Network...are you talking about the Consumer products or the Enterprise products? What operating system and service pack is this appearing in and is it totally up to date, and did you run the Symantec removal tool before installing McAfee?
Just to add, previously we suspected the Conficker virus, but using separate antivirus tools, none of them reported it and no other virus has been detected.
I am using the Enterprise product for my company. We are running Windows XP with Service Pack 3. We have uninstalled Symantec.
These are some of the things that we have done:
1) Repair Windows.
2) Uninstall McAfee and reinstall it.
3) Shut down some unnecessary Windows services.
4) Apply whatever is being recommended by Microsoft in regard to the Conficker virus (we initially suspected this Conficker virus).
5) On those PCs on which we can successfully install McAfee, no virus has been detected, so I don't think there might be a worm in the network. We tried to compare the differences between a PC that is working and a PC with this problem, but we were not able to identify any (yes, we perhaps didn't do an intensive comparison).
Dude, it's possible that your computers are infected with Sality, which prevents installation of McAfee, as per our experience. I suggest you run the latest STINGER from the McAfee site (you can also try running the Conficker Stinger just to be sure). Also, obtain the latest SDAT and perform a safe-mode scan, because it's also possible that you guys are infected with a new variant of Conficker, as happened to us just last week. McAfee sent us an extra.dat for the variant of the Conficker virus. I'm sure the latest DAT can cater to that already, so you wouldn't need to have the extra.dat.
Thanks darkshyre. I will try that. It now sounds like a virus.
Right now I am running McAfee Stinger version 10.0.1.688 built on Nov 24 2009
Virus data file v5000 created on Nov 23 2009.
I am not sure whether Stinger would be able to detect any virus.
My next step is to download the latest DAT from McAfee and install this on the infected PC. Then try to run a scan on this PC.
The question is: if a PC on which McAfee has been installed is already infected with a virus, would updating the DAT and beginning a full scan be all right, or would the virus compromise this scanning too?
In the meantime, I will report more findings. Thanks.
Stinger detected conficker.worm!job.
I will try to do a full scan now with the latest dat.
Yo! I'm sorry if I didn't provide enough information. What I meant by "obtain the latest SDAT and perform a safe-mode scan" is that you are to use the SDAT itself as the scanner instead of updating your current installation of McAfee and then performing a scan. This is because sometimes AVs get compromised by viruses, and some viruses may even prevent installation of these security apps.
If you use the SDAT, it somewhat guarantees that you are using a "working" AV without having to install anything.
Since the SDAT has a HUGE size, it has other uses. My most recommended process is to do it in "safe-mode with command prompt only"
Here are the steps for your reference:
1) Download the SDAT
2) Put the SDAT in a single folder (i.e. SCAN <= name of the folder)
3) Extract the sdat by:
3.1) Open CMD
3.2) Browse to the directory of the SDAT (i.e C:\Scan)
3.3) Type in SDATxxxx.exe (where xxxx stands for the version) /e (i.e sdat5867.exe /e)
3.4) Wait for 2-3 minutes depending on the speed of the machine
3.5) Type in DIR and press enter
3.6) The total number of files in the SCAN folder (folder where you put the SDAT) should be 19 (including the SDAT itself) - just repeat this step until the total number of files is 19
3.7) Right-click the SCAN folder > Properties and set it to READ-ONLY
4) Of course the basics:
4.1) Delete TEMP, CACHE, Cookies, etc
4.2) Disable System restore
5) Restart Computer
6) On bootup, quickly press F8 to launch a menu that will let you pick which mode of login you want. Choose "SAFEMODE WITH COMMAND PROMPT ONLY"
7) Browse to the SCAN folder and then type in the following:
Scan.exe /clean /all /adl /winmem /program /unzip /analyze /report C:\Scan\report.txt /rptall
8) Once the scan is initiated, you will see a lot of gibberish words / graphics. You can tell if the scan is finished by typing CLS. After typing CLS, if it still looks like running gibberish graphics, then that means the scan is still ongoing.
9) After the scan is finished, you can check the report.txt and see if anything has been detected, failed to clean, etc.
You could also post the logs here if you want if you need more assistance.
This process almost always works for us. The only downside to this is you can only do this during long breaktimes or after office (OVERTIME oh no!!), since the end-user will not be able to use the computer during SAFEMODE W/ command prompt only.
That's good, Conficker requires a lot of reboots though. So you're gonna have to SCAN, then reboot, then SCAN again. If nothing gets detected, use Stinger; if nothing gets detected, use Microsoft's Malware removal tool; if nothing gets detected, use McAfee's Conficker Scanner tool, with which you can check which units within the network are infected with the Conficker virus.
This way you can immediately quarantine those machines and isolate them from the network to avoid further spreading to other clean machines.
Moved to General Malware Assistance > Corporate User Assistance.