
Memory Access Violation in Module Kernel32 @ . . .

Discussion in 'Virus & Other Malware Removal' started by evenstarjm, Sep 20, 2003.

  1. evenstarjm

    evenstarjm Thread Starter

    Joined:
    Sep 20, 2003
    Messages:
    21
    I get this message whenever I log on or try to run regedit or msconfig. I'm frustrated trying to find out what the problem is...can you help???

    Each time the @ # is different...i.e., ". . . in module kernel32 at 5443:91271892" these numbers change each login.

    I can't see what is running on startup because this message occurs and never goes into msconfig.

    HELP!!
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  3. evenstarjm

    evenstarjm Thread Starter

    Joined:
    Sep 20, 2003
    Messages:
    21
    is "hijack this scanlog" the subject? and where do I post it? Guess I'm running a bit slow this morning. Thanks for your quick answer, but give more details. THANKS....
     
  4. evenstarjm

    evenstarjm Thread Starter

    Joined:
    Sep 20, 2003
    Messages:
    21
    I found what you meant. Here it is:

    Logfile of HijackThis v1.97.2
    Scan saved at 11:47:25 AM, on 9/20/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\JJTROBD.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bresnan.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bresnan OnLine
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: (no name) - {5E8A1C00-35D3-11D7-A833-000AE61BC92A} - (no file)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\SYSTEM\ASKBARAB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\NoUSB20.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ShellEx] C:\WINDOWS\SYSTEM\ShellEx.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [ggiin] jjtrobd.exe autorun
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ask Jeeves Search - javascript:external.menuArguments.location.href="javascript:AskBarcommand='cmd-search-selection'"
    O8 - Extra context menu item: Dictionary Search - javascript:external.menuArguments.location.href="javascript:AskBarcommand='cmd-search-selection-word'"
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.bresnan.net
    O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.ea.com/downloads/games/common/ieell.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37724.2512152778
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/sportsgames/ssxtricky/ea/wtinst.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/aess6.cab
     
  5. evenstarjm

    evenstarjm Thread Starter

    Joined:
    Sep 20, 2003
    Messages:
    21
    I was reading the instructions for this worm on the security site. How do I restart my machine (Win98) in safe mode.....
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well, you have multiple issues there including this trojan/worm:

    http://www.symantec.com/avcenter/venc/data/backdoor.anakha.html

    Start by checking the following entries in HijackThis and click fix checked:

    O4 - HKLM\..\Run: [ShellEx] C:\WINDOWS\SYSTEM\ShellEx.exe

    O4 - HKLM\..\Run: [ggiin] jjtrobd.exe autorun

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Then you need to follow the instructions in the swen link on my first post.

    You will need to reboot to Safe Mode to carry them out. Read them carefully, download the repair.txt attachment to your desktop and rename it repair.reg.

    I would also suggest you download the exefix08.inf and the regfile.inf files from this link to your desktop for extra insurance.

    http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

    If you have trouble with the Symantec instructions to do the modifications in Folder Options > File Types, you can right click on those files and select "Install".

    After doing that you MUST right click on repair.reg and select "merge".

    Run HijackThis in Safe Mode also and make sure the indicated registry entries do not return.

    When done, post a StartupList rather than a Scanlog. To do that, run HijackThis and click Config > Misc Tools, put a check in "list minor sections" and click Generate StartupList.

    Print out any instructions you need, or copy them to Notepad before going to Safe Mode.

    >>>>To start in Safe Mode first shutdown completely and wait about 20 seconds. Press the ctrl key promptly on restart and select Safe Mode from the boot menu.

    When done you are going to want to delete this file in c:\windows:

    JJTROBD.EXE

    and this file in c:\windows\system:

    ShellEx.exe

    Make sure you have repaired the registry first. When double-clicking the repair.reg file you should get a prompt to merge to the registry and then a confirmation of the successful merge. After that you can delete those files. Be in Safe Mode to do these things.

    >> I'm going to be offline for a few hours but will be back in the afternoon my time to see how things are going, good luck.
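The checks Rollin' Rog applied by eye to the log posted above can be written down. The script below is an added example, not part of this thread and not HijackThis code: it parses the "Running processes" list and the O3/O4/O7 lines of a HijackThis-style log, flags an O7 policy value that blocks regedit (the symptom reported in the first post), flags O3 toolbars whose file is gone, and flags O4 autorun entries given as a bare file name rather than a full path, resolving each one against the process list so the responder sees where it actually lives on disk. The sample log is a constructed subset of the one posted in this thread. The `regedit_unlock_reg` helper emits a minimal REGEDIT4 fragment of my own that resets the flagged policy value to 0; it is not the Symantec repair.reg the reply refers to. Note that a path-qualified entry such as `[ShellEx] C:\WINDOWS\SYSTEM\ShellEx.exe` passes the bare-name check; that one was identified by name, which no path heuristic replaces.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis code)."""
import re

# Constructed subset of the log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\JJTROBD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE

O3 - Toolbar: (no name) - {5E8A1C00-35D3-11D7-A833-000AE61BC92A} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ShellEx] C:\WINDOWS\SYSTEM\ShellEx.exe
O4 - HKLM\..\Run: [ggiin] jjtrobd.exe autorun
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$")

# HijackThis abbreviates hives; a .reg file needs the full names.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def parse_log(text):
    """Split a log into (running process paths, 'O'/'R' section lines)."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                procs.append(line)
            continue
        if re.match(r"^[OR]\d+ - ", line):
            entries.append(line)
    return procs, entries


def executable_of(cmd):
    """First token of a Run command: a quoted path, or up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(text):
    """Return (kind, detail) findings for a log, in log order."""
    procs, entries = parse_log(text)
    # basename -> full path of whatever was running when the scan was taken
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in procs}
    findings = []
    for line in entries:
        if m := O7_RE.match(line):
            if m["value"].lower() == "disableregedit" and m["data"] != "0":
                findings.append(("policy-blocks-regedit", m["key"]))
        elif m := O3_RE.match(line):
            if m["file"].strip().lower() == "(no file)":
                findings.append(("toolbar-missing-file", m["clsid"]))
        elif m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            if "\\" not in exe:     # bare name: resolved through the search path at logon
                resolved = by_name.get(exe.lower(), "not running at scan time")
                findings.append(("autorun-bare-name", f"[{m['name']}] {exe} -> {resolved}"))
    return findings


def regedit_unlock_reg(findings):
    """Minimal REGEDIT4 fragment (constructed here, not the Symantec repair.reg)
    that resets DisableRegedit to 0 under every flagged O7 key."""
    lines = ["REGEDIT4", ""]
    for kind, key in findings:
        if kind != "policy-blocks-regedit":
            continue
        hive, _, rest = key.partition("\\")
        lines += [f"[{HIVES.get(hive, hive)}\\{rest}]", '"DisableRegedit"=dword:00000000', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind:24} {detail}")
    print(regedit_unlock_reg(found))
```

Run it as a script to print the findings and the .reg text; on the sample above it reports the missing-file toolbar, the two bare-name autoruns (SysTray.Exe resolved to C:\WINDOWS\SYSTEM, jjtrobd.exe resolved to C:\WINDOWS) and the regedit policy. The process-list cross-reference is the useful part: a bare name in a Run key tells you nothing about where the file is, while the scan's process list does.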
     

Short URL to this thread: https://techguy.org/166159
