Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Irritating errors, multiple machines.


  • Please log in to reply
8 replies to this topic

#1 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:10:00 AM

Posted 10 August 2015 - 06:35 PM

Hi everyone,

 

Got some irritating errors here happening across multiple machines in the same manner. Errors are not restricted to any particular software but feature heavily on Thunderbird, Word and Excel.

 

Example 1

Faulting application name: thunderbird.exe, version: 38.1.0.5666, time stamp: 0x559c1ed7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x289ff838
Faulting process id: 0x1938
Faulting application start time: 0x01d0cfc06bb9ae4b
Faulting application path: C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
Faulting module path: unknown
Report Id: a7c398f2-3bce-11e5-b879-00249b03bd8a

Example 2

Faulting application name: WINWORD.EXE, version: 12.0.6726.5000, time stamp: 0x559b6b88
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0ccafac2
Faulting process id: 0x1a14
Faulting application start time: 0x01d0d3aed60ff35e
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
Faulting module path: unknown
Report Id: 99c794f3-3fa2-11e5-bd22-00249b03bd8a

Related error, example 3

Faulting application name: WINWORD.EXE, version: 12.0.6726.5000, time stamp: 0x559b6b88
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000096
Fault offset: 0x0b51fbfe
Faulting process id: 0x1bbc
Faulting application start time: 0x01d0bf7daf105693
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
Faulting module path: unknown
Report Id: 648307c9-2b71-11e5-a981-00249b03bd8a

Example 4

Faulting application name: EXCEL.EXE, version: 12.0.6723.5000, time stamp: 0x5584c8e3
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x1489fbda
Faulting process id: 0x16f4
Faulting application start time: 0x01d0d3248e243579
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
Faulting module path: unknown
Report Id: 73c793b8-3f1d-11e5-bf25-a01d48a85edf

Related error, example 5

Faulting application name: EXCEL.EXE, version: 12.0.6723.5000, time stamp: 0x5584c8e3
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000096
Fault offset: 0x1542f83c
Faulting process id: 0xd80
Faulting application start time: 0x01d0d31c422752d7
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
Faulting module path: unknown
Report Id: 2613da46-3f11-11e5-bf25-a01d48a85edf

Example 6

Faulting application name: POWERPNT.EXE, version: 12.0.6600.1000, time stamp: 0x4de50c7e
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x148efb8e
Faulting process id: 0x574
Faulting application start time: 0x01d0d0d0057f0552
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE
Faulting module path: unknown
Report Id: 4faefda5-3cc6-11e5-afb4-a01d48a85edf

Errors cause lags and hangs, general poor performance

 

I have tried resetting system-wide registry and file permissions, removing and re-adding machines to domain, rebuild WMI repositories and uninstalling/reinstalling software. Checked the filesystems and disks for errors also.

 

Any ideas?


Edited by TsVk!, 10 August 2015 - 08:47 PM.


BC AdBot (Login to Remove)

 


m

#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:07:00 PM

Posted 11 August 2015 - 07:07 AM

Well, I can tell you that 0x5 error codes are "Access denied", which means that the process encountered an error due to not having enough permission on a certain task and it crashed. Does it happens across multiple userprofiles, or just one?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 hamluis

hamluis

    Moderator


  • Moderator
  • 54,847 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:06:00 PM

Posted 11 August 2015 - 07:14 AM

I would try the basics...chkdsk /r first, then sfc /scannow.

 

Although I usually think "malware/adware" when I see 05 STOP errors, that's an incorrect assumption on my part.  The 0xc0000096 errors are pretty general...so I would start with eliminating the obvious, file corruption.
 

I note that MS Office is the primary target...I would treat the Thunderbird situation as a different problem because I see no connection between Office and TB.

 

Louis



#4 TsVk!

TsVk!

    penguin farmer

  • Topic Starter

  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:10:00 AM

Posted 11 August 2015 - 04:18 PM

Good morning guys,

 

Well, I can tell you that 0x5 error codes are "Access denied", which means that the process encountered an error due to not having enough permission on a certain task and it crashed. Does it happens across multiple userprofiles, or just one?

Yes, it is across multiple machines even. (I mentioned that)

 

I would try the basics...chkdsk /r first, then sfc /scannow.

 

Although I usually think "malware/adware" when I see 05 STOP errors, that's an incorrect assumption on my part.  The 0xc0000096 errors are pretty general...so I would start with eliminating the obvious, file corruption.
 

I note that MS Office is the primary target...I would treat the Thunderbird situation as a different problem because I see no connection between Office and TB.

I did check for system file corruption as well as checking the disks. (I mentioned that too)

 

It occurred to me that it might have been malware also, after I had exhausted all my other guestimations, so I ran in depth scans for kits and malicious processes... nada.

 

The users are administration users so it doesn't surprise me that I'm not seeing these errors on other software as they don't really have any other software, besides web browsers.

 

I see the MS Office connection with Thunderbird being only that they are experiencing the same error on the same machines at the same time... this says to me there is some sort of system setting (or possibly a Windows flupdate) that is causing these programs to behave this way.

 

But what could this be?



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:07:00 PM

Posted 11 August 2015 - 04:19 PM

Who knows, you could have been testing on multiple machines, but only with one userprofile :P

Are these programs installed normally via their standard installers, or packaged?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 TsVk!

TsVk!

    penguin farmer

  • Topic Starter

  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:10:00 AM

Posted 11 August 2015 - 04:28 PM

Who knows, you could have been testing on multiple machines, but only with one userprofile :P

True... lol

 

 

Are these programs installed normally via their standard installers, or packaged?

They are installed as MSI's as part of a network deployment.

 

I'm going to start investigating the AV solution in place today. The breadcrumbs seem to go in that direction.

 

If you've got any other ideas that I could research I'm all ears mate.



#7 rammy5767

rammy5767

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:00 PM

Posted 11 August 2015 - 10:38 PM

Are the permission errors related to any devices that can't be accessed due to it running in another instance?



#8 TsVk!

TsVk!

    penguin farmer

  • Topic Starter

  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:10:00 AM

Posted 11 August 2015 - 10:44 PM

Are the permission errors related to any devices that can't be accessed due to it running in another instance?

I don't believe so. Single user machines.



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:07:00 PM

Posted 12 August 2015 - 05:34 AM

What Antivirus are you using? Also, when Excel and Word crashes, are you working on any documents that are on a network share, or are they local on the system?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users