WG: alarms, and one "thud..."

Discussion in 'WormGuard' started by SG1, Jun 8, 2003.

Thread Status:
Not open for further replies.
  1. SG1

    SG1, Registered Member (joined Jan 16, 2003; 430 posts)
    Am using WG trial ver. It tends to now and then spring to life, w/warnings over legit. programs: why is that?
    And first time or so I ran it, closed it, & got this msg.

    WGUARD caused an invalid page fault in
    module MSVBVM60.DLL at 0167:66015db2.
    Registers:
    EAX=018e151c CS=0167 EIP=66015db2 EFLGS=00010202
    EBX=6610f470 SS=016f ESP=0067fbdc EBP=0067fbf4
    ECX=012af3ec DS=016f ESI=012af378 FS=1137
    EDX=0000001e ES=016f EDI=00000000 GS=0000
    Bytes at CS:EIP:
    f6 40 3c 01 0f 85 ea 2a 02 00 8b 06 8b ce ff 50
    Stack dump:
    bff55836 00000000 ffffffff 010c47f4 011af114 00000000 0067fc30 660103a8 bff55836 00000000 ffffffff 00000000 00000020 0067f9c8 00000000 0067fc1c

    Any idea what the above crash was about?

    Thanks for info, SG1 (Pat)
     
  2. Pilli

    Pilli, Registered Member (joined Feb 13, 2002; 6,217 posts; location: Hampshire UK)
    Hello SG1, What OS are you using? If it is XP or W2K my version MSVBVM6.dll shows as 6.0.92.37
     
  3. SG1

    The dll file you mention is 6.00.8877, on this WIN98se box; it is in System DIR. Seems I put WG in a folder on the Desktop, which has related WG files in it, but not the .dll file you spoke of. Did I mess up big time here, w/botched install, and somehow separate files that should reside in same DIR?! If so, I'm a dingbat...
    Thanks for info, SG1 (Pat)
     
  4. Pilli

    Hello Pat, Hmm, I would suggest that you uninstall & re-install - usually WG sits in the programmes directory.
    Not sure if the msvbvm60.dll in W98 is correct but hopefully Jooske will be along soon as she runs W98 and may be able to help.
     
  5. Jooske

    Jooske, Registered Member (joined Feb 12, 2002; 9,713 posts; location: Netherlands, EU near the sea)
    Hi Pat,
    I have that file in windows\system on win98se, my version is 6.00.9237, but the version you run should be ok.
    Are you also using TDS and if so without any problems?

    http://tds.diamondcs.com.au/index.php?page=files
    Here are the required files for TDS, which should do for WG as well.

    http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q192/4/61.asp&NoWebContent=1
    Here is the whole VB 6.0 SP5 to update Visual Basic runtimes just in case.

    You might like to have WG install default, not on your desktop anyway.
     
  6. SG1

    Jooske;
    Not using TDS. But, just wondered about the 1 crash or so of WG early on, and if I had a "pilot error" botched install by WG winding up where it did (and see my earlier post about that). But, you say the .dll file isn't too old, or shouldn't cause troubles? Should it be in same DIR as WG, perhaps?
    Thanks for info, SG1 (Pat)
     
  7. Jooske

    Hi again, we crossed posting.
    No, the msv...60.dll is a system file and it really belongs in windows\system.
    But I really wonder where you installed WG. I think the advice to uninstall and reinstall default in program files is a good place, unless WG now runs perfect.

    If there is a warning WG will popup with that and tell you what the warning is about, you can inspect it and view the source of the file in the safe mode and decide to stop or run it anyway.
    It will warn for double extensions and lots more.
     
  8. SG1

    Jooske;
    WG seems to run fine now, as near as I can tell, but for the periodic warning about what have been legit programs about to open (thus far).
    I'd guess that's better than being asleep on the job, but I wonder about those warnings; will crying wolf too many times dull our senses, and perhaps cause one to not pay attention "just once" & accept a file w/out checking closely enough? {That's just a face value query; I'm not here to badmouth WG, by any stretch of the imagination}.
    Thanks for info, SG1 (Pat)
     
  9. Jooske

    It's hard to tell without examples.
    Which reasons does WG give you for stopping the programs?
    Do you know them, are you sure they're not infected, no double extensions?
    A program like wg.3.1.exe for instance would be called a double extension and might be stopped, or opening an email attachment like file.jpg.exe.eml would certainly gain a double extension and with that "exe" it would really need a closer look, etc.
    So the warnings differ, look what WG is saying about holding them, what you see in the source, etc.
    If you're really really 100% sure you can even put such files in the exclusions ("always allow") to avoid further warnings on them.
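
A sketch of the double-extension check discussed in the post above, added here as an example; it is not part of the thread and not WormGuard's own code. The extension lists and the three verdicts are assumptions, and it goes one step beyond the post by grading a version-style name such as wg.3.1.exe lower than a disguised one such as file.jpg.exe.eml.

```python
# Assumed extension lists for illustration; not WormGuard's own rule set.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
DECOY = {"jpg", "gif", "txt", "doc", "pdf", "mp3", "htm"}
WRAPPER = {"eml", "msg"}  # mail containers that keep the inner name


def classify(filename):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    # Padding spaces can push the real extension out of view and empty
    # segments ("a..exe") add nothing, so normalise both away first.
    parts = [p.strip() for p in filename.lower().split(".")]
    parts = [p for p in parts if p]
    exts = parts[1:]

    # Peel mail wrappers so file.jpg.exe.eml is judged as file.jpg.exe.
    wrapped = False
    while exts and exts[-1] in WRAPPER:
        exts, wrapped = exts[:-1], True

    if not exts or exts[-1] not in EXECUTABLE:
        return ("allow", "final extension is not executable")

    earlier = exts[:-1]
    if any(e in DECOY for e in earlier):
        return ("block", "document/media extension before executable one")
    if wrapped:
        return ("review", "executable name inside a mail wrapper")
    if earlier and all(e.isdigit() for e in earlier):
        return ("allow", "extra dots look like a version number")
    if earlier:
        return ("review", "unrecognised extra extension before executable")
    return ("allow", "single executable extension")


# Constructed sample names, including the two from the post.
SAMPLES = ["wg.3.1.exe", "file.jpg.exe.eml", "photo.jpg      .exe",
           "setup.exe", "update.patch.exe", "report.exe.eml", "notes.txt"]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, reason = classify(name)
        print(f"{verdict:6}  {name!r}: {reason}")
```

Grading the result instead of raising one alarm for every extra dot keeps the strongest warning for names that imitate a document or picture.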
     
  10. SG1

    Jooske;
    Great advice, many thanks. It's our job, as it were, to pay very close att'n. to the man behind the curtain esp. if it is a double file ext., or something coming in via e-mail or the like.
    A while back, I'd (luckily) read about a virus or worm going around in e-mail, coming "from" support at microsoft... w/attachment, and line saying something like the answer or info, is *in* the attachment.
    Well, day or so later upon getting home late one night after work... guess what was in the mailbox?
    Had to laugh, knowing what it was - and I use program/s to look at mail and deal w/it, on the ISP's server - meaning almost none of it actually downloads after erasing (the) mostly spam.
    Thanks for info, SG1 (Pat)
     
  11. Jooske

    You're welcome!
    In such cases I like to save the attachment to another place and scan it from there (you might like to zip it for extra security and delete the original and clean out the recycle bin) to see what my scanners have to say about it.
    Yes, I got them from the same sender, which by spamblockers fortunately now is seen as massmailing/spam and thus blocked or sent to the junkfolders in the webmail accounts.
    The WG blocked list you might like to edit with more names to block: it's no use if a trojan or worm is named XXX.trojan but it's working nasty executable YYY.exe to add the name XXX.trojan but just that exe name. WG doesn't really need those names as it looks for malicious code in the first place anyway.
     