Solved

On Access Scanner from NetShield will not start v4.5 SP1

Posted on 2004-08-31
Last Modified: 2012-05-05
Hi,
I have recently cleaned up our server (w2k Advanced Svr); spyware, etc. was running on it.  It is completely patched from Microsoft's website and needs no further critical updates.  The problem is every time I reboot the server I cannot start the On Access Scanner for Netshield.  I have tried starting services individually, Task Manager then McShield but it gives an error 1607 terminated unexpectedly.  I have uninstalled it completely, registry pieces and all, then rebooted.  I reinstalled it and added the service pack but it just won't start up.  I have scanned this server with Alluria's spyware, Trojan Hunter and run anti-virus check from another w2k server (McAfee Netshield 4.5 SP1).  I have been to the Network Associates website and have checked run commands in the registry to ensure nothing is running at startup.

If anyone has any ideas that I could try, save installing v7 or 8, because like I said it works great on the other w2k server running the same software.

I appreciate any help you can give.  I would even greatly appreciate it if someone could tell me files, dates, and versions for the anti-virus package so I can double-check that I don't have a hi-jacker on the exe.  Incidentally, it is SHSTAT.EXE.  I also tried running it from a command line using "/enable" to no avail.  I have also checked what is running using WinTask Pro utility, nothing suspicious found.

Because of the complexity of this question and the urgency of the matter, I am going to give it the full points allowed.
Question by:spinewr
12 Comments
 
LVL 4

Expert Comment

by:gemchest
ID: 11949175
Hi Spinewr,

At the moment I've not been able to locate an immediate solution to your problem. However I'm sure you're aware that if any trojan is resident in your computer this problem will surface as well. I've a few clients having such problems with Norton auto-protect, but this is the first time I have come across this. Allow me slightly more time to source a solution for you.

Anyway, do you have the following error displayed?

Error: "Netshld-4.5 Unable to start Query Service"

Error: "This task is already in use. Search path not loaded - module NETSHLD.NLM - Unable to start Query Service"

NETSHLD.NLM will not load

Error: "An application error has occurred and an application error log is being generated."

Error: "Mcshield.exe, Exception: access violation (0xc0000005)"

Error: "VsTskMgr.exe, Exception: access violation (0xc0000005)"

Error: "scan32.exe, Exception: access violation (0xc0000005)"

Error after updating .DAT files

cheers,
Luis
 

Author Comment

by:spinewr
ID: 11952412
I appreciate your taking the time to research this for me.  
None of the above errors are appearing.

Exact error when starting up the system is NO error.  It just does not start the on access scanner.  The exact error message when starting Mcshield in the Services MMC is "Error 1067: The process terminated unexpectedly".  The event viewer was event ID 5019, mcshield crash.  Network Associates states to install the Service Pack for v4.5 of Netshield.

Thanks,
spinewr
 
LVL 6

Expert Comment

by:acmp
ID: 11953260
What engine are you running?

You should be at least on 4.2.60; if not, you'll need to update your engine.

acmp<><
 

Author Comment

by:spinewr
ID: 11954176
I can't tell what the engine is.  Checking the Netshield Activity Log - it does not say the last version installed, overwrites every 7 days :(.

I have tried bringing up the about box from both Console and the disabled On Access Scanner icon in the system tray.  Both of these are being shut down.  It appears I may have some latest and greatest worm of sorts.  Do you recommend any other Trojan Hunter, or Virus detector?  I have not found anything on Mcafee's site or even Sophos website in regards to a virus that shuts down anti-virus and cannot be detected.  I have even run FPORT to find nothing unusual.  I have downloaded and run the latest Stinger from McAfee (still nothing).

Where do we go from here?

Thanks,
Spinewr
 

Author Comment

by:spinewr
ID: 11954292
I just checked the files in C:\Program Files\Network Associates\NetShield between the server that works fine and this bad one.  Found nothing different except of course, log files.  The server that works great is running the 4.2.60 engine, so I am assuming that if the files are the same (date, version, etc..) then I am running 4.2.60 on the bad server.

Thanks,
Spinewr
 
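The comparison in the post above went by file date and version, which a damaged or tampered file can still match. As an added example (not part of the original thread), this Python sketch compares SHA-256 hashes of a known-good and a suspect install folder instead; the file contents, timestamp and skipped extensions are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SKIP_SUFFIXES = {".log", ".txt"}  # assumption: logs always differ between hosts

def manifest(root):
    """Map relative path -> (size, mtime, sha256) for every non-log file."""
    root, out = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() not in SKIP_SUFFIXES:
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            out[p.relative_to(root).as_posix().lower()] = (st.st_size, int(st.st_mtime), digest)
    return out

def compare(good, suspect):
    """Return (path, finding) pairs; metadata-identical mismatches are called out."""
    findings = []
    for name in sorted(set(good) | set(suspect)):
        g, s = good.get(name), suspect.get(name)
        if g is None:
            findings.append((name, "extra on suspect"))
        elif s is None:
            findings.append((name, "missing on suspect"))
        elif g[2] != s[2]:
            same_meta = g[:2] == s[:2]
            findings.append((name, "content differs, size/date identical" if same_meta else "content differs"))
    return findings

def demo():
    """Constructed sample trees standing in for the two NetShield folders."""
    stamp = 1093910400  # constructed timestamp, applied to every file
    trees = {
        "good": {"mcshield.exe": b"A" * 64, "shstat.exe": b"B" * 32, "activity.log": b"host1"},
        "bad": {"mcshield.exe": b"A" * 63 + b"X", "shstat.exe": b"B" * 32,
                "activity.log": b"host2", "unexpected.tmp": b"?"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for name, data in files.items():
                path = Path(tmp, tree, name)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
                os.utime(path, (stamp, stamp))
        return compare(manifest(Path(tmp, "good")), manifest(Path(tmp, "bad")))

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{finding}: {name}")
```

Build the known-good manifest on the working server and carry it over on read-only media, so that whatever is interfering with the suspect host cannot alter the reference.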
LVL 27

Expert Comment

by:Asta Cu
ID: 11959521
How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363&Product=winsvr2003

This is a composite link put together by many of us on Spyware/Malware and related tools:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

XADM: "Error 1067" and Event ID 1000 Error Messages After You Install Exchange 2000 Server on Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;822884&Product=winsvr2003

Does running HijackThis on the problem to log help?  Once the log is obtained, pasting the results to this HijackThis analyzer can be insightful
http://www.hijackthis.de/index.php?langselect=english
 
LVL 6

Expert Comment

by:acmp
ID: 11961622
You can use the current superdat to update Netshield 4.5; this will update the engine too.

acmp<><
 

Author Comment

by:spinewr
ID: 11966361
astaec
  Thanks for your input, the patches 036 and 039 are installed.  The Q links within Experts-Exchange were helpful, but did not find anything.  This server is not running Exchange.  The HiJackThis website was nifty, again, one possible "Nasty" found and corrected - Still does not work properly.

acmp
  Thanks, but the superdat you are referring to is engine 4.2.60 and SP1 which is what is installed.

Thanks, I will keep trying, still looking to understand all files with the Anti-Virus package.  
 
LVL 6

Accepted Solution

by:
acmp earned 500 total points
ID: 11987759
Running the Superdat with the /F switch (force) is still a good idea as it will ensure that the dat/engine files are correct, effectively repairing any problems with them.

acmp<><
 

Author Comment

by:spinewr
ID: 11989609
Thanks for everyone's input.

I felt the SuperDat with force switch helped me the most.  It allowed the scan engine to start and immediately found the Bat/Mumu.worm.

Thanks
Spinewr
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11990118
Fantastic!  Hats off to acmp.
":0) Asta
 
LVL 6

Expert Comment

by:acmp
ID: 11994864
<humble mode>
Glad to be of service
</humble mode>

acmp<><