Question : Invalid access to memory location

I have one user experiencing the following error on his machine only:

The system cannot log you on due to the following error: Invalid access to memory location.

If I attempt to logon to the system with a Domain Account or any other account I get the following MS Error Code:

OxC00000BB

However, if I use the Domain Admin or non admin account to log on first then I may log on to the system, there is a major lag for log on though, but once I use the account in question, then the errors above kick in.

I have tested the users account on different machines and he is able to log on without issue.

We use a firstname.lastname user name convention.

This only happens on one specific system which is:

"      Dell D420 w/MS Windows XP SP3 and all High Priority Updates minus IE-8 which is not compatible with our MS CRM
"      Main Server  MS Server 2003 with all High Priority Updates
"      Using MS Exchange 2003 with AD to control the domain

I have done the following to try and correct the problem:

ComboFix  See attached output.  This user stated the problem started five days ago but did not say anything until today.  Last time I had to rebuild this users computer because he failed to inform me of problems in a timely manner.

Restart

Removed the computer from the domain and re-added it.

Attempted to Run Malwarebytes, but it keeps shutting down in both Safe and Normal modes.  It will run for about 10 seconds and then stop.

The MS Fix for this problem is related to using a Smart Card, we do not do that here, and also the drive is not encrypted.

The only fix I have found for this is to rebuild the system. I found one problem similar to this on Experts Exchange but it seems to have been adandoned.

Code Snippet:

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127:

ComboFix 09-11-09.01 - administrator 11/10/2009 11:45.2.2 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1754 [GMT -5:00] Running from: c:\documents and settings\administrator\Desktop\Combo-Fix.exe AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . ((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 ))))))))))))))))))))))))))))))) . No new files created in this timespan . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((( SnapShot@2009-11-10_15.47.54 ))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 110592] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 610304] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656] "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360] "masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072] "IDTSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-09-06 405504] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000003}\_SC_Acrobat.exe [2009-2-2 295606] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-18 102448] . Contents of the 'Scheduled Tasks' folder 2009-11-10 c:\windows\Tasks\User_Feed_Synchronization-{CF145A7D-6216-41C4-B492-B78A5C7E7EBB}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 23:36] . . ------- Supplementary Scan ------- . IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-10 11:51 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(772) c:\windows\system32\wininet.dll - - - - - - - > 'lsass.exe'(836) c:\windows\system32\wininet.dll - - - - - - - > 'explorer.exe'(1204) c:\windows\system32\WININET.dll . Completion time: 2009-11-10 11:53 ComboFix-quarantined-files.txt 2009-11-10 16:53 ComboFix2.txt 2009-11-10 15:49 Pre-Run: 60,109,774,848 bytes free Post-Run: 60,279,922,688 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - 25B4A4C45A8708F03CD8A8AFD418BE0F

Open in New Window

Select All

Answer : Invalid access to memory location

I had already reimaged my machince but I will keep this for future use, I am on holiday and will distribute points when I return, only have mobile access right now.

Posted via EE Mobile