#1
SPR/Madtol.C program
I clicked on to Spyware Doctor to run a periodic scan when a Warning Window from one of my anti-virus programs (AntiVir) popped up displaying the following message:

C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
Contains signature of the SPR/Madtol.C program

The AntiVir program provided several options as to what to do with this file; I opted for deletion.

When clicking afterward on to Spyware Doctor the AntiVir Warning sign reappears displaying almost the same message (instead of MC27 it shows MC28). I again deleted this file.

The warning sign only appears when clicking on to Spyware Doctor, which by the way I installed some 6 months ago. But the problem only started yesterday.

I ran updated MS AntiSpyware, Spybot S&D, Ad-Aware SE, AntiVir, Spyware Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode) but none of the scans indicated the presence of this file.

Would somebody know and advise a proper elimination procedure for this file?

Thank you in advance for your attention and kind assistance.
#2
Re: SPR/Madtol.C program
From: "Kayman" <Kayman@discussions.microsoft.com>

This could very well be a RootKit!
http://www.sysinternals.com/utilitie...trevealer.html

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter { http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#3
Re: SPR/Madtol.C program
Hi David:
Here are the scan results:-

1. TREND (F8 & clean boot):
33303 files read, 33303 files checked, 29440 files scanned, 39817 files scanned (incl. files in archives), 0 files containing viruses, found 0 viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
1a. TREND (normal mode):
33205 files read, 33205 files checked, 29891 files scanned, 38760 files scanned (incl. files in archives), 0 files containing viruses, found 0 viruses totally, maybe 0 viruses totally; scan time 17 min. 37 sec.

2. SOPHOS (F8 & clean boot):
40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered, no viruses discovered, 46 encrypted files were not checked; ending Sophos Anti-Virus.
2a. SOPHOS (normal mode):
40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were discovered, 46 encrypted files were not checked; ending Sophos Anti-Virus.

3. MCAFEE (both in F8 & clean boot and normal mode):
Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu the following message appears:
c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]

David, should I delete the McAfee folder and try to download one more time?

For your information, after scanning with Trend and Sophos, I clicked on to Spyware Doctor and the AntiVir Warning sign popped up again indicating that the SPR/Madtol.C program is still present; the number has changed to MC2104.

With best regards,
#4
Re: SPR/Madtol.C program
From: "Kayman" <Kayman@discussions.microsoft.com>

The error message...
"update.ini not opened foe read, error code [0]"
indicates that the FTP.EXE program was unable to access the McAfee FTP site and download the needed files. The UPDATE.INI is parsed for the version information of the McAfee files. Without it the utility does not know what the name of the McAfee SuperDAT is.

Usually this error is caused by the FireWall blocking FTP.EXE from getting to the site. Either the FireWall needs to be disabled or FTP.EXE needs to be allowed to go through the FireWall.

Since both Trend and Sophos come up clean... It could be well hidden and only revealed via RootKit Revealer
http://www.sysinternals.com/utilitie...trevealer.html

There is also a possibility that this is a False Positive declaration.

There must be SOME file that is being flagged as having this.

Please submit the suspect file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#5
Re: SPR/Madtol.C program
Hi David:

Prior to downloading AV-CSL I definitely permitted my (Norton 2003) security system to let AV-CSL (Trend, Sophos and McAfee) pass through the firewall.

Anyway, I deleted the McAfee folder, disabled my firewall and re-downloaded McAfee. After reboot I tried to scan without success; the same error message popped up.

I then deleted the entire AV-CSL folder and started from scratch. I again disabled my firewall prior to downloading and left it disabled during the entire download operation. (This time I downloaded McAfee first, Trend second and Sophos third.)
I am able to perform scans with Trend and Sophos.
McAfee however produces the same old error message.

I downloaded Rootkitrevealer.exe. The scan result revealed that there were no discrepancies found.

I accessed the virustotal website and sent a message explaining my plight. The message sent was identical to the one I sent to (you) the Discussion Group. They responded that the (my) original message had no attachment.
I am at a loss here. I really don't know which attachment I could have sent to virustotal. The only evidence I have is the warning sign generated by AntiVir. I guess I somehow could send them a screen print??

Thanks again for your patience.
With best regards,
#6
Re: SPR/Madtol.C program
David,

I just ran another RootkitRevealer scan which this time revealed 8 discrepancies. Don't know why the first scan did not reveal anything. Details are as follows:

1. Path: C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink
   Time Stamp: 7/5/2005 4:16PM, Size: 772 bytes,
   Description: Visible in Windows API but not in MFT or directory index.

2. Path: C:\Documents and Settings\Pattaya2005\Start Menu\Rootkitrevealer.exe.Ink
   Time Stamp: 7/13/2005 6:21 PM, Size: 741 bytes
   Description: Hidden from Windows API.

3. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc15.Ink
   Time Stamp: 7/10/2005 11:49PM, Size: 636 bytes,
   Description: Visible in Windows API but not in MFT or directory index

4. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc41.Ink
   Time Stamp: 7/13/2005 6:19PM, Size: 529 bytes,
   Description: Hidden from Windows API

5. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc43.Ink
   Time Stamp: 7/13/2005 6:20PM, Size: 772 bytes,
   Description: Hidden from Windows API

6. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc44.Ink
   Time Stamp: 7/13/2005 6:23PM, Size: 741 bytes,
   Description: Hidden from Windows API

7. Path: C:\System Volume Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023597.Ink
   Time Stamp: 7/13/2005 6:23PM, Size: 772 bytes
   Description: Hidden from Windows API

8. Path: C:\System Volume Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023598.Ink
   Time Stamp: 7/13/2005 6:23PM, Size: 636 bytes,
   Description: Hidden from Windows API

Hope this helps.
#7
Re: SPR/Madtol.C program
From: "Kayman" <Kayman@discussions.microsoft.com>

Kayman:

Unfortunately, nothing comes to mind except....

C:\Recycler\... refers to the Recycle/Trash bin. Just dump the contents.

C:\System Volume Information\_restore\... is the System Restore cache. You can either ignore this or, if you think that in the near future you may restore a point from the System Restore cache, then it would be a good idea to disable the System Restore Cache, reboot, then re-enable the System Restore cache. I also suggest a logical size of the cache, something like 600MB or so.

This may be the key...
C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink

Getting back to McAfee....

Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP NG I can presume that they have the WinXP FireWall enabled as well as Norton's, and it may very well be WinXP's FireWall blocking the FTP process.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#8
Re: SPR/Madtol.C program
From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

| Getting back to McAfee....
|
| Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor
| files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP
| NG I can presume that they have the WinXP FireWall enabled as well as Norton's and it may
| very well be WinXP's FireWall blocking the FTP process.

ADDENDUM:

Please read the thread...
"Windows Firewall and FTP Problem"

posted on...
Wednesday, July 13, 2005 9:37 AM

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#9
Re: SPR/Madtol.C program
David,

I made a typographical error: Cyptainer is misspelled and should read Cryptainer. Cryptainer LE Version 5.0.3 is encryption software which is free to download.

Sorry if my typo has caused inconvenience.
#10
Re: SPR/Madtol.C program
Dear David:

I am positively sure that the Windows firewall was disabled. You see, when disabling the Norton firewall a warning balloon pops up indicating that my computer may be at risk because of disabling the security system. The balloon would not appear if the Windows Firewall was enabled. I always double check that the Windows firewall is disabled as I am aware that it is not recommended to run 2 firewalls simultaneously. Also, I did not encounter any problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.

I read the threads re: Windows Firewall and must say that all this is a bit beyond my comprehension. Grateful if you could advise the following re: Windows Firewall/Added Settings (FTP Settings):

a) Description of Service: ?
b) Name or IP address (for example 192.168.0.12) of the computer hosting this service on your network: Where can I find this information?
c) External Port Number for this Service: ?
d) Internal Port Number for this Service: ?
e) Which box needs to be checked, TCP or UDP?

After the FTP Settings have been completed, do I have to delete and re-download the McAfee Command Line Scanner?

Another Rootkitrevealer scan revealed the following discrepancy:
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
7/14/2005, 6:57, 80 bytes
Description: Data mismatch between Windows API and raw hive data

If this has to be removed I need to know how to access HKLM...

Regards,
#11
Re: SPR/Madtol.C program
From: "Kayman" <Kayman@discussions.microsoft.com>

Replies are inline....

| Dear David:
|
| I am positively sure that the Windows firewall was disabled. You see when
| disabling the Norton firewall a warning balloon pops up indicating that my
| computer may be at risk because of disabling the security system. The balloon
| would not appear if the windows Firewall was enabled. I always double check
| that the windows firewall is disabled as I am aware that it is not
| recommended to run 2 firewalls simultaneously. Also, I did not encounter any
| problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.
|
| I read the threads re: Windows Firewall and must say that all this is a bit
| beyond my comprehension. Grateful if you could advise the following re:
| Windows Firewall/Added Settings (FTP Settings):

| a) Description of Service: ?

FTP

| b) Name or IP address (for example 192.168.0.12) of the computer hosting
| this service on your network: Where can I find this information?

ftp.nai.speedera.net

| c) External Port Number for this Service: ?

20 - 21

| d) Internal Port Number for this Service: ?

?

| e) Which box needs to be checked, TCP or UDP ?

TCP

| After FTP Setting have been completed, do I have to delete and re-download
| the McAfee Command Line Scanner?

Just choose McAfee from the Multi AV Vendor scanner menu

| Another Rootkitrevealer Scan revealed the following discrepancy:
| HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
| 7/14/2005, 6:57, 80 bytes
| Description: Data mismatch between Windows API and raw hive data
|
| If this has to be removed I need to know how to access HKLM...
| Regards,

Run Regedit
HKLM stands for; HKEY_LOCAL_MACHINE
Then follow the path; SOFTWARE\Microsoft\Cryptography\RNG
Seed=....

However, I doubt it is your problem and it should be left alone!

Unfortunately, I don't have a WinXP SP2 box in front of me so I can't provide specific FireWall information.

The EASIEST way to deal with the FireWall issue is to DISABLE the FireWall prior to choosing "McAfee" from the Multi AV Vendor scanner menu, then re-enable it AFTER the files have been obtained.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#12
Re: SPR/Madtol.C program
Dear David:

I disabled both firewalls (Windows and Norton 2003). Then I downloaded McAfee. During this download operation the following message was visible:-

ftp<open ftp.nai.speedera.net
connect to ftp.nai.speedera.net.
220-
220-ftp.nai.com FTP server <SFIPD>
220
User <ftp.nai.speedera.net:<none>>:
331 Password required for user.
230 User anonymous logged in.
ftp>
ftp> lcd c:\AV-CLS\McAfee
Local directory now c:\CLS\McAfee.
ftp< bin
200 TYPE set to I.
Hash mark printing On ftp: <2048 bytes/hash mark>.
ftp prompt
Interactive mode Off.
ftp> get/pub/antivirus/superdat/intel/sdat4535.exe
200 PORT commanf successful.
150 Opening BINARY mode data connection for/pub/antivirus/superdat/intel/sdat4.
####################################################

During the downloading operation an Error Message appeared: "SDStbRes.dll: The specified module could not be found". This message however disappeared after 10 seconds or so.

After completion of the download operation a small McAfee Command Line Scanner window appeared: "Do you want to run a scan now"? "Yes" "No". I clicked Yes. The scan did not run but the NT based OS AV Command Line Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3 is to run McAfee, #2 is to run Trend and #1 is to run Sophos). Nothing happened.

I rebooted the computer, accessed the appropriate folder and after the NT Based OS AV Command Line Scanners Menu appeared I hit #3 again. The following error message was displayed:

c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]

I ran another RootKitRevealer Scan which found one (1) discrepancy:

Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
Time Stamp 7/15/2005, 12:17PM, Size: 32KB
Description: Visible in Windows API but not in MFT or directory index.

Well David, I hope all this helps to come up with a solution, Thanks!!

"David H. Lipman" wrote:

> From: "Kayman" <Kayman@discussions.microsoft.com>
>
> Replies are inline....
>
> | Dear David:
> |
> | I am positively sure that the Windows firewall was disabled. You see when
> | disabling the Norton firewall a warning balloon pops up indicating that my
> | computer may be at risk because of disabling the security system. The balloon
> | would not appear if the Windows Firewall was enabled. I always double check
> | that the Windows firewall is disabled as I am aware that it is not
> | recommended to run 2 firewalls simultaneously. Also, I did not encounter any
> | problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.
> |
> | I read the threads re: Windows Firewall and must say that all this is a bit
> | beyond my comprehension. Grateful if you could advise the following re:
> | Windows Firewall/Added Settings (FTP Settings):
> | a) Description of Service: ?
>
> FTP
>
> | b) Name of IP address (for example 192.168.0.12) of the computer hosting
> | this service on your network: Where can I find this information?
>
> ftp.nai.speedera.net
>
> | c) External Port Number for this Service: ?
>
> 20 - 21
>
> | d) Internal Port Number for this Service: ?
>
> ?
>
> | e) Which box needs to be checked, TCP or UDP ?
>
> TCP
>
> | After FTP Settings have been completed, do I have to delete and re-download
> | the McAfee Command Line Scanner?
>
> Just choose McAfee from the Multi AV Vendor scanner menu
>
> | Another RootkitRevealer Scan revealed the following discrepancy:
> | HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
> | 7/14/2005, 6:57, 80 bytes
> | Description: Data mismatch between Windows API and raw hive data
> |
> | If this has to be removed I need to know how to access HKLM...
> | Regards,
> |
>
> Run Regedit
>
> HKLM stands for; HKEY_LOCAL_MACHINE
> Then follow the path; SOFTWARE\Microsoft\Cryptography\RNG
> Seed=....
>
> However, I doubt it is your problem and should be left alone !
>
> Unfortunately, I don't have a WinXP SP2 box in front of me so I can't provide specific
> FireWall information.
>
> The EASIEST way to deal with the FireWall issue is to DISABLE the
> FireWall prior to choosing "McAfee" from the Multi AV Vendor scanner menu then re-enabling
> it AFTER the files have been obtained.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
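Both RootKitRevealer findings in this thread (the RNG\Seed registry mismatch in #11 and the ~DFEE6C.tmp file above) are cross-view discrepancies: the tool compares what the Windows API reports with the raw registry hive and raw NTFS structures, and most mismatches are just data that changed between the two views. The triage helper below is an added example, not code from the thread or from Sysinternals; it parses constructed report lines in a tab-separated layout assumed to mirror RootKitRevealer's output, and the path placeholder.sys is a made-up placeholder used only to show the one description that does warrant investigation.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample (path, timestamp, size, description). The first two entries
# mirror this thread's findings; the third uses a placeholder path to show the
# one description that points at a genuinely hidden object.
SAMPLE_REPORT = (
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed\t7/14/2005 6:57\t80 bytes\t"
    "Data mismatch between Windows API and raw hive data\n"
    "C:\\Documents and Settings\\Pattaya2005\\Local Settings\\Temp\\~DFEE6C.tmp\t"
    "7/15/2005 12:17 PM\t32 KB\tVisible in Windows API but not in MFT or directory index.\n"
    "C:\\WINDOWS\\system32\\drivers\\placeholder.sys\t7/15/2005 1:02 PM\t24 KB\t"
    "Hidden from Windows API.\n"
)
# Registry values rewritten so often that the API and raw-hive views rarely agree.
VOLATILE_KEYS = ("\\cryptography\\rng\\seed",)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

@dataclass
class Finding:
    path: str
    description: str
    verdict: str
    reason: str

def classify(path: str, description: str) -> Tuple[str, str]:
    """Map one discrepancy to (verdict, reason)."""
    p, d = path.lower(), description.lower()
    if d.startswith("data mismatch") and any(k in p for k in VOLATILE_KEYS):
        return "benign", "value changes constantly, so the two views are never in sync"
    if d.startswith("visible in windows api but not in mft"):
        if any(m in p for m in TEMP_MARKERS):
            return "likely-benign", "temp file created or deleted between the two views; rescan and confirm it is gone"
        return "review", "seen by the API but absent on disk; rescan to rule out a transient file"
    if d.startswith("hidden from windows api"):
        return "investigate", "present on disk but hidden from the API, the pattern a kernel-mode rootkit produces"
    return "review", "unclassified discrepancy; compare against a second scan"

def triage(report: str) -> List[Finding]:
    """Parse a RootKitRevealer-style report and attach a verdict to each entry."""
    findings = []
    for line in report.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # header or truncated line
        path, _timestamp, _size, description = fields
        findings.append(Finding(path, description, *classify(path, description)))
    return findings
```

A persistent "Hidden from Windows API" entry that survives a reboot and a second scan is the finding worth escalating; the two seen in this thread fall into the noise categories.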
#13
Re: SPR/Madtol.C program
From: "Kayman" <Kayman@discussions.microsoft.com>

< snip >

| During the downloading operation an Error Message appeared: "SDStbRes.dll: The
| specified module could not be found". This message however disappeared after
| 10 seconds or so.
| After completion of the download operation a small McAfee Command Line Scanner
| window appeared: "Do you want to run a scan now"? "Yes" "No".
| I clicked Yes. The scan did not run but the NT based OS AV Command Line
| Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
| is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
| Nothing happened.
| I rebooted the computer, accessed the appropriate folder and after the NT
| Based OS AV Command Line Scanners Menu appeared I hit #3 again.
| The following error message was displayed:
| c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]
|
| I ran another RootKitRevealer Scan which found one (1) discrepancy:
| Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
| Time Stamp 7/15/2005, 12:17PM, Size: 32KB
| Description: Visible in Windows API but not in MFT or directory index.
|
| Well David, I hope all this helps to come up with a solution, Thanks!!
|

Kayman:

That is indicative that disabling both FireWalls was key to allowing FTP.EXE to download the needed files. On my McAfee VirusScan Enterprise v7.1 the file "SDStbRes.dll" was not found. Are you using the retail version McAfee VirusScan v6 ? My scripts and McAfee have NO dependency upon "SDStbRes.dll" which leads me to believe you do have this version of software.

In any case, *IF* you do, disable McAfee v6.0 and the FireWalls and proceed to download. You may have to reboot prior to doing so as the PC may have been left less stable by said error.

However, you ran Trend and Sophos OK and neither found anything. You may want to just run them again as it has been a few days and there are NEW signatures since the initial run and ignore the McAfee section.

Then I would also suggest getting back to the ROOT of the problem as to what software declared SPR/Madtol.C and in what file (fully qualified name and path).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#14
Re: SPR/Madtol.C program
Dear David:

I don't think I am using a retail version of McAfee VirusScan v6. Early June I followed your recommendation to download CLEAN.EXE from the URL www.ik-cs.com/programs/virtools/clean.exe I believe that the McAfee scan Engine is v4.4.00 for Win32. I still run scans with this engine frequently. I don't have any other McAfee products installed to my computer, only Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.

Here are the scan results I ran (after updating) today both in normal and F8 & clean boot:-

McAfee v4.4.00, version data file created Jul 15 2005; Scanning for 137602 viruses, trojans and variants: No Infections detected.

AV-CLS
1. Trend Micro Sysclean Package (version 626) [success], VSAPI Engine Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731 (104621 Patterns) (2005/07/14) (273100): NIL Files containing viruses.

2. Sophos Anti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95, July 2005; Includes detection for 107005 viruses, trojans and worms: No viruses were discovered.

3. McAfee: Unable to run scans.

Best regards,

"David H. Lipman" wrote:

> From: "Kayman" <Kayman@discussions.microsoft.com>
>
> < snip >
>
> | During the downloading operation an Error Message appeared: "SDStbRes.dll: The
> | specified module could not be found". This message however disappeared after
> | 10 seconds or so.
> | After completion of the download operation a small McAfee Command Line Scanner
> | window appeared: "Do you want to run a scan now"? "Yes" "No".
> | I clicked Yes. The scan did not run but the NT based OS AV Command Line
> | Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
> | is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
> | Nothing happened.
> | I rebooted the computer, accessed the appropriate folder and after the NT
> | Based OS AV Command Line Scanners Menu appeared I hit #3 again.
> | The following error message was displayed:
> | c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]
> |
> | I ran another RootKitRevealer Scan which found one (1) discrepancy:
> | Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
> | Time Stamp 7/15/2005, 12:17PM, Size: 32KB
> | Description: Visible in Windows API but not in MFT or directory index.
> |
> | Well David, I hope all this helps to come up with a solution, Thanks!!
> |
>
> Kayman:
>
> That is indicative that disabling both FireWalls was key to allowing FTP.EXE to download the
> needed files. On my McAfee VirusScan Enterprise v7.1 the file "SDStbRes.dll" was not found.
> Are you using the retail version McAfee VirusScan v6 ? My scripts and McAfee have NO
> dependency upon "SDStbRes.dll" which leads me to believe you do have this version of
> software.
>
> In any case, *IF* you do, disable McAfee v6.0 and the FireWalls and proceed to download.
> You may have to reboot prior to doing so as the PC may have been left less stable by said error.
>
> However, you ran Trend and Sophos OK and neither found anything. You may want to just run
> them again as it has been a few days and there are NEW signatures since the initial run and
> ignore the McAfee section.
>
> Then I would also suggest getting back to the ROOT of the problem as to what software
> declared SPR/Madtol.C and in what file (fully qualified name and path).
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
#15
Re: SPR/Madtol.C program
From: "Kayman" <Kayman@discussions.microsoft.com>

| Dear David:
|
| I don't think I am using a retail version of McAfee VirusScan v6.
| Early June I followed your recommendation to download CLEAN.EXE from the URL
| www.ik-cs.com/programs/virtools/clean.exe I believe that the McAfee scan
| Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
| I don't have any other McAfee products installed to my computer, only
| Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.
|
| Here are the scan results I ran (after updating) today both in normal and
| F8 & clean boot:-
|
| McAfee v4.4.00, version data file created Jul 15 2005; Scanning for
| 137602 viruses, trojans and variants: No Infections detected.
|
| AV-CLS
| 1. Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
| Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
| (104621 Patterns) (2005/07/14) (273100): NIL Files containing viruses.
|
| 2. Sophos Anti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
| July 2005; Includes detection for 107005 viruses, trojans and worms: No
| viruses were discovered.
|
| 3. McAfee: Unable to run scans.
|
| Best regards,

Both the Multi AV vendor scanner front end (Multi_AV.exe) and the McAfee Front End (clean.exe) were written by me. The code used in the Clean Tool (Clean.exe) was ultimately used in the Multi AV vendor scanner front end (Multi_AV.exe) and I don't understand why one works and the other does not.

As I previously indicated.... I would suggest getting back to the ROOT of the problem as to what software declared SPR/Madtol.C and in what file (fully qualified name and path).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm