spinewr

On Access Scanner from NetShield will not start v4.5 SP1

Hi,
I have recently cleaned up our server (w2k Advanced Svr); spyware, etc. was running on it.  It is completely patched from Microsoft's website and needs no further critical updates.  The problem is every time I reboot the server I cannot start the On Access Scanner for Netshield.  I have tried starting services individually, Task Manager then McShield but it gives an error 1607 terminated unexpectedly.  I have uninstalled it completely, registry pieces and all, then rebooted.  I reinstalled it and added the service pack but it just won't start up.  I have scanned this server with Alluria's spyware, Trojan Hunter and run anti-virus check from another w2k server (McAfee Netshield 4.5 SP1).  I have been to the Network Associates website and have checked run commands in the registry to ensure nothing is running at startup.

If anyone has any ideas that I could try, save installing v7 or 8, because like I said it works great on the other w2k server running the same software.

I appreciate any help you can give.  I would even greatly appreciate it if someone could tell me files, dates, and versions for the anti-virus package so I can double-check that I don't have a hijacker on the exe.  Incidentally, it is SHSTAT.EXE.  I also tried running it from a command line using "/enable" to no avail.  I have also checked what is running using WinTask Pro utility, nothing suspicious found.

Because of the complexity of this question and the urgency of the matter, I am going to give it the full points allowed.
gemchest

Hi Spinewr,

At the moment I've not been able to locate an immediate solution to your problem. However, I'm sure you're aware that if any trojan is resident in your computer this problem will surface as well. I've a few clients having such problems with Norton auto-protect, but this is the first time I have come across this. Allow me slightly more time to source a solution for you.

Anyway, do you have the following error displayed?

Error: "Netshld-4.5 Unable to start Query Service"

Error: "This task is already in use. Search path not loaded - module NETSHLD.NLM - Unable to start Query Service"

NETSHLD.NLM will not load

Error: "An application error has occurred and an application error log is being generated."

Error: "Mcshield.exe, Exception: access violation (0xc0000005)"

Error: "VsTskMgr.exe, Exception: access violation (0xc0000005)"

Error: "scan32.exe, Exception: access violation (0xc0000005)"

Error after updating .DAT files

cheers,
Luis
spinewr

ASKER

I appreciate your taking the time to research this for me.  
None of the above errors are appearing.

Exact error when starting up the system is NO error.  It just does not start the on access scanner.  The exact error message when starting Mcshield in the Services MMC is "Error 1067: The process terminated unexpectedly".  The event viewer showed event ID 5019, mcshield crash.  Network Associates states to install the Service Pack for v4.5 of Netshield.

Thanks,
spinewr

What engine are you running?

You should be at least on 4.2.60; if not, you'll need to update your engine.

acmp<><
spinewr

ASKER

I can't tell what the engine is.  Checking the Netshield Activity Log - it does not say the last version installed, overwrites every 7 days :(.

I have tried bringing up the about box from both Console and the disabled On Access Scanner icon in the system tray.  Both of these are being shut down.  It appears I may have some latest and greatest worm of sorts.  Do you recommend any other Trojan Hunter, or Virus detector?  I have not found anything on McAfee's site or even Sophos website in regards to a virus that shuts down anti-virus and cannot be detected.  I have even run FPORT to find nothing unusual.  I have downloaded and run the latest Stinger from McAfee (still nothing).

Where do we go from here?

Thanks,
Spinewr
spinewr

ASKER

I just checked the files in C:\Program Files\Network Associates\NetShield between the server that works fine and this bad one.  Found nothing different except of course, log files.  The server that works great is running the 4.2.60 engine, so I am assuming that if the files are the same (date, version, etc..) then I am running 4.2.60 on the bad server.

Thanks,
Spinewr
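
An added example, not part of the original thread: the directory comparison described above checked dates and versions, which a replaced binary can preserve, so this sketch hashes file contents instead. It assumes both install directories are readable from one trusted machine (for instance as copies or shares); the skip list and the finding labels are choices made here.

```python
import hashlib
import os

# Assumption: log/activity files legitimately differ between servers, so skip them.
SKIP_EXT = {".log", ".txt"}


def build_manifest(root):
    """Map lower-cased relative path -> (size, mtime, sha256) for files under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SKIP_EXT:
                continue
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root).lower()  # Windows paths are case-insensitive
            manifest[rel] = (st.st_size, int(st.st_mtime), digest.hexdigest())
    return manifest


def compare(good, suspect):
    """Return sorted (kind, path) findings for the suspect tree against the good one."""
    findings = []
    for path in sorted(set(good) | set(suspect)):
        if path not in suspect:
            findings.append(("missing", path))
        elif path not in good:
            findings.append(("extra", path))
        elif good[path][2] != suspect[path][2]:
            # Same size and date but different content is the case a
            # date/version comparison cannot see.
            same_meta = good[path][:2] == suspect[path][:2]
            findings.append(("modified-same-metadata" if same_meta else "modified", path))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: script.py <known-good dir> <suspect dir>
    for kind, path in compare(build_manifest(sys.argv[1]), build_manifest(sys.argv[2])):
        print(kind, path)
```
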
Asta Cu
How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363&Product=winsvr2003

This is a composite link put together by many of us on Spyware/Malware and related tools:
https://www.experts-exchange.com/questions/20975384/Standard-response-material-re-Spyware-Adware-BHOs-and-other-Malware.html

XADM: "Error 1067" and Event ID 1000 Error Messages After You Install Exchange 2000 Server on Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;822884&Product=winsvr2003

Does running HijackThis on the problem to log help?  Once the log is obtained, pasting the results to this HijackThis analyzer can be insightful
http://www.hijackthis.de/index.php?langselect=english

You can use the current superdat to update Netshield 4.5, this will update the engine too.

acmp<><
spinewr

ASKER

astaec
  Thanks for your input, the patches 036 and 039 are installed.  The Q links within Experts-Exchange were helpful, but did not find anything.  This server is not running Exchange.  The HiJackThis website was nifty, again, one possible "Nasty" found and corrected - Still does not work properly.

acmp
  Thanks, but the superdat you are referring to is engine 4.2.60 and SP1 which is what is installed.

Thanks, I will keep trying, still looking to understand all files with the Anti-Virus package.  
ASKER CERTIFIED SOLUTION
acmp
This solution is only available to members.
spinewr

ASKER

Thanks for everyone's input.

I felt the SuperDat with force switch helped me the most.  It allowed the scan engine to start and immediately found the Bat/Mumu.worm.

Thanks
Spinewr
Fantastic!  Hats off to acmp.
":0) Asta
<humble mode>
Glad to be of service
</humble mode>

acmp<><