SPR/Madtol.C program

Anonymous
July 10, 2005 4:27:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I clicked on Spyware Doctor to run a periodic scan when a Warning Window
from one of my anti virus programs (AntiVir) popped up displaying the
following message:

C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
Contains signature of the SPR/Madtol.C program

The AntiVir program provided several options as to what to do with this file;
I opted for deletion.

When clicking afterward on Spyware Doctor the AntiVir Warning sign
reappears displaying almost the same message (instead of MC27 it shows
MC28). I again deleted this file.

The warning sign only appears when clicking on Spyware Doctor, which by
the way I installed some 6 months ago. But the problem only started
yesterday.

I ran updated MS AntiSpyWare, Spybot S&D, Ad-Aware SE, AntiVir, Spyware
Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
but none of the scans indicated the presence of this file.

Would somebody know and advise a proper elimination procedure for this file?

Thank you in advance for your attention and kind assistance.


Anonymous
July 10, 2005 12:55:25 PM


From: "Kayman" <Kayman@discussions.microsoft.com>

This could very well be a RootKit!
http://www.sysinternals.com/utilities/rootkitrevealer.h...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 12, 2005 8:36:04 AM


Hi David:
Here are the scan results:-
1. TREND (F8 & clean boot):
33303 files read, 33303 files checked, 29440 files scanned, 39817 files
scanned (incl. files in archives), 0 files containing viruses, found 0
viruses totally, maybe 0 viruses totally; scan time 24 min. 46 sec.
1a. TREND (normal mode):
33205 files read, 33205 files checked, 29891 files scanned, 38760 files
scanned (incl. files in archives), 0 files containing viruses, found 0 viruses
totally, maybe 0 viruses totally; scan time 17 min. 37 sec.

2. SOPHOS (F8 & clean boot):
40199 files swept in 1 hour 27 min. 11 sec., 56 errors encountered,
no viruses discovered, 46 encrypted files were not checked; ending Sophos
Anti-Virus.
2a. SOPHOS (normal mode):
40119 files swept in 59 min. 41 sec., 59 errors encountered, no viruses were
discovered, 46 encrypted files were not checked; ending Sophos Anti-Virus.

3. MCAFEE (both in F8 & clean boot and normal mode):
Unable to perform scans. When hitting #3 in the AV Command Line Scanner Menu
the following message appears:
c:\AV-CLS\McAfee\update.ini not opened foe read, error code [0]

David, should I delete the McAfee folder and try to download one more time?

For your information, after scanning with Trend and Sophos, I clicked on
Spyware Doctor and the AntiVir Warning sign popped up again indicating that
the SPR/Madtol.C program is still present; the number has changed to MC2104.

With best regards,

Anonymous
July 12, 2005 12:49:32 PM


From: "Kayman" <Kayman@discussions.microsoft.com>

The error message...
"update.ini not opened foe read, error code [0]" indicates that the FTP.EXE program was
unable to access the McAfee FTP site and download the needed files. The UPDATE.INI is
parsed for the version information of the McAfee files. Without it the utility does not know
the name of the McAfee SuperDAT.

Usually this error is caused by the FireWall blocking FTP.EXE from getting to the site.
Either the FireWall needs to be disabled or FTP.EXE needs to be allowed to go through the
FireWall.

Since both Trend and Sophos come up clean... It could be well hidden and only revealed via
RootKit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.h...


There is also a possibility that this is a False Positive declaration.

There must be SOME file that is being flagged as having this.

Please submit the suspect file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendor's scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
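An added example (editor's code, not part of the thread and not from any tool named in it) for the point Dave raises above: VirusTotal needs the file itself, and here the file is an MC*.TMP that AntiVir deletes the moment it is flagged. The script baselines a temp directory, then polls it and copies any new MC*.TMP into a quarantine folder together with its MD5, SHA-1 and SHA-256 before the scanner can remove it. The MC*.TMP pattern and the %TEMP% location come from the thread; the quarantine layout, the .sample extension, the polling loop and the self-check data are assumptions of this example.

```python
"""Grab a short-lived temp file before the on-access scanner deletes it.

Added example, not code from the thread or from any tool named in it.
Assumption: the flagged file is the MC*.TMP that AntiVir removes on detection,
so the only way to get a sample for VirusTotal is to copy it in the window
between creation and deletion. The quarantine layout is this example's own.
"""
import fnmatch
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Set, Tuple

FileKey = Tuple[str, int, int]  # (name, mtime_ns, size): a re-created file counts as new


def matches(name: str, pattern: str) -> bool:
    """Case-insensitive glob, since Windows file names are case-insensitive."""
    return fnmatch.fnmatchcase(name.upper(), pattern.upper())


def snapshot(directory: Path, pattern: str = "MC*.TMP") -> Set[FileKey]:
    """Baseline of the matching files present right now."""
    keys: Set[FileKey] = set()
    for p in directory.iterdir():
        if not matches(p.name, pattern) or not p.is_file():
            continue
        try:
            st = p.stat()
        except FileNotFoundError:  # vanished between listing and stat
            continue
        keys.add((p.name, st.st_mtime_ns, st.st_size))
    return keys


def hash_file(path: Path) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 in one pass; any of them works as a VirusTotal lookup key."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def quarantine_copy(src: Path, quarantine: Path) -> Tuple[Path, Dict[str, str]]:
    """Copy first (the original may vanish any moment), hash the copy, write a hash sidecar.
    The .sample extension keeps the copy from being run by a stray double-click."""
    quarantine.mkdir(parents=True, exist_ok=True)
    dest = quarantine / f"{src.name}.{time.time_ns()}.sample"
    shutil.copy2(src, dest)
    digests = hash_file(dest)
    dest.with_suffix(".hashes").write_text(
        "".join(f"{algo}  {hexdigest}  {src}\n" for algo, hexdigest in digests.items()))
    return dest, digests


def capture_once(directory: Path, quarantine: Path, seen: Set[FileKey],
                 pattern: str = "MC*.TMP") -> List[Tuple[Path, Dict[str, str]]]:
    """One polling pass: copy every matching file not in `seen`, then extend `seen`."""
    captured: List[Tuple[Path, Dict[str, str]]] = []
    current = snapshot(directory, pattern)
    for name, _, _ in sorted(current - seen):
        try:
            captured.append(quarantine_copy(directory / name, quarantine))
        except (FileNotFoundError, PermissionError):
            pass  # deleted or locked by the scanner before we got to it
    seen |= current
    return captured


def watch(directory: Path, quarantine: Path, seconds: float = 60.0,
          interval: float = 0.1, pattern: str = "MC*.TMP") -> List[Tuple[Path, Dict[str, str]]]:
    """Poll for `seconds`. Start this first, then launch the program that triggers the alert."""
    seen = snapshot(directory, pattern)
    captured: List[Tuple[Path, Dict[str, str]]] = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        captured += capture_once(directory, quarantine, seen, pattern)
        time.sleep(interval)
    return captured


def self_check() -> Dict[str, object]:
    """Offline run on a constructed temp directory (harmless text files, no real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "MC27.TMP").write_bytes(b"present before the baseline; must be ignored")
        seen = snapshot(root)
        (root / "mc28.tmp").write_bytes(b"abc")    # appears after the baseline: captured
        (root / "other.log").write_bytes(b"abc")   # wrong pattern: ignored
        first = capture_once(root, root / "quarantine", seen)
        second = capture_once(root, root / "quarantine", seen)  # nothing new this time
        return {
            "captured": [dest.name for dest, _ in first],
            "digests": first[0][1] if first else {},
            "sidecar_written": bool(first) and first[0][0].with_suffix(".hashes").exists(),
            "second_pass": len(second),
        }


if __name__ == "__main__":
    # Real use on the machine in the thread would be roughly
    #   watch(Path(os.environ["TEMP"]), Path(r"C:\quarantine"), seconds=120)
    # followed by submitting the .sample file (or just its SHA-256) to VirusTotal.
    print(self_check())
```

Start watch() before clicking Spyware Doctor, since that click is what triggers the alert. The copy is itself subject to on-access scanning and may be removed as well; picking AntiVir's quarantine or move option instead of delete is the simpler route, because a quarantined file can be exported later. Even if the copy is lost, the hash sidecar is written right after hashing and is enough to look the file up.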
Anonymous
July 13, 2005 6:21:03 AM


Hi David:
Prior to downloading AV-CLS I definitely permitted my (Norton 2003) security
system to let AV-CLS (Trend, Sophos and McAfee) pass through the firewall.

Anyway, I deleted the McAfee folder, disabled my firewall and re-downloaded
McAfee. After reboot I tried to scan without success; the same error message
popped up.

I then deleted the entire AV-CLS folder and started from scratch. I again
disabled my firewall prior to downloading and left it disabled during the entire
download operation. (This time I downloaded McAfee first, Trend second and
Sophos third.)
I am able to perform scans with Trend and Sophos.
McAfee however produces the same old error message.

I downloaded Rootkitrevealer.exe. The scan result revealed that there were
no discrepancies found.

I accessed the virustotal website and sent a message explaining my plight.
The message sent was identical to the one I sent to (you) the Discussion
Group. They responded that the (my) original message had no attachment.
I am at a loss here. I really don't know which attachment I could have sent
to virustotal. The only evidence I have is the warning sign generated by
AntiVir. I guess I somehow could send them a screen print??

Thanks again for your patience.
With best regards,


Anonymous
July 13, 2005 9:42:02 AM


David, I just ran another RootkitRevealer scan which this time revealed 8
discrepancies. Don't know why the first scan did not reveal anything.
Details are as follows:

1. Path: C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.lnk
Time Stamp: 7/5/2005 4:16 PM, Size: 772 bytes,
Description: Visible in Windows API but not in MFT or directory index.

2. Path: C:\Documents and Settings\Pattaya2005\Start Menu\Rootkitrevealer.exe.lnk
Time Stamp: 7/13/2005 6:21 PM, Size: 741 bytes,
Description: Hidden from Windows API.

3. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc15.lnk
Time Stamp: 7/10/2005 11:49 PM, Size: 636 bytes,
Description: Visible in Windows API but not in MFT or directory index.

4. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc41.lnk
Time Stamp: 7/13/2005 6:19 PM, Size: 529 bytes,
Description: Hidden from Windows API.

5. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc43.lnk
Time Stamp: 7/13/2005 6:20 PM, Size: 772 bytes,
Description: Hidden from Windows API.

6. Path: C:\Recycler\S-1-5-21-861567501-1614895754-725345543-1003\Dc44.lnk
Time Stamp: 7/13/2005 6:23 PM, Size: 741 bytes,
Description: Hidden from Windows API.

7. Path: C:\System Volume Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023597.lnk
Time Stamp: 7/13/2005 6:23 PM, Size: 772 bytes,
Description: Hidden from Windows API.

8. Path: C:\System Volume Information\_restore{EA5BC76B-1A04-48DE-988A-C5F4B6448A1B}\RP96\AA0023598.lnk
Time Stamp: 7/13/2005 6:23 PM, Size: 636 bytes,
Description: Hidden from Windows API.

Hope this helps.





Anonymous
July 13, 2005 1:40:10 PM


From: "Kayman" <Kayman@discussions.microsoft.com>

Kayman:

Unfortunately, nothing comes to mind except....
C:\Recycler\... refers to the Recycle/Trash bin. Just dump the contents.
C:\System Volume Information\_restore\... is the System Restore cache. You can either
ignore this or, if you think that in the near future you may restore a point from the System
Restore cache, then it would be a good idea to disable the System Restore cache, reboot, then
re-enable the System Restore cache. I also suggest a logical size of the cache of something
like 600MB or so.

This may be the key...
C:\Documents and Settings\Pattaya2005\Start Menu\Cyptainer.lnk

Getting back to McAfee....

Both Sophos and Trend use WGET.EXE and TCP port 80 to obtain their respective AV vendor
files. However, McAfee uses FTP.EXE using TCP ports 20 and 21. Since we are in a WinXP NG
I can presume that they have the WinXP FireWall enabled as well as Norton's, and it may very
well be WinXP's FireWall blocking the FTP process.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 13, 2005 2:00:20 PM


From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>




ADDENDUM:

Please read the thread...
"Windows Firewall and FTP Problem"

posted on...
Wednesday, July 13, 2005 9:37 AM

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 13, 2005 6:38:06 PM


David, I made a typographical error: Cyptainer is misspelled and should read
Cryptainer.

Cryptainer LE Version 5.0.3 is encryption software which is free to
download.

Sorry if my typo has caused inconvenience.

Anonymous
July 13, 2005 11:09:02 PM


Dear David:

I am positively sure that the Windows firewall was disabled. You see, when
disabling the Norton firewall a warning balloon pops up indicating that my
computer may be at risk because of disabling the security system. The balloon
would not appear if the Windows Firewall was enabled. I always double check
that the Windows Firewall is disabled as I am aware that it is not
recommended to run 2 firewalls simultaneously. Also, I did not encounter any
problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.

I read the threads re: Windows Firewall and must say that all this is a bit
beyond my comprehension. Grateful if you could advise the following re:
Windows Firewall/Added Settings (FTP Settings):
a) Description of Service: ?
b) Name or IP address (for example 192.168.0.12) of the computer hosting
this service on your network: Where can I find this information?
c) External Port Number for this Service: ?
d) Internal Port Number for this Service: ?
e) Which box needs to be checked, TCP or UDP?
After the FTP settings have been completed, do I have to delete and re-download
the McAfee Command Line Scanner?

Another Rootkitrevealer scan revealed the following discrepancy:
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
7/14/2005, 6:57, 80 bytes
Description: Data mismatch between Windows API and raw hive data

If this has to be removed I need to know how to access HKLM...
Regards,




Anonymous
July 14, 2005 1:00:38 PM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "Kayman" <Kayman@discussions.microsoft.com>

Replies are inline....

| Dear David:
|
| I am positively sure that the Windows firewall was disabled. You see when
| disabling the Norton firewall a warning balloon pops up indicating that my
| computer may be at risk because of disabling the security system. The balloon
| would not appear if the windows Firewall was enabled. I always double check
| that the windows firewall is disabled as I am aware that it is not
| recommended to run 2 firewalls simultaneously. Also, I did not encounter any
| problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.
|
| I read the threads re: Windows Firewall and must say that all this is a bit
| beyond my comprehension. Grateful if you could advise the following re:
| Windows Firewall/Added Settings (FTP Settings):
| a) Description of Service: ?

FTP


| b) Name of IP address (for example 192.168.0.12) of the computer hosting
| this service on your network: Where can I find this information?

ftp.nai.speedera.net


| c) External Port Number for this Service: ?

20 - 21

| d) Internal Port Number for this Service: ?

?


| e) Which box needs to be checked, TCP or UDP ?

TCP


| After FTP Setting have been completed, do I have to delete and re-download
| the McAfee Command Line Scanner?


Just choose McAfee from the Multi AV Vendor scanner menu


| Another Rootkitrevealer Scan revealed the following discrepancy:
| HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
| 7/14/2005, 6:57, 80 bytes
| Description: Data mismatch between Windows API and raw hive data
|
| If this has to be removed I need to know how to access HKLM...
| Regards,
|


Run Regedit

HKLM stands for: HKEY_LOCAL_MACHINE
Then follow the path; SOFTWARE\Microsoft\Cryptography\RNG
Seed=....

However, I doubt it is your problem and should be left alone !

Unfortunately, I don't have a WinXP SP2 box in front of me so I can't provide specific
FireWall information. The EASIEST way to deal with the FireWall issue is to DISABLE the
FireWall prior to choosing "McAfee" from the Multi AV Vendor scanner menu then re-enabling
it AFTER the files have been obtained.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 15, 2005 8:20:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dear David:

I disabled both both firewalls (Windows and Norton 2003). Then I downloaded
McAfee. During this download operation the following message was visible:-

ftp<open ftp.nai.speedera.net
connect to ftp.nai.speedera.net.
220-
220-ftp.nai.com FTP server <SFIPD>
220
User <ftp.nai.speedera.net:<none>>:
331 Password required for user.

230 User anonymous logged in.
ftp>
ftp> lcd c:\AV-CLS\McAfee
Local directory now c:\CLS\McAfee.
ftp< bin
200 TYPE set to I.
Hash mark printing On ftp: <2048 bytes/hash mark>.
ftp prompt
Interactive mode Off.
ftp> get/pub/antivirus/superdat/intel/sdat4535.exe
200 PORT commanf successful.
150 Opening BINARY mode data connection
for/pub/antivirus/superdat/intel/sdat4.
####################################################

During the download operation an error message appeared: "SDStbRes.dll: The
specified module could not be found". This message however disappeared after
10 seconds or so.
After completion of download operation a small McAfee Command Line Scanner
window appeared: "Do you want to run a scan now"? "Yes" "No".
I clicked Yes. The scan did not run but the NT based OS AV Command Line
Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
Nothing happened.
I rebooted the computer, accessed the appropriate folder and after the NT
Based OS AV Command Line Scanners Menu appeared I hit #3 again.
The following error message was displayed:
c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]

I ran another RootKitRevealer Scan which found one (1) discrepancy:
Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
Time Stamp 7/15/2005, 12:17PM, Size: 32KB
Description: Visible in Windows API but not in MFT or directory index.

Well David, I hope all this helps to come up with a solution, Thanks!!

Anonymous
July 15, 2005 3:52:00 PM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "Kayman" <Kayman@discussions.microsoft.com>

< snip >

| During the download operation an error message appeared: "SDStbRes.dll: The
| specified module could not be found". This message however disappeared after
| 10 seconds or so.
| After completion of download operation a small McAfee Command Line Scanner
| window appeared: "Do you want to run a scan now"? "Yes" "No".
| I clicked Yes. The scan did not run but the NT based OS AV Command Line
| Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
| is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
| Nothing happened.
| I rebooted the computer, accessed the appropriate folder and after the NT
| Based OS AV Command Line Scanners Menu appeared I hit #3 again.
| The following error message was displayed:
| c:\AV-CSL\McAfee\update.ini not opened for READ, error code [0]
|
| I ran another RootKitRevealer Scan which found one (1) discrepancy:
| Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
| Time Stamp 7/15/2005, 12:17PM, Size: 32KB
| Description: Visible in Windows API but not in MFT or directory index.
|
| Well David, I hope all this helps to come up with a solution, Thanks!!
|

Kayman:

That is indicative that disabling both FireWalls was key to allowing FTP.EXE to download the
needed files. On my McAfee VirusScan Enterprise v7.1 the file "SDStbRes.dll" was not found.
Are you using the retail version McAfee VirusScan v6 ? My scripts and McAfee have NO
dependency upon "SDStbRes.dll" which leads me to believe you do have this version of
software.

In any case, *IF* you do, disable McAfee v6.0 and the FireWalls and proceed to download.
You may have to reboot prior to doing so as the PC may have been made less stable by said error.

However, you ran Trend and Sophos OK and neither found anything. You may want to just run
them again as it has been a few days and there are NEW signatures since the initial run and
ignore the McAfee section.

Then I would also suggest getting back to the ROOT of the problem as to what software
declared SPR/Madtol.C and in what file (fully qualified name and path).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 16, 2005 8:34:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin

Dear David:

I don't think I am using a retail version of McAfee VirusScan v6.
Early June I followed your recommendation to download CLEAN.EXE from the URL
www.ik-cs.com/programs/virtools/clean.exe. I believe that the McAfee scan
Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
I don't have any other McAfee products installed to my computer, only
Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.

Here are the scan results I ran (after updating) today both in normal and
F8 & clean boot:-

McAfee v4.4.00, version data file created Jul 15 2005; Scanning for
137602 viruses, trojans and variants: No Infections detected.

AV-CLS
1. Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
(104621 Patterns) (2005/07/14) (273100): NIL Files containing viruses.

2. Sophos Anti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
July 2005; Includes detection for 107005 viruses, trojans and worms: No
viruses were discovered.

3. McAfee: Unable to run scans.

Best regards,

Anonymous
July 16, 2005 1:11:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "Kayman" <Kayman@discussions.microsoft.com>

| Dear David:
|
| I don't think I am using a retail version of McAfee VirusScan v6.
| Early June I followed your recommendation to download CLEAN.EXE from the URL
| www.ik-cs.com/programs/virtools/clean.exe. I believe that the McAfee scan
| Engine is v4.4.00 for Win32. I still run scans with this engine frequently.
| I don't have any other McAfee products installed to my computer, only
| Norton2003 and various other ad-aware, anti-spy and anti-virus freeware.
|
| Here are the scan results I ran (after updating) today both in normal and
| F8 & clean boot:-
|
| McAfee v4.4.00, version data file created Jul 15 2005; Scanning for
| 137602 viruses, trojans and variants: No Infections detected.
|
| AV-CLS
| 1. Trend Micro Sysclean Package (version 626) [success], VSAPI Engine
| Version: 7.510-1002, VSCANTM Version: 1.1-1001, Virus Pattern Version: 731
| (104621 Patterns) (2005/07/14) (273100): NIL Files containing viruses.
|
| 2. Sophos Anti-Virus, Version 3.95.0 [Win32/Intel], Virus data version 3.95,
| July 2005; Includes detection for 107005 viruses, trojans and worms: No
| viruses were discovered.
|
| 3. McAfee: Unable to run scans.
|
| Best regards,


Both the Multi AV vendor scanner front end (Multi_AV.exe) and the McAfee Front End
(clean.exe) were written by me. The code used in the Clean Tool (Clean.exe) was ultimately
used in the Multi AV vendor scanner front end (Multi_AV.exe) and I don't understand why one
works and the other does not.

As I previously indicated....
I would suggest getting back to the ROOT of the problem as to what software declared
SPR/Madtol.C and in what file (fully qualified name and path).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 16, 2005 10:14:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Dear David:

Here is what I know:-
When clicking on to Spyware Doctor to run a scan a Warning message from
AntiVir (anti-virus freeware) popped up. The message indicates that:

C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
Contains signatures of the SPR/Madtol.C program

The warning sign now popped up pretty frequently during scanning with Sophos
and Trend.
The warning sign also pops up whenever I click on to Spyware Doctor
(before Spyware Doctor loads).

Please note that the number following MC changed from 27 to 2104. The latest
pop up indicated MC28.

My sincere apologies, but I really don't know what software declared this
problem, I just don't know where to look.

I clicked Start -->Run and typed:
C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC27.TMP into the space provided for and
clicked OK. A window popped up showing that Windows cannot find this name.

However when omitting the letters/numbers MC27.TMP some eight (8) files
appeared in the "drop-down" box. They are:

#1. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp
#2. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF4513.tmp
#3. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF981A.tmp
#4. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF9D21.tmp
#5. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppfile.dat
#6. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppinfo.dat
#7. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\pploc.dat
#8. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppv5exc.dat

When selecting #1 through #4 - a window pops up showing that Windows cannot
open this (these) file(s). To open this file, Windows needs to know what
program created it.

When selecting #5 through #8 - a window pops up cautioning that opening this
file could damage the system.

I require guidance as to how to handle all this.

Well David, that is really all the information I am presently aware of and am
sorry that I could not work the McAfee download in the multi scanner facility.
Thanks again for your patience.

Anonymous
July 17, 2005 3:14:59 PM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "Kayman" <Kayman@discussions.microsoft.com>

| Dear David:
|
| Here is what I know:-
| When clicking on to Spyware Doctor to run a scan a Warning message from
| AntiVir (anti-virus freeware) popped up. The message indicates that:
|
| C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
| Contains signatures of the SPR/Madtol.C program
|
| The warning sign now popped up pretty frequently during scanning with Sophos
| and Trend.
| The warning sign also pops up whenever I click on to Spyware Doctor
| (before Spyware Doctor loads).
|
| Please note that the number following MC changed from 27 to 2104. The latest
| pop up indicated MC28.
|
| My sincere apologies, but I really don't know what software declared this
| problem, I just don't know where to look.
|
| I clicked Start -->Run and typed:
| C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC27.TMP into the space provided for and
| clicked OK. A window popped up showing that Windows cannot find this name.
|
| However when omitting the letters/numbers MC27.TMP some eight (8) files
| appeared in the "drop-down" box. They are:
|
| #1. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp
| #2. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF4513.tmp
| #3. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF981A.tmp
| #4. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF9D21.tmp
| #5. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppfile.dat
| #6. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppinfo.dat
| #7. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\pploc.dat
| #8. C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\ppv5exc.dat
|
| When selecting #1 through #4 - a window pops up showing that Windows cannot
| open this (these) file(s). To open this file, Windows needs to know what
| program created it.
|
| When selecting #5 through #8 - a window pops up cautioning that opening this
| file could damage the system.
|
| I require guidance as to how to handle all this.
|
| Well David, that is really all the information I am presently aware of and am
| sorry that I could not work the McAfee download in the multi scanner facility.
| Thanks again for your patience.
|


If I had patience, I'd be a Doctor ;-)

What I suggest is the following, take a suspect file such as
C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\~DF31B3.tmp and please submit "~DF31B3.tmp" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 17, 2005 7:39:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Dear David:

I transmitted eight (8) messages to Virus Total and attached one (1) file to
each message.

File <ppv5exc.dat> has 0 bytes and wasn't scanned (unsupported or malformed
attached file codification).

The results of seven (7) file scans by the various scan engines did not find
any viruses.
Best regards,

Anonymous
July 17, 2005 11:24:16 PM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "Kayman" <Kayman@discussions.microsoft.com>

| Dear David:
|
| I transmitted eight (8) messages to Virus Total and attached one (1) file to
| each message.
|
| File <ppv5exc.dat> has 0 bytes and wasn't scanned (unsupported or malformed
| attached file codification).
|
| The results of seven (7) file scans by the various scan engines did not find
| any viruses.
| Best regards,
|
| "David H. Lipman" wrote:

Obviously if it is a 0 byte file it can be malware. You would have to submit a file where
the file handle is NOT in use so it can be uploaded or a file that is not empty.

Were all 8 submissions zero bytes ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
July 18, 2005 6:41:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin

Dear David:

Only file ppv5exc.dat indicates 0 bytes.

Details of the other 7 files are as follows:

DF31B3.temp, DF4513.temp, DF981A.temp and DF9D21 all have 32.0 KB.

ppfile.dat =>499.0 KB, ppinfo.dat => 201 KB and pploc.dat => 553.0 KB.

Sorry David, I would not know whether the file handle is or is not in use, I
don't even know what a file handle is. So I looked up "Using a File Handle"
in the Microsoft Knowledge Base (MSDN Library) but am having a hard time to
comprehend all this. The write up with respect to "File Basic Information" is
also way beyond my understanding.

When I submitted the files to scan@virustotal.com I don't think I opened any
files. I just clicked the 'attach' button in Outlook Express and looked
for/inserted the appropriate attachment which I then submitted accordingly.
Kind regards,

Anonymous
July 18, 2005 2:22:07 PM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "Kayman" <Kayman@discussions.microsoft.com>

| Dear David:
|
| Only file ppv5exc.dat indicates 0 bytes.
|
| Details of the other 7 files are as follows:
|
| DF31B3.temp, DF4513.temp, DF981A.temp and DF9D21 all have 32.0 KB.
|
| ppfile.dat =>499.0 KB, ppinfo.dat => 201 KB and pploc.dat => 553.0 KB.
|
| Sorry David, I would not know whether the file handle is or is not in use, I
| don't even know what a file handle is. So I looked up "Using a File Handle"
| in the Microsoft Knowledge Base (MSDN Library) but am having a hard time to
| comprehend all this. The write up with respect to "File Basic Information" is
| also way beyond my understanding.
|
| When I submitted the files to scan@virustotal.com I don't think I opened any
| files. I just clicked the 'attach' button in Outlook Express and looked
| for/inserted the appropriate attachment which I then submitted accordingly.
| Kind regards,
|
| "David H. Lipman" wrote:

The concept of the "file handle being open" just means that a program or the Operating
System is presently using that file exclusively and will not let other activity access said
file. If you try to submit a file like this, it will be of zero bytes. If you try to copy
a file like this you will get "access denied"; if you try to scan a file like this the AV
scanner will generate an error message indicating it can't scan the file.

OK, back to the problem...

So the other files that were submitted to Virus Total, were not zero byte files, were
flagged by AntiVir to have the "SPR/Madtol C" and Virus Total showed NO anti Virus vendor
could find anything and all vendors indicated "No Virus Found" ?

If that is the case, it sounds like AntiVir is declaring a False Positive !

I have found another poster in a non-Microsoft News Group who has indicated --
"...i get a message from the AntiVir program that i have a problem and it's name is
Spr/madtol.c i also ran AVG and it does not come up on that at all"

I have a strong feeling this is a False Positive declaration.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
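The triage rule Dave is applying above (one engine flags a file, every other engine at Virus Total reports it clean, and a 0-byte copy proves nothing because the real content was never scanned), written out as an added Python example; it is not code from the thread or from any tool named in it, and the engine names, file sizes and verdicts are constructed sample data.

```python
"""Triage of multi-engine scan verdicts for a file that one AV product flags.

Added example for this thread (AntiVir flagging "SPR/Madtol.C" in temp files
while every other engine at Virus Total reported clean); not code from the
thread.  Engine names, file names, sizes and verdicts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNSCANNED = "unscanned"        # 0-byte copy: nothing for the engines to inspect
INSUFFICIENT = "insufficient"  # too few engines answered to draw a conclusion
LIKELY_FP = "likely-false-positive"
CORROBORATED = "corroborated"  # an independent engine agrees with the reporter


@dataclass
class Submission:
    name: str
    size_bytes: int
    # engine name -> detection name, or None when that engine reported clean
    verdicts: Dict[str, Optional[str]] = field(default_factory=dict)


def triage(sub: Submission, reporting_engine: str, min_engines: int = 10) -> str:
    """Classify one submission relative to the engine that raised the alert.

    A zero-byte file is treated as not scanned at all: in the thread this
    happened when the file was copied while another process held its handle
    exclusively, so the scanners never saw the real content.  A verdict set
    is only trusted when at least `min_engines` engines actually returned one.
    """
    if sub.size_bytes == 0:
        return UNSCANNED
    if len(sub.verdicts) < min_engines:
        return INSUFFICIENT
    flagged = {eng for eng, det in sub.verdicts.items() if det}
    # Agreement from any engine other than the one that raised the alert
    # (which may simply re-apply the same signature) counts as corroboration.
    if flagged - {reporting_engine}:
        return CORROBORATED
    return LIKELY_FP


def triage_report(subs: List[Submission], reporting_engine: str) -> Dict[str, str]:
    """Map each submitted file name to its triage outcome."""
    return {s.name: triage(s, reporting_engine) for s in subs}


def _verdicts(engine_count: int, flagged: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Constructed verdict table: `engine_count` generic engines, all clean
    except those listed in `flagged` (which may add or override entries)."""
    table: Dict[str, Optional[str]] = {f"engine{i:02d}": None for i in range(engine_count)}
    table.update(flagged)
    return table


# Constructed sample mirroring the thread: 32 KB ~DF*.tmp files, .dat files
# of a few hundred KB and one empty file, checked by about twenty engines.
SAMPLE = [
    Submission("~DF31B3.tmp", 32 * 1024, _verdicts(20, {})),
    Submission("~DF4513.tmp", 32 * 1024, _verdicts(20, {"AntiVir": "SPR/Madtol.C"})),
    Submission("ppfile.dat", 499 * 1024,
               _verdicts(20, {"AntiVir": "SPR/Madtol.C", "engine07": "Generic.Suspect"})),
    Submission("ppv5exc.dat", 0, {}),
    Submission("ppinfo.dat", 201 * 1024, _verdicts(3, {"AntiVir": "SPR/Madtol.C"})),
]

if __name__ == "__main__":
    for name, outcome in triage_report(SAMPLE, "AntiVir").items():
        print(f"{name:14} {outcome}")
```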
Anonymous
July 18, 2005 9:39:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Thanks Dave.
Some new developments.
I clicked on Spyware Doctor and prior to loading the AntiVir warning sign
popped up again. Like several times before the number (following "MC") has
changed, this time to "2C". I immediately clicked Start=>Run and typed
C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for.
For the first time this file showed up!
I accessed VirusTotal, attached the file but was unable to send off the
message. Without my doing, the computer then behaved somewhat erratically, making
several "clicking" sounds in quick repetition (identical sounds/noises to when
using the mouse). A window popped up displaying a message that the message
could not be sent (these are not the exact words as the window disappeared
very quickly). Many more of the AntiVir warning signs and New Message signs
from Outlook Express popped up in quick succession and for a short while my
computer "froze". Again, without my doing, the message to scan@virustotal
was saved in the Outlook Express Outbox but without attachment.
I again clicked Start=>Run and typed
C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for but
this time the file had disappeared.

Also, while the AntiVir warning sign is showing it seems to be the dominant
display on my desktop - it always stays on top - for example when opening
VirusTotal or clicking Start=>Run these applications cannot be moved on top
of the Warning sign but stay underneath.

Coming back to your response. If this is a False Positive declaration,
should I just leave everything as is and ignore the AntiVir Warning sign?
Or is there anything else I could do like deleting the AntiVir and Spyware
Doctor Programs and the files I had sent to VirusTotal?
Is a False Positive declaration something I should be concerned with and if
so, is there a program commercially available for removing this?
If you wish I could send you a screenshot which shows the AntiVir Warning
sign.
I also wish to confirm that none of the 20 Anti Virus vendors found any
viruses in the files sent to VirusTotal.
Best regards,


"David H. Lipman" wrote:

> From: "Kayman" <Kayman@discussions.microsoft.com>
>
> | Dear David:
> |
> | Only file ppv5exc.dat indicates 0 bytes.
> |
> | Details of the other 7 files are as follows:
> |
> | DF31B3.temp, DF4513.temp, DF981A.temp and DF9D21 all have 32.0 KB.
> |
> | ppfile.dat =>499.0 KB, ppinfo.dat => 201 KB and pploc.dat => 553.0 KB.
> |
> | Sorry David, I would not know whether the file handle is or is not in use, I
> | don't even know what a file handle is. So I looked up "Using a File Handle"
> | in the Microsoft Knowledge Base (MSDN Library) but I am having a hard time
> | comprehending all this. The write-up with respect to "File Basic Information" is
> | also way beyond my understanding.
> |
> | When I submitted the files to scan@virustotal.com I don't think I opened any
> | files. I just clicked the 'attach' button in Outlook Express and looked
> | for/inserted the appropriate attachment which I then submitted accordingly.
> | Kind regards,
> |
> | "David H. Lipman" wrote:
>
> The concept of the "file handle being open" just means that a program or the Operating
> System is presently using that file exclusively and will not let other activity access said
> file. If you try to submit a file like this, it will be of zero bytes. If you try to copy
> a file like this you will get "access denied"; if you try to scan a file like this the AV
> scanner will generate an error message indicating it can't scan the file.
>
> OK, back to the problem...
>
> So the other files that were submitted to Virus Total were not zero byte files, were
> flagged by AntiVir to have the "SPR/Madtol C", and Virus Total showed NO anti-virus vendor
> could find anything and all vendors indicated "No Virus Found"?
>
> If that is the case, it sounds like AntiVir is declaring a False Positive !
>
> I have found another poster in a non-Microsoft News Group who has indicated --
> "...i get a message from the AntiVir program that i have a problem and it's name is
> Spr/madtol.c i also ran AVG and it does not come up on that at all"
>
> I have a strong feeling this is a False Positive declaration.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
July 19, 2005 3:05:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "Kayman" <Kayman@discussions.microsoft.com>

| Thanks Dave.
| Some new developments.
| I clicked on Spyware Doctor and prior to loading the AntiVir warning sign
| popped up again. Like several times before the number (following "MC") has
| changed, this time to "2C". I immediately clicked Start=>Run and typed
| C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for.
| For the first time this file showed up!
| I accessed VirusTotal, attached the file but was unable to send off the
| message. Without my doing, the computer then behaved somewhat erratically, making
| several "clicking" sounds in quick repetition (identical sounds/noises to those when
| using the mouse). A window popped up displaying a message that the message
| could not be sent (these are not the exact words as the window disappeared
| very quickly). Many more of the AntiVir warning signs and New Message signs
| from Outlook Express popped up in quick succession and for a short while my
| computer "froze". Again, without my doing, the message to scan@virustotal
| was saved in the Outlook Express Outbox but without attachment.
| I again clicked Start=>Run and typed
| C:\DOCUME~1\PATTAY~1\LOCALS~1\TEMP\MC2C.TMP into the space provided for but
| this time the file has disappeared.
|
| Also, while the AntiVir warning sign is showing it seems to be the dominant
| display on my desktop - it always stays on top - for example when opening
| VirusTotal or clicking Start=>Run, these applications cannot be moved on top
| of the Warning sign but stay underneath.
|
| Coming back to your response. If this is a False Positive declaration,
| should I just leave everything as is and ignore the AntiVir Warning sign?
| Or is there anything else I could do like deleting the AntiVir and Spyware
| Doctor programs and the files I had sent to VirusTotal?
| Is a False Positive declaration something I should be concerned with and if
| so, is there a program commercially available for removing this?
| If you wish I could send you a screenshot which shows the AntiVir Warning
| sign.
| I also wish to confirm that none of the 20 Anti Virus vendors found any
| viruses in the files sent to VirusTotal.
| Best regards,

If none of the AV vendors found anything on a file declared to have the SPR/Madtol.C, and it
is not a zero byte file, then I strongly think it is a False Positive declaration.

I am waiting for another poster to send his file(s) to Virus Total. If he too finds a
report where "no virus found" is indicated for all the AV vendors, then AntiVir has a
definite False Positive declaration problem. That poster also noted the file flagged was a
.TMP file (mc22.tmp). Not unlike your file.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
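Two practical problems run through this exchange: the flagged MC2C.TMP vanished before it could be attached for VirusTotal, and (per Dave's explanation of open file handles above) a file that is held exclusively by another program copies as zero bytes or fails with "access denied", so the submission would be useless anyway. The following is an added example, not code from this thread nor from AntiVir, Spyware Doctor or VirusTotal. It is a small Python watcher that polls a directory for new files matching MC*.TMP, copies each one to a capture folder the moment it appears, and records the size and SHA-256 of the copy so that a usable copy can be submitted to a scanner. A copy that comes out empty, is denied, or disappears between listing and copying is flagged rather than marked submittable. The MC*.TMP pattern and the %TEMP% location come from the posts; the capture folder name, the polling interval, and the sample files built by demo_run() are assumptions/constructed for illustration.

```python
"""Capture short-lived temp files so they can be submitted to a scanner.

Added example for this thread; not code from the thread or from AntiVir,
Spyware Doctor or VirusTotal. Polls a directory (the poster's %TEMP%), copies
every new file matching a pattern (MC*.TMP in the thread) to a capture
folder, and records size and SHA-256 of the copy. An empty or denied copy is
flagged: that is the "file handle is open" symptom described in the thread.
"""
import fnmatch
import hashlib
import os
import shutil
import sys
import time
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Capture:
    name: str              # file name as seen in the watched directory
    size: int              # size of the captured copy in bytes
    sha256: Optional[str]  # hash of the copy; None if nothing usable was captured
    note: str              # what to do with it


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watch_dir: str, pattern: str) -> Set[str]:
    """Names in watch_dir matching pattern, case-insensitively (Windows names)."""
    return {n for n in os.listdir(watch_dir)
            if fnmatch.fnmatchcase(n.upper(), pattern.upper())}


def capture_new(watch_dir: str, capture_dir: str, pattern: str,
                seen: Set[str]) -> List[Capture]:
    """Copy every matching file not yet in `seen`; `seen` is updated in place."""
    os.makedirs(capture_dir, exist_ok=True)
    results: List[Capture] = []
    for name in sorted(snapshot(watch_dir, pattern) - seen):
        seen.add(name)
        src, dst = os.path.join(watch_dir, name), os.path.join(capture_dir, name)
        try:
            shutil.copy2(src, dst)
        except PermissionError:
            # Another process holds the handle exclusively: nothing to submit.
            results.append(Capture(name, 0, None, "copy denied: handle held open"))
            continue
        except FileNotFoundError:
            # Deleted between listing and copying, as the poster's MC2C.TMP was.
            results.append(Capture(name, 0, None, "vanished before copy"))
            continue
        size = os.path.getsize(dst)
        if size == 0:
            results.append(Capture(name, 0, None, "zero-byte copy: do not submit"))
            continue
        results.append(Capture(name, size, sha256_of(dst), "ok: submit this copy"))
    return results


def watch(watch_dir: str, capture_dir: str, pattern: str = "MC*.TMP",
          seconds: float = 60.0, interval: float = 0.05) -> List[Capture]:
    """Poll for `seconds`, ignoring files that already existed at start."""
    seen = snapshot(watch_dir, pattern)
    found: List[Capture] = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        found.extend(capture_new(watch_dir, capture_dir, pattern, seen))
        time.sleep(interval)
    return found


def demo_run() -> dict:
    """Constructed sample, not files from the thread: a populated MC27.TMP, an
    empty MC28.TMP standing in for an open-handle copy, and an unrelated file."""
    import tempfile
    d = tempfile.mkdtemp()
    payload = b"constructed sample bytes, not malware"
    with open(os.path.join(d, "MC27.TMP"), "wb") as f:
        f.write(payload)
    open(os.path.join(d, "MC28.TMP"), "wb").close()
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"ignored")
    seen: Set[str] = set()
    cap = os.path.join(d, "captured")
    first = capture_new(d, cap, "MC*.TMP", seen)
    second = capture_new(d, cap, "MC*.TMP", seen)  # nothing new: []
    return {"first": first, "second": second, "expected_size": len(payload),
            "expected_sha": hashlib.sha256(payload).hexdigest()}


if __name__ == "__main__":
    # Usage: python capture_tmp.py [seconds]; then start the program that creates the file.
    secs = float(sys.argv[1]) if len(sys.argv) > 1 else 60.0
    temp_dir = os.environ.get("TEMP") or "/tmp"   # assumption: %TEMP% on Windows
    for c in watch(temp_dir, os.path.join(os.getcwd(), "captured"), seconds=secs):
        print(f"{c.name}: {c.size} bytes, sha256={c.sha256}, {c.note}")
```

Start the script first, then click Spyware Doctor so that the MC*.TMP file is created while the watcher is polling. Because this is polling rather than a filesystem hook, a file that exists for only a few milliseconds can still be missed; shortening the interval helps, and only copies recorded as "ok" with a non-zero size are worth sending to a scanner. The recorded SHA-256 also lets the poster tell whether MC27, MC28 and MC2C were the same content under different names.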
September 16, 2005 11:29:04 AM

Archived from groups: microsoft.public.windowsxp.security_admin

"Kayman" wrote:

> I clicked on to Spyware Doctor to run a periodic scan when a Warning Window
> from one of my anti virus programs (AntiVir) popped up displaying the
> following message:
>
> C:\DOCUME~1\PATTAYA~1\LOCALS~1\TEMP\MC27.TMP
> Contains signature of the SPR/Madtol.C program
>
> The AntiVir program provided several options as to what to do with this file,
> I opted for deletion.
>
> When clicking afterward on to Spyware doctor the AntiVir Warning sign
> reappears displaying almost the same message ( instead of MC27 it shows
> MC28). I again deleted this file.
>
> The warning sign only appears when clicking on to Spyware Doctor which by
> the way I installed some 6 months ago. But the problem only started
> yesterday.
>
> I ran updated MS AntiSpyWare, Spybot S&D, Ad-Aware SE, AntiVir, Spyware
> Doctor and McAfee Virus Cleaner & Removal Tool (in both F8 and normal mode)
> but none of the scans indicated the presence of this file.
>
> Would somebody know and advise a proper elimination procedure for this file?
>
> Thank you in advance for your attention and kind assistance.
!