spiderjohn

error message during scan


I am trying out Emsisoft Emergency Kit and it keeps crashing with the following error:

"Crashed component: C:\EEK\bin64\a2emergencykit.exe

Error source: Exception code EEDFADE"

The program then crashes.

Version 2017.8.0.70

Windows 2008 Server

Command line scans work okay. I'd like to purchase but need to clear this first. Thanks!


Windows Server 2008, or Windows Server 2008 R2? We don't officially support Windows Server 2008, and our software won't work right on it.

To clarify:

  • Windows Server 2008 = Windows Vista
  • Windows Server 2008 R2 = Windows 7

We officially support Windows 7, Windows 8.1, and Windows 10. Likewise we also officially support Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.


Were you able to submit the crash report when the Emergency Kit Scanner crashed?


After the crash, a dialog should open asking if you want to report the crash (there will be a button at the bottom to send the report). If you're not seeing that, then let me know, and we can get a memory dump from the crashing process for our developers.

On 20.10.2017 at 21:59, GT500 wrote:

After the crash, a dialog should open asking if you want to report the crash (there will be a button at the bottom to send the report). If you're not seeing that, then let me know, and we can get a memory dump from the crashing process for our developers.

No dialog, as far as I could see the crash happened whilst setting up the list of files to scan during the standard malware scan. Then a Windows popup telling the program crashed.

Event Log (German, but should be understandable) tells:

Name der fehlerhaften Anwendung: a2emergencykit.exe, Version: 2017.8.0.7904, Zeitstempel: 0x599f0871
Name des fehlerhaften Moduls: a2engine.dll, Version: 4.0.1.883, Zeitstempel: 0x58fee2f8
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000193e8d
ID des fehlerhaften Prozesses: 0x3794
Startzeit der fehlerhaften Anwendung: 0x01d34f58adc5fdd2
Pfad der fehlerhaften Anwendung: C:\Tools\AntiVirus\EEK\bin64\a2emergencykit.exe
Pfad des fehlerhaften Moduls: C:\Tools\AntiVirus\EEK\bin64\a2engine.dll
Berichtskennung: eadb17ae-081e-4c8a-90c2-9bcd7af28d2d
Vollständiger Name des fehlerhaften Pakets: 
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: 

 

It only happened after updating to Windows 10 x64 v1709. It was working perfectly on v1703.

I'm just doing some custom scans with only one scan component (rootkit, memory, ...) checked to see if I can narrow it down.

Please let me know how to get the memory dump.

 

Update: It happens during setting up the file list for a memory scan. The event log doesn't tell anything new.

Edited by Jerry-B
Additional data.


Did you turn on the option for "Mandatory ASLR" in the new exploit mitigation protection added in the Fall Creators Update (1709)? That will cause EEK to crash.

On 28.10.2017 at 04:34, GT500 wrote:

Did you turn on the option for "Mandatory ASLR" in the new exploit mitigation protection added in the Fall Creators Update (1709)? That will cause EEK to crash.

At least not knowingly.

The reg key 
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
does NOT exist.

Even when I add this DWORD and set it to '0' EEK still crashes at memory scan. The Exploit Protection window also tells me that Address Space-Layout-Randomization is standardly deactivated. Thus ASLR definitely shouldn't be the cause.

In the meantime I know of at least three computers where EEK crashes when trying to perform the memory scan after the Windows v1709 update. On all of them EEK was beautifully performing at v1703. Deleting and reinstalling EEK does not help.

Other on demand scanners checking processes in system memory don't crash even after the v1709 update.

Conclusion: Microsoft has introduced 'something new' within memory with the v1709 update. And in contrast to several other scanners EEK can't handle that.


Have you tried adding an exclusion for the EEK folder in whatever real-time protection you have installed on the computer? It's possible that a hook open to EEK is triggering the crashing (or at least somehow related to it).


Standard scanner is simply MS Defender ...

Just as a try I excluded both the x32 and x64 versions from the memory scan.

Scan started and then crashed without further notice.

I'm just downloading the Windows Debugger (from the SDK) and will let you know should it deliver further insight into what exactly is going on there.


Here we go:

// Loading program

Executable search path is: 
ModLoad: 00000000`00400000 00000000`00dbe000   a2emergencykit.exe
ModLoad: 00007ffd`7b120000 00007ffd`7b300000   ntdll.dll
ModLoad: 00007ffd`789f0000 00007ffd`78a9e000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffd`77e70000 00007ffd`780d6000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffd`7b020000 00007ffd`7b0e5000   C:\WINDOWS\System32\oleaut32.dll
ModLoad: 00007ffd`77520000 00007ffd`775bb000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffd`775c0000 00007ffd`776b6000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffd`78b80000 00007ffd`78e88000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffd`79760000 00007ffd`7987f000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffd`78520000 00007ffd`78592000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffd`795b0000 00007ffd`79651000   C:\WINDOWS\System32\advapi32.dll
ModLoad: 00007ffd`78950000 00007ffd`789ed000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffd`792e0000 00007ffd`7933b000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffd`7ae90000 00007ffd`7b01e000   C:\WINDOWS\System32\user32.dll
ModLoad: 00007ffd`780e0000 00007ffd`78100000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffd`78650000 00007ffd`78678000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffd`78380000 00007ffd`78514000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffd`787f0000 00007ffd`78939000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffd`6a530000 00007ffd`6a547000   C:\WINDOWS\SYSTEM32\netapi32.dll
ModLoad: 00007ffd`75df0000 00007ffd`75dfa000   C:\WINDOWS\SYSTEM32\version.dll
ModLoad: 00007ffd`6abf0000 00007ffd`6ac0b000   C:\WINDOWS\SYSTEM32\mpr.dll
ModLoad: 00007ffd`79a20000 00007ffd`7ae57000   C:\WINDOWS\System32\shell32.dll
ModLoad: 00007ffd`785a0000 00007ffd`785ea000   C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffd`78ab0000 00007ffd`78b56000   C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffd`77720000 00007ffd`77e67000   C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ffd`78680000 00007ffd`786d1000   C:\WINDOWS\System32\shlwapi.dll
ModLoad: 00007ffd`774e0000 00007ffd`774f1000   C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffd`77490000 00007ffd`774dc000   C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffd`77470000 00007ffd`7748b000   C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffd`78100000 00007ffd`782ce000   C:\WINDOWS\System32\crypt32.dll
ModLoad: 00007ffd`69db0000 00007ffd`6a019000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.19_none_cc92fab02215da61\comctl32.dll
ModLoad: 00007ffd`77500000 00007ffd`77512000   C:\WINDOWS\System32\MSASN1.dll
ModLoad: 00007ffd`776c0000 00007ffd`77718000   C:\WINDOWS\System32\WINTRUST.DLL
ModLoad: 00007ffd`786e0000 00007ffd`787ea000   C:\WINDOWS\System32\comdlg32.dll
ModLoad: 00007ffd`71360000 00007ffd`713e6000   C:\WINDOWS\SYSTEM32\winspool.drv
ModLoad: 00007ffd`773a0000 00007ffd`773c9000   C:\WINDOWS\SYSTEM32\USERENV.DLL
ModLoad: 00000000`03ea0000 00000000`03f26000   C:\WINDOWS\SYSTEM32\winspool.drv
ModLoad: 00007ffd`61f90000 00007ffd`61f9c000   C:\WINDOWS\SYSTEM32\secur32.dll
ModLoad: 00007ffd`76a90000 00007ffd`76ac9000   C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffd`76fd0000 00007ffd`76ff5000   C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 00007ffd`31d00000 00007ffd`31df6000   C:\WINDOWS\SYSTEM32\ddraw.dll
ModLoad: 00007ffd`762e0000 00007ffd`7638f000   C:\WINDOWS\SYSTEM32\dxgi.dll
ModLoad: 00007ffd`657f0000 00007ffd`657f8000   C:\WINDOWS\SYSTEM32\DCIMAN32.dll
ModLoad: 00007ffd`77370000 00007ffd`773a0000   C:\WINDOWS\SYSTEM32\SSPICLI.DLL
(88fc.7188): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffd`7b1f2e9c cc              int     3
0:000> g
ModLoad: 00007ffd`7ae60000 00007ffd`7ae8d000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffd`72310000 00007ffd`72327000   C:\WINDOWS\SYSTEM32\wkscli.dll
ModLoad: 00007ffd`5c260000 00007ffd`5c272000   C:\WINDOWS\SYSTEM32\cscapi.dll
ModLoad: 00007ffd`75300000 00007ffd`75395000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00000001`80000000 00000001`8001b000   C:\Tools\Medien\AnyDVD\ADvdDiscHlp64.dll
ModLoad: 00007ffd`793c0000 00007ffd`79527000   C:\WINDOWS\System32\MSCTF.dll
ModLoad: 00007ffd`75610000 00007ffd`7563a000   C:\WINDOWS\system32\dwmapi.dll
ModLoad: 00007ffd`725c0000 00007ffd`725d3000   C:\WINDOWS\SYSTEM32\wtsapi32.dll
ModLoad: 00007ffd`76620000 00007ffd`76675000   C:\WINDOWS\SYSTEM32\WINSTA.dll
ModLoad: 00007ffd`76060000 00007ffd`76228000   C:\WINDOWS\SYSTEM32\Dbghelp.dll
ModLoad: 00007ffd`62060000 00007ffd`62089000   C:\WINDOWS\SYSTEM32\dbgcore.DLL
ModLoad: 00007ffd`78940000 00007ffd`78948000   C:\WINDOWS\System32\PSAPI.dll
ModLoad: 00007ffd`78b60000 00007ffd`78b7d000   C:\WINDOWS\System32\imagehlp.dll
ModLoad: 00007ffd`76ec0000 00007ffd`76ed7000   C:\WINDOWS\SYSTEM32\CRYPTSP.dll
ModLoad: 00007ffd`76910000 00007ffd`76943000   C:\WINDOWS\system32\rsaenh.dll
ModLoad: 00007ffd`76ee0000 00007ffd`76eeb000   C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
ModLoad: 00000000`06b90000 00000000`0724d000   C:\Tools\AntiVirus\Emsisoft\bin64\a2framework.dll
ModLoad: 00000000`06b90000 00000000`0724d000   C:\Tools\AntiVirus\Emsisoft\bin64\a2framework.dll
ModLoad: 00000000`07250000 00000000`07253000   C:\WINDOWS\SYSTEM32\sfc.dll
ModLoad: 00000000`07250000 00000000`07253000   C:\WINDOWS\SYSTEM32\sfc.dll
ModLoad: 00007ffd`57eb0000 00007ffd`57ec3000   C:\WINDOWS\SYSTEM32\sfc_os.DLL
ModLoad: 00007ffd`71f20000 00007ffd`71f38000   C:\WINDOWS\SYSTEM32\SAMCLI.DLL
ModLoad: 00007ffd`76b90000 00007ffd`76b9e000   C:\WINDOWS\SYSTEM32\NETUTILS.DLL
ModLoad: 00007ffd`722d0000 00007ffd`7230f000   C:\WINDOWS\SYSTEM32\LOGONCLI.DLL
ModLoad: 00007ffd`765b0000 00007ffd`765e1000   C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 00000000`075a0000 00000000`07c54000   C:\Tools\AntiVirus\Emsisoft\bin64\a2update.dll
ModLoad: 00000000`075a0000 00000000`07c54000   C:\Tools\AntiVirus\Emsisoft\bin64\a2update.dll
ModLoad: 00007ffd`54180000 00007ffd`541c4000   C:\Tools\AntiVirus\Emsisoft\bin64\evcdiff.dll
ModLoad: 00000000`58600000 00000000`58831000   C:\Tools\AntiVirus\Emsisoft\bin64\libeay32.dll
ModLoad: 00007ffd`79350000 00007ffd`793bc000   C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00000000`58590000 00000000`585f2000   C:\Tools\AntiVirus\Emsisoft\bin64\ssleay32.dll
ModLoad: 00000000`07570000 00000000`07573000   C:\WINDOWS\SYSTEM32\security.dll
ModLoad: 00000000`07570000 00000000`07573000   C:\WINDOWS\SYSTEM32\security.dll
ModLoad: 00007ffd`49900000 00007ffd`49995000   C:\WINDOWS\SYSTEM32\RICHED20.DLL
ModLoad: 00007ffd`2e7b0000 00007ffd`2e7e8000   C:\WINDOWS\SYSTEM32\msls31.dll
ModLoad: 00007ffd`659b0000 00007ffd`659c9000   C:\WINDOWS\SYSTEM32\USP10.dll
ModLoad: 00007ffd`796c0000 00007ffd`7975e000   C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffd`57490000 00007ffd`574df000   C:\WINDOWS\system32\dataexchange.dll
ModLoad: 00007ffd`740e0000 00007ffd`743c2000   C:\WINDOWS\system32\d3d11.dll
ModLoad: 00007ffd`74b80000 00007ffd`74cc2000   C:\WINDOWS\system32\dcomp.dll
ModLoad: 00007ffd`75760000 00007ffd`758db000   C:\WINDOWS\system32\twinapi.appcore.dll
ModLoad: 00007ffd`75710000 00007ffd`75730000   C:\WINDOWS\system32\RMCLIENT.dll
ModLoad: 00007ffd`48f40000 00007ffd`48f66000   C:\Tools\AntiVirus\Emsisoft\bin64\bdcore.dll
ModLoad: 00007ffd`3ddb0000 00007ffd`3de70000   C:\Tools\AntiVirus\Emsisoft\bin64\epplib.dll
ModLoad: 00007ffd`6e810000 00007ffd`6e81a000   C:\WINDOWS\SYSTEM32\FLTLIB.DLL
ModLoad: 00007ffd`2c1b0000 00007ffd`2c4a0000   C:\Tools\AntiVirus\Emsisoft\bin64\a2engine.dll
ModLoad: 00007ffd`3dd10000 00007ffd`3dda3000   C:\Tools\AntiVirus\Emsisoft\bin64\emutils.dll
(88fc.7188): Unknown exception - code 484d4445 (first chance)
(88fc.7188): Unknown exception - code 484d4445 (first chance)
...

(88fc.7188): Unknown exception - code 484d4445 (first chance)
ModLoad: 00007ffd`4eab0000 00007ffd`4ef43000   C:\WINDOWS\system32\explorerframe.dll
ModLoad: 00007ffd`34bc0000 00007ffd`34d06000   C:\Tools\AntiVirus\Emsisoft\bin64\clean.dll
(88fc.7188): C++ EH exception - code e06d7363 (first chance)
FilterLoad = -2147023840Final result for FilterLoad = 0FilterLoad = -2147023840Final result for FilterLoad = 0ModLoad: 00007ffd`65e90000 00007ffd`65f28000   C:\WINDOWS\System32\TextInputFramework.dll
ModLoad: 00007ffd`74990000 00007ffd`74a6d000   C:\WINDOWS\System32\CoreMessaging.dll
ModLoad: 00007ffd`706b0000 00007ffd`7099e000   C:\WINDOWS\System32\CoreUIComponents.dll
ModLoad: 00000000`0f770000 00000000`0f8a6000   C:\WINDOWS\SYSTEM32\wintypes.dll
ModLoad: 00000000`0f630000 00000000`0f766000   C:\WINDOWS\SYSTEM32\wintypes.dll
ModLoad: 00007ffd`737d0000 00007ffd`73906000   C:\WINDOWS\SYSTEM32\wintypes.dll
(88fc.7960): Unknown exception - code 484d4445 (first chance)
(88fc.7960): Unknown exception - code 484d4445 (first chance)
...

(88fc.7960): Unknown exception - code 484d4445 (first chance)
ModLoad: 00007ffd`6f610000 00007ffd`6f680000   C:\WINDOWS\SYSTEM32\Fwpuclnt.dll
ModLoad: 00007ffd`72af0000 00007ffd`72af7000   C:\WINDOWS\SYSTEM32\IdnDL.dll
ModLoad: 00007ffd`79340000 00007ffd`79348000   C:\WINDOWS\System32\Normaliz.dll
ModLoad: 00007ffd`76d00000 00007ffd`76d66000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 00007ffd`76ad0000 00007ffd`76b86000   C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffd`78aa0000 00007ffd`78aa8000   C:\WINDOWS\System32\NSI.dll
ModLoad: 00000000`5bcf0000 00000000`5bd16000   C:\Program Files\Bonjour\mdnsNSP.dll
ModLoad: 00007ffd`6f570000 00007ffd`6f57a000   C:\Windows\System32\rasadhlp.dll
ModLoad: 00007ffd`6a2f0000 00007ffd`6a316000   C:\WINDOWS\SYSTEM32\srvcli.dll
(88fc.8be0): Unknown exception - code 0eedfade (first chance)
(88fc.88e8): Unknown exception - code 0eedfade (first chance)
(88fc.7ef8): Unknown exception - code 484d4445 (first chance)
(88fc.7ef8): Unknown exception - code 484d4445 (first chance)
...

(88fc.7ef8): Unknown exception - code 484d4445 (first chance)

 

// The dots (...) represent an awful lot of equal lines with the unknown exception given above.

 

// Executing memory scan


(88fc.7430): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Tools\AntiVirus\Emsisoft\bin64\a2engine.dll - 
a2engine!InstallDdaDriver+0x876d:
00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
0:023> g
(88fc.7430): Access violation - code c0000005 (!!! second chance !!!)
a2engine!InstallDdaDriver+0x876d:
00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
0:023> g
(88fc.7430): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
a2engine!InstallDdaDriver+0x876d:
00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
0:023> g
(88fc.7430): Access violation - code c0000005 (!!! second chance !!!)
a2engine!InstallDdaDriver+0x876d:
00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
0:023> g

// ad infinitum; further 'Go' commands (F5) within the debugger reproduce the above two access violation steps.

 

The EEK window shows it's just scanning an Adobe Acrobat tool (SendAsLinkAddin.DEU). However this may not be up to date. As expected excluding the Adobe dirs from scan doesn't change anything.

 

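Added example (not part of the thread, and not code from the posters or Emsisoft): a small parser for the debugger output above that resolves the unhandled access violation to module plus offset, which is the same value the event log reports as the fault offset (0x193e8d in a2engine.dll), and lists modules loaded from outside the Windows directory. The function names are made up for this sketch; the `InstallDdaDriver+0x876d` label in the log comes from export symbols only, so module plus offset is the identifier worth reporting.

```python
import re

# Constructed sample: lines copied from the debugger session posted above.
WINDBG_LOG = r"""
ModLoad: 00000000`00400000 00000000`00dbe000   a2emergencykit.exe
ModLoad: 00000001`80000000 00000001`8001b000   C:\Tools\Medien\AnyDVD\ADvdDiscHlp64.dll
ModLoad: 00007ffd`2c1b0000 00007ffd`2c4a0000   C:\Tools\AntiVirus\Emsisoft\bin64\a2engine.dll
(88fc.8be0): Unknown exception - code 0eedfade (first chance)
(88fc.7430): Access violation - code c0000005 (first chance)
a2engine!InstallDdaDriver+0x876d:
00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
(88fc.7430): Access violation - code c0000005 (!!! second chance !!!)
a2engine!InstallDdaDriver+0x876d:
00007ffd`2c343e8d 664439420c      cmp     word ptr [rdx+0Ch],r8w ds:00000000`40afb04c=????
"""

# Widely documented codes only; anything else is reported as raw hex.
KNOWN_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xE06D7363: "MSVC C++ exception",
    0x0EEDFADE: "Delphi exception",
}
HEX64 = r"([0-9a-f]{8})`([0-9a-f]{8})"
MODLOAD = re.compile(rf"^ModLoad: {HEX64} {HEX64}\s+(.+)$")
EXC = re.compile(r"^\(\w+\.\w+\): .* - code ([0-9a-f]{8}) \((.*)\)$")
INSN = re.compile(rf"^{HEX64} [0-9a-f]+\s")

def parse_modules(log):
    """Return (start, end, path) for every ModLoad line."""
    hits = (MODLOAD.match(line) for line in log.splitlines())
    return [(int(m[1] + m[2], 16), int(m[3] + m[4], 16), m[5].strip()) for m in hits if m]

def resolve(address, modules):
    """Map an absolute address to (module file name, offset from module base)."""
    for start, end, path in modules:
        if start <= address < end:
            return path.rsplit("\\", 1)[-1], address - start
    return None, address

def unhandled_faults(log):
    """(code name, module, offset) for the instruction after each second-chance banner."""
    modules, lines, faults = parse_modules(log), log.splitlines(), []
    for i, line in enumerate(lines):
        m = EXC.match(line)
        if m and "second chance" in m[2]:
            insn = next(filter(None, map(INSN.match, lines[i + 1:])), None)
            if insn:
                faults.append((KNOWN_CODES.get(int(m[1], 16), "0x" + m[1]), *resolve(int(insn[1] + insn[2], 16), modules)))
    return faults

def outside_windows_dir(log):
    """Modules loaded from a full path outside C:\\WINDOWS: candidates for third-party hooks."""
    return [p for _, _, p in parse_modules(log)
            if "\\" in p and not p.upper().startswith("C:\\WINDOWS\\")]
```

Run against the full log, `outside_windows_dir` also returns the scanner's own DLLs, so filter those by install folder before looking at what remains.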

OK, the best way to proceed is to get a memory dump, which you can do by following the instructions at the link below and then restarting your computer (on Windows 8.1 and Windows 10 you need to restart by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from that menu):
https://helpdesk.emsisoft.com/Knowledgebase/Article/View/204/55/how-to-configure-automatic-crash-dumps-in-case-of-application-failures

Once you have automatic crash dumps enabled, simply run EEK and do whatever causes the crash to happen, and then you should have a memory dump in the following location:

  • C:\Users\Public\CrashDumps

Simply compress this memory dump (ZIP, RAR, 7z, etc. are all OK) and then see if you can send it to me in a private message. If it is too large, then you may need to use a file sharing service to upload it to and send me a link.


Looks like I've found it myself.

Spybot S&D (a well known on-demand scanner) hooks itself within memory even when inactive — and places a hook for Emsisoft EEK. Funny and strange enough only after the Windows v1709 update; no problems whatsoever on v1703 as told above.

After excluding the Spybot dir from scans and updating EEK to the latest version everything ran well again (no EEK crash) on three computers I've got access to.

Anyway, thanks for your support!
