Matt Montag
Here's the summary: my system cannot read or write any files with
"COM.DLL" anywhere in the file name. I cannot save a text file with
the string "COM.DLL" in the file name. Not with admin privileges, not
from a console, not in safe mode. I *can* however rename, move, and
delete these files. I assume that's because those are file table
operations and they don't involve any access to the actual file
contents.
Here is the complete story:
I'm running Windows 2000 SP4. I started getting the Sasser
NT AUTHORITY SYSTEM shut down timer yesterday. It
has happened about 6 times total. However, I do not have
"avserve.exe" or other files referenced by antivirus sites on my
system.
I have tried to use several sasser/blaster removal tools and complete
system virus scans and they all come up clean without removing
anything.
Trendmicro's sysclean package reports Error -94 on any files with
COM.DLL in the name, and I'm sure the other av programs are having
the same problem reading these files:
VSCANTM Ver 1.0
Reading virus pattern from C:\lpt$vpn.879(187900) (2004/05/01) (187900)
Scanning c:\program files\Common Files\Microsoft...\REPCOM.DLL-> <<ERROR (-94)>>
Scanning c:\program files\Common Files\Koda...\IEKCPS_DCOM.dll-> <<ERROR (-94)>>
Scanning c:\program files\Common Files\Crystal D...\u2lcom.dll-> <<ERROR (-94)>>
Scanning c:\program files\NetMeeting\nmcom.dll-> <<ERROR (-94)>>
Scanning c:\program files\Netscape\Netscape 6\xpcom.dll-> <<ERROR (-94)>>
Scanning c:\program files\CyberLink\PowerDVD\AppBarCom.dll-> <<ERROR (-94)>>
I can install every windows update except for the critical 835732
update. I get a file error, and I have found that it is because
NMCOM.DLL (a Netmeeting support file included in the update) is locked
and inaccessible. It makes the update impossible. I need someone
awesome to tell me all about how and why this is happening.
I have already tried:
-Symantec sasser worm removal tool in safe mode (sasser not found)
-McAfee "stinger" virus scan in safe mode (clean system)
-Trendmicro sysclean package in safe mode (clean system)
-AVG 6.0 virus scan (clean system)
-AdAware 6
-HijackThis
-Spybot Search & Destroy
-CWShredder 1.57
(persistent infection with CWS.Searchx variant. is this the problem?)
-Safe mode (file error still occurs)
-Terminating every possible service and process (file error still
occurs)
DETAILS ABOUT COM.DLL BEING PROHIBITED...
When I run windows2000-kb835732-x86-enu.exe, I get an error:
"Extraction Failed! File is corrupt" message box, because it can't
write nmcom.dll to my disk. So I had a friend extract the windows
update for me, and send the unzipped files thru AIM. My AIM client
has an error when it tries to write nmcom.dll to my drive. I had him
rename the DLL to nmcom.x. This worked, then I renamed nmcom.x to
nmcom.dll. Then I ran the update setup file. It errored out, saying
"The file nmcom.dll is missing from the KB835732 installation. The
file must be present for KB835732 Setup to continue."
I checked the properties of nmcom.dll and the box no longer showed a
Version tab. It showed a file size, attributes, etc. but I believe it
was just reading information from the file table on the hard drive
(and had an error when I tried to change attributes). So yes, the file
was virtually gone.
Then I tried creating a new text document (containing "hello
dsaffasdf") and I renamed it to nmcom.dll. The file was then
inaccessible. When I renamed it to nmcom.txt, the contents were
readable again - *the file contents remained intact*. A series of tests
renaming my text file and dragging it back into notepad revealed the
following: any files of the form *com.dll* were unreadable.
NMCOM.DLL = bad
NMCOM.DL = ok
NMCOM.DLLX = bad
XOM.DLL = ok
COM.DLL = bad
HELLO.ABCOM.DLL.TXT = bad
This behavior is exhibited in the same way on my FAT32 and NTFS
partitions, and the problem is beyond NTFS security settings.
I just want to know how this is possible. If you know of any forums
where I'd have better luck with this, please tell me.
Thanks,
Matt
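
The rename test described in the post above, as an added example that is not part of the original post: it renames one probe file through each candidate name, records which names can no longer be read back, and infers the substring that separates "bad" from "ok". The probe file name, payload and function names are assumptions; the name list and outcomes in OBSERVED are copied from the post.

```python
import os
import tempfile

# Names and outcomes exactly as listed in the post's rename test.
OBSERVED = {
    "NMCOM.DLL": "bad", "NMCOM.DL": "ok", "NMCOM.DLLX": "bad",
    "XOM.DLL": "ok", "COM.DLL": "bad", "HELLO.ABCOM.DLL.TXT": "bad",
}

def probe(directory, names, payload=b"hello probe"):
    """Rename one file through each name; 'bad' if it cannot be read back."""
    results = {}
    current = os.path.join(directory, "probe.tmp")  # hypothetical probe name
    with open(current, "wb") as f:
        f.write(payload)
    for name in names:
        target = os.path.join(directory, name)
        os.rename(current, target)   # renames still worked for the poster
        current = target
        try:
            with open(target, "rb") as f:
                results[name] = "ok" if f.read() == payload else "bad"
        except OSError:
            results[name] = "bad"
    os.remove(current)               # deletes still worked as well
    return results

def infer_trigger(results):
    """Longest substring found in every 'bad' name and in no 'ok' name."""
    bad = [n.lower() for n, r in results.items() if r == "bad"]
    ok = [n.lower() for n, r in results.items() if r == "ok"]
    if not bad:
        return None                  # nothing is blocked on this machine
    base = min(bad, key=len)         # the trigger must fit in the shortest bad name
    for length in range(len(base), 0, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in b for b in bad) and not any(cand in o for o in ok):
                return cand
    return None

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        live = probe(d, OBSERVED)
    print("results on this machine:", live)
    print("trigger on this machine:", infer_trigger(live))
    print("trigger from the post's table:", infer_trigger(OBSERVED))
```

On an unaffected system every name reads back and no trigger is inferred; running it on each partition separates a name-based filter from a per-volume permission problem.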