"attempt to access invalid address"

Discussion in 'adware, spyware & hijack cleaning' started by knowlwk, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. knowlwk

    knowlwk, Registered Member (Joined: Jun 30, 2004; Posts: 2)
    Anyone seen this.. I've got a customer that contracted several spywares a day or two ago. At about the same time, when trying to run various DOS applications, an error pops up that says "Attempt to access invalid address". The apps live on a 2000 server and are run from a mapped drive on an XP Pro workstation. It doesn't matter if I use the shortcut on the desktop, go directly to the exe on the mapped drive, go directly to the exe using Network Places, or use the command line to run it from the mapped drive.

    I've google'd it, dejanews'd it, knowledgebase'd it, etc... Several folks with the problem, no insight as to the cause or the fix. I will most likely just choose a restore point, but figured if it was caused by spyware, I'll see it again soon.

    It may not be due to spyware, but did happen about the same time as picking up a few critters. I don't have a hijack log, and didn't keep many notes as I was removing stuff.. I was pcanywhere'd through a third box to get there and had other things to worry about. I do remember bridge.dll, as well as alchem.ini, several other .exe's and .dll's in the \windows and \windows\system32 directories, if that helps.

    Thanks,
     
  2. knowlwk

    UPDATE: "attempt to access invalid address"

    OK, turns out it was a bit of software known as "BKDR_HAXDOOR.O" and/or "Backdoor.Haxdoor.B". Stumbled on it when Event Viewer mentioned problems with "keboot" and "kesdm" services. Other files involved were:

    w32_ss.exe
    Boot32.sys
    C3.dll
    C3.sys
    C4.sys
    Sdmapi.sys
    Debugg.dll
    P2.ini
    klogini.dll

    Although it is more of a trojan/virus... finding it was very similar to hunting down VX2 components...

    It seems as if the components running in memory were locking out the address spaces reserved for DOS apps in XP Pro.
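
Added example, not part of the original thread and not the poster's code: a triage check that looks for the file names and the two service names listed in the update above. The function names, the verdict labels, the scanned root and the use of saved `sc query` text as the service source are assumptions; the directory tree and `sc` text in `demo()` are constructed.

```python
import os
import re
import tempfile

# Names copied from the post above, lower-cased (Windows names ignore case).
LISTED_FILES = {"w32_ss.exe", "boot32.sys", "c3.dll", "c3.sys", "c4.sys",
                "sdmapi.sys", "debugg.dll", "p2.ini", "klogini.dll"}
LISTED_SERVICES = {"keboot", "kesdm"}

def find_files(root):
    """Return sorted paths under root whose file name is on the list."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in names
                 if n.lower() in LISTED_FILES]
    return sorted(hits)

def find_services(sc_output):
    """Return listed service names found in saved `sc query` text."""
    names = re.findall(r"^\s*SERVICE_NAME:\s*(\S+)", sc_output, re.M | re.I)
    return sorted({n.lower() for n in names} & LISTED_SERVICES)

def triage(root, sc_output):
    """Combine both checks. Name matches are leads, not proof."""
    files, services = find_files(root), find_services(sc_output)
    if files and services:
        verdict = "corroborated"   # two independent artifact types agree
    elif files or services:
        verdict = "investigate"    # one artifact type only
    else:
        verdict = "no-match"       # absent names do not prove a clean host
    return {"files": files, "services": services, "verdict": verdict}

def demo():
    """Run triage on a constructed directory tree and constructed sc text."""
    sc_text = ("SERVICE_NAME: Spooler\n        STATE : 4 RUNNING\n"
               "SERVICE_NAME: KeBoot\n        STATE : 1 STOPPED\n")
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        for name in ("C3.SYS", "klogini.dll", "notepad.exe"):
            open(os.path.join(sysdir, name), "w").close()
        result = triage(root, sc_text)
    result["files"] = [os.path.basename(p) for p in result["files"]]
    return result
```

Several of the listed names (`C3.dll`, `Debugg.dll`) are short and generic, so a file-only hit is graded "investigate" rather than treated as confirmation.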
     