Question about Multi-AV update behaviour for David H. Lipman



David

I have been given a Windows XP Professional SP3 machine to clean.
I have warned the owners that I could only guarantee "clean" status by a
fresh install, but they wanted it disinfected.

Access to the internet was available so I downloaded Malwarebytes.
Malwarebytes found many occurrences of Rogue.EvidenceEliminator &
Rogue.ErrorFix, and removed them.


I then downloaded Multi_AV.exe which unzipped into C:\AV-CLS.
I then ran StartMenu.bat.
On selecting any of the 1..4 options a box pops up :
"The system is shutting down. Please save all work in progress and log off."
"Time before Shutdown 30" (counting down to 0).
"Message
Sophos scanner files were not found.
The computer is being shutdown so that you can download the needed Sophos
files in Normal Mode"
Similar messages are displayed for options 2..4.

I've tried pressing "N" & "I" but it will not download.

If I install the AV-CLS on a different machine and update (download) for all
4 tools, I can then transfer C:\AV-CLS back.
All four tools will then run, but NEVER update (again I've tried "N" & "I").

There appears to be no problem accessing the internet using IE8 & Outlook
Express.

I've tried repairing the IP stack.

Does this behaviour suggest anything to you ?

Thanks

Eric

--
Remove the dross to contact me directly



Re: Question about Multi-AV update behaviour for David H. Lipman




| David

| I have been given a Windows XP Professional SP3 machine to clean.
| I have warned the owners that I could only guarantee "clean" status by a
| fresh install, but they wanted it disinfected.

| Access to the internet was available so I downloaded Malwarebytes.
| Malwarebytes found many occurrences of Rogue.EvidenceEliminator &
| Rogue.ErrorFix, and removed them.


| I then downloaded Multi_AV.exe which unzipped into C:\AV-CLS.
| I then ran StartMenu.bat.
| On selecting any of the 1..4 options a box pops up :
| "The system is shutting down. Please save all work in progress and log off."
| "Time before Shutdown 30" (counting down to 0).
| "Message
| Sophos scanner files were not found.
| The computer is being shutdown so that you can download the needed Sophos
| files in Normal Mode"
| Similar messages are displayed for options 2..4.

| I've tried pressing "N" & "I" but it will not download.

| If I install the AV-CLS on a different machine and update (download) for all
| 4 tools, I can then transfer C:\AV-CLS back.
| All four tools will then run, but NEVER update (again I've tried "N" & "I").

| There appears to be no problem accessing the internet using IE8 & Outlook
| Express.

| I've tried repairing the IP stack.

| Does this behaviour suggest anything to you ?

| Thanks

| Eric

| --
| Remove the dross to contact me directly



Does it display at the top of the menu, 2nd line...

Boot State= Normal boot


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Question about Multi-AV update behaviour for David H. Lipman





Thanks for the quick response.

No it says :
"Boot State= "

What does this mean ?

--
Eric



Re: Question about Multi-AV update behaviour for David H. Lipman





Thanks for the help David.
It's sorted now.
WMI was corrupt or disabled.
I re-installed it and all is behaving as expected.
Boot State= Normal Boot
and the pattern files update.

--
Eric
Remove the dross to contact me directly



Re: Question about Multi-AV update behaviour for David H. Lipman







| Thanks for the help David.
| It's sorted now.
| WMI was corrupt or disabled.
| I re-installed it and all is behaving as expected.
| Boot State= Normal Boot
| and the pattern files update.

| --
| Eric
| Remove the dross to contact me directly


Yepper.  WMI

What did you do to fix it ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Question about Multi-AV update behaviour for David H. Lipman





rundll32.exe setupapi,InstallHinfSection WBEM 132 %windir%\inf\wbemoc.inf

Needed an XP CD that matched.

It also asked for napclientprov.mof but there is one locally in
Windows\system32\wbem

Thanks again

Eric



Re: Question about Multi-AV update behaviour for David H. Lipman















| rundll32.exe setupapi,InstallHinfSection WBEM 132 %windir%\inf\wbemoc.inf

| Needed an XP CD that matched.

| It also asked for napclientprov.mof but there is one locally in
| Windows\system32\wbem

| Thanks again

| Eric


If you didn't have a solution, I would have had you create and run a batch file
from the following script...

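@echo on
 rem Rebuild the WMI repository and re-register the WMI components.
 cd /d c:\temp
 rem No wbem directory at all: fall back to the wmicore installer.
 if not exist %windir%\system32\wbem goto TryInstall
 cd /d %windir%\system32\wbem
 rem Stop the WMI service before touching the repository.
 net stop winmgmt
 winmgmt /kill
 rem Keep the old repository as Rep_bak, replacing any earlier backup.
 if exist Rep_bak rd Rep_bak /s /q
 rename Repository Rep_bak
 rem Re-register the DLLs and EXEs, then recompile the MOF and MFL files.
 for %%i in (*.dll) do RegSvr32 -s %%i
 for %%i in (*.exe) do call :FixSrv %%i
 for %%i in (*.mof,*.mfl) do Mofcomp %%i
 net start winmgmt
 goto End

 rem Called once per .exe: run it with /RegServer, skipping
 rem wbemcntl.exe, wbemtest.exe and mofcomp.exe.
:FixSrv
 if /I (%1) == (wbemcntl.exe) goto SkipSrv
 if /I (%1) == (wbemtest.exe) goto SkipSrv
 if /I (%1) == (mofcomp.exe) goto SkipSrv
 %1 /RegServer

:SkipSrv
 goto End

 rem Run wmicore.exe from c:\temp with /s, if it is present there.
:TryInstall
 if not exist wmicore.exe goto End
 wmicore /s
 net start winmgmt
:End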


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
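
Added example, not part of the original thread and not Multi-AV's own code: a read-only check to run before a WMI rebuild like the one above, to confirm that WMI is what is failing. It assumes the blank "Boot State=" seen earlier corresponds to a failed query of Win32_ComputerSystem.BootupState, and that wmic.exe is available (it ships with XP Professional); the variable names and messages are made up for this example.

```bat
@echo off
rem Added example: read-only WMI health check. It changes nothing on the system.
rem Assumption: a blank "Boot State=" means the WMI query for
rem Win32_ComputerSystem.BootupState returned nothing.
setlocal
set WMI_OK=0

rem 1. Is the WMI service (winmgmt) running?
sc query winmgmt | find "RUNNING" >nul
if errorlevel 1 (
    echo [FAIL] winmgmt service is not running
    goto Report
)
echo [ OK ] winmgmt service is running

rem 2. Can WMI answer the boot-state query?
rem    The inner FOR strips the trailing carriage return that wmic emits.
set BOOTSTATE=
for /f "tokens=2 delims==" %%a in ('wmic computersystem get BootupState /value 2^>nul') do (
    for /f "delims=" %%b in ("%%a") do set BOOTSTATE=%%b
)
if not defined BOOTSTATE (
    echo [FAIL] WMI returned no BootupState
    goto Report
)
echo [ OK ] BootupState=%BOOTSTATE%
set WMI_OK=1

:Report
if "%WMI_OK%"=="1" (
    echo WMI answers queries; a repository rebuild is not indicated.
    exit /b 0
)
echo WMI is not answering; repair it before relying on tools that query it.
exit /b 1
```

On an infected machine a stopped or broken winmgmt is also worth recording in the clean-up notes, since other tools that query WMI will fail in the same way.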



Re: Question about Multi-AV update behaviour for David H. Lipman





Good to know for the future.

--
Eric



Re: Question about Multi-AV update behaviour for David H. Lipman






I am sorry for being dense. But if you were doing a wipe and reinstall
I do not understand what all that other stuff is about. Can you please
explain why you would have instances of Rogue.EvidenceEliminator
when you are in the process of a fresh install?

--





Re: Question about Multi-AV update behaviour for David H. Lipman





The owner didn't want a reinstall, and preferred a "cleaning" instead.

"...I could only guarantee "clean" status by a  fresh install, but they
wanted it disinfected."



Re: Question about Multi-AV update behaviour for David H. Lipman



Has the owner been properly educated about this? Just because
they did not want the reinstall does not mean that was the correct
course of action.

--






Re: Question about Multi-AV update behaviour for David H. Lipman



Indeed! I assume the OP has advised the owner, and the owner doesn't
have any backups (hence their concern about wipe/reinstall).

Proper backups make wipe/reinstall not only the *best* option, but also
the easiest.



