus.
| 2a. SOPHOS (normal mode):
| 40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were
| discivered, 46 encrypted files were not checked; ending Sophos Anti-Virus.
|
| 3. MCAFEE (both in F8 & clean boot and notmal mode):
| Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu
| the following message appears:
| c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]
|
| David, should I delete the McAfee folder and try to downlowd one more time?
|
| For you information, after scanning with Trend and Sophos, I clicked on to
| Spyware Doctor and the AntiVir Warning sign popped up again indicating that
| the SPR/Madtol.C program is still present, the number has changed to MC2104.
|
| With best regards,
|

The error message...
"update.ini not opened foe read, error code [0]" idicates that the FTP.EXE program was
unable to access the McAfee FTP site and downnload the needed files. The UPDATE.INI is
parsed for the verion information of the McAfee files. Without it the utility does not what
is the name of the Mcafee SuperDAT.

Usually this error is caused by the FireWall blocking FTP.EXE from getting to the site.
Either the FireWall needs to be disabled or FTP.EXE needs to be allowed to go through the
FireWall.

Since both Trend and Sophos come up clean... It could be well hidden andf only revealed via
RotKit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html


There is also a possibility that this is a False Positive declaration.

There must be SOME file that is being flagged as having this.

Please submit the suspect file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendor's scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.
Click to expand...
Click to expand...
 
From: "Kayman" <[email protected]>

| David, I just ran another RootkitRevealer scan which this time revealed 8
| discrepancies. Don't know why the first scan did not reveal anything.
| Details are as follwows:
|
| 1.Path:C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink
| Time Stamp: 7/5/2005 4:16PM, Size: 772 bytes,
| Description: Visible in Windows API but not in MFT or directory index.
|
| 2.Path:C:\Documents and Settings\Pattaya2005\Start
| Menu\Rootkitrevealer.exe.Ink
| Time Stamp: 7/13/2005 6:21 PM, Size: 741 bytes
| Description: Hidden from Windows API.
|
| 3.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc15.Ink
| Time Stamp: 7/10/2005 11:49PM, Size: 636 bytes,
| Description: Visible in Windows API but not in MFT or directory index
|
| 4.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc41.Ink
| Time Stamp: 7/13/2005 6:19PM, Size: 529 bytes,
| Description: Hiden from Windows API
|
| 5.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc43.Ink
| Time Stamp: 7/13/2005 6:20PM, Size: 772 bytes,
| Description: Hidden from Windows API
|
| 6.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc44.Ink
| Time Stamp: 7/13/2005 6:23PM, Size: 741 bytes,
| Description: Hidden from Windows API
|
| 7.Path:C:\System Volume
| Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023597.Ink
| Time Stamp: 7/13/2005 6:23PM, Size: 772 bytes
| Description: Hiden from Windows API
|
| 8.Path:C:\System Volume
| Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023598.Ink
| Time Stamp: 7/13/2005 6:23PM, Size: 636 bytes,
| Description: Hidden from Windows API
|
| Hope this helps.
|
| "Kayman" wrote:

Kayman:

Unfortunately, nothing comes to mind except....
C:\Recycler\... Refers to the Recycle/Trah bin. Just dump the contents.
C:\System Volume | Information\_restore\... is the System Restore cache. You can either
ignore this or if you think that in the near future you may restore a point from the System
Restore cache then it would be a ggod idea to disable the System Restore Cache, reboot, then
re-enable the System Restore cache. I also suggest a logical size of the ache something
like 600MB or so.

This may be the key...
C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink

Getting back to Mcafee....

Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor
files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP NG
I can presume that the have the WinXP FireWall enabled as well as Norton's and it may very
well be WinXP's FireWall blocking the FTP process.
 
From: "David H. Lipman" <[email protected]>



|
| Getting back to Mcafee....
|
| Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor
| files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP
| NG I can presume that the have the WinXP FireWall enabled as well as Norton's and it may
| very well be WinXP's FireWall blocking the FTP process.
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|

ADDENDUM:

Please read the thread...
"Windows Firewall and FTP Problem"

posted on...
Wednesday, July 13, 2005 9:37 AM
 
David, I made a typographical error, Cyptainer is misspelled and should read
Cryptainer.

Cryptainer LE Version 5.0.3 is an encryption software which is free to
download.

Sorry if my typo has caused inconvenience.
 
Dear David:

I am positively sure that the Windows firewall was disabled. You see when
disabling the Norton firewall a warning balloon pops up indicating that my
computer may be at risk because of disabling the security system. The balloon
would not appear if the windows Firewall was enabled. I always double check
that the windows firewall is disabled as I am aware that it is not
recommended to run 2 firewalls simultaneously. Also, I did not encounter any
problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.

I read the threads re: Windows Firewall and must say that all this is a bit
beyond my comprehension. Grateful if you could advise the following re:
Windows Firewall/Added Settings (FTP Settings):
a) Description of Service: ?
b) Name of IP address (for example 192.168.0.12) of the computer hosting
this service on your network: Where can I find this information?
c) External Port Number for this Service: ?
d) Internat Port Number for this Service: ?
e) Which box needs to be checked, TCP or UDP ?
After FTP Setting have been completed, do I have to delete and re-download
the McAfee Command Line Scanner?

Another Rootkitrevealer Scan revealed the following discrepancy:
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
7/14/2005, 6:57, 80 bytes
Description: Data mismatch between Windows API and raw hive data

If this has to be removed I need to know how to access HKLM...
Regards,
 
From: "Kayman" <[email protected]>

Replies are inline....

| Dear David:
|
| I am positively sure that the Windows firewall was disabled. You see when
| disabling the Norton firewall a warning balloon pops up indicating that my
| computer may be at risk because of disabling the security system. The balloon
| would not appear if the windows Firewall was enabled. I always double check
| that the windows firewall is disabled as I am aware that it is not
| recommended to run 2 firewalls simultaneously. Also, I did not encounter any
| problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.
|
| I read the threads re: Windows Firewall and must say that all this is a bit
| beyond my comprehension. Grateful if you could advise the following re:
| Windows Firewall/Added Settings (FTP Settings):
| a) Description of Service: ?

FTP


| b) Name of IP address (for example 192.168.0.12) of the computer hosting
| this service on your network: Where can I find this information?

ftp.nai.speedera.net


| c) External Port Number for this Service: ?

20 - 21

| d) Internat Port Number for this Service: ?

?


| e) Which box needs to be checked, TCP or UDP ?

TCP


| After FTP Setting have been completed, do I have to delete and re-download
| the McAfee Command Line Scanner?


Just choose McAfee from the Multi AV Vendor scanner menu


| Another Rootkitrevealer Scan revealed the following discrepancy:
| HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
| 7/14/2005, 6:57, 80 bytes
| Description: Data mismatch between Windows API and raw hive data
|
| If this has to be removed I need to know how to access HKLM...
| Regards,
|


Run Regedit

KKLM stands for; HKEY_LOCAL_MACHINE
Then follow the path; SOFTWARE\Microsoft\Cryptography\RNG
Seed=....

However, I doubt it is your problem and should be left alone !

Unfortunately, I don't have a WinXP SP2 box in front of me so I can't provide specific
FireWall information. The EASIEST way to deal with the FireWall issue is to DISABLE the
FireWall prior to choosing "McAfee" from the Multi AV Vendor scanner menu then re-enabling
it AFTER the files have been obtained.
 
Dear David:

I disabled both both firewalls (Windows and Norton 2003). Then I downloaded
McAfee. During this download operation the following message was visble:-

ftp<open ftp.nai.speedera.net
connect to ftp.nai.speedera.net.
220-
220-ftp.nai.com FTP server <SFIPD>
220
User <ftp.nai.speedera.net:<none>>:
331 Password required for user.

230 User anonymous logged in.
ftp>
ftp> lcd c:\AV-CLS\McAfee
Local directory now c:\CLS\McAfee.
ftp< bin
200 TYPE set to I.
Hash mark printing On ftp: <2048 bytes/hash mark>.
ftp prompt
Interactive mode Off.
ftp> get/pub/antivirus/superdat/intel/sdat4535.exe
200 PORT commanf successful.
150 Opening BINARY mode data connection
for/pub/antivirus/superdat/intel/sdat4.
####################################################

During downloading operation An Error Message appeared: "SDStbRes.dll: The
specified module could not be found". This message however disappeared after
10 seconds or so.
After completion of download operation a small McAfee Command Line Scanner
window appeared: "Do you want to run a scan now"? "Yes" "No".
I clicked Yes. The scan did not run but the NT based OS AV Command Line
Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
Nothing happened.
I rebooted the computer, accessed the appropriate folder and after the NT
Based OS AV Command Line Scanners Menu appeared I hit #3 again.
The following error message was displayed:
c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]

I run another RootKitRevealer Scan which found one (1) discrepancy:
Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
Time Stamp 7/15/2005, 12:17PM, Size: 32KB
Description: Visible in Windows API but not in MFT or directory index.

Well David, I hope all this helps to come up with a solution, Thanks!!
 
From: "Kayman" <[email protected]>

< snip >

| During downloading operation An Error Message appeared: "SDStbRes.dll: The
| specified module could not be found". This message however disappeared after
| 10 seconds or so.
| After completion of download operation a small McAfee Command Line Scanner
| window appeared: "Do you want to run a scan now"? "Yes" "No".
| I clicked Yes. The scan did not run but the NT based OS AV Command Line
| Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
| is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
| Nothing happened.
| I rebooted the computer, accessed the appropriate folder and after the NT
| Based OS AV Command Line Scanners Menu appeared I hit #3 again.
| The following error message was displayed:
| c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]
|
| I run another RootKitRevealer Scan which found one (1) discrepancy:
| Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
| Time Stamp 7/15/2005, 12:17PM, Size: 32KB
| Description: Visible in Windows API but not in MFT or directory index.
|
| Well David, I hope all this helps to come up with a solution, Thanks!!
|

Kayman:

That is indicative that disabling both FireWalls was key to allowing FTP.EXE to download the
needed files. On my McAfee VirusScan Enterprise v7.1 the file "SDStbRes.dll" was not found.
Are you using the retail version McAfee VirusScan v6 ? My scripts and McAfee have NO
dependency upon "SDStbRes.dll" which leads me to believe you do ahve this version of
software.

In any case, *IF* you do, disable McAfee v6.0 and the FireWalls and proceed to download.
You may have to reboot prior to doing so asd the PC was have been less stable by said error.

However, you ran Trend and Sophos OK and neither found anything. Yoy may want to just run
them again as it has been a few days and there are NEW signatures since the initial run and
ignore the McAfee section.

Then I would also suggest getting back to the ROOT of the problem as to what software
declared SPR/Madtol.C and in what file (fully quallified name and path).
 
Dear David:

I don't think using a retail version of McAfee VirusScan v6.
Early June I followed your recommendation to download CLEAN.EXE from the URL
www.ik-cs.com/programs/virtools/clean.exe I belive that the McAfee scan
Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
I don't have any other McAfee products installed to my computer, only
Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.

Here are the scan results I ran (after updating) today both in normal and
F8 & clean boot:-

McAfee v4.4.00, version data data file created Jul 15 2005; Scanning for
137602 viruses, trjans and variants: No Infections detected.

AV-CLS
1.Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
(104621 Patterns) (2005/07/14) (273100): NIL Files containning viruses.

2.SophosAnti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
July 2005; Includes detection for 107005 viruses, trojans and worms: No
viruses were discovered.

3.Mcafee: Unable to run scans.

Best regards,

David H. Lipman said:
From: "Kayman" <[email protected]>

< snip >

| During downloading operation An Error Message appeared: "SDStbRes.dll: The
| specified module could not be found". This message however disappeared after
| 10 seconds or so.
| After completion of download operation a small McAfee Command Line Scanner
| window appeared: "Do you want to run a scan now"? "Yes" "No".
| I clicked Yes. The scan did not run but the NT based OS AV Command Line
| Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
| is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
| Nothing happened.
| I rebooted the computer, accessed the appropriate folder and after the NT
| Based OS AV Command Line Scanners Menu appeared I hit #3 again.
| The following error message was displayed:
| c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]
|
| I run another RootKitRevealer Scan which found one (1) discrepancy:
| Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
| Time Stamp 7/15/2005, 12:17PM, Size: 32KB
| Description: Visible in Windows API but not in MFT or directory index.
|
| Well David, I hope all this helps to come up with a solution, Thanks!!
|

Kayman:

That is indicative that disabling both FireWalls was key to allowing FTP.EXE to download the
needed files. On my McAfee VirusScan Enterprise v7.1 the file "SDStbRes.dll" was not found.
Are you using the retail version McAfee VirusScan v6 ? My scripts and McAfee have NO
dependency upon "SDStbRes.dll" which leads me to believe you do ahve this version of
software.

In any case, *IF* you do, disable McAfee v6.0 and the FireWalls and proceed to download.
You may have to reboot prior to doing so asd the PC was have been less stable by said error.

However, you ran Trend and Sophos OK and neither found anything. Yoy may want to just run
them again as it has been a few days and there are NEW signatures since the initial run and
ignore the McAfee section.

Then I would also suggest getting back to the ROOT of the problem as to what software
declared SPR/Madtol.C and in what file (fully quallified name and path).
Click to expand...
 
From: "Kayman" <[email protected]>

| Dear David:
|
| I don't think using a retail version of McAfee VirusScan v6.
| Early June I followed your recommendation to download CLEAN.EXE from the URL
| www.ik-cs.com/programs/virtools/clean.exe I belive that the McAfee scan
| Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
| I don't have any other McAfee products installed to my computer, only
| Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.
|
| Here are the scan results I ran (after updating) today both in normal and
| F8 & clean boot:-
|
| McAfee v4.4.00, version data data file created Jul 15 2005; Scanning for
| 137602 viruses, trjans and variants: No Infections detected.
|
| AV-CLS
| 1.Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
| Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
| (104621 Patterns) (2005/07/14) (273100): NIL Files containning viruses.
|
| 2.SophosAnti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
| July 2005; Includes detection for 107005 viruses, trojans and worms: No
| viruses were discovered.
|
| 3.Mcafee: Unable to run scans.
|
| Best regards,


Both the Multi AV vendor scanner front end (Multi_AV.exe) and the McAfee Front End
(clean.exe) were written by me. The code used in the Clean Tool (Clean.exe) was ultimately
used in the Multi AV vendor scanner front end (Multi_AV.exe) and I don't uderstand why one
works and the other does not.

As I previously indicated....
I would suggest getting back to the ROOT of the problem as to what software declared
SPR/Madtol.C and in what file (fully quallified name and path).
 
Dear David:

Here is what I know:-
When clicking on to Spyware Doctor to run a scan a Warning message from
AntiVir (anti-virus free ware) popped up. The message indicates that:

C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
Contains signatures of the SPR/Madtol C.program

The warning sign now popped up pretty frequently during scanning with Sophos
and Trend.
The warning sign also pops up whenever when clicking on to Spyware Doctor
(prior Spyware Doctor is loading).

Please note that the number following MC changed from 27 to 2104. The latest
pop up indicated MC28.

My sincere apologies, but I really don't know what software declared this
problem, I just don't know where to look for.

I clicked Start -->Run and typed:
C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC27.TMP into the space provided for and
clicked OK. A window popped up showing that Windows cannot find this name.

However when omitting the letters/numbers MC27.TMP some eight (8) files
appeared in the "drop-down" box. They are:

#1. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp
#2. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF4513.tmp
#3. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF981A.tmp
#4. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF9D21.tmp
#5. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppfile.dat
#6. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppinfo.dat
#7. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\pploc.dat
#8. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppv5exc.dat

When selecting #1 through #4 - a window pops up showing that Windows cannot
open this (these) file(s). To open this file, Window needs to know what
program created it.

When selecting #5 through #8 - a Widow pops up cautions that opening this
file could damage the system.

I require guidance as to handle all this.

Well David, that is really all information I am presently aware of and am
sorry that I could not work the McAfee download in the multi scanner facility.
Thanks again for your patience.

David H. Lipman said:
From: "Kayman" <[email protected]>

| Dear David:
|
| I don't think using a retail version of McAfee VirusScan v6.
| Early June I followed your recommendation to download CLEAN.EXE from the URL
| www.ik-cs.com/programs/virtools/clean.exe I belive that the McAfee scan
| Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
| I don't have any other McAfee products installed to my computer, only
| Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.
|
| Here are the scan results I ran (after updating) today both in normal and
| F8 & clean boot:-
|
| McAfee v4.4.00, version data data file created Jul 15 2005; Scanning for
| 137602 viruses, trjans and variants: No Infections detected.
|
| AV-CLS
| 1.Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
| Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
| (104621 Patterns) (2005/07/14) (273100): NIL Files containning viruses.
|
| 2.SophosAnti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
| July 2005; Includes detection for 107005 viruses, trojans and worms: No
| viruses were discovered.
|
| 3.Mcafee: Unable to run scans.
|
| Best regards,


Both the Multi AV vendor scanner front end (Multi_AV.exe) and the McAfee Front End
(clean.exe) were written by me. The code used in the Clean Tool (Clean.exe) was ultimately
used in the Multi AV vendor scanner front end (Multi_AV.exe) and I don't uderstand why one
works and the other does not.

As I previously indicated....
I would suggest getting back to the ROOT of the problem as to what software declared
SPR/Madtol.C and in what file (fully quallified name and path).
Click to expand...
 
From: "Kayman" <[email protected]>

| Dear David:
|
| Here is what I know:-
| When clicking on to Spyware Doctor to run a scan a Warning message from
| AntiVir (anti-virus free ware) popped up. The message indicates that:
|
| C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
| Contains signatures of the SPR/Madtol C.program
|
| The warning sign now popped up pretty frequently during scanning with Sophos
| and Trend.
| The warning sign also pops up whenever when clicking on to Spyware Doctor
| (prior Spyware Doctor is loading).
|
| Please note that the number following MC changed from 27 to 2104. The latest
| pop up indicated MC28.
|
| My sincere apologies, but I really don't know what software declared this
| problem, I just don't know where to look for.
|
| I clicked Start -->Run and typed:
| C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC27.TMP into the space provided for and
| clicked OK. A window popped up showing that Windows cannot find this name.
|
| However when omitting the letters/numbers MC27.TMP some eight (8) files
| appeared in the "drop-down" box. They are:
|
| #1. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp
| #2. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF4513.tmp
| #3. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF981A.tmp
| #4. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF9D21.tmp
| #5. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppfile.dat
| #6. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppinfo.dat
| #7. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\pploc.dat
| #8. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppv5exc.dat
|
| When selecting #1 through #4 - a window pops up showing that Windows cannot
| open this (these) file(s). To open this file, Window needs to know what
| program created it.
|
| When selecting #5 through #8 - a Widow pops up cautions that opening this
| file could damage the system.
|
| I require guidance as to handle all this.
|
| Well David, that is really all information I am presently aware of and am
| sorry that I could not work the McAfee download in the multi scanner facility.
| Thanks again for your patience.
|


If I had patience, I'd be a Doctor ;-)

What I suggest is the following, take a suspect file such as
C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp and please "~DF31B3.tmp" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendor's scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.
 
Dear David:

I transmitted eight (8) messages to Virus Total and attached one (1) file to
each message.

File <ppv5exc.dat> has 0 bytes and wasn't scanned (unsupported or malformed
attached file codification).

The results of seven (7) file scans by the various scan engines did not find
any viruses.
Best regards,
 
From: "Kayman" <[email protected]>

| Dear David:
|
| I transmitted eight (8) messages to Virus Total and attached one (1) file to
| each message.
|
| File <ppv5exc.dat> has 0 bytes and wasn't scanned (unsupported or malformed
| attached file codification).
|
| The results of seven (7) file scans by the various scan engines did not find
| any viruses.
| Best regards,
|
| "David H. Lipman" wrote:

Obviously if it is a 0 byte file it can be malware. You would have to submit a file where
the file handle is NOT in use so it can be uploaded or a file that is not empty.

Were all 8 submissions zero bytes ?
 
Dear David:

Only file ppv5exc.dat indicates 0 bytes.

Details of the other 7 files are as follows:

DF31B3.temp, DF4513.temp, DF981A.temp and DF9D21 all have 32.0 KB.

ppfile.dat =>499.0 KB, ppinfo.dat => 201 KB and pploc.dat => 553.0 KB.

Sorry David, I would not know whether the file handle is or is not in use, I
don't even know what a file handle is. So I looked up "Using a File Handle"
in the Microsoft Knowledge Base (MSDN Library) but having a hard time to
comprehend all this. The write up with respect to "File Basic Information" is
also way beyond my understanding.

When I submitted the files to (e-mail address removed) I don't think opening any
files. I just clicked the 'attach' button in Outlook Express and looked
for/inserted the appropriate attachment which I then submitted accordingly.
Kind regards,
 
Back
Top