mjcad

Spoolsv.exe application error - reboots machine automatically!

I got this error when just trying to load my machine.
Spoolsv.exe application error.  The instruction at "0x00376B7" referenced memory at "0x003706B7" the memory could not be "written".  
I can't even get my desktop to appear before my computer automatically reboots itself.  I've tried to go in through safe mode but it automatically reboots as well.  Any idea of how I can load my desktop to try to fix this issue?  Also, any suggestions on a fix?  Is this the spoolsv.exe worm?
Thanks so much for any assistance!
ComputerTechie

Try pressing F8 and selecting Last Known Configuration or VGA mode, then reinstall your printer, reboot and reinstall it.
If still unable to boot up, try the recovery console and rename spoolsv.exe in C:\WINDOWS\system32\spoolsv.exe, then run SFC /SCANNOW
CT
 
mjcad

ASKER

Thanks CT.  Just an FYI, I don't even have a printer hooked up to my PC.  So, I'm not sure why this error is popping up.  That's why I'm thinking it might be a virus of some sort.  Also, I tried selecting Last Known Configuration and VGA mode without luck.  I don't have the recovery console so I am trying to get that installed now.  I'll keep you updated.
Thanks again for your help.
Creating a live CD with Dr Web CureIt might help. You need to boot using this CD and do a virus scan from the CD itself. That should help!

http://www.freedrweb.com/livecd/

Don't forget to read the documentation that is available on: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

Hope it helps.

Alternatively, you can slave it to another PC and do a full antivirus scan of it. MalwareBytes (www.malwarebytes.org) is also a scanner that you can use.
mjcad

ASKER

Hi warturtle,
Thanks for the advice.  I am having trouble getting the CD with the iso file to boot up.  I have the CD-ROM as the first option when booting up, but nothing happens.  The CD has this file on it "minDrWebLiveCD-5.0.0.iso", do I need something else?  Sorry to be such a pain!  I didn't see a help section on the Dr Web CureIt site.
Thanks for any assistance. :)
Hi,

Check the following MS support article:

http://support.microsoft.com/kb/810894


A Symantec Certified Specialist @ your service
Hmm.. I see. If you can see the iso file when you look at the CD in Windows Explorer, that means that the CD has not been burnt correctly. The iso file that you downloaded is an image and needs to be burnt as an image and not like a normal data CD. If you send me the name of the CD writing program that you use, I'll look up specific instructions and send them to you, or you can search for 'Burn Image' or 'Burn Image to disk' on Google along with the name of the CD writing program and see the instructions yourself. You'll have to use another blank CD now.

If you burn the iso file on a CD as an image, then on opening this CD in explorer you'll see a lot of different files in it generally depending on the content of the CD.
Spoolsv.exe is the Windows Print Spooler service.  Generally, this will happen if you have a corrupt or buggy printer driver.
Once you've run a virus and malware scan to show that this is the genuine executable, remove one printer driver at a time until your machine isn't rebooting.
If you have a number of print drivers installed, try disabling automatic system reboot and configure your PC to generate a kernel memory dump - post it here and it will aid troubleshooting.

HTH
mjcad

ASKER

Thanks again to everyone for the great suggestions.  Here is an update.  I ran Dr Web CureIt and found a ton of viruses.  Looks like I hit the virus mother lode!  Here are some of the ones it found:
backdoor.tdss.115
trojan.packed.191
trojan.packed.255
winlogqu.exe

After the scan completed I was able to log back into my computer but the same error message appeared.  I ran Ad-Aware and Trend Micro Anti-Spyware.  This found more viruses and "threats".  Here are a few:
infostealer.gampass
trojan.fakeavalert
bloodhound.exploit.196

I tried to run Symantec antivirus and got this error message "Could not start scan.  Scan engine returned error 0x20000058".  I tried stopping the Symantec service and restarting it but that did not solve the problem.  I also renamed spoolsv.exe and ran SFC /SCANNOW from the command line as suggested by ComputerTechie above.

When I rebooted my computer the chkdsk utility started.  Let me know if you need the report.

This time I got a whole new set of errors.  The spoolsv.exe error was gone (probably since I renamed it) and in its place I got this:

logonui.exe application error
wmiprvse.exe application error
transferagent.exe app. error

The Data Execution Prevention popup keeps displaying for the Windows Logon UI and for Windows explorer.

I checked the system Event Viewer and here is the error that keeps popping up:
"The wuausev Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key."

Hopefully, that is enough info to get you started.  Please let me know what else you need and I will provide it.  Any idea what

So, as you can see I've still got serious issues.  Any help is appreciated.
Thanks again!
Good, good, good! Finally, you can boot into your laptop again. I am going to suggest that you download ComboFix and run it in safe mode. It can be downloaded from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix . The same page also has instructions which I suggest that you read before you run ComboFix. I suggest downloading it and saving with a completely different name like jabba.exe and then disabling your antivirus and firewall and then running it. After ComboFix has finished and created a log, you can re-enable your antivirus and firewall. Please send that log to us.

The computer should be clean enough to let you install MalwareBytes Anti-Malware on your PC. It can be downloaded from: www.malwarebytes.org . Install it, update the definitions, then reboot your computer in safe mode and do a full scan with this. That should clean most of the infections. And send us that log as well. It's not a replacement for your antivirus product but a specialised utility to clean spyware which can sometimes trouble antiviruses and can escape detection by antiviruses as well.
After having suggested all of the above, I still cannot 100% guarantee that a Windows re-install is not an option, because you are getting errors on lots of Windows files, and it might be that they have been corrupted by a virus.

But best to do the above suggestions first and see what we can find on your PC and assess the amount of repair needed.
mjcad

ASKER

Warturtle,
Looks like I'm in deep trouble!  I tried downloading Combofix in safe mode and got this error:
ALERT It is not safe to continue
contents of combofix package have been compromised.  Download a fresh copy.  Note:  You may be infected with a file patching virus (virut).

Do you recommend that I follow the directions here http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=3 
??
ASKER CERTIFIED SOLUTION
warturtle
This solution is only available to members.
mjcad

ASKER

Thanks for the help warturtle!  I appreciate you taking the time to work with me!  I'm going to start the process of rebuilding my computer! :)
Thanks for the feedback. Always happy to help :)