Jerry-B
  1. Looks like I've found it myself. Spybot S&D (a well-known on-demand scanner) hooks itself into memory even when inactive, and places a hook for Emsisoft EEK. Funny and strange enough, only after the Windows v1709 update; no problems whatsoever on v1703, as told above. After excluding the Spybot dir from scans and updating EEK to the latest version, everything ran well again (no EEK crash) on the three computers I've got access to. Anyway, thanks for your support!
  2. Here we go:

     // Loading program
     Executable search path is:
     ModLoad: 00000000`00400000 00000000`00dbe000 a2emergencykit.exe
     ModLoad: 00007ffd`7b120000 00007ffd`7b300000 ntdll.dll
     ModLoad: 00007ffd`789f0000 00007ffd`78a9e000 C:\WINDOWS\System32\KERNEL32.DLL
     ModLoad: 00007ffd`77e70000 00007ffd`780d6000 C:\WINDOWS\System32\KERNELBASE.dll
     ModLoad: 00007ffd`7b020000 00007ffd`7b0e5000 C:\WINDOWS\System32\oleaut32.dll
     ModLoad: 00007ffd`77520000 00007ffd`775bb000 C:\WINDOWS\System32\msvcp_win.dll
     ModLoad: 00007ffd`775c0000 00007ffd`776b6000 C:\WINDOWS\System32\ucrtbase.dll
     ModLoad: 00007ffd`78b80000 00007ffd`78e88000 C:\WINDOWS\System32\combase.dll
     ModLoad: 00007ffd`79760000 00007ffd`7987f000 C:\WINDOWS\System32\RPCRT4.dll
     ModLoad: 00007ffd`78520000 00007ffd`78592000 C:\WINDOWS\System32\bcryptPrimitives.dll
     ModLoad: 00007ffd`795b0000 00007ffd`79651000 C:\WINDOWS\System32\advapi32.dll
     ModLoad: 00007ffd`78950000 00007ffd`789ed000 C:\WINDOWS\System32\msvcrt.dll
     ModLoad: 00007ffd`792e0000 00007ffd`7933b000 C:\WINDOWS\System32\sechost.dll
     ModLoad: 00007ffd`7ae90000 00007ffd`7b01e000 C:\WINDOWS\System32\user32.dll
     ModLoad: 00007ffd`780e0000 00007ffd`78100000 C:\WINDOWS\System32\win32u.dll
     ModLoad: 00007ffd`78650000 00007ffd`78678000 C:\WINDOWS\System32\GDI32.dll
     ModLoad: 00007ffd`78380000 00007ffd`78514000 C:\WINDOWS\System32\gdi32full.dll
     ModLoad: 00007ffd`787f0000 00007ffd`78939000 C:\WINDOWS\System32\ole32.dll
     ModLoad: 00007ffd`6a530000 00007ffd`6a547000 C:\WINDOWS\SYSTEM32\netapi32.dll
     ModLoad: 00007ffd`75df0000 00007ffd`75dfa000 C:\WINDOWS\SYSTEM32\version.dll
     ModLoad: 00007ffd`6abf0000 00007ffd`6ac0b000 C:\WINDOWS\SYSTEM32\mpr.dll
     ModLoad: 00007ffd`79a20000 00007ffd`7ae57000 C:\WINDOWS\System32\shell32.dll
     ModLoad: 00007ffd`785a0000 00007ffd`785ea000 C:\WINDOWS\System32\cfgmgr32.dll
     ModLoad: 00007ffd`78ab0000 00007ffd`78b56000 C:\WINDOWS\System32\shcore.dll
     ModLoad: 00007ffd`77720000 00007ffd`77e67000 C:\WINDOWS\System32\windows.storage.dll
     ModLoad: 00007ffd`78680000 00007ffd`786d1000 C:\WINDOWS\System32\shlwapi.dll
     ModLoad: 00007ffd`774e0000 00007ffd`774f1000 C:\WINDOWS\System32\kernel.appcore.dll
     ModLoad: 00007ffd`77490000 00007ffd`774dc000 C:\WINDOWS\System32\powrprof.dll
     ModLoad: 00007ffd`77470000 00007ffd`7748b000 C:\WINDOWS\System32\profapi.dll
     ModLoad: 00007ffd`78100000 00007ffd`782ce000 C:\WINDOWS\System32\crypt32.dll
     ModLoad: 00007ffd`69db0000 00007ffd`6a019000 C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.19_none_cc92fab02215da61\comctl32.dll
     ModLoad: 00007ffd`77500000 00007ffd`77512000 C:\WINDOWS\System32\MSASN1.dll
     ModLoad: 00007ffd`776c0000 00007ffd`77718000 C:\WINDOWS\System32\WINTRUST.DLL
     ModLoad: 00007ffd`786e0000 00007ffd`787ea000 C:\WINDOWS\System32\comdlg32.dll
     ModLoad: 00007ffd`71360000 00007ffd`713e6000 C:\WINDOWS\SYSTEM32\winspool.drv
     ModLoad: 00007ffd`773a0000 00007ffd`773c9000 C:\WINDOWS\SYSTEM32\USERENV.DLL
     ModLoad: 00000000`03ea0000 00000000`03f26000 C:\WINDOWS\SYSTEM32\winspool.drv
     ModLoad: 00007ffd`61f90000 00007ffd`61f9c000 C:\WINDOWS\SYSTEM32\secur32.dll
     ModLoad: 00007ffd`76a90000 00007ffd`76ac9000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
     ModLoad: 00007ffd`76fd0000 00007ffd`76ff5000 C:\WINDOWS\SYSTEM32\bcrypt.dll
     ModLoad: 00007ffd`31d00000 00007ffd`31df6000 C:\WINDOWS\SYSTEM32\ddraw.dll
     ModLoad: 00007ffd`762e0000 00007ffd`7638f000 C:\WINDOWS\SYSTEM32\dxgi.dll
     ModLoad: 00007ffd`657f0000 00007ffd`657f8000 C:\WINDOWS\SYSTEM32\DCIMAN32.dll
     ModLoad: 00007ffd`77370000 00007ffd`773a0000 C:\WINDOWS\SYSTEM32\SSPICLI.DLL
     (88fc.7188): Break instruction exception - code 80000003 (first chance)
     ntdll!LdrpDoDebuggerBreak+0x30:
     00007ffd`7b1f2e9c cc              int     3
     0:000> g
     ModLoad: 00007ffd`7ae60000 00007ffd`7ae8d000 C:\WINDOWS\System32\IMM32.DLL
     ModLoad: 00007ffd`72310000 00007ffd`72327000 C:\WINDOWS\SYSTEM32\wkscli.dll
     ModLoad: 00007ffd`5c260000 00007ffd`5c272000 C:\WINDOWS\SYSTEM32\cscapi.dll
     ModLoad: 00007ffd`75300000 00007ffd`75395000 C:\WINDOWS\system32\uxtheme.dll
     ModLoad: 00000001`80000000 00000001`8001b000 C:\Tools\Medien\AnyDVD\ADvdDiscHlp64.dll
     ModLoad: 00007ffd`793c0000 00007ffd`79527000 C:\WINDOWS\System32\MSCTF.dll
     ModLoad: 00007ffd`75610000 00007ffd`7563a000 C:\WINDOWS\system32\dwmapi.dll
     ModLoad: 00007ffd`725c0000 00007ffd`725d3000 C:\WINDOWS\SYSTEM32\wtsapi32.dll
     ModLoad: 00007ffd`76620000 00007ffd`76675000 C:\WINDOWS\SYSTEM32\WINSTA.dll
     ModLoad: 00007ffd`76060000 00007ffd`76228000 C:\WINDOWS\SYSTEM32\Dbghelp.dll
     ModLoad: 00007ffd`62060000 00007ffd`62089000 C:\WINDOWS\SYSTEM32\dbgcore.DLL
     ModLoad: 00007ffd`78940000 00007ffd`78948000 C:\WINDOWS\System32\PSAPI.dll
     ModLoad: 00007ffd`78b60000 00007ffd`78b7d000 C:\WINDOWS\System32\imagehlp.dll
     ModLoad: 00007ffd`76ec0000 00007ffd`76ed7000 C:\WINDOWS\SYSTEM32\CRYPTSP.dll
     ModLoad: 00007ffd`76910000 00007ffd`76943000 C:\WINDOWS\system32\rsaenh.dll
     ModLoad: 00007ffd`76ee0000 00007ffd`76eeb000 C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
     ModLoad: 00000000`06b90000 00000000`0724d000 C:\Tools\AntiVirus\Emsisoft\bin64\a2framework.dll
     ModLoad: 00000000`06b90000 00000000`0724d000 C:\Tools\AntiVirus\Emsisoft\bin64\a2framework.dll
     ModLoad: 00000000`07250000 00000000`07253000 C:\WINDOWS\SYSTEM32\sfc.dll
     ModLoad: 00000000`07250000 00000000`07253000 C:\WINDOWS\SYSTEM32\sfc.dll
     ModLoad: 00007ffd`57eb0000 00007ffd`57ec3000 C:\WINDOWS\SYSTEM32\sfc_os.DLL
     ModLoad: 00007ffd`71f20000 00007ffd`71f38000 C:\WINDOWS\SYSTEM32\SAMCLI.DLL
     ModLoad: 00007ffd`76b90000 00007ffd`76b9e000 C:\WINDOWS\SYSTEM32\NETUTILS.DLL
     ModLoad: 00007ffd`722d0000 00007ffd`7230f000 C:\WINDOWS\SYSTEM32\LOGONCLI.DLL
     ModLoad: 00007ffd`765b0000 00007ffd`765e1000 C:\WINDOWS\SYSTEM32\ntmarta.dll
     ModLoad: 00000000`075a0000 00000000`07c54000 C:\Tools\AntiVirus\Emsisoft\bin64\a2update.dll
     ModLoad: 00000000`075a0000 00000000`07c54000 C:\Tools\AntiVirus\Emsisoft\bin64\a2update.dll
     ModLoad: 00007ffd`54180000 00007ffd`541c4000 C:\Tools\AntiVirus\Emsisoft\bin64\evcdiff.dll
     ModLoad: 00000000`58600000 00000000`58831000 C:\Tools\AntiVirus\Emsisoft\bin64\libeay32.dll
     ModLoad: 00007ffd`79350000 00007ffd`793bc000 C:\WINDOWS\System32\WS2_32.dll
     ModLoad: 00000000`58590000 00000000`585f2000 C:\Tools\AntiVirus\Emsisoft\bin64\ssleay32.dll
     ModLoad: 00000000`07570000 00000000`07573000 C:\WINDOWS\SYSTEM32\security.dll
     ModLoad: 00000000`07570000 00000000`07573000 C:\WINDOWS\SYSTEM32\security.dll
     ModLoad: 00007ffd`49900000 00007ffd`49995000 C:\WINDOWS\SYSTEM32\RICHED20.DLL
     ModLoad: 00007ffd`2e7b0000 00007ffd`2e7e8000 C:\WINDOWS\SYSTEM32\msls31.dll
     ModLoad: 00007ffd`659b0000 00007ffd`659c9000 C:\WINDOWS\SYSTEM32\USP10.dll
     ModLoad: 00007ffd`796c0000 00007ffd`7975e000 C:\WINDOWS\System32\clbcatq.dll
     ModLoad: 00007ffd`57490000 00007ffd`574df000 C:\WINDOWS\system32\dataexchange.dll
     ModLoad: 00007ffd`740e0000 00007ffd`743c2000 C:\WINDOWS\system32\d3d11.dll
     ModLoad: 00007ffd`74b80000 00007ffd`74cc2000 C:\WINDOWS\system32\dcomp.dll
     ModLoad: 00007ffd`75760000 00007ffd`758db000 C:\WINDOWS\system32\twinapi.appcore.dll
     ModLoad: 00007ffd`75710000 00007ffd`75730000 C:\WINDOWS\system32\RMCLIENT.dll
     ModLoad: 00007ffd`48f40000 00007ffd`48f66000 C:\Tools\AntiVirus\Emsisoft\bin64\bdcore.dll
     ModLoad: 00007ffd`3ddb0000 00007ffd`3de70000 C:\Tools\AntiVirus\Emsisoft\bin64\epplib.dll
     ModLoad: 00007ffd`6e810000 00007ffd`6e81a000 C:\WINDOWS\SYSTEM32\FLTLIB.DLL
     ModLoad: 00007ffd`2c1b0000 00007ffd`2c4a0000 C:\Tools\AntiVirus\Emsisoft\bin64\a2engine.dll
     ModLoad: 00007ffd`3dd10000 00007ffd`3dda3000 C:\Tools\AntiVirus\Emsisoft\bin64\emutils.dll
     (88fc.7188): Unknown exception - code 484d4445 (first chance)
     (88fc.7188): Unknown exception - code 484d4445 (first chance)
     ...
     (88fc.7188): Unknown exception - code 484d4445 (first chance)
     ModLoad: 00007ffd`4eab0000 00007ffd`4ef43000 C:\WINDOWS\system32\explorerframe.dll
     ModLoad: 00007ffd`34bc0000 00007ffd`34d06000 C:\Tools\AntiVirus\Emsisoft\bin64\clean.dll
     (88fc.7188): C++ EH exception - code e06d7363 (first chance)
     FilterLoad = -2147023840
     Final result for FilterLoad = 0
     FilterLoad = -2147023840
     Final result for FilterLoad = 0
     ModLoad: 00007ffd`65e90000 00007ffd`65f28000 C:\WINDOWS\System32\TextInputFramework.dll
     ModLoad: 00007ffd`74990000 00007ffd`74a6d000 C:\WINDOWS\System32\CoreMessaging.dll
     ModLoad: 00007ffd`706b0000 00007ffd`7099e000 C:\WINDOWS\System32\CoreUIComponents.dll
     ModLoad: 00000000`0f770000 00000000`0f8a6000 C:\WINDOWS\SYSTEM32\wintypes.dll
     ModLoad: 00000000`0f630000 00000000`0f766000 C:\WINDOWS\SYSTEM32\wintypes.dll
     ModLoad: 00007ffd`737d0000 00007ffd`73906000 C:\WINDOWS\SYSTEM32\wintypes.dll
     (88fc.7960): Unknown exception - code 484d4445 (first chance)
     (88fc.7960): Unknown exception - code 484d4445 (first chance)
     ...
     (88fc.7960): Unknown exception - code 484d4445 (first chance)
     ModLoad: 00007ffd`6f610000 00007ffd`6f680000 C:\WINDOWS\SYSTEM32\Fwpuclnt.dll
     ModLoad: 00007ffd`72af0000 00007ffd`72af7000 C:\WINDOWS\SYSTEM32\IdnDL.dll
     ModLoad: 00007ffd`79340000 00007ffd`79348000 C:\WINDOWS\System32\Normaliz.dll
     ModLoad: 00007ffd`76d00000 00007ffd`76d66000 C:\WINDOWS\system32\mswsock.dll
     ModLoad: 00007ffd`76ad0000 00007ffd`76b86000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
     ModLoad: 00007ffd`78aa0000 00007ffd`78aa8000 C:\WINDOWS\System32\NSI.dll
     ModLoad: 00000000`5bcf0000 00000000`5bd16000 C:\Program Files\Bonjour\mdnsNSP.dll
     ModLoad: 00007ffd`6f570000 00007ffd`6f57a000 C:\Windows\System32\rasadhlp.dll
     ModLoad: 00007ffd`6a2f0000 00007ffd`6a316000 C:\WINDOWS\SYSTEM32\srvcli.dll
     (88fc.8be0): Unknown exception - code 0eedfade (first chance)
     (88fc.88e8): Unknown exception - code 0eedfade (first chance)
     (88fc.7ef8): Unknown exception - code 484d4445 (first chance)
     (88fc.7ef8): Unknown exception - code 484d4445 (first chance)
     ...
     (88fc.7ef8): Unknown exception - code 484d4445 (first chance)
     // The dots (...) represent an awful lot of identical lines with the unknown exception given above.
     // Executing memory scan
     (88fc.7430): Access violation - code c0000005 (first chance)
     First chance exceptions are reported before any exception handling.
     This exception may be expected and handled.
     *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Tools\AntiVirus\Emsisoft\bin64\a2engine.dll -
     a2engine!InstallDdaDriver+0x876d:
     00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
     0:023> g
     (88fc.7430): Access violation - code c0000005 (!!! second chance !!!)
     a2engine!InstallDdaDriver+0x876d:
     00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
     0:023> g
     (88fc.7430): Access violation - code c0000005 (first chance)
     First chance exceptions are reported before any exception handling.
     This exception may be expected and handled.
     a2engine!InstallDdaDriver+0x876d:
     00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
     0:023> g
     (88fc.7430): Access violation - code c0000005 (!!! second chance !!!)
     a2engine!InstallDdaDriver+0x876d:
     00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
     0:023> g
     // ad infinitum; further 'Go' commands (F5) within the debugger reproduce the above two access violation steps.

     The EEK window shows it's just scanning an Adobe Acrobat tool (SendAsLinkAddin.DEU). However, this may not be up to date. As expected, excluding the Adobe dirs from the scan doesn't change anything.
  3. Standard scanner is simply MS Defender ... Just as a try, I excluded both the x32 and x64 versions from the memory scan. The scan started and then crashed without further notice. I'm just downloading the Windows Debugger (from the SDK) and will let you know should it deliver further insight into what exactly is going on there.
  4. At least not knowingly. The reg key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages does NOT exist. Even when I add this DWORD and set it to '0', EEK still crashes at the memory scan. The Exploit Protection window also tells me that Address Space Layout Randomization is deactivated by default. Thus ASLR definitely shouldn't be the cause. In the meantime I know of at least three computers where EEK crashes when trying to perform the memory scan after the Windows v1709 update. On all of them EEK was performing beautifully on v1703. Deleting and reinstalling EEK does not help. Other on-demand scanners checking processes in system memory don't crash even after the v1709 update. Conclusion: Microsoft has introduced 'something new' within memory with the v1709 update, and in contrast to several other scanners EEK can't handle that.
  5. No dialog; as far as I could see the crash happened whilst setting up the list of files to scan during the standard malware scan. Then a Windows popup telling me the program had crashed. The Event Log (translated from German) says:

     Faulting application name: a2emergencykit.exe, version: 2017.8.0.7904, time stamp: 0x599f0871
     Faulting module name: a2engine.dll, version: 4.0.1.883, time stamp: 0x58fee2f8
     Exception code: 0xc0000005
     Fault offset: 0x0000000000193e8d
     Faulting process id: 0x3794
     Faulting application start time: 0x01d34f58adc5fdd2
     Faulting application path: C:\Tools\AntiVirus\EEK\bin64\a2emergencykit.exe
     Faulting module path: C:\Tools\AntiVirus\EEK\bin64\a2engine.dll
     Report Id: eadb17ae-081e-4c8a-90c2-9bcd7af28d2d
     Faulting package full name:
     Faulting package-relative application ID:

     It only happened after updating to Windows 10 x64 v1709. It was working perfectly on v1703. I'm just doing some custom scans with only one scan component (rootkit, memory, ...) checked to see if I can narrow it down. Please let me know how to get the memory dump.

     Update: It happens during setting up the file list for a memory scan. The event log doesn't tell anything new.
  6. Same for me: EEK crashes during a scan. Where do I find the report?
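The WinDbg session in post 2 and the Event Log entry in post 5 describe the same crash, and a practitioner reading a thread like this usually wants to verify that before going further: the debugger's faulting address should land inside a2engine.dll at exactly the "Fault offset" the Event Log reports. The script below is an added example, not code from the posts or from Emsisoft. It parses a pasted WinDbg log (including the flattened form in which several ModLoad entries share one line), resolves the faulting address to module+offset, checks it against the Event Log value, and lists every module loaded from outside the Windows and product directories, which is the kind of third-party DLL (a hook, a shell extension, a Winsock namespace provider) the poster eventually found. SAMPLE_LOG is a constructed subset of the posted lines; the trusted-directory prefixes are an assumption for this example.

```python
"""Cross-check a WinDbg crash against a Windows Event Log 'application error'.
Added example; the log excerpt is a constructed subset of the posted session."""
import re

# Constructed sample: a few ModLoad lines and the final access-violation lines
# from the posted session, partly flattened onto shared lines as they were pasted.
SAMPLE_LOG = r"""
ModLoad: 00000000`00400000 00000000`00dbe000 a2emergencykit.exe ModLoad: 00007ffd`7b120000 00007ffd`7b300000 ntdll.dll
ModLoad: 00007ffd`789f0000 00007ffd`78a9e000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00000001`80000000 00000001`8001b000 C:\Tools\Medien\AnyDVD\ADvdDiscHlp64.dll
ModLoad: 00000000`06b90000 00000000`0724d000 C:\Tools\AntiVirus\Emsisoft\bin64\a2framework.dll
ModLoad: 00000000`5bcf0000 00000000`5bd16000 C:\Program Files\Bonjour\mdnsNSP.dll ModLoad: 00007ffd`6f570000 00007ffd`6f57a000 C:\Windows\System32\rasadhlp.dll
ModLoad: 00007ffd`2c1b0000 00007ffd`2c4a0000 C:\Tools\AntiVirus\Emsisoft\bin64\a2engine.dll
(88fc.7430): Access violation - code c0000005 (!!! second chance !!!)
a2engine!InstallDdaDriver+0x876d: 00007ffd`2c343e8d 664439420c cmp word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
"""

# Values copied from the Event Log entry in the thread (exception 0xc0000005).
EVENT_MODULE = "a2engine.dll"
EVENT_FAULT_OFFSET = 0x0000000000193e8d

# A ModLoad entry ends where the next ModLoad, an "(pid.tid):" event, or the line ends.
_MODLOAD = re.compile(
    r"ModLoad:\s+([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})\s+"
    r"(.+?)(?=\s+ModLoad:|\s+\([0-9a-f]+\.[0-9a-f]+\):|\s*$)",
    re.IGNORECASE | re.MULTILINE,
)
# "module!symbol+0xNNN: <address> <bytes> <mnemonic> ..." as WinDbg prints it.
_FAULT = re.compile(
    r"(\S+\+0x[0-9a-f]+):\s+([0-9a-f]{8})`([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)",
    re.IGNORECASE,
)


def parse_modloads(log):
    """Return [(start, end, path)] for every ModLoad entry, flattened or not."""
    return [(int(hi1 + lo1, 16), int(hi2 + lo2, 16), path.strip())
            for hi1, lo1, hi2, lo2, path in _MODLOAD.findall(log)]


def parse_fault(log):
    """Return (symbol, address, mnemonic) of the last faulting instruction, or None."""
    hits = _FAULT.findall(log)
    if not hits:
        return None
    symbol, hi, lo, mnemonic = hits[-1]
    return symbol, int(hi + lo, 16), mnemonic


def resolve(address, mods):
    """Map an address to (module path, offset from module base), or None if unmapped."""
    for start, end, path in mods:
        if start <= address < end:
            return path, address - start
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def matches_event_log(log, module_name, fault_offset):
    """True when the debugger's faulting address lies in module_name at fault_offset,
    i.e. the Event Log entry and the debugger session describe the same crash."""
    fault = parse_fault(log)
    if fault is None:
        return False
    hit = resolve(fault[1], parse_modloads(log))
    return (hit is not None
            and basename(hit[0]).lower() == module_name.lower()
            and hit[1] == fault_offset)


def third_party_modules(mods, trusted_prefixes=("c:\\windows\\", "c:\\tools\\antivirus\\emsisoft\\")):
    """Modules loaded from outside the OS and product directories (assumed prefixes):
    candidates for an injected hook or a shell/Winsock extension worth excluding."""
    out = []
    for _, _, path in mods:
        p = path.lower()
        if "\\" not in p:          # bare name: the main image or a system DLL shown without path
            continue
        if not p.startswith(trusted_prefixes):
            out.append(path)
    return out


if __name__ == "__main__":
    mods = parse_modloads(SAMPLE_LOG)
    sym, addr, mnem = parse_fault(SAMPLE_LOG)
    path, off = resolve(addr, mods)
    print(f"{sym}: {addr:#018x} -> {basename(path)}+{off:#x} ({mnem})")
    print("matches Event Log fault offset:",
          matches_event_log(SAMPLE_LOG, EVENT_MODULE, EVENT_FAULT_OFFSET))
    for p in third_party_modules(mods):
        print("third-party module in scanner process:", p)
```

The export-symbol name WinDbg shows (InstallDdaDriver+0x876d) is only the nearest exported function, since no symbol file was found, and says little about the real code path; the module-relative offset 0x193e8d is the stable coordinate, because it survives the different load addresses and process IDs seen between runs and is exactly what the Event Log records. In the posted log the only modules outside Windows and the Emsisoft directory are the AnyDVD disc helper and the Bonjour Winsock namespace provider; both load through ordinary mechanisms, so a hit on that list is a lead to exclude or verify, not proof of a hook.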