Since it is Vipre, try submitting it to Sunbelt for testing evaluation.  They
seem to be quick and accurate with fixes.

Jon

On Wed, Jan 6, 2010 at 11:21 AM, Ziots, Edward <ezi...@lifespan.org> wrote:

>  http://www.slavasoft.com/fsum/index.htm
>
>
>
> Z
>
>
>
> So basically you are going to have to know your patch level on that
> machine, and research the patches to see which one updates this DLL to
> 6.0.2900.5512 (which you said yours is at).
>
>
>
> Then download that patch, extract the dll, and hash it and compare the
> hashes. If they are both the same then you know the file hasn’t been
> modified, but if they aren’t then you might be dealing with something rogue
> within the dll itself, which you would need Visual Studio/Basic to
> disassemble the DLL and compare the guts of the DLL internals for both the
> downloaded dll and the system dll there to determine if there is some rogue
> code that is triggering it, or if it’s a false positive by the Vipre.
>
>
>
>
>
> Edward Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>
> ezi...@lifespan.org
>
> Phone:401-639-3505
>  ------------------------------
>
> *From:* John Aldrich [mailto:jaldr...@blueridgecarpet.com]
> *Sent:* Wednesday, January 06, 2010 9:18 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: SHDOCVW.DLL disappearing from Windows XP Pro (Vipre
> Enterprise)
>
>
>
> Thanks for the suggestion. I’ll check it out.  The version on my system
> (NOT the one having problems) is 6.0.2900.5512. I don’t have the fsum app,
> so I can’t say what the checksum is. Can you advise where to get that?
>
>
>
>
>
>
> *From:* Ziots, Edward [mailto:ezi...@lifespan.org]
> *Sent:* Wednesday, January 06, 2010 9:12 AM
> *To:* NT System Admin Issues
> *Subject:* RE: SHDOCVW.DLL disappearing from Windows XP Pro (Vipre
> Enterprise)
>
>
>
> John,
>
>
>
> I am going to assume that you are running XP SP3, what is the version of
> that shdocvw.dll?
>
>
>
> I have 6.0.2900.5580
>
> Its SHA1 hash is the following:
>
> C:\WINDOWS\system32>fsum -sha1 shdocvw.dll
>
>
>
> ; SlavaSoft Optimizing Checksum Utility - fsum 2.5 <www.slavasoft.com>
>
> ;
>
> ; Generated on 01/06/10 at 09:04:01
>
> ;
>
> 557776093fc907a1efd708c5251969eec4a7d5d2 ?SHA1*shdocvw.dll
>
>
>
> Check the hash on your dll, and make sure it is the same. (You will need a
> pristine system patched to the latest baseline) and verify it’s the same. If
> it isn’t, then something is going awry.
>
>
>
> The dll is the shell doc object and control library dll.
>
>
>
> Per the process explorer you can see which executables this dll is invoked
> in.
>
>
>
> By default it’s explorer.exe, Winword, outlook, mstsc (remote desktop
> connection)
>
>
>
> I would also check these versions and make sure they also hash the same way.
>
>
>
>
> Z
>
>
>
> Edward Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>
> ezi...@lifespan.org
>
> Phone:401-639-3505
>  ------------------------------
>
> *From:* John Aldrich [mailto:jaldr...@blueridgecarpet.com]
> *Sent:* Wednesday, January 06, 2010 8:50 AM
> *To:* NT System Admin Issues
> *Subject:* SHDOCVW.DLL disappearing from Windows XP Pro (Vipre Enterprise)
>
>
>
> I have Vipre Enterprise and on one of the client machines the critical
> system file shdocvw.dll (Windows XP Pro) has disappeared twice after Vipre
> detects SearchMiracle.EliteBar. I’m not sure the two are related, but it’s
> awfully suspicious to me that this is happening. The first time it happened,
> I was out of the office and couldn’t get to the machine until the next day,
> so the user lost the use of his computer for half a day. The second time
> (yesterday afternoon) the user notified me just about quitting time that
> Vipre was telling him it needed to reboot to finish cleaning itself of an
> infestation. I told him to reboot and when we tried to log in after it came
> back up, the desktop was bare – not even a taskbar. Fortunately, CTL+ALT+DEL
> worked and I was able to pull up a command prompt and repair the damage
> (again.)
>
>
>
> Anyone seen this behavior? Is it a false positive? Should I put that file
> in the “admin known good” section on the server so Vipre will leave it
> alone?
>
>
>
> FWIW, I posted a similar topic on the Vipre Enterprise support forum. Just
> thought I’d post it here as well so anyone who has a similar problem can fix
> it like I did – I copied the relevant file off my desktop machine and put it
> on the affected machine, and miracle of miracles, I was able to launch
> Explorer.exe and the desktop reappeared. :)
>
>
>
>
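
The hash comparison discussed in the thread, as an added example that is not part of any message above: a Python script that reads a listing in the `fsum -sha1` layout shown earlier as a baseline and reports each file as MATCH, MISMATCH or MISSING. The function names and the demo files are constructed for illustration; in practice the baseline would be generated from the DLL extracted from the patch.

```python
import hashlib
import os
import re
import tempfile

# fsum -sha1 data line: "<40 hex digits> ?SHA1*<filename>"; ';' lines are comments.
LINE_RE = re.compile(r"^([0-9a-fA-F]{40})\s+\?SHA1\*(.+)$")

def parse_fsum_sha1(text):
    """Return {lower-cased filename: sha1 hex} from an fsum -sha1 style listing."""
    baseline = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # comment and blank lines fail to match; Windows names ignore case
            baseline[m.group(2).strip().lower()] = m.group(1).lower()
    return baseline

def sha1_of(path, chunk=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):  # stream large files
            h.update(block)
    return h.hexdigest()

def verify(baseline, directory):
    """Compare files under `directory` with the baseline; return {name: status}."""
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"  # e.g. removed or quarantined
        else:
            results[name] = "MATCH" if sha1_of(path) == expected else "MISMATCH"
    return results

def demo():
    # Constructed sample: stand-in files, not real Windows DLLs.
    ref = hashlib.sha1(b"reference build").hexdigest()
    listing = "; constructed baseline in fsum layout\n" + "".join(
        f"{ref} ?SHA1*{n}\n" for n in ("good.dll", "changed.dll", "gone.dll"))
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.dll", b"reference build"),
                           ("changed.dll", b"tampered build")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return verify(parse_fsum_sha1(listing), d)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```
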
