Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Application error on most executables after startup

Posted on 2008-06-20
10
Medium Priority
?
1,610 Views
Last Modified: 2011-11-15
After removing a spyware, on startup I get multiple error messages like:
Application Error: The instruction at "....." referenced memory at "....". The memory could not be "read".
This happens on most executables, including explorer.exe, msconfig.exe, sfc.exe... here is a list of some executables, with the instruction address and the memory address:

verclsid   0x0040a54b   0x000a6000
explorer   0x0040a54b  0x000aa000
sfc   0x0040a54b   0x000a9000
skype   0x0014a54b   0x001b7000
firefox   0x0014a54b   0x001a7000
regedit   0x0040a54b   0x00b9000

Strangely, this does not happen on some executable if they are launched early, but only after some time into the startup: for example: skype starts normally when at startup, but if I close and reopen it, it won't start and give me the error.
Some programs start normally at startup, ZoneAlarm Antivirus is among these.

This happened after I have removed a malware infection:
this morning at startup I had a popup in the lower right corner, telling that my pc was infected and i needed an antispyware. I have ZoneAlarm Antivirus and Firewall installed, but ZoneAlarm's TrueVector service had been disabled by this malicious software, and Spybot would not start either. ZoneAlarm Antivirus' update did not work. This malicious software autonomously downloaded and installed a so-called antispyware named XPSecurityCenter, which is surely spyware itself.
I had some Windows automatic updates left pending, and I installed them: among them there was the Windows Malware Removal Tool.
After rebooting, the popup was gone, and i saw a brief message stating that some malware had been removed (I think the windows removal tool removed this spyware, but I'm not sure). ZoneAlarm started working again.
I rebooted again and this time all those messages started to show up.

At this time, I can't run quite anything on my PC. Can somebody please help me?

Thank you
0
Comment
Question by:francescoba
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 

Author Comment

by:francescoba
ID: 21832425
P.S. I noticed that many instruction adresses are the same, this makes me think that there are a few core executables or dlls who cause this problem
0
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 21832960
Download memtest from www.memtest.org and run the tool to test your memory.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 21833030
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 

Author Comment

by:francescoba
ID: 21837221
Thank you for your replies, I'm trying to test your solutions: I have the additional problem that my CD drive is not working, so I'll have to obtain an external CD or floppy drive in order to run memtest86. I'll post the results when i've done it.

Regarding Hijackthis: this morning I tried to run HJTInstall, and it didn't go, giving the same error as the other executables, then after some minuten ZoneAlarm reported a virus (in aspimgr.exe), and put it in quarantine.
After the virus was put in quarantine, all the executables start normally, including Hijackthis, so I run it.
During the scan, Hijackthis gave me an error, that I am attaching to this post together with the log.

Also, I forgot to mention one thing yesterday: after the initial infection I got a windows message stating that some system files had been replaced by different versions, and I should restore them from the windows CD (I could not do this because the cd drive is not working)
HJTerr.jpg
ZAreport.jpg
hijackthis.log
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 2000 total points
ID: 21837325
Download and Run ComboFix (by sUBs) from one of the links below. You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21846182
While IndiGenus helps you get cleaned up, I might suggest backing up ANY important files, getting them off that machine and getting ready for a system format and reinstall.  Sounds also like you may have some hardware issues as well, if you have lost your CD drive and now your Memory is showing issues.
0
 

Author Comment

by:francescoba
ID: 21891314
Thank you all for your help, now I got ComboFix and I scanned my PC, and I am posting the log here, with a new Hijackthis log. After the ComboFix scan my PC began to work normally. I also did a scan with Spybot and with ZoneAlarm Antivirus. I have been using it for some days now without problems. As for the backup, I had already done that, thank you. I am going to check the RAM too, as soon as I get a working Cd drive. I always thought that the cd drive problem is due to mechanical damage, since I transport my laptop by car a lot, for work, and sometimes it got some hits. Anyway, how could I check that?

ComboFix.txt
hijackthis.log
0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21891547
"Anyway, how could I check that?"
Do you have a replacement you could test it out with?  Perhaps if you could burn a LiveCD of a Linux distro you could insert that and boot to it and see if it runs.  But what error do you get currently when you insert a disk to it?
0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21893884
Do you have ANY idea what these are ?
O4 - Startup: Script.ahk
O4 - Startup: Start.vbs


In Hijack This, fix these.
       F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
       O4 - Global Startup: Snippy.lnk = C:\Programmi\Snippy\Snippy.exe
O9 - Extra button: LookWAYup - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://lookwayup.com/lwu.htm (file missing)
       O9 - Extra 'Tools' menuitem: LookWAYup - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://lookwayup.com/lwu.htm (file missing)

Check these and see if you know them. If not Fix in HIJackthis
      O8 - Extra context menu item: LookWAYup - http://lookWAYup.com/lwu.htm


O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8680DA2-873A-11D4-928C-0050DAC7E112} (CTI_RECORDER) - http://fwbox.fastwebnet.it/webmail/comp/recorder_explorer.cab
O16 - DPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} (wodTelnetDLX Class) - https://62.149.174.230:4643/vz/ssh/wodTelnetDLX.cab
0
 

Author Comment

by:francescoba
ID: 21898381
The F2 entry is due to a virus, but it is not present anymore, I think it was removed in the antivirus scans I did after ComboFix. The other entries are all legitimate programs.
The cd drive has mechanical issues: no boot possible (I checked with the bootable memtest86+ iso).
Anyway, since I had no more memory errors after the ComboFix scan, I assume that my RAM is ok and I'll give up the memtest86 scan: the errors were given by the viruses, which were removed by ComboFix.

Thank you all for helping me to solve this problem!
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question