1 2 Previous Next 12 Replies Latest reply on Nov 19, 2009 10:13 AM by sbgospe

    Winxp boot files detected as virus on remote disk?

      Hi.  I have an older version of virus scan (4.5.1, I think).  It's at least 3-4 years old.  I had a nasty bout with something called Windows Defender, that, quite frankly, my Mcafee product could not take care of.  I loaded Malwarbytes and it took care of it.  I then decided to re-scan my disk with Macafee, just to be sure.


      My system is a dual boot system (I use System Commander to manage the OS booting options).  So, I have two instances of Windows XP, on two different partitions. Here is my problem:  The problem with System Defender (which Malware removed) was on my second partition.  I booted into my 1st partition, and asked Mcafee to scan my 2nd partition that I made visible to the first partition. It found MANY problems, and I set the default to "delete."  Now I can no longer login into WinXP on the second partition:  it logs me on/logs me off immediately.  There are a number of posts on the web for how to get around this problem. In essence, they suggest restoring a file called "system userinit.exe" to the \system32 sub-directory.  I did verify that it is gone )(restoring did not help). I also verified that there are roughly320 executable files that are no longer listed under my system32 directory on the partition that I'm unable to login to. The good news is that I should be able to easily replace every, single one from the working partition.


      Here is my issue/question:  When I look through my log file (attached) I see pointers that show userinit.exe, but the location is underneath something called:  windows service packes.  I'm 99% sure the McAfee virus scan deleted all of these programs under system32 off of the windows directory, but the login file does not say anything about those, specific files.  Why?  Is there some other log file I should have?  Is the reason why it is not a good idea to scan a mounted drive with an OS (like WinXP) loaded on it when not booted into that actual OS on that partition?  Clearly there must be. What should I do to recover, other than re-load Winxp (risky, as I say, this is a multiple boot OS....and I don't want to screw up the partition that does work!)





        • 1. Re: Winxp boot files detected as virus on remote disk?
          Peter M

          Assuming you are talking about home products here VirusScan 4 hasn't been supported in years.  Only this years model (13) and last years (12) are supported.  In Enterprise only version 8 is supported.


          I can't even begin to tell you what to do other than get up to date protection as we no longer even have the help files available.  If that model had a quarantine folder it's possible that those files can be restored from it back to where they came from?  Or perhaps a System Restore if it was set to backup all partitions?

          • 2. Re: Winxp boot files detected as virus on remote disk?

            Thanks for your response.  Well, the dat files still update-so I continue to use the product.


            I do have a quaratine folder.   Even if it is an out of date program, can you explain how the quaratine process works?  How does one "un-quaratine" and restore?


            I can not use system restore.  I turned it off when I scanned! I didn't expect to damage my system, and thought that some virus's can still hide that way.


            Irrespective of how old the program is, I'd still like to understand if my conjecture is right:  would scanning a drive with all of those winxp OS files potentially cause the program to find and delete them?


            Anyway, thanks for the help.  Anyone else have a thought before I blinding start to pretty much copy everything from my first partition under c:\windows\system32 to my partition with the no longer booting WinXP OS?



            • 3. Re: Winxp boot files detected as virus on remote disk?
              Peter M

              As I realise now that VirusScan 4.5.1 was an Enterprise product I'm moving this to that section.  I will alert internally to have someone qualified to look at this.

              • 5. Re: Winxp boot files detected as virus on remote disk?

                The short answer to your problem is that your engine is most likely out of date. With an older Engine, newer DATs will report whitelisted and artemis detections as false positives.


                You might be able to use a current SuperDAT to update your engine. If it says your product is no longer supported (it's not, since it's End of Life), you can try to manually install the engine files. Remember there is no official support for these outdated products.


                End of Life -> http://www.mcafee.com/us/enterprise/products/end_life.html

                End of Life for more Recent products -> http://www.mcafee.com/us/enterprise/support/customer_service/end_life.html

                • 6. Re: Winxp boot files detected as virus on remote disk?

                  Hi Mark:


                  Just want to be sure I follow:  You are saying that all of these executables that actually should not have been deleted could have shown up as false positives, but because the engine was out of date....and because I said to delete anything found, they were deleted.  Is this correct?


                  I understand the product is no longer supported, so you suggestions are appreciated.    I just wish there was a log file that told me exactly what was deleted....I could just replace each of those files. It was about 200 some odd files!



                  • 7. Re: Winxp boot files detected as virus on remote disk?


                    You are correct in your understanding of what happened. To be even more clear, the current 5400 engine added whitelisting (do not scan well known windows files) to enhance scanning performance. There also was artemis and heuristic technology added in the 5300 series engine. As these new detections were added to the DATs, the newer engine knows to pick up these detections and report them appropriately. However, the older engine has no idea and will mistakenly report those files as viruses.

                    It has been so many years since I've used VSE 4.5.x but usually the VSE products keep a quarantine (backup) copy of files detected and removed. You might be able to to restore the files through that interface if it exists.

                    The best option overall to use in VirusScan for repair is "Clean".

                    You might be able to update the engine manually by getting a copy of the 5400 engine EPO package ZIP file (epo5400eng.zip -> engmin.zip) and extracting the contents of that file to the location of the current engine (Files: McScan32.dll, License.dat, Messages.dat)

                    http://www.mcafee.com/apps/downloads/security_updates/engines.asp?region=us&segm ent=enterprise

                    http://download.nai.com/products/licensed/superdat/engine/intel/5400/epo5400eng. zip

                    Again, this is all not supported or even tested by me. The results of the scanner working or its detection abilities is not guaranteed at all.

                    If you do decide to give it a try, I would be interested in your results. Be sure to test your detection abilities with eicar ( http://www.eicar.org/anti_virus_test_file.htm ) at least.

                    I suggest you upgrade to VSE 8.7i.



                    Message was edited by: Mark (secured2k) on 11/18/09 4:48 PM
                    • 8. Re: Winxp boot files detected as virus on remote disk?

                      A side note: The log you posted indicates what was deleted. Your VSE attempted to delete some files twice and the second time generated the error since the file was already deleted. It would also be helpful to provide the MalwareBytes log to see if it deleted any key files.

                      • 9. Re: Winxp boot files detected as virus on remote disk?



                        I don't think it's as simple as that.. In order to update the scan engine on the older versions of VirusScan, such as VS 4.5.1 SP1, there were two different files that needed to be extracted from the engine superdat and copied to the appropriate directory.. Yes, "mcscan32.dll" was required as it's the main engine file...but "mcscan32.vxd" (usually in the "C\Windows\System" folder) was also needed.. Unfortunately, with previous efforts to manually update the older version, we found it necessary to mix and match those files depending on the operating system and it wasn't always successful.. And although I haven't checked recently, I don't think the .vxd file is included in the superdat package any longer.


                        Hope this helps.



                        1 2 Previous Next