SPR/Madtol.C program

Archived from groups: microsoft.public.windowsxp.security_admin

I clicked on to Spyware Doctor to run a periodic scan when a Warning Window
from one of my anti virus programs (AntiVir) popped up displaying the
following message:

C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
Contains signature of the SPR/Madtol.C program

The AntiVir program provided several options as to what to do with this file,
I opted for deletion.

When clicking afterward on to Spyware doctor the AntiVir Warning sign
reappears displaying almost the same message (instead of MC27 it shows
MC28). I again deleted this file.

The warning sign only appears when clicking on to Spyware Doctor which by
the way I installed some 6 months ago. But the problem only has started
yesterday.

I run updated MS AntiSpyWare, Spybot S&D, Ad-Aware se, AntiVir, Spyware
Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
but none of the scans indicated the presence of this file.

Would somebody know and advise a proper elimination procedure for this file?

Thank you in advance for your attention and kind assistance.
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | I clicked on to Spyware Doctor to run a periodic scan when a Warning Window
    | from one of my anti virus programs (AntiVir) popped up displaying the
    | following message:
    |
    | C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
    | Contains signature of the SPR/Madtol.C program
    |
    | The AntiVir program provided several options as to what to do with this file,
    | I opted for deletion.
    |
    | When clicking afterward on to Spyware doctor the AntiVir Warning sign
    | reappears displaying almost the same message (instead of MC27 it shows
    | MC28). I again deleted this file.
    |
    | The warning sign only appears when clicking on to Spyware Doctor which by
    | the way I installed some 6 months ago. But the problem only has started
    | yesterday.
    |
    | I run updated MS AntiSpyWare, Spybot S&D, Ad-Aware se, AntiVir, Spyware
    | Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
    | but none of the scans indicated the presence of this file.
    |
    | Would somebody know and advise a proper elimination procedure for this file?
    |
    | Thank you in advance for your attention and kind assistance.

    This could very well be a RootKit !
    http://www.sysinternals.com/utilities/rootkitrevealer.html


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
    (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
    simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
    viruses and various other malware.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode. This
    way all the components can be downloaded from each AV vendor’s web site.
    The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
    through your FireWall to allow them to download the needed AV vendor related files.

    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    Hi David:
    Here are the scan results:-
    1. TREND (F8 & clean boot):
    33303 files read, 33303 files checked, 29440 files scanned, 39817 files
    scanned (incl. files in archives), 0 files containing viruses, found 0
    viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
    1a. TREND (normal mode):
    33205 files read, 33205 files checked, 29891 files scanned, 38760 files
    scanned (incl. files in archives), 0 files containing viruses, found 0 viruses
    totally, maybe 0 viruses totally; scan time 17 min. 37 sec.

    2. SOPHOS (F8 & clean boot):
    40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered,
    no viruses discovered, 46 encrypted files were not checked; ending Sophos
    Anti-Virus.
    2a. SOPHOS (normal mode):
    40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were
    discovered, 46 encrypted files were not checked; ending Sophos Anti-Virus.

    3. MCAFEE (both in F8 & clean boot and normal mode):
    Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu
    the following message appears:
    c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]

    David, should I delete the McAfee folder and try to download one more time?

    For your information, after scanning with Trend and Sophos, I clicked on to
    Spyware Doctor and the AntiVir Warning sign popped up again indicating that
    the SPR/Madtol.C program is still present, the number has changed to MC2104.

    With best regards,

  3. Archived from groups: microsoft.public.windowsxp.security_admin

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | Hi David:
    | Here are the scan results:-
    | 1. TREND (F8 & clean boot):
    | 33303 files read, 33303 files checked, 29440 files scanned, 39817 files
    | scanned (incl. files in archives), 0 files containing viruses, found 0
    | viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
    | 1a. TREND (normal mode):
    | 33205 files read, 33205 files checked, 29891 files scanned, 38760 files
    | scanned (incl. files in archives), 0 files containing viruses, found 0 viruses
    | totally, maybe 0 viruses totally; scan time 17 min. 37 sec.
    |
    | 2. SOPHOS (F8 & clean boot):
    | 40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered,
    | no viruses discovered, 46 encrypted files were not checked; ending Sophos
    | Anti-Virus.
    | 2a. SOPHOS (normal mode):
    | 40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were
    | discovered, 46 encrypted files were not checked; ending Sophos Anti-Virus.
    |
    | 3. MCAFEE (both in F8 & clean boot and normal mode):
    | Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu
    | the following message appears:
    | c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]
    |
    | David, should I delete the McAfee folder and try to download one more time?
    |
    | For your information, after scanning with Trend and Sophos, I clicked on to
    | Spyware Doctor and the AntiVir Warning sign popped up again indicating that
    | the SPR/Madtol.C program is still present, the number has changed to MC2104.
    |
    | With best regards,
    |

    The error message...
    "update.ini not opened foe read, error code [0]" indicates that the FTP.EXE program was
    unable to access the McAfee FTP site and download the needed files. The UPDATE.INI is
    parsed for the version information of the McAfee files. Without it the utility does not know what
    is the name of the McAfee SuperDAT.

    Usually this error is caused by the FireWall blocking FTP.EXE from getting to the site.
    Either the FireWall needs to be disabled or FTP.EXE needs to be allowed to go through the
    FireWall.

    Since both Trend and Sophos come up clean... It could be well hidden and only revealed via
    RootKit Revealer
    http://www.sysinternals.com/utilities/rootkitrevealer.html


    There is also a possibility that this is a False Positive declaration.

    There must be SOME file that is being flagged as having this.

    Please submit the suspect file to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against several different AV vendors' scanners.

    Another way to submit is to send the suspect file to the following email address
    scan<at>virustotal.com
    { replace <at> with @ } with only the word SCAN as the subject.

    Please post back the EXACT results.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  4. Archived from groups: microsoft.public.windowsxp.security_admin

    Hi David:
    Prior to downloading AV-CLS I definitely permitted my (Norton 2003) security
    system to let pass AV-CLS (Trend, Sophos and McAfee) through the firewall.

    Anyway, I deleted the McAfee folder, disabled my firewall and re-downloaded
    McAfee. After reboot tried to scan without success, the same error message
    popped up.

    I then deleted the entire AV-CLS folder and started from scratch. I again
    disabled my firewall prior to downloading and left it disabled during the entire
    download operation. (This time I downloaded McAfee first, Trend second and
    Sophos third).
    I am able to perform scans with Trend and Sophos.
    McAfee however produces the same old error message.

    I downloaded Rootkitrevealer.exe. The scan result revealed that there were
    no discrepancies found.

    I accessed the virustotal website and sent a message explaining my plight.
    The message sent was identical to the one I sent to (you) the Discussion
    Group. They responded that the (my) original message had no attachment.
    I am at a loss here. I really don't know which attachment I could have sent
    to virustotal. The only evidence I have is the warning sign generated by
    AntiVir. I guess I somehow could send them a screen print??

    Thanks again for your patience.
    With best regards,


  5. Archived from groups: microsoft.public.windowsxp.security_admin

    David, I just ran another RootkitRevealer scan which this time revealed 8
    discrepancies. Don't know why the first scan did not reveal anything.
    Details are as follows:

    1.Path:C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink
    Time Stamp: 7/5/2005 4:16PM, Size: 772 bytes,
    Description: Visible in Windows API but not in MFT or directory index.

    2.Path:C:\Documents and Settings\Pattaya2005\Start
    Menu\Rootkitrevealer.exe.Ink
    Time Stamp: 7/13/2005 6:21 PM, Size: 741 bytes
    Description: Hidden from Windows API.

    3.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc15.Ink
    Time Stamp: 7/10/2005 11:49PM, Size: 636 bytes,
    Description: Visible in Windows API but not in MFT or directory index

    4.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc41.Ink
    Time Stamp: 7/13/2005 6:19PM, Size: 529 bytes,
    Description: Hidden from Windows API

    5.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc43.Ink
    Time Stamp: 7/13/2005 6:20PM, Size: 772 bytes,
    Description: Hidden from Windows API

    6.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc44.Ink
    Time Stamp: 7/13/2005 6:23PM, Size: 741 bytes,
    Description: Hidden from Windows API

    7.Path:C:\System Volume
    Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023597.Ink
    Time Stamp: 7/13/2005 6:23PM, Size: 772 bytes
    Description: Hidden from Windows API

    8.Path:C:\System Volume
    Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023598.Ink
    Time Stamp: 7/13/2005 6:23PM, Size: 636 bytes,
    Description: Hidden from Windows API

    Hope this helps.





  6. Archived from groups: microsoft.public.windowsxp.security_admin

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | David, I just ran another RootkitRevealer scan which this time revealed 8
    | discrepancies. Don't know why the first scan did not reveal anything.
    | Details are as follows:
    |
    | 1.Path:C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink
    | Time Stamp: 7/5/2005 4:16PM, Size: 772 bytes,
    | Description: Visible in Windows API but not in MFT or directory index.
    |
    | 2.Path:C:\Documents and Settings\Pattaya2005\Start
    | Menu\Rootkitrevealer.exe.Ink
    | Time Stamp: 7/13/2005 6:21 PM, Size: 741 bytes
    | Description: Hidden from Windows API.
    |
    | 3.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc15.Ink
    | Time Stamp: 7/10/2005 11:49PM, Size: 636 bytes,
    | Description: Visible in Windows API but not in MFT or directory index
    |
    | 4.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc41.Ink
    | Time Stamp: 7/13/2005 6:19PM, Size: 529 bytes,
    | Description: Hidden from Windows API
    |
    | 5.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc43.Ink
    | Time Stamp: 7/13/2005 6:20PM, Size: 772 bytes,
    | Description: Hidden from Windows API
    |
    | 6.Path:C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc44.Ink
    | Time Stamp: 7/13/2005 6:23PM, Size: 741 bytes,
    | Description: Hidden from Windows API
    |
    | 7.Path:C:\System Volume
    | Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023597.Ink
    | Time Stamp: 7/13/2005 6:23PM, Size: 772 bytes
    | Description: Hidden from Windows API
    |
    | 8.Path:C:\System Volume
    | Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023598.Ink
    | Time Stamp: 7/13/2005 6:23PM, Size: 636 bytes,
    | Description: Hidden from Windows API
    |
    | Hope this helps.
    |
    | "Kayman" wrote:

    Kayman:

    Unfortunately, nothing comes to mind except....
    C:\Recycler\... Refers to the Recycle/Trash bin. Just dump the contents.
    C:\System Volume Information\_restore\... is the System Restore cache. You can either
    ignore this or if you think that in the near future you may restore a point from the System
    Restore cache then it would be a good idea to disable the System Restore Cache, reboot, then
    re-enable the System Restore cache. I also suggest a logical size of the cache something
    like 600MB or so.

    This may be the key...
    C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.Ink

    Getting back to Mcafee....

    Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor
    files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP NG
    I can presume that the have the WinXP FireWall enabled as well as Norton's and it may very
    well be WinXP's FireWall blocking the FTP process.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
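
An added example, not part of the thread and not RootkitRevealer's own code: a Python script that parses a discrepancy list typed in the layout posted above (including paths wrapped across two lines) and sorts each entry into the two locations the reply names, the Recycle Bin and the System Restore cache, or flags it for manual review. The sample entries are constructed, and the size-matching helper is an added heuristic that the thread does not state.

```python
import re
from collections import defaultdict

# Constructed sample in the hand-typed layout used in the post (not real scan output).
SAMPLE = r"""
1.Path:C:\Documents and Settings\User\Start Menu\Example.lnk
Time Stamp: 7/5/2005 4:16PM, Size: 772 bytes,
Description: Visible in Windows API but not in MFT or directory index.

2.Path:C:\Recycler\S-1-5-21-0-0-0-1003\Dc41.lnk
Time Stamp: 7/13/2005 6:19PM, Size: 529 bytes,
Description: Hidden from Windows API

3.Path:C:\System Volume
Information\_restore{00000000-0000-0000-0000-000000000000}\RP96\A0000001.lnk
Time Stamp: 7/13/2005 6:23PM, Size: 772 bytes
Description: Hidden from Windows API
"""

ENTRY_START = re.compile(r"^\s*\d+\.\s*Path:", re.MULTILINE)

# Wording paraphrased from the reply; "review" is this example's own catch-all.
ADVICE = {
    "recycle-bin": "Recycle Bin contents; the reply says to empty it",
    "system-restore": "System Restore cache; ignore, or disable, reboot, re-enable",
    "review": "outside the two locations the reply covers; inspect manually",
}


def parse_findings(text):
    """Split the listing into entries with path, size and description."""
    findings = []
    starts = [m.start() for m in ENTRY_START.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        path_parts, size, description, in_path = [], None, "", False
        for raw in text[begin:end].splitlines():
            line = raw.strip()
            if not line:
                continue
            if ENTRY_START.match(line):
                path_parts.append(line.split("Path:", 1)[1].strip())
                in_path = True
            elif line.lower().startswith("time stamp:"):
                in_path = False
                m = re.search(r"Size:\s*(\d+)\s*bytes", line, re.IGNORECASE)
                size = int(m.group(1)) if m else None
            elif line.lower().startswith("description:"):
                in_path = False
                description = line.split(":", 1)[1].strip().rstrip(".")
            elif in_path:
                # A path wrapped by the mail client breaks at a space; rejoin it.
                path_parts.append(line)
        findings.append({
            "path": " ".join(path_parts),
            "size": size,
            "description": description,
        })
    return findings


def triage(path):
    """Bucket a path by the locations named in the reply."""
    p = path.lower()
    if re.match(r"^[a-z]:\\recycler\\", p):
        return "recycle-bin"
    if "\\system volume information\\_restore" in p:
        return "system-restore"
    return "review"


def same_size_groups(findings):
    """Added heuristic: entries sharing a byte size may be copies of one file
    (for example a shortcut that was deleted or snapshotted during the scan)."""
    by_size = defaultdict(list)
    for f in findings:
        if f["size"] is not None:
            by_size[f["size"]].append(f["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) > 1}


if __name__ == "__main__":
    entries = parse_findings(SAMPLE)
    for e in entries:
        bucket = triage(e["path"])
        print(f"[{bucket}] {e['path']} ({e['size']} bytes): {ADVICE[bucket]}")
    for size, paths in same_size_groups(entries).items():
        print(f"same size {size} bytes: {paths}")
```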
  7. Archived from groups: microsoft.public.windowsxp.security_admin

    From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>


    |
    | Getting back to Mcafee....
    |
    | Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor
    | files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP
    | NG I can presume that the have the WinXP FireWall enabled as well as Norton's and it may
    | very well be WinXP's FireWall blocking the FTP process.
    |
    | --
    | Dave
    | http://www.claymania.com/removal-trojan-adware.html
    | http://www.ik-cs.com/got-a-virus.htm
    |

    ADDENDUM:

    Please read the thread...
    "Windows Firewall and FTP Problem"

    posted on...
    Wednesday, July 13, 2005 9:37 AM

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  8. Archived from groups: microsoft.public.windowsxp.security_admin

    David, I made a typographical error, Cyptainer is misspelled and should read
    Cryptainer.

    Cryptainer LE Version 5.0.3 is an encryption software which is free to
    download.

    Sorry if my typo has caused inconvenience.

  9. Archived from groups: microsoft.public.windowsxp.security_admin

    Dear David:

    I am positively sure that the Windows firewall was disabled. You see when
    disabling the Norton firewall a warning balloon pops up indicating that my
    computer may be at risk because of disabling the security system. The balloon
    would not appear if the windows Firewall was enabled. I always double check
    that the windows firewall is disabled as I am aware that it is not
    recommended to run 2 firewalls simultaneously. Also, I did not encounter any
    problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.

    I read the threads re: Windows Firewall and must say that all this is a bit
    beyond my comprehension. Grateful if you could advise the following re:
    Windows Firewall/Added Settings (FTP Settings):
    a) Description of Service: ?
    b) Name of IP address (for example 192.168.0.12) of the computer hosting
    this service on your network: Where can I find this information?
    c) External Port Number for this Service: ?
    d) Internal Port Number for this Service: ?
    e) Which box needs to be checked, TCP or UDP ?
    After FTP Settings have been completed, do I have to delete and re-download
    the McAfee Command Line Scanner?

    Another Rootkitrevealer Scan revealed the following discrepancy:
    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
    7/14/2005, 6:57, 80 bytes
    Description: Data mismatch between Windows API and raw hive data

    If this has to be removed I need to know how to access HKLM...
    Regards,


    "David H. Lipman" wrote:

    > From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
    >
    >
    >
    > |
    > | Getting back to Mcafee....
    > |
    > | Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor
    > | files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP
    > | NG I can presume that you have the WinXP FireWall enabled as well as Norton's and it may
    > | very well be WinXP's FireWall blocking the FTP process.
    > |
    > | --
    > | Dave
    > | http://www.claymania.com/removal-trojan-adware.html
    > | http://www.ik-cs.com/got-a-virus.htm
    > |
    >
    > ADDENDUM:
    >
    > Please read the thread...
    > "Windows Firewall and FTP Problem"
    >
    > posted on...
    > Wednesday, July 13, 2005 9:37 AM
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >
    >
  10. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    From: "Kayman" <Kayman@discussions.microsoft.com>

    Replies are inline....

    | Dear David:
    |
    | I am positively sure that the Windows firewall was disabled. You see when
    | disabling the Norton firewall a warning balloon pops up indicating that my
    | computer may be at risk because of disabling the security system. The balloon
    | would not appear if the windows Firewall was enabled. I always double check
    | that the windows firewall is disabled as I am aware that it is not
    | recommended to run 2 firewalls simultaneously. Also, I did not encounter any
    | problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.
    |
    | I read the threads re: Windows Firewall and must say that all this is a bit
    | beyond my comprehension. Grateful if you could advise the following re:
    | Windows Firewall/Added Settings (FTP Settings):
    | a) Description of Service: ?

    FTP


    | b) Name of IP address (for example 192.168.0.12) of the computer hosting
    | this service on your network: Where can I find this information?

    ftp.nai.speedera.net


    | c) External Port Number for this Service: ?

    20 - 21

    | d) Internal Port Number for this Service: ?

    ?


    | e) Which box needs to be checked, TCP or UDP ?

    TCP


    | After FTP Settings have been completed, do I have to delete and re-download
    | the McAfee Command Line Scanner?


    Just choose McAfee from the Multi AV Vendor scanner menu


    | Another Rootkitrevealer Scan revealed the following discrepancy:
    | HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
    | 7/14/2005, 6:57, 80 bytes
    | Description: Data mismatch between Windows API and raw hive data
    |
    | If this has to be removed I need to know how to access HKLM...
    | Regards,
    |


    Run Regedit

    HKLM stands for; HKEY_LOCAL_MACHINE
    Then follow the path; SOFTWARE\Microsoft\Cryptography\RNG
    Seed=....

    However, I doubt it is your problem and should be left alone !

    Unfortunately, I don't have a WinXP SP2 box in front of me so I can't provide specific
    FireWall information. The EASIEST way to deal with the FireWall issue is to DISABLE the
    FireWall prior to choosing "McAfee" from the Multi AV Vendor scanner menu then re-enabling
    it AFTER the files have been obtained.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  11. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dear David:

    I disabled both firewalls (Windows and Norton 2003). Then I downloaded
    McAfee. During this download operation the following message was visible:-

    ftp<open ftp.nai.speedera.net
    connect to ftp.nai.speedera.net.
    220-
    220-ftp.nai.com FTP server <SFIPD>
    220
    User <ftp.nai.speedera.net:<none>>:
    331 Password required for user.

    230 User anonymous logged in.
    ftp>
    ftp> lcd c:\AV-CLS\McAfee
    Local directory now c:\CLS\McAfee.
    ftp< bin
    200 TYPE set to I.
    Hash mark printing On ftp: <2048 bytes/hash mark>.
    ftp prompt
    Interactive mode Off.
    ftp> get/pub/antivirus/superdat/intel/sdat4535.exe
    200 PORT commanf successful.
    150 Opening BINARY mode data connection
    for/pub/antivirus/superdat/intel/sdat4.
    ####################################################

    During downloading operation An Error Message appeared: "SDStbRes.dll: The
    specified module could not be found". This message however disappeared after
    10 seconds or so.
    After completion of download operation a small McAfee Command Line Scanner
    window appeared: "Do you want to run a scan now"? "Yes" "No".
    I clicked Yes. The scan did not run but the NT based OS AV Command Line
    Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
    is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
    Nothing happened.
    I rebooted the computer, accessed the appropriate folder and after the NT
    Based OS AV Command Line Scanners Menu appeared I hit #3 again.
    The following error message was displayed:
    c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]

    I ran another RootKitRevealer Scan which found one (1) discrepancy:
    Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
    Time Stamp 7/15/2005, 12:17PM, Size: 32KB
    Description: Visible in Windows API but not in MFT or directory index.

    Well David, I hope all this helps to come up with a solution, Thanks!!
  12. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    From: "Kayman" <Kayman@discussions.microsoft.com>

    < snip >

    | During downloading operation An Error Message appeared: "SDStbRes.dll: The
    | specified module could not be found". This message however disappeared after
    | 10 seconds or so.
    | After completion of download operation a small McAfee Command Line Scanner
    | window appeared: "Do you want to run a scan now"? "Yes" "No".
    | I clicked Yes. The scan did not run but the NT based OS AV Command Line
    | Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
    | is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
    | Nothing happened.
    | I rebooted the computer, accessed the appropriate folder and after the NT
    | Based OS AV Command Line Scanners Menu appeared I hit #3 again.
    | The following error message was displayed:
    | c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]
    |
    | I ran another RootKitRevealer Scan which found one (1) discrepancy:
    | Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
    | Time Stamp 7/15/2005, 12:17PM, Size: 32KB
    | Description: Visible in Windows API but not in MFT or directory index.
    |
    | Well David, I hope all this helps to come up with a solution, Thanks!!
    |

    Kayman:

    That is indicative that disabling both FireWalls was key to allowing FTP.EXE to download the
    needed files. On my McAfee VirusScan Enterprise v7.1 the file "SDStbRes.dll" was not found.
    Are you using the retail version McAfee VirusScan v6 ? My scripts and McAfee have NO
    dependency upon "SDStbRes.dll" which leads me to believe you do have this version of
    software.

    In any case, *IF* you do, disable McAfee v6.0 and the FireWalls and proceed to download.
    You may have to reboot prior to doing so as the PC may have been less stable by said error.

    However, you ran Trend and Sophos OK and neither found anything. You may want to just run
    them again as it has been a few days and there are NEW signatures since the initial run and
    ignore the McAfee section.

    Then I would also suggest getting back to the ROOT of the problem as to what software
    declared SPR/Madtol.C and in what file (fully qualified name and path).

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  13. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dear David:

    I don't think I am using a retail version of McAfee VirusScan v6.
    Early June I followed your recommendation to download CLEAN.EXE from the URL
    www.ik-cs.com/programs/virtools/clean.exe I believe that the McAfee scan
    Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
    I don't have any other McAfee products installed to my computer, only
    Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.

    Here are the scan results I ran (after updating) today both in normal and
    F8 & clean boot:-

    McAfee v4.4.00, version data data file created Jul 15 2005; Scanning for
    137602 viruses, trojans and variants: No Infections detected.

    AV-CLS
    1.Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
    Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
    (104621 Patterns) (2005/07/14) (273100): NIL Files containing viruses.

    2.SophosAnti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
    July 2005; Includes detection for 107005 viruses, trojans and worms: No
    viruses were discovered.

    3.Mcafee: Unable to run scans.

    Best regards,
  14. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | Dear David:
    |
    | I don't think I am using a retail version of McAfee VirusScan v6.
    | Early June I followed your recommendation to download CLEAN.EXE from the URL
    | www.ik-cs.com/programs/virtools/clean.exe I believe that the McAfee scan
    | Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
    | I don't have any other McAfee products installed to my computer, only
    | Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.
    |
    | Here are the scan results I ran (after updating) today both in normal and
    | F8 & clean boot:-
    |
    | McAfee v4.4.00, version data data file created Jul 15 2005; Scanning for
    | 137602 viruses, trojans and variants: No Infections detected.
    |
    | AV-CLS
    | 1.Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
    | Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
    | (104621 Patterns) (2005/07/14) (273100): NIL Files containing viruses.
    |
    | 2.SophosAnti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
    | July 2005; Includes detection for 107005 viruses, trojans and worms: No
    | viruses were discovered.
    |
    | 3.Mcafee: Unable to run scans.
    |
    | Best regards,


    Both the Multi AV vendor scanner front end (Multi_AV.exe) and the McAfee Front End
    (clean.exe) were written by me. The code used in the Clean Tool (Clean.exe) was ultimately
    used in the Multi AV vendor scanner front end (Multi_AV.exe) and I don't understand why one
    works and the other does not.

    As I previously indicated....
    I would suggest getting back to the ROOT of the problem as to what software declared
    SPR/Madtol.C and in what file (fully qualified name and path).

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  15. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dear David:

    Here is what I know:-
    When clicking on to Spyware Doctor to run a scan a Warning message from
    AntiVir (anti-virus free ware) popped up. The message indicates that:

    C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
    Contains signatures of the SPR/Madtol C.program

    The warning sign now popped up pretty frequently during scanning with Sophos
    and Trend.
    The warning sign also pops up whenever I click on to Spyware Doctor
    (prior to Spyware Doctor loading).

    Please note that the number following MC changed from 27 to 2104. The latest
    pop up indicated MC28.

    My sincere apologies, but I really don't know what software declared this
    problem, I just don't know where to look for.

    I clicked Start -->Run and typed:
    C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC27.TMP into the space provided for and
    clicked OK. A window popped up showing that Windows cannot find this name.

    However when omitting the letters/numbers MC27.TMP some eight (8) files
    appeared in the "drop-down" box. They are:

    #1. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp
    #2. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF4513.tmp
    #3. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF981A.tmp
    #4. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF9D21.tmp
    #5. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppfile.dat
    #6. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppinfo.dat
    #7. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\pploc.dat
    #8. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppv5exc.dat

    When selecting #1 through #4 - a window pops up showing that Windows cannot
    open this (these) file(s). To open this file, Windows needs to know what
    program created it.

    When selecting #5 through #8 - a Window pops up cautioning that opening this
    file could damage the system.

    I require guidance as to how to handle all this.

    Well David, that is really all information I am presently aware of and am
    sorry that I could not work the McAfee download in the multi scanner facility.
    Thanks again for your patience.
  16. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | Dear David:
    |
    | Here is what I know:-
    | When clicking on to Spyware Doctor to run a scan a Warning message from
    | AntiVir (anti-virus free ware) popped up. The message indicates that:
    |
    | C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
    | Contains signatures of the SPR/Madtol C.program
    |
    | The warning sign now popped up pretty frequently during scanning with Sophos
    | and Trend.
    | The warning sign also pops up whenever I click on to Spyware Doctor
    | (prior to Spyware Doctor loading).
    |
    | Please note that the number following MC changed from 27 to 2104. The latest
    | pop up indicated MC28.
    |
    | My sincere apologies, but I really don't know what software declared this
    | problem, I just don't know where to look for.
    |
    | I clicked Start -->Run and typed:
    | C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC27.TMP into the space provided for and
    | clicked OK. A window popped up showing that Windows cannot find this name.
    |
    | However when omitting the letters/numbers MC27.TMP some eight (8) files
    | appeared in the "drop-down" box. They are:
    |
    | #1. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp
    | #2. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF4513.tmp
    | #3. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF981A.tmp
    | #4. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF9D21.tmp
    | #5. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppfile.dat
    | #6. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppinfo.dat
    | #7. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\pploc.dat
    | #8. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppv5exc.dat
    |
    | When selecting #1 through #4 - a window pops up showing that Windows cannot
    | open this (these) file(s). To open this file, Windows needs to know what
    | program created it.
    |
    | When selecting #5 through #8 - a Window pops up cautioning that opening this
    | file could damage the system.
    |
    | I require guidance as to how to handle all this.
    |
    | Well David, that is really all information I am presently aware of and am
    | sorry that I could not work the McAfee download in the multi scanner facility.
    | Thanks again for your patience.
    |


    If I had patience, I'd be a Doctor ;-)

    What I suggest is the following, take a suspect file such as
    C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp and please submit "~DF31B3.tmp" to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against 18 different AV vendors' scanners.

    Another way to submit is to send the suspect file to the following email address
    scan<at>virustotal.com
    { replace <at> with @ } with only the word SCAN as the subject.

    Please post back the EXACT results.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  17. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dear David:

    I transmitted eight (8) messages to Virus Total and attached one (1) file to
    each message.

    File <ppv5exc.dat> has 0 bytes and wasn't scanned (unsupported or malformed
    attached file codification).

    The results of seven (7) file scans by the various scan engines did not find
    any viruses.
    Best regards,
  18. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | Dear David:
    |
    | I transmitted eight (8) messages to Virus Total and attached one (1) file to
    | each message.
    |
    | File <ppv5exc.dat> has 0 bytes and wasn't scanned (unsupported or malformed
    | attached file codification).
    |
    | The results of seven (7) file scans by the various scan engines did not find
    | any viruses.
    | Best regards,
    |
    | "David H. Lipman" wrote:

    Obviously if it is a 0 byte file it can be malware. You would have to submit a file where
    the file handle is NOT in use so it can be uploaded or a file that is not empty.

    Were all 8 submissions zero bytes ?

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  19. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dear David:

    Only file ppv5exc.dat indicates 0 bytes.

    Details of the other 7 files are as follows:

    DF31B3.temp, DF4513.temp, DF981A.temp and DF9D21 all have 32.0 KB.

    ppfile.dat =>499.0 KB, ppinfo.dat => 201 KB and pploc.dat => 553.0 KB.

    Sorry David, I would not know whether the file handle is or is not in use, I
    don't even know what a file handle is. So I looked up "Using a File Handle"
    in the Microsoft Knowledge Base (MSDN Library) but am having a hard time to
    comprehend all this. The write up with respect to "File Basic Information" is
    also way beyond my understanding.

    When I submitted the files to scan@virustotal.com I don't think I opened any
    files. I just clicked the 'attach' button in Outlook Express and looked
    for/inserted the appropriate attachment which I then submitted accordingly.
    Kind regards,
  20. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | Dear David:
    |
    | Only file ppv5exc.dat indicates 0 bytes.
    |
    | Details of the other 7 files are as follows:
    |
    | DF31B3.temp, DF4513.temp, DF981A.temp and DF9D21 all have 32.0 KB.
    |
    | ppfile.dat =>499.0 KB, ppinfo.dat => 201 KB and pploc.dat => 553.0 KB.
    |
    | Sorry David, I would not know whether the file handle is or is not in use, I
    | don't even know what a file handle is. So I looked up "Using a File Handle"
    | in the Microsoft Knowledge Base (MSDN Library) but I am having a hard time
    | comprehending all this. The write up with respect to "File Basic Information" is
    | also way beyond my understanding.
    |
    | When I submitted the files to scan@virustotal.com I don't think I opened any
    | files. I just clicked the 'attach' button in Outlook Express and looked
    | for/inserted the appropriate attachment which I then submitted accordingly.
    | Kind regards,
    |
    | "David H. Lipman" wrote:

    The concept of the "file handle being open" just means that a program or the Operating
    System is presently using that file exclusively and will not let other activity access said
    file. If you try to submit a file like this, it will be of zero bytes. If you try to copy
    a file like this you will get "access denied", if you try to scan a file like this the AV
    scanner will generate an error message indicating it can't scan the file.

    OK, back to the problem...

    So the other files that were submitted to Virus Total, were not zero byte files, were
    flagged by AntiVir to have the "SPR/Madtol C" and Virus Total showed NO anti Virus vendor
    could find anything and all vendors indicated "No Virus Found" ?

    If that is the case, it sounds like AntiVir is declaring a False Positive !

    I have found another poster in a non-Microsoft News Group who has indicated --
    "...i get a message from the AntiVir program that i have a problem and it's name is
    Spr/madtol.c i also ran AVG and it does not come up on that at all"

    I have a strong feeling this is a False Positive declaration.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
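An added example, not part of any post in this thread: a pre-submission check covering the cases discussed above (a zero-byte file, a file held open by another program, a temp file that has vanished). The function names and sample contents are constructed for illustration; the SHA-256 digest lets two people confirm whether they hold the same file.

```python
import hashlib
import os
import tempfile


def triage_sample(path):
    """Classify a file before submitting it to a multi-engine scanner.

    Returns (status, detail). status is 'missing', 'empty', 'locked' or
    'ready'; detail is the SHA-256 hex digest when the file is ready.
    """
    try:
        size = os.path.getsize(path)
    except FileNotFoundError:
        return ("missing", None)   # e.g. a temp file that was already deleted
    except OSError as exc:
        return ("locked", str(exc))
    if size == 0:
        return ("empty", None)     # nothing for any engine to analyse
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except FileNotFoundError:
        return ("missing", None)   # vanished between the size check and the read
    except OSError as exc:
        # On Windows a file held open exclusively raises PermissionError here.
        return ("locked", str(exc))
    return ("ready", digest.hexdigest())


def demo():
    """Run the triage over constructed stand-ins for files named in the thread."""
    samples = {"ppv5exc.dat": b"", "ppfile.dat": b"constructed sample bytes"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        # MC2C.TMP is deliberately never created: it models the vanished temp file.
        names = list(samples) + ["MC2C.TMP"]
        return {n: triage_sample(os.path.join(tmp, n)) for n in names}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```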
  21. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Thanks Dave.
    Some new developments.
    I clicked on Spyware Doctor and prior to loading the AntiVir warning sign
    popped up again. Like several times before the number (following "MC") has
    changed, this time to "2C". I immediately clicked Start=>Run and typed
    C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for.
    For the first time this file showed up!
    I accessed VirusTotal, attached the file but was unable to send off the
    message. Without my doing, the computer then behaved somewhat erratically, making
    several "clicking" sounds in quick repetitions (identical sounds/noises when
    using the mouse). A window popped up displaying a message that the message
    could not be sent (these are not the exact words as the window disappeared
    very quickly). Many more of the AntiVir warning signs and New Message signs
    from Outlook Express popped up in quick succession and for a short while my
    computer "froze". Again, without my doing, the message to scan@virustotal
    was saved in the Outlook Express Outbox but without attachment.
    I again clicked Start=>Run and typed
    C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for but
    this time the file has disappeared.

    Also, while the AntiVir warning sign is showing it seems to be the dominant
    display on my desktop - it always will stay on top - for example when opening
    VirusTotal or click Start=>Run these applications can not be moved on the top
    of the Warning sign but stay underneath.

    Coming back to your response. If this is a False Positive declaration,
    should I just leave everything as is and ignore the AntiVir Warning sign?
    Or is there anything else I could do like deleting the AntiVir and Spyware
    Doctor Programs and the files I had sent to VirusTotal?
    Is a False Positive declaration something I should be concerned with and if
    so, is there a program commercially available for removing this?
    If you wish I could send you a screenshot which shows the AntiVir Warning
    sign.
    I also wish to confirm that none of the 20 Anti Virus vendors found any
    viruses in the files sent to VirusTotal.
    Best regards,


    "David H. Lipman" wrote:

    > From: "Kayman" <Kayman@discussions.microsoft.com>
    >
    > | Dear David:
    > |
    > | Only file ppv5exc.dat indicates 0 bytes.
    > |
    > | Details of the other 7 files are as follows:
    > |
    > | DF31B3.temp, DF4513.temp, DF981A.temp and DF9D21 all have 32.0 KB.
    > |
    > | ppfile.dat =>499.0 KB, ppinfo.dat => 201 KB and pploc.dat => 553.0 KB.
    > |
    > | Sorry David, I would not know whether the file handle is or is not in use, I
    > | don't even know what a file handle is. So I looked up "Using a File Handle"
    > | in the Microsoft Knowledge Base (MSDN Library) but I am having a hard time
    > | comprehending all this. The write up with respect to "File Basic Information" is
    > | also way beyond my understanding.
    > |
    > | When I submitted the files to scan@virustotal.com I don't think I opened any
    > | files. I just clicked the 'attach' button in Outlook Express and looked
    > | for/inserted the appropriate attachment which I then submitted accordingly.
    > | Kind regards,
    > |
    > | "David H. Lipman" wrote:
    >
    > The concept of the "file handle being open" just means that a program or the Operating
    > System is presently using that file exclusively and will not let other activity access said
    > file. If you try to submit a file like this, it will be of zero bytes. If you try to copy
    > a file like this you will get "access denied", if you try to scan a file like this the AV
    > scanner will generate an error message indicating it can't scan the file.
    >
    > OK, back to the problem...
    >
    > So the other files that were submitted to Virus Total, were not zero byte files, were
    > flagged by AntiVir to have the "SPR/Madtol C" and Virus Total showed NO anti Virus vendor
    > could find anything and all vendors indicated "No Virus Found" ?
    >
    > If that is the case, it sounds like AntiVir is declaring a False Positive !
    >
    > I have found another poster in a non-Microsoft News Group who has indicated --
    > "...i get a message from the AntiVir program that i have a problem and it's name is
    > Spr/madtol.c i also ran AVG and it does not come up on that at all"
    >
    > I have a strong feeling this is a False Positive declaration.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >
    >
  22. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    From: "Kayman" <Kayman@discussions.microsoft.com>

    | Thanks Dave.
    | Some new developments.
    | I clicked on Spyware Doctor and prior to loading the AntiVir warning sign
    | popped up again. Like several times before the number (following "MC") has
    | changed, this time to "2C". I immediately clicked Start=>Run and typed
    | C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for.
    | For the first time this file showed up!
    | I accessed VirusTotal, attached the file but was unable to send off the
    | message. Without my doing, the computer then behaved somewhat erratically, making
    | several "clicking" sounds in quick repetitions (identical sounds/noises when
    | using the mouse). A window popped up displaying a message that the message
    | could not be sent (these are not the exact words as the window disappeared
    | very quickly). Many more of the AntiVir warning signs and New Message signs
    | from Outlook Express popped up in quick succession and for a short while my
    | computer "froze". Again, without my doing, the message to scan@virustotal
    | was saved in the Outlook Express Outbox but without attachment.
    | I again clicked Start=>Run and typed
    | C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for but
    | this time the file has disappeared.
    |
    | Also, while the AntiVir warning sign is showing it seems to be the dominant
    | display on my desktop - it always will stay on top - for example when opening
    | VirusTotal or click Start=>Run these applications can not be moved on the top
    | of the Warning sign but stay underneath.
    |
    | Coming back to your response. If this is a False Positive declaration,
    | should I just leave everything as is and ignore the AntiVir Warning sign?
    | Or is there anything else I could do like deleting the AntiVir and Spyware
    | Doctor Programs and the files I had sent to VirusTotal?
    | Is a False Positive declaration something I should be concerned with and if
    | so, is there a program commercially available for removing this?
    | If you wish I could send you a screenshot which shows the AntiVir Warning
    | sign.
    | I also wish to confirm that none of the 20 Anti Virus vendors found any
    | viruses in the files sent to VirusTotal.
    | Best regards,

    If none of the AV vendors found anything on a file declared to have the SPR/Madtol.C, and it is
    not a zero byte file, then I strongly think it is a False Positive declaration.

    I am waiting for another poster to send his file(s) to Virus Total. If he too finds a
    report where "no virus found" is indicated for all the AV vendors, then AntiVir has a
    definite False Positive declaration problem. That poster also noted the file flagged was a
    .TMP file ( mc22.tmp ). Not unlike your file.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  23. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "Kayman" wrote:

    > I clicked on to Spyware Doctor to run a periodic scan when a Warning Window
    > from one of my anti virus programs (AntiVir) popped up displaying the
    > following message:
    >
    > C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
    > Contains signature of the SPR/Madtol.C program
    >
    > The AntiVir program provided several options as to what to do with this file,
    > I opted for deletion.
    >
    > When clicking afterward on to Spyware doctor the AntiVir Warning sign
    > reappears displaying almost the same message ( instead of MC27 it shows
    > MC28). I again deleted this file.
    >
    > The warning sign only appears when clicking on to Spyware Doctor which by
    > the way I installed some 6 months ago. But the problem only has started
    > yesterday.
    >
    > I run updated MS AntiSpyWare, Spybot S&D, Ad-Aware se, AntiVir, Spyware
    > Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
    > but none of the scans indicated the presence of this file.
    >
    > Would somebody know and advise a proper elimination procedures of this file.
    >
    > Thank you in advance for your attention and kind assistance.