Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1164
  • Last Modified:

On Access Scanner from NetShield will not start v4.5 SP1

Hi,
I have recently cleaned up our server (w2k Advanced Svr) Spyware, etc was running on it.  It is completely patched from Microsoft's website and needs no further critical updates.  The problem is every time I reboot the server I cannot start the On Access Scanner for Netshield.  I have tried starting services individually, Task Manager then McShield but it gives an error 1607 terminated unexpectedly.  I have unistalled it completey, registry pieces and all then rebooted.  I reinstalled it and added the service pack but it just wont start up.  I have scanned this server with Alluria's spyware, Trojan Hunter and run anti-virus check from another w2k server (McAfee Netshield 4.5 SP1).  I have been to the Network Associates website and have checked run commands in the registry to ensure nothing is running at startup.

If anyone has any ideas that I could try, save installing v7 or 8, because like I said it works great on the other w2k server running the same software.

I appreciate any help you can give.  I would even greatly appreciate it if someone could tell me files, dates, and versions for the anti-virus package so I can double-check that I don't have a hi-jacker on the exe.  Incidently, it SHSTAT.EXE.  I also tried running it from a command line using "/enable" to no avail.  I have also checked what is running using WinTask Pro utility, nothing suspicious found.

Because of the complexity of this question and the urgency of the matter, I am going to give it the full points allowed.
0
spinewr
Asked:
spinewr
  • 5
  • 4
  • 2
  • +1
1 Solution
 
gemchestCommented:
Hi Spinewr,

At the moment I've not been locate an immediate solution to your problem. However I'm sure you're aware that if any trojan is resident in your computer this problem will surface as well. I've a few clients having such problems with Norton auto-protect, but this is the first time i come across with this. Allow me slightly more time to source for a solution for you.

anyway do you have the following error displayed?

Error: "Netshld-4.5 Unable to start Query Service"

Error: "This task is already in use. Search path not loaded - module NETSHLD.NLM - Unable to start Query Service"

NETSHLD.NLM will not load

Error: "An application error has occurred and an application error log is being generated."

Error: "Mcshield.exe, Exception: access violation (0xc0000005)"

Error: "VsTskMgr.exe, Exception: access violation (0xc0000005)"

Error: "scan32.exe, Exception: access violation (0xc0000005)"

Error after updating .DAT files

cheers,
Luis
0
 
spinewrAuthor Commented:
I appreciate your taking the time to research this for me.  
None of the above errors are appearing.

Exact error when starting up the system is NO error.  It just does not start the on access scanner.  The exact error message when starting Mcshield in the Services MMC "Error 1067: The process terminated unexpectedly"  The event viewer was event ID 5019, mcshield crash.  Network Associates states to install the Service Pack for v4.5 of Netshield.

Thanks,
spinewr
0
 
acmpCommented:
What engine are you running?

You should be at least on 4.2.60 if not you'll need to update your engine.

acmp<><
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
spinewrAuthor Commented:
I can't tell what the engine is.  checking the Netshield Activity Log - it does not say the last version installed, overwrites every 7 days :(.

I have tried bringing up the about box from both Console and the disabled On Access Scanner icon in the system tray.  Both of these are being shut down.  It appears I may have some latest and greatest worm of sorts.  Do you recommend any other Trojan Hunter, or Virus detector.  I have not found anything on Mcafee's site or even Sophos website in regards to a virus that shuts down anti-virus and cannot be detected.  I have even run FPORT to find nothing unusual.  I have downloaded and run the latest Stinger from McAfee (still nothing).

Where do we go from here?

Thanks,
Spinewr
0
 
spinewrAuthor Commented:
I just checked the files in C:\Program Files\Network Associates\NetShield between the server that works fine and this bad one.  Found nothing different except of course, log files.  The server that works great is running the 4.2.60 engine, so I am assuming that if the files are the same (date, version, etc..) then I am running 4.2.60 on the bad server.

Thanks,
Spinewr
0
 
Asta CuCommented:
How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363&Product=winsvr2003

This is a composite link put together by many of us on Spyware/Malware and related tools:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

XADM: "Error 1067" and Event ID 1000 Error Messages After You Install Exchange 2000 Server on Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;822884&Product=winsvr2003

Does running HijackThis on the problem to log help?  Once the log is obtained, pasting the results to this HijackThis analyzer can be insightful
http://www.hijackthis.de/index.php?langselect=english
0
 
acmpCommented:
you can use the current superdat to updateNetshield 4.5, this will udate the engine too.

acmp<><
0
 
spinewrAuthor Commented:
astaec
  Thanks for your input, the patches 036 and 039 are installed.  The Q links within Experts-Exchange were helpful, but did not find anything.  This server is not running Exchange.  The HiJackThis website was nifty, again, one possible "Nasty" found and corrected - Still does not work properly.

acmp
  thanks, but the superdat you are refering to is engine 4.2.60 and SP1 which is what is installed.

Thanks, I will keep trying, still looking to understand all files with the Anti-Virus package.  
0
 
acmpCommented:
Running hte Superdat with the /F switch (force) is still a good idea as it will ensure that the dat/engine files are correct, effectivly repairing any problems with them.

acmp<><
0
 
spinewrAuthor Commented:
Thanks for everyone's imput.

I felt the SuperDat with force switch helped me the most.  It allowed the scan engine to start and immediately found the Bat/Mumu.worm.

Thanks
Spinewr
0
 
Asta CuCommented:
Fantastic!  Hats off to acmp.
":0) Asta
0
 
acmpCommented:
<humble mode>
Glad to be of service
</humble mode>

acmp<><
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

  • 5
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now