Argh.
Every time I try to use Windows Explorer (to open a folder, for example), I get the same error:
The instruction at “0x10040065” referenced memory at “0x00000000”. Memory can not be “written”.
And then, Windows Explorer crashes and restarts. This is very annoying as I have folders that I’d like to be able to open. Anybody know how to fix this?
Which OS are you using?
This is in Windows XP.
Is that the entirety of the error message?
Here’re similar error messages
http://support.microsoft.com/default.aspx?scid=kb;en-us;243668
OR
http://support.microsoft.com/default.aspx?scid=kb;en-us;840114
?
That error isn’t very informative. Have you installed any new hardware or software recently?
The first troubleshooting step I would take would be to run the System File Checker. It will scan Windows’ system files and replace any that are damaged. To do this, go to the command prompt and type sfc /scannow. It may ask you to insert your Windows CD.
I haven’t added anything new… at least not intentionally. I just got some new spyware/adware that I’m trying to remove, but nothing less than Hijack This seems to have worked, so now I’m busy trying to figure out H.T., which is just made more frustrating by not being able to use Explorer.
I don’t have the Windows CD, since this is my office computer and Windows was installed by the computer people who didn’t leave a CD with me.
Okay, here’s the result. I know that the R1’s are bad, but they come back every time I remove them. I’ve tried to remove the O15’s once (but I probably forgot to close my browser windows that time). And I think the last O23 is bad (probably part of a malicious CWS thingy).
Logfile of HijackThis v1.99.1
Scan saved at 6:05:11 PM, on 2/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\simacdonald\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {064FECF5-41EB-24D9-4618-B80CDA730938} - C:\WINDOWS\appqb32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM…\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM…\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM…\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM…\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM…\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM…\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM…\Run: [HP Software Update] “C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe”
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM…\Run: [netud32.exe] C:\WINDOWS
etud32.exe
O4 - HKLM…\Run: [tibs5] C:\WINDOWS\system32 ibs5.exe
O4 - HKLM…\RunOnce: [addma32.exe] C:\WINDOWS\system32\addma32.exe
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS
pqtplugin.dll
O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12c3ef7769b10ccbd000/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = una.edu
O17 - HKLM\Software…\Telephony: DomainName = una.edu
O17 - HKLM\System\CCS\Services\Tcpip…{18FA037F-CCA5-490B-B539-7B52D1001F0F}: Domain = una.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = una.edu
O17 - HKLM\System\CS1\Services\Tcpip…{18FA037F-CCA5-490B-B539-7B52D1001F0F}: Domain = una.edu
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\addkh.exe (file missing)
Yes, unfortunately.
Download the latest editions of CWShredder (the stand-alone version) and AboutBuster and run them in Safe Mode. Then, while still in Safe Mode, run HijackThis and remove the following lines if they’re still present:
**
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\skkhp.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {064FECF5-41EB-24D9-4618-B80CDA730938} - C:\WINDOWS\appqb32.dll
O4 - HKLM…\Run: [netud32.exe] C:\WINDOWS
etud32.exe
O4 - HKLM…\Run: [tibs5] C:\WINDOWS\system32 ibs5.exe
O4 - HKLM…\RunOnce: [addma32.exe] C:\WINDOWS\system32\addma32.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\addkh.exe (file missing)**
Then manually delete or rename the following files if they’re still there:
C:\WINDOWS\skkhp.dll
C:\WINDOWS\appqb32.dll
C:\WINDOWS
etud32.exe
C:\WINDOWS\system32 ibs5.exe
C:\WINDOWS\system32\addma32.exe
C:\WINDOWS\system32\addkh.exe
Reboot in Normal Mode, run HijackThis again, and see if any of the malicious items have returned.
Okay, thanks so much. After doing all of that, I can now use Windows Explorer again! And my home page (which had been hijacked) is now mine again! (I was also getting occasional extra popups… I’ll have to wait and see if those return.)
However, one malicious item still remains:
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\addkh.exe (file missing)**
I’m not sure how worried I should be about this, since all the symptoms again.
Anyway, thanks again. That helped a lot.
Oops, I meant all they symptoms “are gone”.
As long as that file really isn’t there then it should be ok.
I’m glad to hear things are working.