http://www.slavasoft.com/fsum/index.htm

 

Z

 

So basically you are going to have to know your patch level on that
machine, and research the patches to see which one updates this DLL to
6.0.2900.5512 (which you said yours is at).

Then download that patch, extract the DLL, hash it, and compare the
hashes. If they are both the same, then you know the file hasn't been
modified, but if they aren't, then you might be dealing with something
rogue within the DLL itself, in which case you would need Visual
Studio/Basic to disassemble the DLL and compare the guts of the DLL
internals for both the downloaded DLL and the system DLL to determine
if there is some rogue code that is triggering it, or if it's a false
positive by Vipre.

 

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505

________________________________

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Wednesday, January 06, 2010 9:18 AM
To: NT System Admin Issues
Subject: RE: SHDOCVW.DLL disappearing from Windows XP Pro (Vipre
Enterprise)

 

Thanks for the suggestion. I'll check it out.  The version on my system
(NOT the one having problems) is 6.0.2900.5512. I don't have the fsum
app, so I can't say what the checksum is. Can you advise where to get
that?

 

  

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Wednesday, January 06, 2010 9:12 AM
To: NT System Admin Issues
Subject: RE: SHDOCVW.DLL disappearing from Windows XP Pro (Vipre
Enterprise)

 

John, 

 

I am going to assume that you are running XP SP3. What is the version of
that shdocvw.dll?

 

I have 6.0.2900.5580

Its SHA1 hash is the following: 

C:\WINDOWS\system32>fsum -sha1 shdocvw.dll

; SlavaSoft Optimizing Checksum Utility - fsum 2.5 <www.slavasoft.com>
;
; Generated on 01/06/10 at 09:04:01
;
557776093fc907a1efd708c5251969eec4a7d5d2 ?SHA1*shdocvw.dll

 

Check the hash on your DLL, and make sure it is the same. (You will
need a pristine system patched to the latest baseline.) Verify it's
the same. If it isn't, then something is going awry.

 

The dll is the shell doc object and control library dll. 

 

Per Process Explorer, you can see which executables this DLL is
invoked in.

 

By default it's explorer.exe, Winword, Outlook, mstsc (Remote Desktop
Connection).

 

I would also check these versions and make sure they also hash the same
way.

 

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505
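
The hash comparison described in the message above, as an added example that is not part of the original thread: it parses a saved fsum listing in the format shown (`;` header lines, then `<digest> ?SHA1*<file>`) and reports each listed file as OK, MISMATCH or MISSING. The function names and the sample file contents are constructed for illustration, and the baseline listing is assumed to come from a pristine machine at the same patch level.

```python
import hashlib
import os
import re
import tempfile

# One fsum result line as shown in the thread: "<hex digest> ?SHA1*<file name>"
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\?([A-Za-z0-9]+)\*(.+)$")

def parse_fsum(text):
    """Return {file name: (algorithm, lowercase hex digest)} from fsum output."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # fsum header lines start with ';'
            continue
        m = LINE_RE.match(line)
        if m:
            digest, algo, name = m.groups()
            entries[name] = (algo.lower(), digest.lower())
    return entries

def hash_file(path, algo):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(baseline_text, directory):
    """Compare files in `directory` against a baseline fsum listing."""
    results = {}
    for name, (algo, expected) in parse_fsum(baseline_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"  # e.g. the file was quarantined or deleted
        else:
            same = hash_file(path, algo) == expected
            results[name] = "OK" if same else "MISMATCH"
    return results

def demo():
    # Constructed sample: a stand-in file, not a real shdocvw.dll.
    data = b"constructed stand-in contents"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "shdocvw.dll"), "wb") as fh:
            fh.write(data)
        good = hashlib.sha1(data).hexdigest()
        lines = ["; constructed baseline listing", ";",
                 good + " ?SHA1*shdocvw.dll", "0" * 40 + " ?SHA1*explorer.exe"]
        return verify("\n".join(lines), d)
```

A MISMATCH only means the file differs from the baseline; a different file version (for example 6.0.2900.5512 versus 6.0.2900.5580) also produces a different hash.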

________________________________

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Wednesday, January 06, 2010 8:50 AM
To: NT System Admin Issues
Subject: SHDOCVW.DLL disappearing from Windows XP Pro (Vipre Enterprise)

 

I have Vipre Enterprise and on one of the client machines the critical
system file shdocvw.dll (Windows XP Pro) has disappeared twice after
Vipre detects SearchMiracle.EliteBar. I'm not sure the two are related,
but it's awfully suspicious to me that this is happening. The first time
it happened, I was out of the office and couldn't get to the machine
until the next day, so the user lost the use of his computer for half a
day. The second time (yesterday afternoon) the user notified me just
about quitting time that Vipre was telling him it needed to reboot to
finish cleaning itself of an infestation. I told him to reboot and when
we tried to log in after it came back up, the desktop was bare - not
even a taskbar. Fortunately, CTL+ALT+DEL worked and I was able to pull
up a command prompt and repair the damage (again.)

 

Anyone seen this behavior? Is it a false positive? Should I put that
file in the "admin known good" section on the server so Vipre will leave
it alone? 

 

FWIW, I posted a similar topic on the Vipre Enterprise support forum.
Just thought I'd post it here as well so anyone who has a similar
problem can fix it like I did - I copied the relevant file off my
desktop machine and put it on the affected machine, and miracle of
miracles, I was able to launch Explorer.exe and the desktop reappeared.
:-)

 



 

 

 

 

 

 

 
