Trouble reinstalling virus software after virus!

Status
Not open for further replies.

jcfrasco

IS-IT--Management
Apr 27, 2001
89
US
We're running McAfee Total Virus Defense Suite on all our computers. One of our salesmen managed to get a virus on his computer but didn't know it until the icons on his desktop started disappearing. Before he could shut it down it crashed the operating system. When I got a chance to look at it I disconnected it from the network and tried to start it. When it got to the point where it loads the operating system it displayed a message that the NTLDR file was missing. Since I had no choice but to reload the operating system, I reformatted the hard drive and did a new install with Win 2000. The operating system installed without any problems and additional programs installed as easily. But when I attempted to reinstall the virus software it continues to fail halfway through and gives a message that it couldn't install the Scan32 common libraries. Also, it prevents me from removing the files it already installed due to the installation not being complete.

Is there something else I should do besides just reformatting the hard drive to ensure all traces of a virus are removed? Or, is there possibly something else I'm overlooking?

Thank you for any assistance,
jcfrasco
 
No solution but just some info:

That is weird, I got the same problem when I was infected by the W32/klez e@m virus.

Did you have the same experience?

I also deleted everything from McAfee, but I couldn't reinstall their software because of that "cannot load common libraries" error.

After that I used regmon and filemon from and I still don't know what is causing the problem, but I noticed that the virus did some weird things with common shared DLLs: it points very important DLLs like mfc42.dll to c:\temp\etc... instead of c:\windows\system (in the case of my W98 system). I need a solution too, so can someone help me too?
 
Just some ideas to try, not 100% sure myself. Did you ever identify the virus in the first place? Have you contacted McAfee Help to see what they say? Here are a couple of links which may or may not be relevant.



Do you have a drive manager or overlay like EZ-Drive for a large hard drive? fdisk /mbr is going to have a problem with that.

How to repair a virus when using a dynamic drive overlay or a disk compression utility
 
Check your KnownDLLs registry entry and check if every DLL is present in your windows\system dir.

lz32.dll wasn't present. I placed it, et voilà, it works (scan32).
 


Check your KnownDLLs registry entry and verify the existence of every named DLL. If missing: get from other same address and place it in c:\windows\system

Cy

scan32.exe doesn't give any "cannot load common dlls" anymore!
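
The KnownDLLs check described in the posts above, as an added example that is not part of the original thread: it reads a text export of the KnownDLLs key and compares each named DLL against the contents of the system directory, ignoring case. The sample export, its key path and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample of a regedit text export (REGEDIT4 format) of the
# KnownDLLs key; the entries are made up for this example.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
"kernel32"="kernel32.dll"
"LZ32"="lz32.dll"
"MFC42"="c:\\temp\\mfc42.dll"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\Other]
"ignored"="ignored.dll"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_known_dlls(export_text):
    """Return {value name: data} for string values under the KnownDLLs key."""
    entries, in_section = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Match on the key name only, so both "SessionManager" and
            # "Session Manager" spellings of the parent key are accepted.
            in_section = line.rstrip("]").lower().endswith("\\knowndlls")
            continue
        m = VALUE_RE.match(line)
        if in_section and m and not m["name"].lower().startswith("dlldirectory"):
            entries[m["name"]] = m["data"].replace("\\\\", "\\")  # undo .reg escaping
    return entries


def audit_known_dlls(entries, system_dir):
    """Sort each entry into present, missing, or path_qualified."""
    on_disk = {p.name.lower() for p in Path(system_dir).iterdir() if p.is_file()}
    report = {"present": [], "missing": [], "path_qualified": []}
    for _, dll in sorted(entries.items()):
        if "\\" in dll or "/" in dll:
            # Entry carries a path instead of a bare file name: review by hand.
            report["path_qualified"].append(dll)
        elif dll.lower() in on_disk:
            report["present"].append(dll)
        else:
            report["missing"].append(dll)
    return report
```

Pass the contents of an exported key to `parse_known_dlls` and the path of the machine's (or a mounted image's) system directory to `audit_known_dlls`; anything under `missing` is a candidate for the kind of failure the posters traced to lz32.dll.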
 
TRY ALL OF THESE STEPS TO ENSURE YOU HAVE FULLY RESOLVED YOUR ISSUE, SOME STEPS MAY NOT APPLY, SOME STEPS MAY BE SLIGHTLY DIFFERENT IN YOUR OPERATING SYSTEM.

Removing McAfee.com ActiveShield
From ADD/Remove software choose to remove McAfee.com ActiveShield.
Reboot
Go to the start | Run | Programs | McAfee.com Agent
Choose Uninstall
Reboot.
Delete %windir%\mcbin folder and [%windir%\program files\mcafee.com (unless they have or firewall and like it)].
Delete the McAfee.com programs from %windir%\downloaded program files.
Open regedt32.
Remove HKEY_LOCAL_MACHINE\software\mcafee.com (unless other McAfee.com software is installed).
Select HKEY_LOCAL_MACHINE\system\CurrentControlSet\enum\root\legacy_mcshield and choose security. Give everyone full control. Delete the registry key once you have changed the permissions on the registry key.
Select HKEY_LOCAL_MACHINE\system\CurrentControlSet\enum\root\legacy_NAIFiltr and choose security. Give everyone full control. Delete the registry key once you have changed the permissions on the registry key.
Select HKEY_LOCAL_MACHINE\system\CurrentControlSet\enum\root\legacy_NAIFsRec and choose security. Give everyone full control. Delete the registry key once you have changed the permissions on the registry key.
Remove HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\NAIFsRec
Remove HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\NAIFiltr


Remove the legacy keys following the steps below:
NOTE: The below keys are not installed nor removed by McAfee's software. The effects of removing them cannot be guaranteed by Network Associates.



1. Select Start | Run, type REGEDT32 and click Ok
2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_Avsynmgr
3. From the Security menu, select Permissions
4. From the Registry Key Permissions dialog box, select the Everyone Group
5. Place a check within 'Replace Permissions on Existing Subkeys'
6. In the Type of Access menu, select Full Control
7. Select OK
8. Answer YES to dialog box "Do you want to replace permissions on all existing Subkeys within LEGACY_xxxxx"
9. From the Edit menu, select Delete
10. Follow steps 3 through 9 for these keys also:
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_Naifilter
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_NAIFsRec
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_McShield


Cannot do automatic uninstall of virusscan

Backup the registry.

Open the VirusScan control panel applet.
Click the Stop button. (If the button says "Start" then the service is stopped. Do not click the button.)
Confirm that the service has stopped by the VShield icon and VirusScan console icon missing from the Systray in the opposite side of the start menu bar from the Start button.

Run the MSIzap batch program "Remove.bat".
You can get the Microsoft Clean Up Utility from Q238413 ("OFF2000: Windows Installer CleanUp Utility")
Install the Cleanup Utility.
Go to Start | Run and browse to C:\Program Files\Windows Cleanup Utility (the default directory) or the directory to which you installed the utility.
Select MSIZAP.EXE and click open.
At the end of the path statement in the Run box, type a space and then the following
McAfee VirusScan 4.5.1 English:
T {87AEFD84-BC0D-11D4-B885-00508B022A51}

NOTE: Your Run line should end up looking similar to this, including the quotes:
"C:\Program Files\Windows Cleanup Utility\MSIZAP.EXE" T {87AEFD84-BC0D-11D4-B885-00508B022A51}

Click OK to Run the utility.

When completed, reboot the system.

Select MSIZAP.EXE and click open.
At the end of the path statement in the Run box, type a space and then the following: T {63CB7620-B423-4BF1-A7E4-75BB8B64740E}

NOTE: Your Run line should end up looking similar to this, including the quotes:
"C:\Program Files\Windows Cleanup Utility\MSIZAP.EXE" T {63CB7620-B423-4BF1-A7E4-75BB8B64740E}


Click OK to Run the utility.

When completed, reboot the system.

1. Open Regedit
2. Click the plus sign (+) next to HKEY_LOCAL_MACHINE.
3. Click the plus sign (+) next to Software.
4. Click once on the Network Associates folder icon.
5. Select the TVD key and press the Delete key on the keyboard.
6. A "Confirm Key Delete" window will appear with the question, "Are you sure you want to delete this key?" Click the Yes button to delete the key.
7. Click the plus sign (+) next to Microsoft.
8. Scroll down and click the plus sign (+) next to Windows.
9. Click the plus sign (+) next to CurrentVersion.
10. Click the folder icon next to Run services.
11. On the right side of the window, locate and delete the following entry:
    Mcafee VirusScan Service
12. On the left side of the window, click the folder icon next to SharedDLLs.
13. On the right side of the window, locate and delete ONLY the following entries:

    c:\WIN98SE\SYSTEM\Avsmcpa.cpl
    c:\WIN98SE\SYSTEM\Inetwh32.dll
    c:\WIN98SE\SYSTEM\MCKRNL.VXD
    c:\WIN98SE\SYSTEM\MCSCAN32.VXD
    c:\WIN98SE\SYSTEM\MCUTIL.VXD
    c:\WIN98SE\SYSTEM\VSHIELD.VXD
    c:\WIN98SE\SYSTEM\VSHINIT.VXD

    (Your "path" may vary)

14. On the left side of the window, click the plus sign (+) next to Uninstall.
15. Locate and delete the 63CB7620-B423-4BF1-A7E4-75BB8B64740E folder under the Uninstall key.
16. If VirusScan 4.5 was installed with MAPI mail scanning (MS Exchange or Outlook), do the following, otherwise skip to the next step:

    Scroll back up and look under the Microsoft key from step 7.
    Click the plus sign (+) next to Exchange
    Click the plus sign (+) next to Client
    Click the plus sign (+) next to Extensions
    On the right side of the window, locate and delete Exchange Scan

17. Scroll back up and look under the Software key from step 3.
18. Click the plus sign (+) next to Network Associates.
19. If they exist, locate and delete ONLY the following keys under Network Associates:
    Ecare
    McAfee VirusScan
    SendVir
    VirusScan
    McAfee WebScanX

    Some others may exist (PGP or Management edition). Do not delete.
20. Close the Registry Editor by clicking on the X in the upper right hand corner.

Click on Start. The Start menu will appear.
Click on Run in the menu.
Type SYSEDIT in the Open field.
Click the OK button. The System Configuration Editor window will appear. The top window will be labeled C:\AUTOEXEC.BAT
If they exist, delete the following lines by highlighting the line and then pushing the Delete button on the keyboard:
C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX
@IF ERRORLEVEL 1 PAUSE
Save the file by clicking on File on the menu and select Save.
Close the System Configuration Editor by clicking on the X in the upper right hand corner of the large window.
Delete McAfee VirusScan Files:
Click on Start|Run.
In the 'Open:' field, type "C:\Program Files\Network Associates" (with the "") and click 'OK'.
Delete the VirusScan folder
Close this window.
Click on Start|Run.
In the Open field, type "C:\Program Files\common files" (with the "") and click 'OK'
Delete the Network Associates folder.
Close all windows
Click on Start|Run.
In the Open field, type X:\%windows%\system and hit return (where X is the drive letter where your Windows directory exists and "%windows%" is the name of your Windows directory) and click 'OK'
Delete the following files:
Avsmcpa.cpl
Inetwh32.dll
MCKRNL.VXD
MCSCAN32.VXD
MCUTIL.VXD
VSHIELD.VXD
VSHI
 