Solved

Application error on most executables after startup

Posted on 2008-06-20
Last Modified: 2011-11-15
After removing a spyware, on startup I get multiple error messages like:
Application Error: The instruction at "....." referenced memory at "....". The memory could not be "read".
This happens on most executables, including explorer.exe, msconfig.exe, sfc.exe... Here is a list of some executables, with the instruction address and the memory address:

verclsid   0x0040a54b   0x000a6000
explorer   0x0040a54b  0x000aa000
sfc   0x0040a54b   0x000a9000
skype   0x0014a54b   0x001b7000
firefox   0x0014a54b   0x001a7000
regedit   0x0040a54b   0x00b9000

Strangely, this does not happen on some executables if they are launched early, but only after some time into the startup. For example, Skype starts normally at startup, but if I close and reopen it, it won't start and gives me the error.
Some programs start normally at startup, ZoneAlarm Antivirus is among these.

This happened after I removed a malware infection:
This morning at startup I had a popup in the lower right corner, telling me that my PC was infected and I needed an antispyware. I have ZoneAlarm Antivirus and Firewall installed, but ZoneAlarm's TrueVector service had been disabled by this malicious software, and Spybot would not start either. ZoneAlarm Antivirus' update did not work. This malicious software autonomously downloaded and installed a so-called antispyware named XPSecurityCenter, which is surely spyware itself.
I had some Windows automatic updates left pending, and I installed them: among them there was the Windows Malware Removal Tool.
After rebooting, the popup was gone, and I saw a brief message stating that some malware had been removed (I think the Windows removal tool removed this spyware, but I'm not sure). ZoneAlarm started working again.
I rebooted again and this time all those messages started to show up.

At this time, I can hardly run anything on my PC. Can somebody please help me?

Thank you
0
Question by:francescoba
 

Author Comment

by:francescoba
ID: 21832425
P.S. I noticed that many instruction addresses are the same; this makes me think that there are a few core executables or DLLs that cause this problem.
0
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 21832960
Download memtest from www.memtest.org and run the tool to test your memory.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 21833030
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
0

Author Comment

by:francescoba
ID: 21837221
Thank you for your replies, I'm trying to test your solutions: I have the additional problem that my CD drive is not working, so I'll have to obtain an external CD or floppy drive in order to run memtest86. I'll post the results when I've done it.

Regarding HijackThis: this morning I tried to run HJTInstall, and it didn't run, giving the same error as the other executables; then after some minutes ZoneAlarm reported a virus (in aspimgr.exe) and put it in quarantine.
After the virus was put in quarantine, all the executables started normally, including HijackThis, so I ran it.
During the scan, HijackThis gave me an error, which I am attaching to this post together with the log.

Also, I forgot to mention one thing yesterday: after the initial infection I got a Windows message stating that some system files had been replaced by different versions, and I should restore them from the Windows CD (I could not do this because the CD drive is not working).
HJTerr.jpg
ZAreport.jpg
hijackthis.log
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 500 total points
ID: 21837325
Download and Run ComboFix (by sUBs) from one of the links below. You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running ComboFix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right click on the Network icons & select "Repair".

Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21846182
While IndiGenus helps you get cleaned up, I might suggest backing up ANY important files, getting them off that machine and getting ready for a system format and reinstall.  Sounds also like you may have some hardware issues as well, if you have lost your CD drive and now your Memory is showing issues.
0
 

Author Comment

by:francescoba
ID: 21891314
Thank you all for your help, now I got ComboFix and I scanned my PC, and I am posting the log here, with a new HijackThis log. After the ComboFix scan my PC began to work normally. I also did a scan with Spybot and with ZoneAlarm Antivirus. I have been using it for some days now without problems. As for the backup, I had already done that, thank you. I am going to check the RAM too, as soon as I get a working CD drive. I always thought that the CD drive problem is due to mechanical damage, since I transport my laptop by car a lot, for work, and sometimes it got some hits. Anyway, how could I check that?

ComboFix.txt
hijackthis.log
0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21891547
"Anyway, how could I check that?"
Do you have a replacement you could test it out with?  Perhaps if you could burn a LiveCD of a Linux distro you could insert that and boot to it and see if it runs.  But what error do you get currently when you insert a disk to it?
0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21893884
Do you have ANY idea what these are?
O4 - Startup: Script.ahk
O4 - Startup: Start.vbs

In HijackThis, fix these.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - Global Startup: Snippy.lnk = C:\Programmi\Snippy\Snippy.exe
O9 - Extra button: LookWAYup - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://lookwayup.com/lwu.htm (file missing)
O9 - Extra 'Tools' menuitem: LookWAYup - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://lookwayup.com/lwu.htm (file missing)

Check these and see if you know them. If not, fix in HijackThis.
O8 - Extra context menu item: LookWAYup - http://lookWAYup.com/lwu.htm
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8680DA2-873A-11D4-928C-0050DAC7E112} (CTI_RECORDER) - http://fwbox.fastwebnet.it/webmail/comp/recorder_explorer.cab
O16 - DPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} (wodTelnetDLX Class) - https://62.149.174.230:4643/vz/ssh/wodTelnetDLX.cab
0
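
A triage pass over the HijackThis entries discussed in the comment above, as an added example that is not part of the original thread: it flags extra programs chained onto the UserInit value (the F2 line), entries marked "(file missing)", and scripts in the Startup folder. The rule set, the `triage` and `userinit_extras` names and the `ExampleTray` line are assumptions made for illustration.

```python
import ntpath
import re

# Log lines copied from the comment above, plus one constructed benign entry
# (ExampleTray) so the output shows what is left alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - Startup: Script.ahk
O4 - Startup: Start.vbs
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O9 - Extra button: LookWAYup - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://lookwayup.com/lwu.htm (file missing)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.*\S)\s*$")
SCRIPT_EXT = (".vbs", ".ahk", ".js", ".bat", ".cmd")  # assumed review list


def userinit_extras(body):
    """Return programs chained onto UserInit besides userinit.exe itself."""
    match = re.search(r"UserInit=(.*)", body, re.IGNORECASE)
    if not match:
        return []
    paths = [p.strip() for p in match.group(1).split(",") if p.strip()]
    expected = r"\system32\userinit.exe"
    return [p for p in paths if not p.lower().endswith(expected)]


def triage(log_text):
    """Return (action, section, reason) tuples for entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "F2":
            for extra in userinit_extras(body):
                name = ntpath.basename(extra)
                findings.append(("fix", section, "UserInit also launches " + name))
        if body.lower().endswith("(file missing)"):
            findings.append(("fix", section, "entry points at a missing file"))
        if section == "O4" and body.lower().endswith(SCRIPT_EXT):
            name = body.split(": ", 1)[-1]
            findings.append(("review", section, "script in Startup: " + name))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A "review" result only means the entry should be recognised by the machine's owner, as the comment asks; it is not a verdict that the script is malicious.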
 

Author Comment

by:francescoba
ID: 21898381
The F2 entry is due to a virus, but it is not present anymore; I think it was removed in the antivirus scans I did after ComboFix. The other entries are all legitimate programs.
The CD drive has mechanical issues: no boot possible (I checked with the bootable memtest86+ ISO).
Anyway, since I had no more memory errors after the ComboFix scan, I assume that my RAM is OK and I'll give up the memtest86 scan: the errors were given by the viruses, which were removed by ComboFix.

Thank you all for helping me to solve this problem!
0

Question has a verified solution.
