[printerguru]

After updates on NT Server running Netshield from Network Associates and addition of Adaware SE and Spybot encountered the following:

Application Exception occurred:
APP:.\Release\Mcshield.exe
Exception number: C0000005(access violation) at Address 0x12029f77

AND then a

Application Exception Occurred:
APP:.\vstskmgr.exe
Exception Number: c0000005(access violation) at Address 0x12029f77

Logfile of HijackThis v1.99.0
Scan saved at 10:09:01 AM, on 1/21/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\llssrv.exe
C:\Program Files\Tripp Lite\PowerAlert\Server\portmgr.exe
C:\Program Files\Tripp Lite\PowerAlert\Server\paserver.exe
C:\Program Files\Tripp Lite\PowerAlert\Server\PAWebSvr.exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\DACONFIG.EXE
C:\WINNT\System32\loadwc.exe
C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE
C:\WINNT\System32\HPJETDSC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Tripp Lite\PowerAlert\Client\status.exe
C:\WINNT\System32\ddhelp.exe
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
C:\WINNT\Profiles\Administrator\Desktop\spybotsearchanddestroy\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O1 - Hosts: 216.127.151.157 KITE # Ethernet I/O 1 = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [FcpEXE] "C:\Program Files\Network Associates\NetShield NT\fcp.exe"
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: Logview.lnk = C:\Program Files\Tripp Lite\PowerAlert\Server\logview.exe
O4 - Startup: PowerAlert Status.lnk = C:\Program Files\Tripp Lite\PowerAlert\Client\status.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PATTCO
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PATTCO
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 216.127.136.200 216.127.136.209
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 216.127.136.200 216.127.136.209
O23 - Service: Network Associates Alert Manager - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: Crystal Info Agent - Seagate Software Information Management Group, Inc. - D:\Crystal\winnt\ciagnt32.exe
O23 - Service: Crystal Info APS - Seagate Software Information Management Group, Inc. - D:\Crystal\winnt\aps32.exe
O23 - Service: Crystal Info Sentinel - Seagate Software Information Management Group, Inc. - D:\Crystal\winnt\sentnl32.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
O23 - Service: PowerAlert Enterprise Server - Unknown - C:\Program Files\Tripp Lite\PowerAlert\Server\mgrsvr.exe
O23 - Service: PowerAlert NAL Server - Unknown - C:\Program Files\Tripp Lite\PowerAlert\Server\netalert.exe
O23 - Service: PowerAlert Port Manager - Unknown - C:\Program Files\Tripp Lite\PowerAlert\Server\portmgr.exe
O23 - Service: PowerAlert Remote Shutdown - Unknown - C:\Program Files\Tripp Lite\PowerAlert\Server\remotesd.exe
O23 - Service: PowerAlert Server - Unknown - C:\Program Files\Tripp Lite\PowerAlert\Server\paserver.exe
O23 - Service: PowerAlert Web Server - Unknown - C:\Program Files\Tripp Lite\PowerAlert\Server\PAWebSvr.exe
O23 - Service: Provide Local CMD Redirect - Unknown - C:\WINNT\system32\RemoteNC.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

In my mind I have overlooked a step and I have either deleted or improperly executed a step after having scanned the system with newly installed Spybot or Adaware SE. both Mcshield.exe (187kb) and vstskmgr.exe (136kb)are still resident where they should be.

Killer help is required as our virus shield is down on our server.

Thanks in advance.

printerguru

[Advertisements]

I'm not noticing anything malicious in your log. Have your tried uninstalling, rebooting, and reinstalling Netshield?

[admin]

I'm not noticing anything malicious in your log. Have your tried uninstalling, rebooting, and reinstalling Netshield?

[printerguru]

Thanks for your insight!!!
Unfortunately, that is a catch 22. Our network administrator is no longer with us and the Netshield disk is apparently in a really safe place as no one has been able to locate it. As it is licensed, I am sure I can contact the factory for a new set. Ifind it curious that it happened after a Spybot and Adaware scan. Clearly one of them found something and I mistakenly deleted the quarantine file. Any other thoughts?
Printerguru

[printerguru]

Just another thought. Would a DRWATSON Tracelog help?
Printerguru

[admin]

Spybot and Adaware aren't designed to be run in an enterprise environment (they're for personal use). I wouldn't be terribly surprised if they removed something that maybe they shouldn't have.

Maybe someone else will have a recommendation for recovering without the install CD.

[printerguru]

Clearly I have made a mistake and the beating will continue until I have corrected it. I appreciate your assistance and candor. Any light that may be shared is greatly appreciated.

[printerguru]

I have loaded the latest SDAT file from Mcafee and it has resolved the problem. While I find this curious, the system was returned to service. One can draw your own conclusions.

[admin]

Thanks for the update. Somtimes it's the simplest things...

[printerguru]

Indeed.....thanks again!