
UserDump File Debug for WinXP SP3?


neowillendit


Hrmm.. Are you familiar with the concept of K.I.S.S???
Always a good method. However, knowing that this is a dll unload failure causing the crash, and that a debugger attached resolves the issue, I'm *pretty* confident that it's the .dll for spysweeper misbehaving. A quick google search brings up others with the same types of problem, with this particular .dll, as well.


Hey cluberti, :thumbup

Still can't replicate my problem in order to get any other dump files for you to very graciously and kindly look over, but I'm wondering...would you please recommend an alternate to Spy Sweeper? I need something with active protection, very effective and very seamless (very un-intrusive), that works with NOD32 v.3 and Outpost Firewall Pro.

I've scoured for two days now, and found SUPERAntiSpyware and it doesn't look very reputable...CounterSpy looks promising but I think it could be overkill...Windows Defender seems weak on definitions and it hasn't had a source engine update since May 2007...and the only other big AntiSpyware Software I can think of is Ad-Aware SE and people say it takes over your system...I'm lost once again...would you offer your opinion?

Thank you in advance!! :hello:


Do you say that you have no issues with Windows Defender because you have very safe and limited internet practices? I ask because even though I do have very safe and restrictive internet practices, I want something that can stand up to something unsafe (should I stray from my trusted sites and into the realm of darkness...:P).

Thank you again cluberti!! B)


It should work just fine. Windows Defender used to be Giant Antispyware, one of the best products out there (at the time it was purchased), and is part of Windows Live OneCare (a non-free product), which does quite well.


Horrible news cluberti, :no:

I had my laptop up for five and a half hours straight tonight (the longest amount of time in a VERY long time), had disabled Spy Sweeper's Context Menu (so that SCCXTMNU.DLL wouldn't load), and as soon as I clicked a link to a website inside of EVEREST Ultimate and Internet Explorer opened...I got the explorer.exe error again...Offset: 03a95b90

All I had done within that five and a half hours is listen to MP3s with WMP v.10, play Assassin's Creed, do a lot of right-clicking to organize some files and folders, then lastly open EVEREST Ultimate and then...the error. :(

Would you be so kind as to take a quick look through this user.dmp, minidump.dmp and drwtsn32.log I've archived into a RAR file and posted to RapidShare? This would only be to see if it's the same exact problem as before. I was still trying to get Windows Defender and the definitions package downloaded and installed before I uninstalled Spy Sweeper...so that's why you're going to see that low-down SCCXTMNU.DLL loaded in memory that I didn't know still loaded (I read the Dr. Watson Log to find it).

http://rapidshare.com/files/144298549/Expl..._Error.rar.html

Anyways, thank you again SO much...and have a good night!! ;)


Same. And I don't know why you don't wish to uninstall to test:

0:011> lmvm SSCtxMnu
start end module name
02c70000 02ced000 SSCtxMnu (deferred)
Image path: C:\Program Files\Spy Sweeper\SSCtxMnu.dll
Image name: SSCtxMnu.dll
Timestamp: Fri Jun 19 18:22:17 1992 (2A425E19)
CheckSum: 00078464
ImageSize: 0007D000
File version: 5.5.7.124
Product version: 5.5.0.0
File flags: 8 (Mask 3F) Private
File OS: 0 Unknown Base
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

It is still loaded and running.


In re-reading your last post cluberti, did you read my whole post from 1am CST this morning and verify the error dumps, that the dll being unloaded was the same problem as before, (or did you only notice that the .dll was still there and stop reading the dump to tell me)?

I hope I don't sound like I'm questioning you, I would just like to make sure...as always, I appreciate your time and knowledge, and it means a lot to me that you care about us (and our computers). :hello:

Edited by neowillendit

OK CharlotteTheHarlott, got the results for the RootkitRevealer.

I had one Rootkit for BioShock, and two Rootkits for Windows Password.

Nothing for Spy Sweeper yet, haven't tried to uninstall yet...can't get it to do the freakin' error again with the debugger monitoring it...this sucks!!

Interesting. Maybe Webroot is exploiting ADS instead. If you are familiar with command line utilities there is a tool that is useful to security-minded folks called LADS. It is capable of creating a filelist of every alternate data stream on an NTFS disk.

The BioShock thing is actually a copy protection according to several contentious Slashdot and Digg articles. Sony never learns.

But you mentioned Windows Password. Do you mean the HKLM\Security\Policy\Secrets\SAC and \SAI with embedded nulls? I just checked a couple of WinXP Pro machines and have no 'Windows Password' rootkits myself. Google turned up nothing obvious on 3 pages. Suspicious I'd say.

Anyway, it's been a while since I saw SpySweeper in person, and I cannot even remember what version it was. I blasted it away with the partition it was crawling around on. I'll let Cluberti continue the fine work he is doing. I'd suggest you follow his advice and remove that shell extension DLL since that is likely to be SpySweeper's shoehorn into Explorer. VERY likely candidate for crashes. Only suggestion is that after you remove the program, you should dump the registry to a file and text search for SSCtxMnu and see if any references remain. They will need to be killed as well.

Oh, one other thing ... I believe this thread helps illustrate the irony of anti-spyware behaving as badly as spyware/viruses. I, like many others, do NOT run active anti-spyware. Instead, periodically I manually run a freshly updated SpybotSD. To prevent realtime spyware exposure I use Opera for web access. IMHO, it's best to use MSIE only for Windows Updates and maybe those increasingly rare MSIE-only sites. However, if you are on broadband and do not have a hardware firewall, you *will* need some realtime anti-virus. And since most such security suites do include realtime anti-spyware, well, Webroot SpySweeper and its ilk become completely unnecessary.

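An added example, not part of the thread and not any vendor's tool: the registry check suggested in the post above, written so that it also finds references a plain text search of the export misses, because regedit writes REG_EXPAND_SZ and REG_MULTI_SZ data as comma-separated hex. The function names, the sample export, its key names and the all-zero CLSID are constructed for illustration; only the DLL path comes from the lmvm output earlier in the thread.

```python
import re

PATH = r"C:\Program Files\Spy Sweeper\SSCtxMnu.dll"   # path shown in the lmvm output
HEX_VALUE = re.compile(r"=hex\((?:1|2|7)\):([0-9a-fA-F,\s]*)$")

def decode_export(raw: bytes) -> str:
    # "Version 5.00" exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI.
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def find_references(raw: bytes, needle: str):
    """Return (key, value name, data) for every key or value mentioning needle."""
    text = decode_export(raw)
    str_enc = "utf-16-le" if "Version 5.00" in text[:64] else "cp1252"
    text = text.replace("\\\r\n", "").replace("\\\n", "")   # join continued hex lines
    needle, key, hits = needle.lower(), None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if needle in key.lower():
                hits.append((key, "(key name)", key))
            continue
        if key is None or "=" not in line:
            continue
        data, m = line, HEX_VALUE.search(line)
        if m:   # string stored as hex: decode it, a plain text search cannot see it
            blob = bytes.fromhex(re.sub(r"[,\s]", "", m.group(1)))
            data = blob.decode(str_enc, errors="replace").replace("\x00", " ").strip()
        if needle in data.lower() or needle in line.lower():
            hits.append((key, line.split("=", 1)[0], data))
    return hits

# Constructed sample export (not taken from the thread); CLSID and key names are placeholders.
_hex = ",".join(f"{b:02x}" for b in (PATH + "\0").encode("utf-16-le"))
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\*\\shellex\\ContextMenuHandlers\\ExampleScanner]\r\n"
    '@="{00000000-0000-0000-0000-000000000000}"\r\n\r\n'
    "[HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32]\r\n"
    "@=hex(2):" + _hex[:60] + "\\\r\n  " + _hex[60:] + "\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor]\r\n"
    '"MenuDll"="' + PATH.replace("\\", "\\\\") + '"\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    for key, name, data in find_references(SAMPLE, "SSCtxMnu"):
        print(f"{key}\n    {name} -> {data}")
```

In the sample, a plain search of the decoded export matches only the `MenuDll` line, while the hex-encoded `InprocServer32` value that actually loads the DLL into Explorer is found only after decoding.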
