Solved

Application error on most executables after startup

Posted on 2008-06-20
10
1,607 Views
Last Modified: 2011-11-15
After removing a spyware, on startup I get multiple error messages like:
Application Error: The instruction at "....." referenced memory at "....". The memory could not be "read".
This happens on most executables, including explorer.exe, msconfig.exe, sfc.exe... here is a list of some executables, with the instruction address and the memory address:

verclsid   0x0040a54b   0x000a6000
explorer   0x0040a54b  0x000aa000
sfc   0x0040a54b   0x000a9000
skype   0x0014a54b   0x001b7000
firefox   0x0014a54b   0x001a7000
regedit   0x0040a54b   0x00b9000

Strangely, this does not happen on some executable if they are launched early, but only after some time into the startup: for example: skype starts normally when at startup, but if I close and reopen it, it won't start and give me the error.
Some programs start normally at startup, ZoneAlarm Antivirus is among these.

This happened after I have removed a malware infection:
this morning at startup I had a popup in the lower right corner, telling that my pc was infected and i needed an antispyware. I have ZoneAlarm Antivirus and Firewall installed, but ZoneAlarm's TrueVector service had been disabled by this malicious software, and Spybot would not start either. ZoneAlarm Antivirus' update did not work. This malicious software autonomously downloaded and installed a so-called antispyware named XPSecurityCenter, which is surely spyware itself.
I had some Windows automatic updates left pending, and I installed them: among them there was the Windows Malware Removal Tool.
After rebooting, the popup was gone, and i saw a brief message stating that some malware had been removed (I think the windows removal tool removed this spyware, but I'm not sure). ZoneAlarm started working again.
I rebooted again and this time all those messages started to show up.

At this time, I can't run quite anything on my PC. Can somebody please help me?

Thank you
0
Comment
Question by:francescoba
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 

Author Comment

by:francescoba
ID: 21832425
P.S. I noticed that many instruction adresses are the same, this makes me think that there are a few core executables or dlls who cause this problem
0
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 21832960
Download memtest from www.memtest.org and run the tool to test your memory.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 21833030
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:francescoba
ID: 21837221
Thank you for your replies, I'm trying to test your solutions: I have the additional problem that my CD drive is not working, so I'll have to obtain an external CD or floppy drive in order to run memtest86. I'll post the results when i've done it.

Regarding Hijackthis: this morning I tried to run HJTInstall, and it didn't go, giving the same error as the other executables, then after some minuten ZoneAlarm reported a virus (in aspimgr.exe), and put it in quarantine.
After the virus was put in quarantine, all the executables start normally, including Hijackthis, so I run it.
During the scan, Hijackthis gave me an error, that I am attaching to this post together with the log.

Also, I forgot to mention one thing yesterday: after the initial infection I got a windows message stating that some system files had been replaced by different versions, and I should restore them from the windows CD (I could not do this because the cd drive is not working)
HJTerr.jpg
ZAreport.jpg
hijackthis.log
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 500 total points
ID: 21837325
Download and Run ComboFix (by sUBs) from one of the links below. You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21846182
While IndiGenus helps you get cleaned up, I might suggest backing up ANY important files, getting them off that machine and getting ready for a system format and reinstall.  Sounds also like you may have some hardware issues as well, if you have lost your CD drive and now your Memory is showing issues.
0
 

Author Comment

by:francescoba
ID: 21891314
Thank you all for your help, now I got ComboFix and I scanned my PC, and I am posting the log here, with a new Hijackthis log. After the ComboFix scan my PC began to work normally. I also did a scan with Spybot and with ZoneAlarm Antivirus. I have been using it for some days now without problems. As for the backup, I had already done that, thank you. I am going to check the RAM too, as soon as I get a working Cd drive. I always thought that the cd drive problem is due to mechanical damage, since I transport my laptop by car a lot, for work, and sometimes it got some hits. Anyway, how could I check that?

ComboFix.txt
hijackthis.log
0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21891547
"Anyway, how could I check that?"
Do you have a replacement you could test it out with?  Perhaps if you could burn a LiveCD of a Linux distro you could insert that and boot to it and see if it runs.  But what error do you get currently when you insert a disk to it?
0
 
LVL 30

Expert Comment

by:Marc Z
ID: 21893884
Do you have ANY idea what these are ?
O4 - Startup: Script.ahk
O4 - Startup: Start.vbs


In Hijack This, fix these.
       F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
       O4 - Global Startup: Snippy.lnk = C:\Programmi\Snippy\Snippy.exe
O9 - Extra button: LookWAYup - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://lookwayup.com/lwu.htm (file missing)
       O9 - Extra 'Tools' menuitem: LookWAYup - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://lookwayup.com/lwu.htm (file missing)

Check these and see if you know them. If not Fix in HIJackthis
      O8 - Extra context menu item: LookWAYup - http://lookWAYup.com/lwu.htm


O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8680DA2-873A-11D4-928C-0050DAC7E112} (CTI_RECORDER) - http://fwbox.fastwebnet.it/webmail/comp/recorder_explorer.cab
O16 - DPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} (wodTelnetDLX Class) - https://62.149.174.230:4643/vz/ssh/wodTelnetDLX.cab
0
 

Author Comment

by:francescoba
ID: 21898381
The F2 entry is due to a virus, but it is not present anymore, I think it was removed in the antivirus scans I did after ComboFix. The other entries are all legitimate programs.
The cd drive has mechanical issues: no boot possible (I checked with the bootable memtest86+ iso).
Anyway, since I had no more memory errors after the ComboFix scan, I assume that my RAM is ok and I'll give up the memtest86 scan: the errors were given by the viruses, which were removed by ComboFix.

Thank you all for helping me to solve this problem!
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
This article shows how to use a free utility called 'Parkdale' to easily test the performance and benchmark any Hard Drive(s) installed in your computer. We also look at RAM Disks and their speed comparisons.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question