"File is corrupt" when installing KB 835732 - virus locks certain file names??

From: Matt Montag (mmontag_at_iastate.edu)
Date: 05/03/04 

Date: 2 May 2004 18:39:33 -0700

I'm running Windows 2000 SP4 on the Iowa State campus nework. I
started getting the NT AUTHORITY SYSTEM shut down timer yesterday. It
has happened about 6 times total. However, I do not have
"avserve.exe" or other files referenced by antivirus sites on my
system.

I have tried to use several sasser/blaster removal tools and complete
system virus scans and they all come up clean without removing
anything.

Trendmicro's sysclean package reports Error -94 on any files with
COM.DLL in the name, and I'm sure the other av programs are having the
same problem reading these files:

VSCANTM Ver 1.0
Reading virus pattern from C:\lpt$vpn.879(187900) (2004/05/01)
(187900)
Scanning c:\program files\Common Files\Microsoft...\REPCOM.DLL->
<<ERROR (-94)>>
Scanning c:\program files\Common Files\Koda...\IEKCPS_DCOM.dll->
<<ERROR (-94)>>
Scanning c:\program files\Common Files\Crystal D...\u2lcom.dll->
<<ERROR (-94)>>
Scanning c:\program files\NetMeeting\nmcom.dll-> <<ERROR (-94)>>
Scanning c:\program files\Netscape\Netscape 6\xpcom.dll-> <<ERROR
(-94)>>
Scanning c:\program files\CyberLink\PowerDVD\AppBarCom.dll-> <<ERROR
(-94)>>

I can install every windows update except for the critical 835732
update. I get a file error, and I have found that it is because
nmcom.dll (a Netmeeting support file included in the update) is locked
and inaccessible. It makes the update impossible. I need someone to
tell me all about how and why this is happening.

I have already tried:

-Symantec sasser worm removal tool (sasser not found)
-McAffee virus scan (clean system)
-Trendmicro sysclean package (clean system)
-AVG 6.0 virus scan (clean system)
-AdAware
-HijackThis
-Spybot Search & Destroy
-CWShredder (REMOVED SEARCHX VARIANT)
-Safe mode (file error still occurs)
-Terminating every possible service and process (file error still
occurs)

DETAILS ABOUT NMCOM.DLL BEING PROHIBITED...

When i run windows2000-kb835732-x86-enu.exe, i get an error:
"Extraction Failed! File is corrupt" message box, because it can't
write nmcom.dll to my disk. So I had a friend extract the windows
update for me, and send the unzipped files thru AIM. My AIM client
has an error when it tries to write nmcom.dll to my drive. I had him
rename the DLL to nmcom.x. This worked, then I renamed nmcom.x to
nmcom.dll. Then I ran the update setup file. It errored out, saying
"The file nmcom.dll is missing from the KB835732 installation. The
file must be present for KB835732 Setup to continue."

I checked the properties of nmcom.dll and the box no longer showed a
Version tab. It showed a file size, attributes, etc. but i believe it
was just reading information from the file table on the hard drive
(and had error when i tried to change attributes). So yes, the file
was virtually gone.

Then I tried creating a new text document (containing "hello
dsaffasdf") and I renamed it to nmcom.dll. The file was then
inaccessible. When I renamed it to nmcom.txt, the contents were
readable again. A series of tests renaming my text file and dragging
it back into notepad revealed the following: any files of the form
*com.dll* were unreadable.

NMCOM.DLL = bad
NMCOM.DLX = ok
NMCOM.DLLX = bad
XOM.DLL = ok
COM.DLL = bad
HELLO.ABCOM.DLL.TXT = bad

This behavior is exhibited in the same way on both my FAT32 and NTFS
partitions, and all NTFS security meddling is futile.

Relevant Pages
Quantcast