
System Problems


4 replies to this topic

#1 leecher

Posted 03 May 2014 - 03:22 AM

Mod Edit:  Split from http://www.bleepingcomputer.com/forums/t/532864/explorerexe-pseudo-random-crashes/ - Hamluis.

 

Hi,

I have a machine that is experiencing the same problems. It also runs Office 2010 and random processes are crashing randomly (mostly due to heap corruption, as my crashdumps show), including explorer.exe.

It's always related to the heap and the problem has been occurring since April the 14th.

Could it be, that the bug is related to some Microsoft updates installed?

I already checked RAM -> No problems, even changed the RAM Module just to be sure.

I checked for viruses, but there weren't any viruses found on the system.

There were no new software installations except for the windows updates.

I'm really clueless what could be causing this. Any ideas? Maybe uninstall the M$ updates from April and see if the problem goes away?

 

One stacktrace of explorer.exe showed that it was trying to send a LVM_GETITEMTEXT to some listview but the LVITEM pointer in LPARAM was pointing to a location on the heap that didn't exist (anymore?), causing the crash, but as I said, the crashes have random causes; the only thing in common is that they are heap corruption errors.

 

Office 2010 (Word, Outlook) is always crashing with 0xc0000374 (heap corruption).

 

Any help would be appreciated.


Edited by hamluis, 03 May 2014 - 07:26 PM.
PM sent new OP, moved from Win 7 to Am I Infected - Hamluis.



#2 hamluis


Posted 03 May 2014 - 09:52 AM

Please download MiniToolBox, save it to your desktop and run it.
 
Checkmark the following checkboxes:
  List last 10 Event Viewer log
  List Installed Programs
  List Users, Partitions and Memory size.
 
Click Go and paste the content into your next post.
 
Also...please Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792 , taking care to post the link of the snapshot in your next post.
 
Louis



#3 leecher


Posted 03 May 2014 - 04:04 PM

Hi,

 

I think I was able to solve my problem. It turned out to be a variant of the ZBot trojan that the Virus scanner didn't recognize.

It injects itself into every process and it seems to be buggy, therefore causing crashes.

I found it using Process Monitor by Sysinternals and watching the file access of a new process (i.e. notepad.exe) on startup.

It was accessing an empty folder in %AppData%\Roaming and searching for some file there. I then had a look at the thread stack of the thread trying to create the file. It contained some unknown addresses in a low virtual memory area (seems to match the area where the invalid heap pointers pointed to in my WinDbg dumps), mostly between 00200000 and 00400000. I dumped the memory there and got an executable image which I uploaded to VirusTotal, which finally told me that this must be a virus.

I then found the .exe starting the trojan also in the %AppData%\Roaming folder, in another folder with a randomly created name.

It was started by HKCU\software\microsoft\windows\currentversion\run iirc, but was hiding the key.

Deleted the trojan and the registry key and hopefully everything is fine now again.

 

Regards
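
Added example (not part of the original thread or any poster's code): a sketch of the triage step described in post #3, flagging thread-stack addresses that are not backed by any loaded module and merging them into ranges to dump. The module list, stack addresses and function names are constructed for illustration.

```python
import bisect

# Constructed sample data, not taken from the thread: modules loaded in a
# process as (base, size, name), as a debugger's module list would show them.
MODULES = [
    (0x00A00000, 0x00030000, "notepad.exe"),
    (0x75000000, 0x00110000, "kernel32.dll"),
    (0x77000000, 0x00180000, "ntdll.dll"),
]
# Constructed return addresses of one thread's stack, innermost frame first.
STACK = [0x77012345, 0x75001234, 0x002A1F40, 0x002A0C10, 0x003B2000, 0x00A01500]

def owner(addr, modules):
    """Return the name of the module containing addr, or None if unbacked."""
    mods = sorted(modules)
    i = bisect.bisect_right([m[0] for m in mods], addr) - 1
    if i >= 0:
        base, size, name = mods[i]
        if base <= addr < base + size:
            return name
    return None

def unbacked_frames(stack, modules):
    """Stack addresses that do not fall inside any loaded module image."""
    return [a for a in stack if owner(a, modules) is None]

def candidate_regions(addrs, page=0x1000, gap=0x10000):
    """Merge addresses into page-aligned (start, end) ranges worth dumping."""
    regions = []
    for a in sorted(addrs):
        start = a & ~(page - 1)
        end = start + page
        if regions and start - regions[-1][1] <= gap:
            regions[-1][1] = max(regions[-1][1], end)
        else:
            regions.append([start, end])
    return [tuple(r) for r in regions]

if __name__ == "__main__":
    suspicious = unbacked_frames(STACK, MODULES)
    for start, end in candidate_regions(suspicious):
        print(f"unbacked code region: {start:08X}-{end:08X}")
```

Legitimate JIT compilers also execute from memory with no module behind it, so a hit is a lead for dumping and scanning the region, not a verdict on its own.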



#4 dc3


Posted 03 May 2014 - 04:14 PM

ZBot is a Trojan horse that attempts to steal confidential information from the compromised computer.  This is one nasty and tenacious infection.  I would suggest opening a topic in Virus, Trojan, Spyware, and Malware Removal Logs forums to be certain you have cleaned this infection.

 
Before posting your topic there you will need to read and follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
 
This forum is always busy, for this reason it may take a couple of days before a member of the Malware Removal Team will be able to get to your topic.  Do not add anything once you have posted your log.  The Malware Removal Team members look for topics which have not been addressed, if you post any additional information it will make it appear that the topic is being addressed.
 
After you have posted your new topic a Moderator will close this topic.  If after cleaning the infection it is determined that you have a software or hardware issue you can contact a Moderator to have your topic reopened.  

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#5 leecher


Posted 07 May 2014 - 02:36 PM

Problem should be solved, I already removed the virus, topic can be closed, thanks.





