Multi-AV

The Multi-AV Scanning Tool is distributed as a self-extracting ZIP file (Multi_AV.exe) that uses the KiXtart script interpreter (http://kixtart.org; KiXtart is CareWare) and incorporates multiple batch files, multiple KiXtart scripts, one link (.LNK) file, a PDF instruction help file and two utilities: UNZIP.EXE and WGET.EXE. Other files, such as UNRAR.EXE, will be downloaded as needed.

Download Multi-AV Scanning Tool
***NOTE: You may have to disable your software firewall or allow WGET.EXE through your firewall so that the utility can download the needed AV vendor files.

To use this utility, perform the following:
Execute: Multi_AV.exe (Note: you must use the default folder C:\AV-CLS)
Choose: Unzip
Choose: Close

Navigate to and execute C:\AV-CLS\StartMenu.BAT (or double-click 'Start Menu' in C:\AV-CLS).

This will bring up the initial menu of choices* and should be executed in Normal Mode, so that all the components can be downloaded from each anti-malware vendor's web site. The choices are: Sophos, Trend Micro, Avira, Kaspersky and Emsisoft, Exit this menu, and Reboot the PC.

[screenshot: multiav01]

* When the menu is displayed, pressing 'H' or 'h' will bring up the included PDF help file.

Sophos, Trend, Avira, Emsisoft and Kaspersky Modules

To perform a scan using these vendors' scanners, choose the number on the menu corresponding to the anti-virus scanner you wish to run. The scripts will automatically obtain the respective vendor's files for you; you don't need to have them already resident on your computer. The Multi-AV Scanning Tool assumes by default that the PC has an Internet connection. If an alternate PC is used to download the needed files and the Multi-AV Scanning Tool is then ported to an infected PC that is NOT connected to the Internet, you can press "N" on the menu to indicate that the PC is not connected to the Internet. This procedure is explained in the "Using an alternate computer to download needed anti virus module files" section of this document.

After the files have been downloaded to your computer and made ready to use, you will be prompted whether you want to run the scanner. If you want to perform a scan, click "Yes"; if you do not (for example, because you want to perform the scan in Safe Mode), choose "No". If you choose No or ignore the prompt, you are returned to the main menu. An example prompt for the Sophos scanner is shown below.

[screenshot: SCLS1]

If you choose to perform a scan, you will be prompted whether you want to scan a particular folder or location. An example prompt for the Sophos scanner is shown below.

[screenshot: SCLS2]

If you choose "No", the anti-malware scanner will scan all hard disks on the computer. If you choose "Yes", you will be prompted to type the path of the folder or drive to be scanned; the scanner will then scan that location and all folders below it. If the drive or folder does not exist (for example, because of a typing error in the folder location), you will again be prompted to type the path of the folder or drive to be scanned.

On a Windows 95, Windows 98, Windows ME or a Windows NT4 PC you will get the following dialogue to enter the location to be scanned.

[screenshot: SCLS3]

On Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 2003 Server and Windows 2008 Server you will get the following browsing dialogue to choose the location to be scanned.

[screenshot: SCLS4]

Trend Micro Module

Choosing the number on the menu corresponding to Trend will automatically obtain the required Trend Micro files; you do not need to have them already resident on your computer. Besides being able to clean traditional viruses and Trojans, the Trend Sysclean engine also has an anti-spyware capability, which you can disable if you wish by unchecking the "Enable Spyware Scan" button.

After the files have been downloaded to your computer and made ready to use, you will see something similar to the following. By clicking the "Advanced" button you can choose to scan a specified folder or drive; if none is chosen, Sysclean will scan all hard disks.

[screenshot: trend1]

The following is the Trend Sysclean view after clicking the "Advanced" button.

[screenshot: trend2]

Avira Module

The Avira module is much like the Sophos module in that it has a detect-only mode and a removal mode. However, the Avira module will query you as to the action to take on a given detection. The two queries are for direct signature detection and heuristic detection, followed by the action to take. The queries appear on screen and are also recorded in the Avira ScanReport.txt log file.

 

1. Move
2. Rename
3. Delete file
4. Ignore
5. Disarm

Choose an action :

Apply selected action to :

1. This file only
2. All files infected with [ MALWARE_DETECTION_NAME ]
3. All infected files

 

Kaspersky Module

 

The Kaspersky module is based upon an older DOS scanner. Because it is not a Win32 or Win64 compliant application, its use has become limited. It will work on Windows XP 32-bit and below, but seems to fail to load signatures properly under Windows Vista and Windows 7 and won't work under any 64-bit OS. When the Multi-AV Scanning Tool is used under a problematic OS it will display ** Kaspersky not available ** as shown below.

[screenshot: kap1]

Another limitation is the number of files and folders to be scanned and the folder depth. It is suggested to use the Kaspersky module to scan sub-folders rather than entire disks.

Because the Kaspersky scanner is a DOS scanner, all files and folders will be displayed and logged using 8.3 file notation.

Emsisoft Anti-Malware Engine Menu

The Emsisoft Anti-Malware sub-menu is different because it has been implemented to take full advantage of the scanner's quarantine capability. The Emsisoft Anti-Malware scanner also implements an NT Service that can be installed for limited accounts, so that malware can be removed without administrative rights under Windows Vista and Windows 7.

The Emsisoft Anti-Malware scanner differs from the other scanners, which are more or less file-level scanners. It takes a more holistic approach: it doesn't just scan files and the Registry but scans the operating system starting with the running processes.

Choosing the Emsisoft Anti-Malware Engine Menu from the main menu displays the following.

[screenshot: emsoft1]

From the above menu you can perform the scan, view the contents of the Emsisoft quarantine, delete quarantined files, restore quarantined files to their original locations or remove the Emsisoft Anti-Malware NT Service.

The Emsisoft Anti-Malware module defaults to using the quarantine capability of this scanner. You can choose not to use the quarantine capability by pressing "D" from the Emsisoft menu; pressing "U" re-enables it.

Choosing "1." from the Emsisoft menu will cause the latest engine and signature files to be downloaded.

After the files have been downloaded to your computer and made ready to use, you will be prompted whether you want to run the scanner. If you want to perform a scan, choose "Yes"; if you do not (for example, because you want to perform the scan in Safe Mode), choose "No". If you choose No or ignore the prompt, you are returned to the main menu. An example prompt for the Emsisoft Anti-Malware scanner is shown below.

[screenshot: emsoft2]

If you choose to perform a scan of a chosen location, the Emsisoft Anti-Malware scanner will scan memory and all running processes (and their loaded modules) before scanning the files and sub-folders of the chosen folder or location. An example prompt for the Emsisoft Anti-Malware scanner is shown below.

[screenshot: emsoft3]

If you choose "No", the anti-malware scanner will scan all hard disks on the computer. If you choose "Yes", you will be prompted to type the path of the folder or drive to be scanned; the scanner will then scan that location and all folders below it. If the drive or folder does not exist (for example, because of a typing error in the folder location), you will again be prompted to type the path of the folder or drive to be scanned.

 

Choosing "2." from the Emsisoft menu will allow you to view what is in the quarantine. A text file will be generated that shows an "ID" and an associated "Object". The Object is the fully qualified name and path of the item that was quarantined, together with what it was detected as; it may be a disk file or a Registry entry. The ID is a number that represents the quarantined Object, and it is the number to use when restoring the object.

 

Example entry from the quarantine report:
20 Key: HKEY_LOCAL_MACHINE\software\Driver Robot detected: Trace.Registry.DriverRobot!A2
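To make the ID/Object pairing concrete, here is an added example (not part of the Multi-AV Scanning Tool or of Emsisoft's own code) that parses report lines of the form shown above into ID, kind, object and detection name, and looks up the ID to type into the restore prompt from a fragment of the object's path. The second sample line, its "File:" layout and its detection name are constructed assumptions, as are the function names.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of the quarantine report text. The first entry is the one
# quoted in the text; the second is a constructed file entry that assumes disk
# files are reported with the same "<ID> <Kind>: <Object> detected: <Name>" layout.
SAMPLE_REPORT = """\
Emsisoft Anti-Malware quarantine (constructed header line)
20 Key: HKEY_LOCAL_MACHINE\\software\\Driver Robot detected: Trace.Registry.DriverRobot!A2
21 File: C:\\Documents and Settings\\User\\Local Settings\\Temp\\setup_x.exe detected: Example.Trojan!A2
"""


class QuarantineEntry(NamedTuple):
    id: int          # number used to restore (menu item 3) or delete (menu item 4) the object
    kind: str        # "Key" for a Registry entry, "File" for a disk file (the word before the colon)
    object: str      # fully qualified path or Registry key
    detection: str   # detection name assigned by the scanner


# <ID> <Kind>: <Object> detected: <Detection>; the object is matched lazily so
# that spaces inside paths ("Driver Robot", "Documents and Settings") survive.
ENTRY_RE = re.compile(r"^(?P<id>\d+)\s+(?P<kind>\w+):\s+(?P<obj>.+?)\s+detected:\s+(?P<det>\S+)\s*$")


def parse_quarantine_report(text: str) -> List[QuarantineEntry]:
    """Return every line that parses as a quarantine entry; other lines are ignored."""
    entries: List[QuarantineEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(QuarantineEntry(int(m["id"]), m["kind"], m["obj"], m["det"]))
    return entries


def find_id(entries: List[QuarantineEntry], object_substring: str) -> Optional[int]:
    """Look up the ID to type into menu item 3 from a fragment of the object's path or key."""
    needle = object_substring.lower()
    for e in entries:
        if needle in e.object.lower():
            return e.id
    return None


def count_by_kind(entries: List[QuarantineEntry]) -> Dict[str, int]:
    """How many Registry traces versus disk files are sitting in quarantine."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_quarantine_report(SAMPLE_REPORT):
        print(f"ID {e.id:>3}  {e.kind:<4} {e.object}  ->  {e.detection}")
```

Because the object field can contain spaces, the parser anchors on the literal "detected:" token rather than splitting on whitespace; a report line that does not fit the layout is skipped rather than mis-parsed.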

 

Choosing "3." from the Emsisoft menu will allow you to choose what "Object" is to be restored from quarantine by providing the ID number of the Object in quarantine.

Choosing "4." from the Emsisoft menu will allow you to delete individual objects from the Emsisoft quarantine. To delete all items within the quarantine, delete the folder C:\AV-CLS\A2\quarantine.

Choosing "5." from the Emsisoft menu will allow you to remove the Emsisoft Anti-Malware NT Service.

 

Additional information on the use of this tool

[screenshot: mav01]

'Remove/Delete' and 'Detect Only' Modes of Operation.

 

There are two modes of operation; Remove/Delete and Detect Only.

 

The software defaults to the Remove/Delete mode, which means that any files deemed to be infected will be automatically removed from the system if they cannot be cleaned. If you want to use the Multi-AV Scanning Tool just to detect malware and not delete it, press the letter "D" to place the software in Detect Only mode. Files found to be infected will be logged but neither cleaned nor deleted from the system; you will either have to delete them manually [not suggested] or later run a selective scan, telling the scanner where to scan based on the previously logged entries. These two modes of operation apply only to the Avira, Sophos and Kaspersky modules, since the Trend Micro Sysclean utility has a GUI selection for detection with or without file deletion and Emsisoft has a quarantine facility.

 

Anti Malware Modules

 

You can choose to go to each menu item and just download the needed files, or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot], re-run the menu and choose which scanner you want to run in Safe Mode.

 

It would be helpful to read the following information…

 

"Perform a clean startup to determine whether background programs are interfering with your game or program" – http://support.microsoft.com/kb/331796

 

"How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7" – http://support.microsoft.com/kb/929135

 

NOTE: While in Safe Mode, shut down as many applications as possible prior to running the scanners!

 

C:\AV-CLS\KAVCLEAN.BAT
C:\AV-CLS\SOFCLEAN.BAT

For use on a Win9x/ME PC, or on a Windows 2000 or Windows XP PC using FAT32, after you have booted from an Emergency Boot Disk (EBD) or DOS disk and have already executed C:\AV-CLS\StartMenu.BAT and chosen Kaspersky and/or Sophos from the menu. These batch files execute the DOS command line scanners. If needed, DOS boot disk images can be obtained from http://www.bootdisk.com/bootdisk.htm

 

Additionally, on Windows 2000, Windows XP, Windows Vista and Windows 7 the batch files can be executed in "Safe Mode with Command Prompt".

 

If you are on Windows NT4, Windows 2000, Windows XP, Windows Vista or Windows 7, you can obtain a free personal copy of Avira NTFS4DOS and create an NTFS-capable DOS boot disk. Alternatively, you can purchase the full version for Windows 2003 and Windows 2008 Server.

 

Avira NTFS4DOS: http://www.free-av.com/down/windows/ntfs_h.exe

FreeDOS: http://www.freedos.org/ or http://sourceforge.net/projects/freedos/

After you boot from the DOS boot disk or are in "Safe Mode with Command Prompt", execute one or more of the following, depending on which modules you previously chose to download in Normal Mode:

 

C:\AV-CLS\KAVCLEAN.BAT – Kaspersky

 

C:\AV-CLS\SOFCLEAN.BAT – Sophos

 

 

Using a Proxy Server with the Multi-AV

 

There may be times when the Multi-AV Scanning Tool needs to be used in conjunction with a proxy server. The Multi-AV Scanning Tool has a file called Multi-AV.ini which indicates whether or not to use a proxy server and which server and port to use.

 

Under the heading [Proxy] are the directives enabled, server and port.

 

To enable the use of a Proxy Server set enabled=Yes

 

To disable the use of a Proxy Server set enabled=No (default setting)

 

Enter the IP address of the proxy server by setting the value of server to the IP address (or the name) of the proxy server.

 

Examples:

server=172.24.196.38

or

server=proxy1.hstn.comcast.net

 

Enter the port number of the proxy server by setting the value of port to the port number of the proxy server.

 

Examples:

port=8080

or

port=8118
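The following added example (not the tool's own code) reads the [Proxy] directives described above with Python's configparser and validates them before any download is attempted. It assumes the section header is written as [Proxy], and it returns the proxy in the http://server:port form that WGET accepts through the http_proxy environment variable; the function names and verdict strings are this example's own.

```python
import configparser
import ipaddress
import re
from typing import Optional

# Constructed Multi-AV.ini content using the [Proxy] directives the text documents,
# with the example server and port values from the text.
SAMPLE_INI = """\
[Proxy]
enabled=Yes
server=172.24.196.38
port=8080
"""

# Host name made of letters, digits and hyphens, with labels joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def load_proxy(ini_text: str) -> Optional[str]:
    """Return "http://server:port" when [Proxy] enabled=Yes, None when disabled or absent.
    Raises ValueError on a malformed directive so a typo is caught before the downloads
    fail with an unhelpful WGET error."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if not cfg.has_section("Proxy"):
        return None
    enabled = cfg.get("Proxy", "enabled", fallback="No").strip().lower()
    if enabled not in ("yes", "no"):
        raise ValueError(f"enabled must be Yes or No, got {enabled!r}")
    if enabled == "no":
        return None
    server = cfg.get("Proxy", "server", fallback="").strip()
    port = cfg.get("Proxy", "port", fallback="").strip()
    if not server:
        raise ValueError("server is required when enabled=Yes")
    try:
        ipaddress.ip_address(server)          # accepts a literal IPv4/IPv6 address
    except ValueError:
        if not HOSTNAME_RE.match(server):     # otherwise it must look like a host name
            raise ValueError(f"server is neither an IP address nor a host name: {server!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port must be a number from 1 to 65535, got {port!r}")
    return f"http://{server}:{int(port)}"


def check_proxy(ini_text: str) -> str:
    """One-line verdict suitable for a pre-flight check before starting the menu."""
    try:
        url = load_proxy(ini_text)
    except (ValueError, configparser.Error) as exc:
        return f"error: {exc}"
    return "disabled" if url is None else f"ok: {url}"


if __name__ == "__main__":
    print(check_proxy(SAMPLE_INI))
```

Running the check before StartMenu.BAT is the cheapest way to tell a proxy typo apart from a firewall that is blocking WGET.EXE, which otherwise look the same from the menu.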

 

 

Using an alternate computer to download needed anti virus module files

 

There may be times when you want to clean a PC that has no Internet connectivity or only very slow Dial-Up Networking (DUN). The approach is to install the Multi-AV Scanning Tool on a PC that does have Internet connectivity and carry the downloaded files to the affected PC.

 

1. Start the menu and choose each anti-malware module, but don't perform a scan in any of them. Quit each module after its files have been downloaded, then exit from the Multi-AV Scanning Tool.

 

2. Copy the C:\AV-CLS folder to a Read-Write media such as a USB Flash Drive, ZIP Disk or Memory Card. Alternatively you could burn the C:\AV-CLS folder to a CD-ROM.

 

3. Insert the USB flash drive, ZIP disk, memory card or CD-ROM in the affected computer and copy the .\AV-CLS folder from that media to the "C:" drive [Note: the destination on the affected computer must be the "C:" drive]. If you are using a CD-ROM, it is ONLY good for that day, as the anti-virus vendors will put out new signature files and/or engines and the files on the CD-ROM will quickly become out of date. Also note that if you use a CD-ROM, the files copied from it will be marked Read-Only on the hard disk; after the files are copied to the "C:" drive you should right-click the folder C:\AV-CLS, uncheck the Read-Only attribute and apply the change to all files and sub-folders. Due to the Read-Only nature of CD-ROMs, it is suggested to use read-write media whenever possible.

 

4. Now that the Multi-AV Scanning Tool has been copied to the infected PC, you can press "N" on the menu to indicate that the PC is not connected to the Internet. The software will then go straight to scanning the PC without trying to obtain the engine and signature files. You can now follow the normal instructions on the infected computer for running the menu in Normal Mode or Safe Mode, or using the batch files in Safe Mode with Command Prompt or after booting from a DOS disk (with or without NTFS4DOS), to clean the affected, non-Internet-connected computer.

 

Each Command Line Scanner (CLS) will subsequently create a log file of what has been done upon completion.

 

Sophos: The files for the Sophos CLS are located in C:\AV-CLS\Sophos and the log file is C:\AV-CLS\Sophos\ScanReport.TXT. At the end of the scan it will be displayed in your text editor, Notepad.

Kaspersky: The files for the Kaspersky CLS are located in C:\AV-CLS\KAV and the log file is C:\AV-CLS\KAV\ScanReport.TXT. At the end of the scan it will be displayed in your text editor, Notepad.

Trend: The files for the Trend Sysclean CLS are located in C:\AV-CLS\Trend and the log file is C:\AV-CLS\Trend\Sysclean.log. At the end of the scan it will be displayed in your text editor, Notepad.

Avira: The files for the Avira CLS are located in C:\AV-CLS\antivir and the log file is C:\AV-CLS\antivir\ScanReport.txt. At the end of the scan it will be displayed in your text editor, Notepad.

Emsisoft: The files for the Emsisoft CLS are located in C:\AV-CLS\A2; the log file is C:\AV-CLS\A2\ScanReport.txt and the quarantine report file is C:\AV-CLS\A2\A2Quarantine.wri. At the end of the scan, ScanReport.txt will be displayed in your text editor, Notepad, and A2Quarantine.wri will be displayed in WordPad.

 

Note: It is strongly suggested that you move each report out of the vendor's folder (C:\AV-CLS\<AV Vendor>) or save a new copy of the report before performing another scan, to avoid it being overwritten by subsequent scans. It is also good practice to scan in both Safe Mode and Normal Mode and to save a copy of the report from each session for later examination and comparison.
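As an added example (not part of the Multi-AV Scanning Tool), the script below implements the note's advice: it copies whichever of the report files listed above exist into a per-session folder named after the time and the mode (Safe Mode or Normal Mode), and compares two archived reports line by line. The C:\AV-CLS\Reports folder name, the demo's constructed report contents and the function names are assumptions of this example.

```python
import os
import shutil
import tempfile
from datetime import datetime
from typing import Dict, List, Tuple

# Report files per module, relative to the tool folder, as listed in the text.
REPORT_FILES = {
    "Sophos":    ["Sophos/ScanReport.TXT"],
    "Kaspersky": ["KAV/ScanReport.TXT"],
    "Trend":     ["Trend/Sysclean.log"],
    "Avira":     ["antivir/ScanReport.txt"],
    "Emsisoft":  ["A2/ScanReport.txt", "A2/A2Quarantine.wri"],
}


def archive_reports(base_dir: str, mode: str, when: datetime) -> Dict[str, List[str]]:
    """Copy each existing report under base_dir (normally C:\\AV-CLS) into
    base_dir/Reports/<YYYYmmdd-HHMM>-<mode>/<Vendor>/ and return {vendor: [copies]}.
    The Reports sub-folder is an assumption of this example, not part of the tool.
    Reports of modules that were not run are skipped; the originals stay in place."""
    tag = mode.strip().lower().replace(" ", "-") or "unknown"
    session = os.path.join(base_dir, "Reports", f"{when:%Y%m%d-%H%M}-{tag}")
    copied: Dict[str, List[str]] = {}
    for vendor, rel_paths in REPORT_FILES.items():
        for rel in rel_paths:
            src = os.path.join(base_dir, *rel.split("/"))
            if not os.path.isfile(src):
                continue
            dst_dir = os.path.join(session, vendor)
            os.makedirs(dst_dir, exist_ok=True)
            dst = os.path.join(dst_dir, os.path.basename(src))
            shutil.copy2(src, dst)      # copy2 keeps the report's original timestamp
            copied.setdefault(vendor, []).append(dst)
    return copied


def compare_reports(path_a: str, path_b: str) -> Tuple[List[str], List[str]]:
    """Lines unique to each report (e.g. Normal Mode versus Safe Mode of the same scanner)."""
    with open(path_a, encoding="utf-8", errors="replace") as fa, \
         open(path_b, encoding="utf-8", errors="replace") as fb:
        a = {line.rstrip("\r\n") for line in fa}
        b = {line.rstrip("\r\n") for line in fb}
    return sorted(a - b), sorted(b - a)


def demo() -> Tuple[Dict[str, List[str]], bool, Tuple[List[str], List[str]]]:
    """Build a constructed tool folder in a temp dir, archive two sessions, compare them."""
    base = tempfile.mkdtemp(prefix="av-cls-")
    os.makedirs(os.path.join(base, "Sophos"))
    os.makedirs(os.path.join(base, "A2"))
    sophos = os.path.join(base, "Sophos", "ScanReport.TXT")
    with open(sophos, "w") as f:                 # constructed Normal Mode report
        f.write("Scanning C:\\\n>>> Virus 'Example-A' found in C:\\temp\\a.exe\n2 files scanned\n")
    with open(os.path.join(base, "A2", "ScanReport.txt"), "w") as f:
        f.write("constructed Emsisoft report\n")
    normal = archive_reports(base, "Normal Mode", datetime(2011, 3, 4, 9, 0))
    with open(sophos, "w") as f:                 # constructed Safe Mode re-scan overwrites it
        f.write("Scanning C:\\\n2 files scanned\n")
    safe = archive_reports(base, "Safe Mode", datetime(2011, 3, 4, 9, 30))
    originals_intact = os.path.isfile(sophos)
    return normal, originals_intact, compare_reports(normal["Sophos"][0], safe["Sophos"][0])


if __name__ == "__main__":
    archived, _, (only_normal, only_safe) = demo()
    print(archived)
    print("only in Normal Mode report:", only_normal)
    print("only in Safe Mode report:", only_safe)
```

The demo shows why the note matters: the Safe Mode re-scan overwrote the Sophos report in place, and only the archived Normal Mode copy still carries the detection line.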

 

Multi-AV Scanning Tool's Running Process Killer

 

Included in the C:\AV-CLS folder is a file called killproc.txt, which is used to shut down (kill) running processes prior to scanning the platform. Two processes are already listed in the text file: Iexplore.exe (Internet Explorer) and firefox.exe (Firefox). To add more, append the process names to the text file, making sure the last line is a blank line.

 

For example, if the following processes needed to be shut down:
mszx23.exe, w32tm.exe, Tibs3.exe and rundll32.exe

[screenshot: mav02]

 

They would be appended to the list in killproc.txt, ensuring that the last line of the text file is a blank line. Then, prior to scanning the platform, all of the processes listed in the text file will be shut down (killed).

[screenshot: mav03]
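An added example, not code from the tool, that reads a killproc.txt in the format described above, flags entries that will not behave as expected (a missing trailing blank line, a path instead of an image name, a name without .exe), and performs a dry run against a constructed list of running process names without terminating anything. The PROTECTED set is this example's own safety check, not a rule of the tool, and the function names are assumptions.

```python
import ntpath
from typing import List, Tuple

# Constructed killproc.txt: the two entries shipped with the tool plus the four
# example names from the text, ending with the required blank line.
SAMPLE_KILLPROC = "Iexplore.exe\nfirefox.exe\nmszx23.exe\nw32tm.exe\nTibs3.exe\nrundll32.exe\n\n"

# Constructed snapshot of running process image names, as a task list might show them.
SAMPLE_RUNNING = ["System", "csrss.exe", "explorer.exe", "firefox.exe",
                  "RUNDLL32.EXE", "notepad.exe", "Tibs3.exe"]

# Processes this example refuses to put on the kill list (an assumption of this
# example, not a rule of the tool): terminating them crashes or logs off the session.
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_killproc(text: str) -> Tuple[List[str], List[str]]:
    """Return (image names in lower case, warnings about entries that will not behave as expected)."""
    warnings: List[str] = []
    if not text.endswith("\n"):
        warnings.append("file does not end with a blank line as the tool requires; the last entry may be ignored")
    names: List[str] = []
    for raw in text.splitlines():
        name = raw.strip()
        if not name:
            continue                              # the trailing blank line, or stray empty lines
        if "\\" in name or "/" in name:
            warnings.append(f"entry is a path, only the image name is matched: {name}")
            name = ntpath.basename(name)          # ntpath handles Windows paths on any host OS
        if not name.lower().endswith(".exe"):
            warnings.append(f"entry lacks an .exe extension and will not match an image name: {name}")
        if name.lower() in PROTECTED:
            warnings.append(f"refusing to list a core system process: {name}")
            continue
        names.append(name.lower())
    return names, warnings


def plan_kills(killproc_text: str, running: List[str]) -> Tuple[List[str], List[str]]:
    """Dry run: which of the running image names would be shut down before the scan.
    Matching is case-insensitive, as Windows file names are."""
    names, warnings = parse_killproc(killproc_text)
    wanted = set(names)
    return sorted(p for p in running if p.lower() in wanted), warnings


if __name__ == "__main__":
    to_kill, warns = plan_kills(SAMPLE_KILLPROC, SAMPLE_RUNNING)
    print("would shut down:", to_kill)
    for w in warns:
        print("warning:", w)
```

Reviewing the dry-run list before the scan is the practical check: an entry such as explorer.exe would never be flagged by the tool, but seeing it in the plan makes the mistake obvious before anything is killed.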

 

When the main menu is displayed, pressing 'E' or 'e' will open Notepad with the killproc.txt text file for easy editing.

 

Utility Notes:

 

1. If a 'hosts' file is found by this utility, it will be renamed from 'hosts' to 'hosts.bak', since malware has a tendency to modify the 'hosts' file to block access to anti-virus vendor web sites, which could block the download of the needed anti-malware module engine and signature files.

 

2. The directory C:\AV-CLS is hard-coded and should not be changed. This makes it easier to access files and folders from a DOS/Command Prompt (no GUI) using a simple 8.3 naming convention and a standard location.

 

3. Because malware often modifies AUTOEXEC.NT and CONFIG.NT, these files will be renamed with the .BAK extension and the OS default files restored. This helps ensure that other software that uses those files runs correctly and without errors.

 

4. You may have to disable your software firewall or allow WGET.EXE through your firewall so it can download the needed anti-malware vendor files. Allowing WGET.EXE through your firewall is the preferred method. In Windows XP SP2 and above, the operating system should ask the user whether WGET.EXE should be allowed through the operating system's embedded firewall.

 

5. On Win9x/ME platforms a backup of WIN.INI and SYSTEM.INI will be made (with the .BAK extension) and both will be examined to ensure that the SYSTEM.INI SHELL= statement is set to shell=explorer.exe and the WIN.INI LOAD= and RUN= statements are set to null. If the SHELL= line is anything other than shell=explorer.exe, it will be set to shell=explorer.exe, and if the LOAD= and/or RUN= lines are not null they will be set to null, since these are vectors for loading malware.

 

6. If you run the Sophos CLS from a DOS boot disk or from a DOS boot disk with NTFS4DOS, the log file will conform to the DOS 8.3 naming convention and will be called C:\AV-CLS\Sophos\AVReport.txt

 

7. If you run the Kaspersky CLS from a DOS boot disk or from a DOS boot disk with NTFS4DOS, the log file will conform to the DOS 8.3 naming convention and will be called C:\AV-CLS\KAV\AVReport.txt

 

8. Continued use of the respective anti malware scanners will keep them up to date since they will download the most recent signature and engine files for you.

 

9. If you are using Win9x/NT4 and the MULTI-AV SCANNING TOOL fails to run because Windows Management Instrumentation (WMI) is corrupt or missing, you can download v1.5 of the WMI files at: http://www.microsoft.com/downloads/details.aspx?familyid=AFE41F46-E213-4CBF-9C5B-FBF236E0E875&displaylang=en

 

10. The Kaspersky module will not work under Win64 based Operating Systems. Therefore it will not be available as a selection when the MULTI-AV SCANNING TOOL is used on a Win64 based Windows OS.

 

11. The Avira scanner defaults to "Low" Heuristic Detection level.

 

12. If the Avira license key is missing or has expired, the Avira module will indicate this through a pop-up dialogue and then try to download a replacement license key. The PC needs Internet access to replace the license key.

 

13. The StartMenu.bat file copies the KiXtart script interpreter's executable, kix32.exe to kix32.com and then executes kix32.com to thwart malware that specifically blocks the execution of EXE files.

 

14. The KiXtart script interpreter is the basis of this command line scanner front-end utility. KiXtart does NOT allow you to close the Win32 console by choosing the close window "x" in the top right corner of the application window; doing so will cause KiXtart to close and log off the user. To exit the Multi-AV Scanning Tool you must choose the "Quit/Exit" function from the Multi-AV Scanning Tool menu.

 

15. Under 64-bit Windows 7 you may have to be logged on with an administrative account, or right-click the StartMenu.BAT or "Start Menu" link file and choose "Run as administrator", for the utilities to work.
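Notes 1 and 5 above describe two checks the utility performs. The following added example (not the tool's KiXtart code) shows the logic behind both in Python: it reports hosts-file entries that name one of the five vendors' sites, and it forces the SYSTEM.INI shell= line to explorer.exe and the WIN.INI load=/run= lines to null while preserving every other line. The sample file contents are constructed and the function names are this example's own; writing the results back to disk (after the .BAK copy the note mentions) is left to the caller.

```python
from typing import List, Tuple

# Constructed SYSTEM.INI and WIN.INI fragments with tampered shell= and load= lines
# (the vectors described in note 5); every other line must survive untouched.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe c:\\windows\\temp\\svchost.exe\ndrivers=mmsystem.dll\n\n[386Enh]\ndevice=*vmm\n"
SAMPLE_WIN_INI = "[windows]\nload=c:\\windows\\sys32.exe\nrun=\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n"

# Constructed hosts file: two entries redirect vendor sites (note 1), one is legitimate.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1       www.sophos.com
0.0.0.0         dl.emsisoft.com   # constructed tampered entry
192.0.2.10      intranet.example
"""

# Name fragments of the vendors whose sites the modules download from (from the text).
VENDOR_KEYWORDS = ("sophos", "trendmicro", "avira", "kaspersky", "emsisoft")


def _append_to_section(out: List[str], text: str) -> None:
    """Append a line to the section just finished, ahead of its trailing blank lines."""
    tail: List[str] = []
    while out and not out[-1].strip():
        tail.append(out.pop())
    out.append(text)
    out.extend(tail)


def set_ini_value(ini_text: str, section: str, key: str, wanted: str) -> Tuple[str, bool]:
    """Force section/key to wanted, keeping every other line (order, comments, other keys).
    A missing key is appended to the section. Returns (new_text, changed)."""
    out: List[str] = []
    changed = in_section = key_seen = False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section and not key_seen:           # leaving the section without the key
                _append_to_section(out, f"{key}={wanted}"); changed = True
            in_section = s[1:-1].strip().lower() == section.lower()
            key_seen = False
            out.append(line)
            continue
        if in_section and "=" in s and s.split("=", 1)[0].strip().lower() == key.lower():
            key_seen = True
            if s.split("=", 1)[1].strip().lower() != wanted.lower():
                out.append(f"{key}={wanted}"); changed = True
                continue
        out.append(line)
    if in_section and not key_seen:                   # section ran to end of file
        _append_to_section(out, f"{key}={wanted}"); changed = True
    return "\n".join(out) + ("\n" if ini_text.endswith("\n") else ""), changed


def harden_win9x_ini(system_ini: str, win_ini: str) -> Tuple[str, str, bool]:
    """Apply note 5's rules: SYSTEM.INI [boot] shell=explorer.exe, WIN.INI [windows] load= and run= null."""
    system_ini, c1 = set_ini_value(system_ini, "boot", "shell", "explorer.exe")
    win_ini, c2 = set_ini_value(win_ini, "windows", "load", "")
    win_ini, c3 = set_ini_value(win_ini, "windows", "run", "")
    return system_ini, win_ini, c1 or c2 or c3


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """(address, name) pairs that map a vendor's site; a clean hosts file has none.
    The address is not inspected: any such mapping, even to a real address, is out of place."""
    found: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()         # drop comments, then split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            if any(k in name.lower() for k in VENDOR_KEYWORDS):
                found.append((fields[0], name))
    return found


if __name__ == "__main__":
    print("suspicious hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
    sys_ini, win_ini, changed = harden_win9x_ini(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)
    print("changed:", changed)
    print(sys_ini)
    print(win_ini)
```

The INI editor is line-based on purpose: a generic INI library would rewrite the whole file and could drop the comments and duplicate keys that Win9x tolerates, whereas here only the three statements the note names are ever rewritten.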

 

ACKNOWLEDGMENTS:

 

I want to acknowledge the participants of; A.C.V, A.C.A-V, M.P.S.V and other security and malware related Usenet News Groups and forums, Art Kopp for his inspiration, Ian Kenefick for all his assistance, Leythos for assistance on the SpyKiller web site, and in particular Ron Lewis (Aka; NTDOC and AdvancedSetup) for all his KiXtart programming assistance.

 

[logo: emsoftlogo1]

Warm gratitude and thanks go out to Christian Mairoll [CEO] of Emsisoft for his expressed permission to use the Emsisoft Anti-Malware scanner in the Multi-AV Scanning Tool. http://www.emsisoft.com

 

[logo: aviralogo1]

Gratitude also goes out to Stefan K. of Avira for his relentless efforts to obtain a special license key generated specifically for the Multi-AV Scanning Tool. Thank you Stefan. http://www.avira.com

[logo: kixstartlogo1]

Finally and most importantly, Ruud van Velsen for the KiXtart interpreter. http://www.kixtart.org