[TIP] Strange 0xc0000005 issue (solution)

[Kirby]

Twice in the last couple of weeks I've had a Windows 7 computer come in with a strange issue where when I try to start some programs, some just won't do anything and others will give me a 0xC0000005 error. My memory is really bad, so even though I had it just 2 or 3 weeks ago, I did an hour of diagnostics again before I remembered doing it recently and, thus the solution. Hopefully typing it out here will keep it fresh in my mind if I see it again.

First, a little background. Not all programs give the error, but most do. But everything runs just fine in Safe Mode, in as much as they would normally run in Safe Mode anyway. So the first time around after Googling and wracking my brain I finally decided to us MSConfig to disable things and re-enable them a few at a time to see if I could narrow it down. And that worked. With all non-Microsoft services and all programs disabled, no error. The weird thing is, the issue never came back, even after re-enabling everything. So this time after disabling everything I checked that Chrome would open, then enabled all programs and rebooted. I checked Chrome again, then enabled all services and rebooted. For some reason, disabling and then enabling everything fixed this issue for me twice now.

One note, if you have Avast installed be sure not to disable the aswbIDSAgent service. It will not re-enable and you have to repair Avast to fix it.

I hope this turns a ridiculous issue into a simple fix for someone out there. And I hope I remember it the next time I see it so I don't waste so much time on it next time.

 

[HFultzjr]

Thanks for the tip!

 

[GTP]

Avast! is "numero uno" at the top of my hit list! Closely followed by McCrappy, Norton and AVG.
My new policy is If a client insists on using Avast!, they are politely told to go elsewhere.
I am sick and tired of trying to diagnose/fix issues with this garbage software only to have the client complain that "you didn't fix it!" and have to do it again for free.

 

[Kirby]

Yeah, I'm not a big Avast fan myself. I had a customer who bought it, it ran out and he bought it again and didn't know how to activate it, so I told him to call their support. A half hour later he got me on a 3 way call with the guy and I heard the tech tell him that he had some major issues with his computer (it had just been in my shop for a minimal charge because there was nothing serious wrong with it). The tech told him, while I listened, that Avast wouldn't work on his system, no antivirus would until he paid the guy $300 to get the problems taken care of. I told the customer that the guy was a liar, this was a scam, there was nothing wrong with his computer and to bring it in and it would take me 2 minutes to get it going. I logged onto his email, downloaded the license and plugged it into Avast and that's all it took.

So what free antivirus are you guys using now?

 

[cypress]

So what free antivirus are you guys using now?

Windows Defender.

 

[Kirby]

Really? Windows Defender? Back when it was still Microsoft Security Essentials I remember it having a detection rate right up there with ClamWin.

 

[Kirby]

So it used to be nothing special, therefore it can't have improved since? Unusual reasoning! If you look at event AV Comparatives or, better still, give it a try yourself you might be pleasantly surprised.

It's not reasoning of any sort. It's asking a question.

 

[Kirby]

In that case let me reply: Windows Defender - it's not as bad as you probably think it is! Go on, give it a try!

Really? Because I just looked it up on AV-Comparatives.org as you suggested and it is hands-down the lowest rated antivirus in the summary chart on page 9 for December 2016, having a single "2" rating out of three possible and the rest all "1". The next lowest rated antivirus, Sophos, has three "2" ratings. It seems to me like it is exactly as I remember it to be.

 

[GTP]

In that case let me reply: Windows Defender - it's not as bad as you probably think it is! Go on, give it a try!

Really?
Only yesterday had a Dell AIO with Win 10 infected with 406 "malware components." It's only defence was Windows Defender!
Took 13 minutes to boot, 8 minutes to open Chrome with it's 11 new "toolbars," and would still be running after I tried to shut it down had I not manually stopped it!
I initially scanned with Emsisoft Antimalware, which identified them all, then with KAV Rescue just to compare. KAV found 388 and flagged the rest as "suspect."
Defender said all was "hunky dory!"

 

[NYJimbo]

Defender + Malwarebytes + AdBlock Plus

 

[GTP]

The headline number doesn't mean a lot by itself as many AV products routinely report minor irritants such as tracking cookies as if they've just found a cache of Nazi gold. It's a way of reminding the owner that they're a good little watchdog and to keep the kibble coming. CCleaner and Malwarebytes are both guilty of that to some extent.

However...

This is impressive - I haven't seen a machine that badly infected for a while. (Our record was over 500,000 infected files on one machine, and the moral is that you shouldn't let your kids use your computer when you're away for the weekend. But I digress.) Of course, that might be because we encourage our clients not to install anything that they don't need, not to click on things they don't recognize or are not expecting, and generally to be cautious to the point of paranoia. I expect you do this too.

I'm pretty sure those eleven toolbars didn't all install by themselves, and at some point the user clicked on something they really shouldn't have. Anti-virus software by itself is only part of the solution - user training and a bit of common sense are at least as important. (Yes, I know some users can't be trained or can't be bothered - that's why we offer a range of AV solutions.)

To revisit the car analogy: All the safety equipment in the world won't keep you as safe as a couple of defensive driving lessons, and the best way to survive an accident is not to be part of it in the first place.

I just got a little Toshiba given to me by a client who bought a new one (because it was slow!) When I told him it was infected he almost dropped it and wouldn't touch it! It was like he thought he might catch something! He stammered "keep it!" "Keep it!" "I don't want it!" It almost breaks my record! At present its just passed 1043 "malware components" and counting.

I'm scanning with Emsisoft Antimalware, but I've set it to "report only" as I want to scan with MalwareBytes and some others to get reports on what they find.
This thing has all sorts of crapware, like Uniblue Registry Booster, PC Tune Up Utilities, Slimware Cleaner, Slimware Utilities, PC Protector, SurfGuard, MyWebSearch, Activaris Antivirus, etc etc. plus 9 "toolbars!"
I'm interested in the results to see which program gets what.
If anyone is interested I'll post results here.

 

[red12049]

Really?
Only yesterday had a Dell AIO with Win 10 infected with 406 "malware components." It's only defence was Windows Defender!
Took 13 minutes to boot, 8 minutes to open Chrome with it's 11 new "toolbars," and would still be running after I tried to shut it down had I not manually stopped it!
I initially scanned with Emsisoft Antimalware, which identified them all, then with KAV Rescue just to compare. KAV found 388 and flagged the rest as "suspect."
Defender said all was "hunky dory!"

I see this frequently here. The machines involved have had the range of antivirus, from Symantec corporate, to the consumer versions of all the paid AV's, to a turned off Defender. Not a one of those AV's STOPPED the installations from happening, most complained about them after that fact.

Based on my own (admittedly anecdotal) testing, I've started recommending the new Malwarebytes. It's the only thing I've seen that consistently tries to stop such crap before installation. MB and Defender, and they're usually good to go.

Rick

 

[GTP]

People keep giving you nice things - first a 27" iMac and now this. What's your secret?

In the last 6 months or so, 27" iMac, a Macbook Pro with damaged power connector easily fixed, Lenovo laptop (very, very nice unit) 3 x Toshiba Laptops, 1 Dell laptop, (new screen and we're good to go), 1 x Acer laptop (again, nice unit), 2 x desktops, (one with i7, 16gb ram, 2tb spinner, the other i5 4 gb, 1tb hdd), 2 x HP 24" AIO's, 1 x Lenovo 24" AIO, 1 x Dell 30"AIO, 2 x iPads (older models) 4 x mobile phones! All Free! I just smile and say thank you very much! (My customers love me....)

Edit:
Forgot the brand new HP Photo Printer still in the box but a couple of years old, the Epson Fax/Printer/Copier/Scanner, setup but unused, about 5 Monitors, (one was a brand new still-in -the-box, Toshiba!) the various routers, Hands Free Phones, External HDD's and numerous other "stuff we don't want! Can you use it?" things!

Anyway... since this thread has been hijacked, I will post results here unless OP objects?

Based on my own (admittedly anecdotal) testing, I've started recommending the new Malwarebytes.

I've had mixed results with Malwarebytes lately. No solid evidence to backup that statement, just my meagre observations.
Only have a handful of clients using it.

 

[cypress]

Really? Windows Defender? Back when it was still Microsoft Security Essentials I remember it having a detection rate right up there with ClamWin.

I used to like Avast a lot. The keyword being used to. I just can't recommend that product anymore. I am also not installing any Free Anti-virus anymore. I either recommend they go with my managed solution of Emsisoft or if not they can just get Windows Defender which is included. I note that in the invoice and ticket as well.

Had two last week. I offered Emsisoft but they refused it and just wanted something. I installed MSE since they were both Windows 7 and made a note of it. Should they come back infected that it now billable work.

 

[Kirby]

I used to like Avast a lot. The keyword being used to. I just can't recommend that product anymore. I am also not installing any Free Anti-virus anymore. I either recommend they go with my managed solution of Emsisoft or if not they can just get Windows Defender which is included. I note that in the invoice and ticket as well.

Had two last week. I offered Emsisoft but they refused it and just wanted something. I installed MSE since they were both Windows 7 and made a note of it. Should they come back infected that it now billable work.

This response makes sense. It is difficult to keep up on the free stuff. It's good today, tomorrow it starts installing the Ask Toolbar and hijacking your search settings, the day after that it wants to install a "Safe Price" extension. To give the customer the option to buy something, which makes me money and so I back it, get a standard product already built into Windows or figure it out themselves makes sense. I already have customers thinking my number is the customer support line for Microsoft, Br0derbund, Apple, HP, Dell, Google, Facebook, Mozilla and, for some reason, name a TV manufacturer.

 

[GTP]

Results of my (limited) malware scans on my Toshiba lappy!

DISCLAIMER: These are my observations only! I am not a "Malware Researcher! These are just scan and observe results and in no way should be taken as a measure of one malware scanners ability/inability to do it's job against others.
Results are posted here for education purposes only! Ok....

Scan logs are attached.

So, I ran Malwarebytes, UltraAdwareKiller, Adwcleaner, Emsisoft Antimalware, freefixer, KAV Rescue, BitDefender Rescue, RogueKiller, Vipre rescue, ESET Rescue Scanner, McAfee Security Scan Plus, MSRT and the built in Defender in Windows 7.

All the scans were done with as many options set as possible but trying to preserve the crapware by not selecting "remove, autoremove, autoclean, delete when finished" etc.

What I observed.

1. I ran Emsisoft Antimalware first. It found over 1100 "objects"

2. I ran McAfee Security Scan Plus. I know its not a full AV but it only found 2 issues.

3. I ran Malwarebytes. Malwarebytes was a bit "heavy handed" (not in a bad way I suppose) by just deleting stuff and giving me no option to keep it! (That I could find anyway) It kept complaining during the scan that "A reboot is needed to complete removal of blah blah!"
This is not necessarily bad, it's doing it's job after all! It's just annoying that I couldn't scan and report only.
The other thing that drove me crazy was that I had to click a box with the options "Ignore, Always Allow and Delete"
I had to click over a thousand boxes! Also Malwarebytes took over 7 hours to run. All the others were done in 2~3 hours.

4. I ran freefixer next.

5. I ran Microsoft's MSRT! It found nothing! (See screenshot 1 Microsoft.png) I thought your kidding! So I downloaded again through @AlexCa's excellent tool and ran it again. This time it found 5! Wow! (See pic MSRT.png) And it couldn't remove one of them! Well done Microsoft!

6. I ran the built in Defender in Win 7 and it found only a few more!

7. I ran ESET Emergency Disk.

8. Ran Bitdefender Rescue Scanner which only found 34 issues?? Ran it again to confirm and made sure settings were all at max and got same result?

9. Ran KAV Rescue, and it found 119 issues. I saved the report but can't open it. It's using a weird extension.

10. Ran RoguKiller.

11. Ran Vipre rescue.

12. ClamAV. Downloaded both the .msi version installer and the "portable" version of ClamAV, but they just refused to run! Even tried in Safe Mode, but no go! I'm not sure if it was being blocked?

13. Tried to run the installed Norton but it was totally trashed! Kept giving errors and crashing!

14. Ran Adwcleaner.

Would have liked to have run JRT but no option to report only!

There is a list of "plugins" that were in IE.
Reports as follows.

 

[GTP]

The rest of the scans and screenshots follows.

To read the Vipre rescue Scans file just change the extension back to .xml I had to change it to upload here.

 

[NJW]

So, I ran ...

I understand that this is just for curiosity purposes rather than a definitive test, but you should really be restoring the system between scans, even for 'scan & report'.

You also should bear in mind that these are very different scanning tools. For example, I wouldn't expect anti-virus tools to find all those installed toolbars and extensions – software that is rarely installed without notification of some sort, even if it's a tick-box that wasn't cleared before installing something else. However, AdwCleaner does look for those, so anti-virus + AdwCleaner – a commonly-used combination – would do pretty well.

Defender in Windows 7 is not much of a thing. Security Essentials would be a better starting point.

Emsisoft and ESET are inflating their figures, counting each file in a suspect folder, whereas, for example, AdwCleaner just lists the folder.

ClamAV (notwithstanding that you couldn't get it to run) is able to detect files with double extensions.

Rkill might have been useful to stop unwanted processes before scanning, but that's another example of running multiple tools in succession for a better result.

 

[GTP]

If I'd had more time.....
I would have imaged the drive and restored before each scan, separated Antimalware from Antivirus, run tools in tandem and a whole lot of other things. I would have liked to run the tools in full removal mode and compare each one to see what was left.
Example: Run Adwcleaner then, maybe ESET to see if it picked up something Adwcleaner missed and vice-versa. That would have taken a long time. And after all, this is why we have VirusTotal et al.
But those pesky customers keep calling and walking in taking up my time....