Guest Newell White
Posted September 18, 2008

I have a workstation on our LAN running Windows XP SP3.
Symptoms:

1) When I attempt to run a virus scan using McAfee Enterprise AV I get a popup telling me the virus recognition .DAT file is corrupt.

2) When I attempt to re-install from CD I get a popup during the install process telling me the file cabsd.w1.cab is missing or corrupt. There is no such file on the CD, which installs successfully on an identical workstation.

3) When (in Explorer) I try to copy autoruns.exe from a floppy to the C:\ drive, I get a popup telling me the copy fails because of a checksum error. I can run autoruns from the floppy using Start.. Run..., and can see nothing suspicious.

4) When I run RootKitRevealer in a similar manner, it shows nothing.

5) Running the September MS Malicious Software Removal tool from their website shows nothing.

I am reluctant to flatten and rebuild as this workstation has been configured to run an expensive piece of production machinery.

--
Regards,
Newell White

Guest What's in a Name?
Posted September 18, 2008

On Thu, 18 Sep 2008 11:01:02 -0400, Newell White <NewellWhite@discussions.microsoft.com> wrote:

> I have a workstation on our LAN running Windows XP SP3.
> Symptoms:
>
> 1) When I attempt to run a virus scan using McAfee Enterprise AV I get a
> popup telling me the virus recognition .DAT file is corrupt.
>
> 2) When I attempt to re-install from CD I get a popup during the install
> process telling me the file cabsd.w1.cab is missing or corrupt. There is no
> such file on the CD, which installs successfully on an identical workstation.
>
> 3) When (in Explorer) I try to copy autoruns.exe from a floppy to the C:\
> drive, I get a popup telling me the copy fails because of a checksum error. I
> can run autoruns from the floppy using Start.. Run..., and can see nothing
> suspicious.
>
> 4) When I run RootKitRevealer in a similar manner, it shows nothing.
>
> 5) Running the September MS Malicious Software Removal tool from their
> website shows nothing.
>
> I am reluctant to flatten and rebuild as this workstation has been
> configured to run an expensive piece of production machinery.

You should be reluctant. Why don't you just restore from a known clean image? Oh, you didn't create one did you? One would think that an important workstation would be backed up. Tell your boss you need an image program today and then make a plan to image all workstations.

Have you tried to download new dat files from McAfee?

max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Change nomail.afraid.org to gmail.com to reply by email.
nomail.afraid.org is setup for use in USENET by everyone

Guest David H. Lipman
Posted September 18, 2008

From: "Newell White" <NewellWhite@discussions.microsoft.com>

Replies are inline...

| I have a workstation on our LAN running Windows XP SP3.
| Symptoms:

| 1) When I attempt to run a virus scan using McAfee Enterprise AV I get a
| popup telling me the virus recognition .DAT file is corrupt.

OK, these are the signature files. Just replace them with the DAT files from the latest ZIP file or SuperDAT file.
Is this Enterprise v8.5i ?

| 2) When I attempt to re-install from CD I get a popup during the install
| process telling me the file cabsd.w1.cab is missing or corrupt. There is no
| such file on the CD, which installs successfully on an identical workstation.

Why are you reinstalling ?
The original message was about signature files ( .DAT files) not the application

| 3) When (in Explorer) I try to copy autoruns.exe from a floppy to the C:\
| drive, I get a popup telling me the copy fails because of a checksum error. I
| can run autoruns from the floppy using Start.. Run..., and can see nothing
| suspicious.

| 4) When I run RootKitRevealer in a similar manner, it shows nothing.

| 5) Running the September MS Malicious Software Removal tool from their
| website shows nothing.

| I am reluctant to flatten and rebuild as this workstation has been
| configured to run an expensive piece of production machinery.

Is this PC connected to the LAN and WAN ?
If yes, then you should consider flattening the PC and NOT connecting it to the LAN if this is "...configured to run an expensive piece of production machinery. "

Something this important should also have an image made in case of emergencies. This way if the PC gets corrupted you would only have to restore the image and the system would be back to normal.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Newell White
Posted September 19, 2008

"David H. Lipman" wrote:

> From: "Newell White" <NewellWhite@discussions.microsoft.com>
>
> Replies are inline...
>
> | I have a workstation on our LAN running Windows XP SP3.
> | Symptoms:
>
> | 1) When I attempt to run a virus scan using McAfee Enterprise AV I get a
> | popup telling me the virus recognition .DAT file is corrupt.
>
> OK, these are the signature files. Just replace them with the DAT files from the latest
> ZIP file or SuperDAT file.
> Is this Enterprise v8.5i ?
>
> | 2) When I attempt to re-install from CD I get a popup during the install
> | process telling me the file cabsd.w1.cab is missing or corrupt. There is no
> | such file on the CD, which installs successfully on an identical workstation.
>
> Why are you reinstalling ?
> The original message was about signature files ( .DAT files) not the application
>
> | 3) When (in Explorer) I try to copy autoruns.exe from a floppy to the C:\
> | drive, I get a popup telling me the copy fails because of a checksum error. I
> | can run autoruns from the floppy using Start.. Run..., and can see nothing
> | suspicious.
>
> | 4) When I run RootKitRevealer in a similar manner, it shows nothing.
>
> | 5) Running the September MS Malicious Software Removal tool from their
> | website shows nothing.
>
> | I am reluctant to flatten and rebuild as this workstation has been
> | configured to run an expensive piece of production machinery.
>
> Is this PC connected to the LAN and WAN ?
> If yes, then you should consider flattening the PC and NOT connecting it to the LAN if
> this is "...configured to run an expensive piece of production machinery. "
>
> Something this important should also have an image made in case of emergencies. This way
> if the PC gets corrupted you would only have to restore the image and the system would be
> back to normal.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thanks for swift response, David.

McAfee AV 7.0 was installed.
I attempted to install 8.0i after uninstalling 7.0. Plan was to update 8.0i from the McAfee web-site.

I omitted to say in my previous post that the first thing that aroused my suspicion was that Start.. Run.. msconfig didn't work.
This or an inability to run regedit are classic symptoms of malware infection.

Machine is off the LAN while I investigate.
Having reviewed use of the machine (domain logon and logoff scripts write to a log-file for each computer on the LAN) I believe that the most likely time and source of infection was the installation of the machinery control software by the supplier's field technicians.

But I must be able to identify the malware to deduce date/time of infection before I can take this issue further.

Is there any detection software which can run from a Bart PE disk?

--
Regards,
Newell White

Guest David H. Lipman
Posted September 19, 2008

From: "Newell White" <NewellWhite@discussions.microsoft.com>

| Thanks for swift response, David.

| McAfee AV 7.0 was installed.
| I attempted to install 8.0i after uninstalling 7.0. Plan was to update 8.0i
| from the McAfee web-site.

| I omitted to say in my previous post that the first thing that aroused my
| suspicion was that Start.. Run.. msconfig didn't work.
| This or an inability to run regedit are classic symptoms of malware infection.

| Machine is off the LAN while I investigate.
| Having reviewed use of the machine (domain logon and logoff scripts write to
| a log-file for each computer on the LAN) I believe that the most likely time
| and source of infection was the installation of the machinery control
| software by the supplier's field technicians.

| But I must be able to identify the malware to deduce date/time of infection
| before I can take this issue further.

| Is there any detection software which can run from a Bart PE disk?
| --
| Regards,
| Newell White

Not using the BartPE but you can try the following...

Read the included PDF Help File on how to use one PC to download signatures and port the Multi-AV to the affected PC.

Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/0...virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

Please report back your results

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Newell White
Posted September 19, 2008

"David H. Lipman" wrote:

> From: "Newell White" <NewellWhite@discussions.microsoft.com>
>
> | Thanks for swift response, David.
>
> | McAfee AV 7.0 was installed.
> | I attempted to install 8.0i after uninstalling 7.0. Plan was to update 8.0i
> | from the McAfee web-site.
>
> | I omitted to say in my previous post that the first thing that aroused my
> | suspicion was that Start.. Run.. msconfig didn't work.
> | This or an inability to run regedit are classic symptoms of malware infection.
>
> | Machine is off the LAN while I investigate.
> | Having reviewed use of the machine (domain logon and logoff scripts write to
> | a log-file for each computer on the LAN) I believe that the most likely time
> | and source of infection was the installation of the machinery control
> | software by the supplier's field technicians.
>
> | But I must be able to identify the malware to deduce date/time of infection
> | before I can take this issue further.
>
> | Is there any detection software which can run from a Bart PE disk?
> | --
> | Regards,
> | Newell White
>
> Not using the BartPE but you can try the following...
>
> Read the included PDF Help File on how to use one PC to download signatures and port the
> Multi-AV to the affected PC.
>
> Download MULTI_AV.EXE from the URL --
> http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
>
> http://www.pctipp.ch/downloads/dl/35905.asp
>
> English:
> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
> Please report back your results
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Haven't found the culprit yet, but have shrewd suspicion how it is working.

Loaded the full AV-CLS folder (using robocopy in a .bat file) to the suspect from a clean imaged computer which I can restore afterwards.

Started with Sophos and got a complaint of missing or corrupt .DAT files.
So I removed inherited ACLs of the local Administrator account from C:\AV-CLS and repeated the robocopy - now Sophos is running.

I don't suppose it would do any good to put a new strong password on the local Administrator account - I purchased a piece of software to reset that password for less than $10 a couple of years ago.

Will let you know full results, probably on Monday

--
Regards,
Newell White

Guest kalyan
Posted September 22, 2008

Hi

1. Uninstall McAfee program
2. Reboot the pc
3. Install Microsoft Windows installer using below mentioned link
   http://www.microsoft.com/downloads/details...;displaylang=en
4. Reboot the pc & clean the temp files
5. Try to install McAfee
6. Autoupdate the virus definitions

--
Warm Regards
Kalyan

"Newell White" <NewellWhite@discussions.microsoft.com> wrote in message news:579A2DD0-C5D8-462B-9C0C-9EB8DFD230A0@microsoft.com...

> I have a workstation on our LAN running Windows XP SP3.
> Symptoms:
>
> 1) When I attempt to run a virus scan using McAfee Enterprise AV I get a
> popup telling me the virus recognition .DAT file is corrupt.
>
> 2) When I attempt to re-install from CD I get a popup during the install
> process telling me the file cabsd.w1.cab is missing or corrupt. There is no
> such file on the CD, which installs successfully on an identical workstation.
>
> 3) When (in Explorer) I try to copy autoruns.exe from a floppy to the C:\
> drive, I get a popup telling me the copy fails because of a checksum error. I
> can run autoruns from the floppy using Start.. Run..., and can see nothing
> suspicious.
>
> 4) When I run RootKitRevealer in a similar manner, it shows nothing.
>
> 5) Running the September MS Malicious Software Removal tool from their
> website shows nothing.
>
> I am reluctant to flatten and rebuild as this workstation has been
> configured to run an expensive piece of production machinery.
>
> --
> Regards,
> Newell White

Guest Newell White
Posted September 29, 2008

> Not using the BartPE but you can try the following...
>
> Read the included PDF Help File on how to use one PC to download signatures and port the
> Multi-AV to the affected PC.
>
> Download MULTI_AV.EXE from the URL --
> http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
>
> http://www.pctipp.ch/downloads/dl/35905.asp
>
> English:
> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
> Please report back your results
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Mystery solved - sorry about the delay in reporting back.

The machine does not flag up alarms in any of the anti-virus or rootkit tools.
It suffered from two faults:

1) A sticky bit fairly high up in the 512Mbyte RAM chip.
This affected only jobs using large buffers like file copy and verification, and unzipping.
Hence various reports of corrupt files, and failure to copy install packages to the local hard-drive.
I have now installed McAfee anti-virus successfully.

2) A malformed $PATH which meant that 'Run' could not find msconfig.exe.

So I have added mtinst.exe (MS Windows memory diagnostic) and chkdsk.exe to my MultiAV CD.

Thanks for your assistance, apologies for the false alarm.

--
Regards,
Newell White

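The pattern the thread ends on (clean scanner results, but "corrupt file" and checksum errors on large copies) can be tested directly by copying a file several times and comparing each copy with its source bit for bit. This is an added example, not part of any post above; the function names and the eight-flip threshold are assumptions chosen for illustration.

```python
import os
import shutil
import tempfile


def diff_bits(a: bytes, b: bytes):
    """Return (offset, xor_mask) for each differing byte of two equal-length buffers."""
    return [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def classify(a: bytes, b: bytes, max_flips: int = 8) -> str:
    """Heuristic (assumption): a handful of isolated single-bit differences looks
    like a hardware fault (RAM, disk, cable); anything else is a bulk difference."""
    if a == b:
        return "match"
    if len(a) != len(b):
        return "bulk-difference"
    diffs = diff_bits(a, b)
    single_bit = all(bin(mask).count("1") == 1 for _, mask in diffs)
    return "bit-flip" if single_bit and len(diffs) <= max_flips else "bulk-difference"


def copy_verify(src: str, dst_dir: str, rounds: int = 5):
    """Copy src several times and compare every copy with the source.
    Verdicts that change from round to round point at intermittent hardware."""
    with open(src, "rb") as f:
        want = f.read()
    verdicts = []
    for n in range(rounds):
        dst = os.path.join(dst_dir, f"copy{n}.bin")
        shutil.copyfile(src, dst)
        with open(dst, "rb") as f:
            verdicts.append(classify(want, f.read()))
    return verdicts


def demo():
    """Constructed sample: 1 MiB of random data copied five times in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sample.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(1024 * 1024))
        return copy_verify(src, d)


if __name__ == "__main__":
    print(demo())
```

On a healthy machine every round reports a match; a machine that returns occasional "bit-flip" verdicts should get a memory test and a disk check before any malware hunt.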