Re: SPR/Madtol.C program
From: Kayman (Kayman_at_discussions.microsoft.com)
Date: Fri, 15 Jul 2005 04:20:02 -0700
I disabled both firewalls (Windows and Norton 2003). Then I downloaded
McAfee. During this download operation the following message was visible:
connect to ftp.nai.speedera.net.
220-ftp.nai.com FTP server <SFIPD>
331 Password required for user.
230 User anonymous logged in.
ftp> lcd c:\AV-CLS\McAfee
Local directory now c:\CLS\McAfee.
200 TYPE set to I.
Hash mark printing On ftp: <2048 bytes/hash mark>.
Interactive mode Off.
200 PORT command successful.
150 Opening BINARY mode data connection
During the download operation an error message appeared: "SDStbRes.dll: The
specified module could not be found". This message however disappeared after
10 seconds or so.
After completion of the download operation a small McAfee Command Line Scanner
window appeared: "Do you want to run a scan now"? "Yes" "No".
I clicked Yes. The scan did not run but the NT based OS AV Command Line
Scanners Menu appeared instead. Well, I pressed the #3 key on my keyboard (#3
is to run McAfee, #2 is to run Trend and #1 is to run Sophos).
I rebooted the computer, accessed the appropriate folder and after the NT
Based OS AV Command Line Scanners Menu appeared I hit #3 again.
The following error message was displayed:
c:\AV-CSL\McAfee\update.ini not opened for READ, error code 
I ran another RootKitRevealer scan, which found one (1) discrepancy:
Path: C:\Document and Settings\Pattaya2005\LocalSettings\Temp\~DFEE6C.tmp
Time Stamp 7/15/2005, 12:17PM, Size: 32KB
Description: Visible in Windows API but not in MFT or directory index.
Well David, I hope all this helps to come up with a solution, Thanks!!
"David H. Lipman" wrote:
> From: "Kayman" <Kayman@discussions.microsoft.com>
> Replies are inline....
> | Dear David:
> | I am positively sure that the Windows firewall was disabled. You see when
> | disabling the Norton firewall a warning balloon pops up indicating that my
> | computer may be at risk because of disabling the security system. The balloon
> | would not appear if the windows Firewall was enabled. I always double check
> | that the windows firewall is disabled as I am aware that it is not
> | recommended to run 2 firewalls simultaneously. Also, I did not encounter any
> | problems when recently I downloaded McAfee Virus Cleaner and Removal Tool.
> | I read the threads re: Windows Firewall and must say that all this is a bit
> | beyond my comprehension. Grateful if you could advise the following re:
> | Windows Firewall/Added Settings (FTP Settings):
> | a) Description of Service: ?
> | b) Name of IP address (for example 192.168.0.12) of the computer hosting
> | this service on your network: Where can I find this information?
> | c) External Port Number for this Service: ?
> 20 - 21
> | d) Internal Port Number for this Service: ?
> | e) Which box needs to be checked, TCP or UDP ?
> | After the FTP Settings have been completed, do I have to delete and re-download
> | the McAfee Command Line Scanner?
> Just choose McAfee from the Multi AV Vendor scanner menu
> | Another Rootkitrevealer Scan revealed the following discrepancy:
> | HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
> | 7/14/2005, 6:57, 80 bytes
> | Description: Data mismatch between Windows API and raw hive data
> | If this has to be removed I need to know how to access HKLM...
> | Regards,
> Run Regedit
> HKLM stands for: HKEY_LOCAL_MACHINE
> Then follow the path: SOFTWARE\Microsoft\Cryptography\RNG
> However, I doubt it is your problem and should be left alone!
> Unfortunately, I don't have a WinXP SP2 box in front of me so I can't provide specific
> FireWall information. The EASIEST way to deal with the FireWall issue is to DISABLE the
> FireWall prior to choosing "McAfee" from the Multi AV Vendor scanner menu then re-enabling
> it AFTER the files have been obtained.