

Thanks for the advice. I use Sophos, not McAfee. Do I need McAfee to
perform the fix?

From: "Bill Suen" <[email protected]>

| David,
| Thanks for the advice. I use Sophos, not McAfee. Do I need McAfee to
| perform the fix?
| Bill

No. It will download the McAfee command line scanner and it does not have to pre-exist on
the PC.

That DLL is associated with a few pieces of malware and this utility targets the DLL as well
as the malware associated with it.

I ran the fix and it did not work. I was watching the scan and there were
a lot of files the fix could not open. Now I cannot even get my Explorer
working in my own sign-on, so I am using a guest sign-on to get on here. Hope
you can give me further advice. Here is the log file:

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4666 created Jan 03 2006
Scanning for 168508 viruses, trojans and variants.

Virus Scan Results

01/04/2006 18:01:54


Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\Brendan\Local Settings\Temporary Internet Files\Content.IE5\A9S3YT65\systemwarning[1].htm ... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.

Summary report on C:\*.*
Total files: ........... 229892
Clean: ................. 229863
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

Time: 00:50.16

Some pages are now blocked and the message says: block by adware of your pc,
download spy trooper:

Is this genuine?

Many thanks.

Bill Suen

I found this Notepad window on my screen. Does it help you diagnose the problem?
# An unexpected error has been detected by HotSpot Virtual Machine:
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7c9010f3, pid=228, tid=3060
# Java VM: Java HotSpot(TM) Client VM (1.5.0_04-b05 mixed mode, sharing)
# Problematic frame:
# C [ntdll.dll+0x10f3]

--------------- T H R E A D ---------------

Current thread (0x08192ff8): JavaThread "thread applet-FreeVideo.class"
[_thread_in_native, id=3060]

siginfo: ExceptionCode=0xc0000005, writing address 0x04273f54

EAX=0x00000000, EBX=0x2b464d30, ECX=0x0870f7b4, EDX=0x04273f4c
ESP=0x0870f7c4, EBP=0x0870f7fc, ESI=0x04273f38, EDI=0x04273f4c
EIP=0x7c9010f3, EFLAGS=0x00010246

Top of Stack: (sp=0x0870f7c4)
0x0870f7c4: 6d0d7af2 04273f4c 08192ff8 081930b4
0x0870f7d4: 6d0c7eb3 08192ff8 2ac11f18 2b464d30
0x0870f7e4: 21393b28 00000000 0870f7d8 0870fae4
0x0870f7f4: 6d0f33a0 00000000 0870f830 0531899c
0x0870f804: 081930b4 0870f840 00000001 21393b28
0x0870f814: 0870f80c 00000000 0870f840 2b465c90
0x0870f824: 00000000 2b464d30 0870f840 0870f860
0x0870f834: 05312923 00000000 05316449 21393b28

Instructions: (pc=0x7c9010f3)
0x7c9010e3: 24 00 00 00 00 90 90 90 90 90 8b 54 24 04 33 c0
0x7c9010f3: ff 4a 08 75 26 89 42 0c f0 ff 4a 04 7d 03 c2 04

Stack: [0x08610000,0x08710000), sp=0x0870f7c4, free space=1021k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native
C [ntdll.dll+0x10f3]
j java.awt.Component.removeNotify()V+211
j java.awt.Container.removeNotify()V+67
j java.awt.Container.remove(I)V+43
j java.awt.Container.remove(Ljava/awt/Component;)V+45
v ~StubRoutines::call_stub
V [jvm.dll+0x82696]
V [jvm.dll+0xd6fd9]
V [jvm.dll+0x82567]
V [jvm.dll+0x822c4]
V [jvm.dll+0x9d216]
V [jvm.dll+0x101489]
V [jvm.dll+0x101457]
C [msvcrt.dll+0x2a3b0]
C [kernel32.dll+0xb50b]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j java.awt.Component.removeNotify()V+211
j java.awt.Container.removeNotify()V+67
j java.awt.Container.remove(I)V+43
j java.awt.Container.remove(Ljava/awt/Component;)V+45
v ~StubRoutines::call_stub

--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x0424fcf0 JavaThread "AWT-EventQueue-33" [_thread_blocked, id=2668]
0x042539f8 JavaThread "Thread-180" [_thread_blocked, id=3312]
0x0424de60 JavaThread "Thread-179" [_thread_blocked, id=488]
0x081d9310 JavaThread "Image Fetcher 0" daemon [_thread_blocked, id=2900]
0x04251a48 JavaThread "Thread-178" [_thread_blocked, id=588]
0x081d96b8 JavaThread "Thread-175" [_thread_in_native, id=2664]
0x08126760 JavaThread "AWT-EventQueue-32" [_thread_blocked, id=3584]
=>0x08192ff8 JavaThread "thread applet-FreeVideo.class" [_thread_in_native,
0x08199650 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=1748]
0x04230450 JavaThread "AWT-Shutdown" [_thread_blocked, id=1664]
0x011f1e30 JavaThread "traceMsgQueueThread" daemon [_thread_blocked,
0x042308c8 JavaThread "AWT-Windows" daemon [_thread_in_native, id=1340]
0x0422f620 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=2380]
0x011f4d30 JavaThread "Low Memory Detector" daemon [_thread_blocked,
0x011e4ff0 JavaThread "CompilerThread0" daemon [_thread_blocked, id=2600]
0x011e4e70 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1832]
0x011df3b0 JavaThread "Finalizer" daemon [_thread_blocked, id=324]
0x04160048 JavaThread "Reference Handler" daemon [_thread_blocked, id=1404]
0x011d8a28 JavaThread "main" [_thread_blocked, id=3436]

Other Threads:
0x011e1cd0 VMThread [id=2564]
0x011f09d0 WatcherThread [id=2764]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

def new generation total 576K, used 2K [0x20b90000, 0x20c30000, 0x212f0000)
eden space 512K, 0% used [0x20b90000, 0x20b90800, 0x20c10000)
from space 64K, 0% used [0x20c20000, 0x20c20000, 0x20c30000)
to space 64K, 0% used [0x20c10000, 0x20c10000, 0x20c20000)
tenured generation total 1408K, used 713K [0x212f0000, 0x21450000,
the space 1408K, 50% used [0x212f0000, 0x213a2448, 0x213a2600, 0x21450000)
compacting perm gen total 8192K, used 1321K [0x26b90000, 0x27390000,
the space 8192K, 16% used [0x26b90000, 0x26cda600, 0x26cda600, 0x27390000)
ro space 8192K, 62% used [0x2ab90000, 0x2b0993f0, 0x2b099400, 0x2b390000)
rw space 12288K, 46% used [0x2b390000, 0x2b91fe20, 0x2b920000,

Dynamic libraries:
0x00400000 - 0x00419000 C:\Program Files\Internet Explorer\iexplore.exe
0x7c900000 - 0x7c9b0000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f4000 C:\WINDOWS\system32\kernel32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x77d40000 - 0x77dd0000 C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f56000 C:\WINDOWS\system32\GDI32.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f01000 C:\WINDOWS\system32\RPCRT4.dll
0x77760000 - 0x778cc000 C:\WINDOWS\system32\SHDOCVW.dll
0x77a80000 - 0x77b14000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x754d0000 - 0x75550000 C:\WINDOWS\system32\CRYPTUI.dll
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x77120000 - 0x771ac000 C:\WINDOWS\system32\OLEAUT32.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x5b860000 - 0x5b8b4000 C:\WINDOWS\system32\NETAPI32.dll
0x771b0000 - 0x77256000 C:\WINDOWS\system32\WININET.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x629c0000 - 0x629c9000 C:\WINDOWS\system32\LPK.DLL
0x74d90000 - 0x74dfb000 C:\WINDOWS\system32\USP10.dll
0x773d0000 - 0x774d2000
0x7c9c0000 - 0x7d1d4000 C:\WINDOWS\system32\SHELL32.dll
0x5d090000 - 0x5d127000 C:\WINDOWS\system32\comctl32.dll
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\uxtheme.dll
0x75f80000 - 0x7607d000 C:\WINDOWS\system32\BROWSEUI.dll
0x20000000 - 0x20012000 C:\WINDOWS\system32\browselc.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\appHelp.dll
0x76fd0000 - 0x7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 - 0x77115000 C:\WINDOWS\system32\COMRes.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x77260000 - 0x772fe000 C:\WINDOWS\system32\urlmon.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x77a20000 - 0x77a74000 C:\WINDOWS\System32\cscui.dll
0x76600000 - 0x7661d000 C:\WINDOWS\System32\CSCDLL.dll
0x77920000 - 0x77a13000 C:\WINDOWS\system32\SETUPAPI.dll
0x68000000 - 0x68051000 C:\Program
0x71ad0000 - 0x71ad9000 C:\WINDOWS\system32\WSOCK32.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x10000000 - 0x1000e000 C:\Program Files\Adobe\Acrobat
0x7c340000 - 0x7c396000 C:\WINDOWS\system32\MSVCR71.dll
0x01110000 - 0x0112f000 C:\WINDOWS\system32\dla\tfswshx.dll
0x01130000 - 0x0113f000 C:\WINDOWS\system32\tfswapi.dll
0x01140000 - 0x0117b000 C:\WINDOWS\system32\dla\tfswcres.dll
0x75e90000 - 0x75f40000 C:\WINDOWS\system32\SXS.DLL
0x012e0000 - 0x01368000 C:\WINDOWS\system32\shdoclc.dll
0x01370000 - 0x01635000 C:\WINDOWS\system32\xpsp2res.dll
0x75cf0000 - 0x75d81000 C:\WINDOWS\system32\mlang.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\system32\mswsock.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.DLL
0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll
0x77c70000 - 0x77c93000 C:\WINDOWS\system32\msv1_0.dll
0x76d60000 - 0x76d79000 C:\WINDOWS\system32\iphlpapi.dll
0x745e0000 - 0x748a6000 C:\WINDOWS\system32\msi.dll
0x722b0000 - 0x722b5000 C:\WINDOWS\system32\sensapi.dll
0x769c0000 - 0x76a73000 C:\WINDOWS\system32\USERENV.dll
0x0ffd0000 - 0x0fff8000 C:\WINDOWS\system32\rsaenh.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x7d4a0000 - 0x7d786000 C:\WINDOWS\system32\mshtml.dll
0x01680000 - 0x016a7000 C:\WINDOWS\system32\msls31.dll
0x02300000 - 0x0232a000 C:\WINDOWS\system32\msimtf.dll
0x02330000 - 0x0237b000 C:\WINDOWS\system32\MSCTF.dll
0x75c50000 - 0x75cbe000 C:\WINDOWS\system32\jscript.dll
0x66e50000 - 0x66e90000 C:\WINDOWS\system32\iepeers.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x5a620000 - 0x5a67d000 C:\WINDOWS\system32\inetcpl.cpl
0x667d0000 - 0x667ed000 C:\WINDOWS\system32\inetcplc.dll
0x66000000 - 0x6601f000 C:\Program
0x65000000 - 0x6502b000 C:\Program
0x5f050000 - 0x5f06a000 C:\WINDOWS\system32\OCCache.DLL
0x71b20000 - 0x71b32000 C:\WINDOWS\system32\MPR.dll
0x75f60000 - 0x75f67000 C:\WINDOWS\System32\drprov.dll
0x71c10000 - 0x71c1e000 C:\WINDOWS\System32\ntlanman.dll
0x71cd0000 - 0x71ce7000 C:\WINDOWS\System32\NETUI0.dll
0x71c90000 - 0x71cd0000 C:\WINDOWS\System32\NETUI1.dll
0x71c80000 - 0x71c87000 C:\WINDOWS\System32\NETRAP.dll
0x71bf0000 - 0x71c03000 C:\WINDOWS\System32\SAMLIB.dll
0x75f70000 - 0x75f79000 C:\WINDOWS\System32\davclnt.dll
0x75970000 - 0x75a67000 C:\WINDOWS\system32\MSGINA.dll
0x76360000 - 0x76370000 C:\WINDOWS\system32\WINSTA.dll
0x74320000 - 0x7435d000 C:\WINDOWS\system32\ODBC32.dll
0x763b0000 - 0x763f9000 C:\WINDOWS\system32\comdlg32.dll
0x025d0000 - 0x025e7000 C:\WINDOWS\system32\odbcint.dll
0x73ba0000 - 0x73bb3000 C:\WINDOWS\system32\sti.dll
0x74ae0000 - 0x74ae7000 C:\WINDOWS\system32\CFGMGR32.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
0x76200000 - 0x76271000 C:\WINDOWS\system32\mshtmled.dll
0x04460000 - 0x04607000 C:\WINDOWS\system32\macromed\flash\Flash.ocx
0x6d430000 - 0x6d43a000 C:\WINDOWS\system32\ddrawex.dll
0x73760000 - 0x737a9000 C:\WINDOWS\system32\DDRAW.dll
0x73bc0000 - 0x73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
0x76820000 - 0x76834000 C:\WINDOWS\system32\HLINK.DLL
0x6d590000 - 0x6d5a1000 C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
0x5edd0000 - 0x5ede7000 C:\WINDOWS\system32\OLEPRO32.DLL
0x6d400000 - 0x6d417000 C:\Program Files\Java\jre1.5.0_04\bin\jpiexp32.dll
0x76fb0000 - 0x76fb8000 C:\WINDOWS\System32\winrnr.dll
0x6d450000 - 0x6d468000 C:\Program Files\Java\jre1.5.0_04\bin\jpishare.dll
0x6d640000 - 0x6d7c9000 C:\PROGRA~1\Java\JRE15~2.0_0\bin\client\jvm.dll
0x6d280000 - 0x6d288000 C:\PROGRA~1\Java\JRE15~2.0_0\bin\hpi.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x6d610000 - 0x6d61c000 C:\PROGRA~1\Java\JRE15~2.0_0\bin\verify.dll
0x6d300000 - 0x6d31d000 C:\PROGRA~1\Java\JRE15~2.0_0\bin\java.dll
0x6d630000 - 0x6d63f000 C:\PROGRA~1\Java\JRE15~2.0_0\bin\zip.dll
0x6d000000 - 0x6d167000 C:\Program Files\Java\jre1.5.0_04\bin\awt.dll
0x73940000 - 0x73a10000 C:\WINDOWS\system32\D3DIM700.DLL
0x6d240000 - 0x6d27d000 C:\Program Files\Java\jre1.5.0_04\bin\fontmanager.dll
0x6d1f0000 - 0x6d203000 C:\Program Files\Java\jre1.5.0_04\bin\deploy.dll
0x6d5d0000 - 0x6d5ed000 C:\Program Files\Java\jre1.5.0_04\bin\RegUtils.dll
0x6d3e0000 - 0x6d3f4000 C:\Program Files\Java\jre1.5.0_04\bin\jpicom32.dll
0x6d4c0000 - 0x6d4d3000 C:\Program Files\Java\jre1.5.0_04\bin\net.dll
0x6d4e0000 - 0x6d4e9000 C:\Program Files\Java\jre1.5.0_04\bin\nio.dll
0x6d3c0000 - 0x6d3df000 C:\Program Files\Java\jre1.5.0_04\bin\jpeg.dll
0x5ff20000 - 0x5ff46000 C:\WINDOWS\system32\MSRATING.dll
0x5ff50000 - 0x5ff61000 C:\WINDOWS\system32\msratelc.dll

VM Arguments:
-Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote
-Djavaplugin.version=1.5.0_04 -Djavaplugin.nodotversion=150_04
-Dbrowser=sun.plugin -DtrustProxy=true
-Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote
-Djavaplugin.version=1.5.0_04 -Djavaplugin.nodotversion=150_04
-Dbrowser=sun.plugin -DtrustProxy=true
-Dapplication.home=C:\PROGRA~1\Java\JRE15~2.0_0 vfprintf
java_command: <unknown>

Environment Variables:
PATH=C:\PROGRA~1\Java\JRE15~2.0_0\bin;C:\Program Files\Internet
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel

--------------- S Y S T E M ---------------

OS: Windows XP Build 2600 Service Pack 2

CPU:total 1 family 15, cmov, cx8, fxsr, mmx, sse, sse2, ht

Memory: 4k page, physical 1046512k(596680k free), swap 2522548k(2184096k free)

vm_info: Java HotSpot(TM) Client VM (1.5.0_04-b05) for windows-x86, built on
Jun 3 2005 02:10:41 by "java_re" with MS VC++ 6.0

I don't even know that I have anything to do with "HotSpot".

Bill Suen
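The crash log pasted above is an hs_err_pid style HotSpot dump, and it is long enough that the few lines worth reading get lost. The following parser is an added example written for this page; it is not code from the thread or from any tool mentioned in it. It pulls out the exception line, the reported problematic frame, the Java thread that was running when the VM died, and the loaded modules that live outside the Windows directory, and it cross-checks the reported frame by resolving the faulting pc against the module map. The sample input is a constructed abridgement of the posted log, and the `C:\WINDOWS` system-root prefix is an assumption taken from the module paths in that log.

```python
import re

# Constructed sample input for this example: an abridged, hand-edited copy
# of the hs_err log posted in the thread, not the original file.
SAMPLE_LOG = r"""
# An unexpected error has been detected by HotSpot Virtual Machine:
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7c9010f3, pid=228, tid=3060
# Java VM: Java HotSpot(TM) Client VM (1.5.0_04-b05 mixed mode, sharing)
# Problematic frame:
# C [ntdll.dll+0x10f3]

--------------- T H R E A D ---------------

Current thread (0x08192ff8): JavaThread "thread applet-FreeVideo.class" [_thread_in_native, id=3060]

Dynamic libraries:
0x00400000 - 0x00419000 C:\Program Files\Internet Explorer\iexplore.exe
0x7c900000 - 0x7c9b0000 C:\WINDOWS\system32\ntdll.dll
0x04460000 - 0x04607000 C:\WINDOWS\system32\macromed\flash\Flash.ocx
0x6d590000 - 0x6d5a1000 C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
0x01110000 - 0x0112f000 C:\WINDOWS\system32\dla\tfswshx.dll

VM Arguments:
-Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote
"""

# "# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7c9010f3, pid=228, tid=3060"
EXC_RE = re.compile(
    r"^#\s+(?P<name>EXCEPTION_\w+)\s+\((?P<code>0x[0-9a-fA-F]+)\)"
    r"\s+at pc=(?P<pc>0x[0-9a-fA-F]+),\s+pid=(?P<pid>\d+),\s+tid=(?P<tid>\d+)",
    re.M,
)
# "# Problematic frame:" followed by "# C [ntdll.dll+0x10f3]"
FRAME_RE = re.compile(
    r"^# Problematic frame:\s*\n# (?P<kind>\w)\s+\[(?P<module>[^+\]]+)\+(?P<off>0x[0-9a-fA-F]+)\]",
    re.M,
)
# 'Current thread (0x...): JavaThread "name" [_thread_in_native, id=3060]'
THREAD_RE = re.compile(
    r'^Current thread \((?P<addr>0x[0-9a-fA-F]+)\): JavaThread "(?P<name>[^"]+)"'
    r"\s+\[(?P<state>\w+), id=(?P<id>\d+)\]",
    re.M,
)
# "0x00400000 - 0x00419000 C:\Program Files\...\iexplore.exe"
MODULE_RE = re.compile(r"^(?P<start>0x[0-9a-fA-F]+) - (?P<end>0x[0-9a-fA-F]+)\s+(?P<path>\S.*?)\s*$")


def parse_modules(text):
    """Return (start, end, path) for every entry in the 'Dynamic libraries:' section."""
    modules, in_section = [], False
    for line in text.splitlines():
        if line.strip() == "Dynamic libraries:":
            in_section = True
            continue
        if in_section:
            if not line.strip():        # section ends at the first blank line
                break
            m = MODULE_RE.match(line)
            if m:
                modules.append((int(m["start"], 16), int(m["end"], 16), m["path"]))
    return modules


def module_for_address(modules, addr):
    """Resolve an address to (path, offset-in-module) using the module map."""
    for start, end, path in modules:
        if start <= addr < end:
            return path, addr - start
    return None


def non_system_modules(modules, system_root=r"C:\WINDOWS"):
    """Modules loaded from outside the assumed system root; a first place to look."""
    prefix = system_root.lower().rstrip("\\") + "\\"
    return [path for _, _, path in modules if not path.lower().startswith(prefix)]


def triage(text):
    """Summarise the parts of an hs_err log that matter for a quick look."""
    exc, frame, thread = EXC_RE.search(text), FRAME_RE.search(text), THREAD_RE.search(text)
    modules = parse_modules(text)
    pc = int(exc["pc"], 16) if exc else None
    hit = module_for_address(modules, pc) if pc is not None else None
    return {
        "exception": exc["name"] if exc else None,
        "pc": pc,
        "reported_frame": (frame["module"], int(frame["off"], 16)) if frame else None,
        # basename of the resolved module so it compares directly with the reported frame
        "resolved_frame": (hit[0].rsplit("\\", 1)[-1], hit[1]) if hit else None,
        "thread": thread["name"] if thread else None,
        "thread_state": thread["state"] if thread else None,
        "non_system_modules": non_system_modules(modules),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary names the crashing thread as the applet thread `thread applet-FreeVideo.class`, confirms that the reported frame `ntdll.dll+0x10f3` agrees with the module map, and lists only `iexplore.exe` and the Java plug-in DLL as modules outside `C:\WINDOWS`. On a real dump the same few lines are what you would read first, and the module list is where an unexpected DLL in a user-writable path would show up.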

David H. Lipman said:
From: "Bill Suen" <[email protected]>

| I have a similar problem:
| I work a lot from my home PC for a university and have Sophos loaded on it.
| The regular daily scan on Monday revealed that I have a Troj/Spyaks-B
| infection in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
| went in via command prompt and deleted the infected file but the home page is
| still set to a security centre page. Yesterday I followed the Sophos
| instructions and downloaded a SAV32CLI fix onto a CD-R and tried to run it on
| the command prompt via F8 restart. I am running Windows XP 2002 Home Service
| Pack 2, and it will not let me get into Safe Mode with Command Prompt at
| restart, so I cannot run the fix on my PC.

Download SmitFraud.exe from the URL --

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall so that WGET.EXE can download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your

* * * Please report back your results * * *
From: "Bill Suen" <[email protected]>

| Dave,
| I ran the fix and it did not work. I was watching the scan and there were
| a lot of files the fix could not open. Now I cannot even get my Explorer
| working in my own sign-on, so I am using a guest sign-on to get on here. Hope
| you can give me further advice. Here is the log file:

< snip >

You are still infected.

Part 1

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe

Part 2

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

I don't understand what you mean by "Now I cannot even got my explorer working in my own
sign on..."
Please elaborate...

What happens ?
From: "Bill Suen" <[email protected]>

| David,
| I found this Notepad window on my screen. Does it help you diagnose the problem?
| # An unexpected error has been detected by HotSpot Virtual Machine:
| #
| # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7c9010f3, pid=228, tid=3060
| #
| # Java VM: Java HotSpot(TM) Client VM (1.5.0_04-b05 mixed mode, sharing)
| # Problematic frame:
| # C [ntdll.dll+0x10f3]
| #

< snip >

Nope. Useless data...

Many thanks for your advice again. I will try it tonight when I get home
and let you know what happens.

After my last scan my IE did not work (would not get to my usual home page,
nor to the hijacked page, just frozen) and the screen settings were all
changed. I had to log on as a "guest" on my multiple-user PC to use IE.
But afterwards, I manually changed back all my settings and the IE worked
again under my logon.

Hope I will give you good news tonight.
From: "Bill Suen" <[email protected]>

| Dave,
| Many thanks for your advice again. I will try it tonight when I get home
| and let you know what happens.
| After my last scan my IE did not work (would not get to my usual home page,
| nor to the hijacked page, just frozen) and the screen settings were all
| changed. I had to log on as a "guest" on my multiple-user PC to use IE.
| But afterwards, I manually changed back all my settings and the IE worked
| again under my logon.
| Hope I will give you good news tonight.

Use *all* the tools I provided you when using the affected account. The issue is in that
user's Registry. You have to be logged in as that user for that Registry to be fixed.
From: "cquirke (MVP Windows shell/user)"
| I've downloaded it and read the HTML, but haven't used it yet - I'm
| interested in seeing if it can be adapted to more formal use.
| I'm working on a scanning wizard for Bart PE CDR boot that will run a
| sequence of 5 av scanners with a minimum of stop/go interaction, so I
| was interested in how Dave's worked.
Any time you'd like to discuss my tool(s), you have my email address.

Thanks - I'll pursue when I'm focussed!

Meantime, this is of interest for data recovery... DataRecovery iRecover.exe at...
While you mention booting from a Bart PE, the included PDF file does provide instructions
for creating a DOS Boot Disk or DOS Boot Disk with NTFS4DOS for outside the OS scanning.

Thanks, that's useful for < 137G systems. I haven't tried NTFS with,
say, ScanPM.exe, but I found F-Prot for DOS ineffective under such
circumstances; it does run in the low DOS memory conditions inflicted
by the NTFS driver, but fails to traverse the volume's dir tree.

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
Before that, cquirke wrote:
The only reason it needs to be on a drive is to expand the definitions
and create the log files - at least it appears that way.

That applies to Bart as well, for tools that have to write to
themselves. What I do in such cases is sling them into %Temp% and run
them from there... when Bart-booted, there is a RAM drive B: which is
defined as %Temp%, but I've added a facility to re-direct this to a
selected location on a HD volume for greater space.

So my normal "dodgy PC" SOP is:
- diskette booted RAM diags; bail out if bad
- Bart CDR boot:
- HD Tune to check physical HD
- ChkDsk to check file system
- create a directory on a HD volume
- map Bart's %Temp% to this
- start virus scanning wizard:
- F-Prot CLI detect-only C:, save log
- ScanPM detect-only all HD, save log
- Trend SysClean ++ detect&clean, save log
- AntiVir 6 ** ++, save log
- McAfee Stinger ++, save log
- AdAware SE **, detect-only, save log
- Spybot 1.4, detect-only, save log
- HiJackThis **, save log

** Using RunScanner to access HD registry.
++ Run from Temp, as requires writable base location.

After the above comes other tests to taste, followed by AdAware and
Spybot detect-and-clean scans from Safe Mode, etc. I do the cleaning
from Windows boot so that the changes can be undone (i.e. stored and
accessible within the Windows installation).

It would be nice to do all the above from a single CDR, but I haven't
been able to "shell" Bart so it can share the same CDR with the RAM
test diagnostics. What I can do is spawn these RAM diagnostic 1.44M
boot diskettes from the Bart CDR boot; I can't burn these to CDR as
the Bart-booted session dies if the Bart CDR is ejected.


I cannot get into safe mode with command prompt, so I ran SmitRem.exe in
normal mode. Then I ran part 2 (Secured2K'....) and it appeared to work and
I gained back control of my homepage etc.

Tried again to reboot via F8 and still cannot get into Safe Mode or Safe Mode
with Command Prompt. The Safe Mode option appears in blue on the bottom left of the
screen but on top it only allows proceeding with "normal Windows start-up". Am
I still infected? Or is this a fault/feature of Windows XP 2002 Home SP2?

I appreciate your further advice... and thank you for helping me fix
(apparently) the problem. Much appreciated.

Bill Suen

Further to my last post, my Sophos just reported picking up another
Troj/Dropper-DK in C:\System Volume. So my underlying problem still exists.
And I still cannot get into Safe Mode with Command Prompt, so I cannot run the Sophos
trojan fix. Hope you can help getting to the bottom of this.

Many thanks.

Bill Suen
From: "Bill Suen" <[email protected]>

| Dave,
| Further to my last post, my Sophos just reported picking up another
| Troj/Dropper-DK in C:\System Volume. So my underlying problem still exists.
| And I still cannot get into Safe Mode with Command Prompt, so I cannot run the Sophos
| trojan fix. Hope you can help getting to the bottom of this.
| Many thanks.

That's the System Restore cache.

Disable the System Restore cache and reboot the PC.

Re-enable the System Restore Cache and then create a new restore point.

I don't know what to tell you about your Safe Mode problem. It has many roots and the
majority aren't malware related.