If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
'attempt to access invalid address' error when running dos software in xp
I've a customer who has the same problem and I've waiting
to see if someone replied to this post for a fix. The customer had a trojan removed from their PC and then started receiving the same message whenever they tried to run a dos program. When I started the machine in safe mode everything worked fine. Today the PWSteal.Banker.B trojan was reported by norton's on this computer which I removed. This trojan was only discovered on June 17 and is not supposed to affect XP. I decided to try running command.com and sysedit to see if removing the trojan had any effect on this problem. Much too my surprise and relief it did. Hopefully this might help you if you go to symantec's sight they have the information needed to remove the virus. The file that the virus creates is lsd_f3.dll in the system32 folder. Let me know if this helps. -----Original Message----- I apologize for the lengthy post. System: I'm running win xp pro (system came with win xp, I upgraded immediately to win xp pro. This current problem has nothing to do with the upgrade to win xp pro, which was done over a year ago) on an e-machine T2625 AMD Athlon xp 2600+ 2.12GHz, 1GB RAM. Note: My computer came with the primary partition (system partition, C: drive) configured to NTFS. All other partitions that I have created on that physical hard drive and on other physical hard drives are FAT32. Problem: A week ago, I had just finished fully cleaning my system (a long process) and then went to play tetris and BAM! A new problem. How nice. I have a number of dos programs, including tetris.exe, some old astronomy dos software, etc. which have worked fine on win xp pro for quite some time until recently (the last week) when they collectively began to fail with an "attempt to access invalid address" error. I cannot ascertain the exact time at which this problem began since I only use the DOS programs infrequently. Information which may be helpful: The first thing I did was Google search with the following string: "attempt to access invalid address" xp dos. This search brought some (perhaps) useful info, which I will relay he From: http://www.computing.net/windows2000...d/forum/58304. html "Andrew" on June 02, 2004 said "Todays morning, after one hour of work I needed to restart computer becouse I was not able to disconnect from internet. There was no activity but it was not disconnecting. After that I can't start any DOS program on this computer, any dclick in icon to program is giving error: "Attempt to access invalid address". When I try to run DOS program from command prompt window I see : "Cannot execute program". I scan comp. for viruses - it did not find anything. Any sug.? " "Bill Mason" on June 08, 2004 said "I currently have a similar problem to what you descibed. I found that if I start Windows in the "safe" mode I can then access what I need to. This is not a satisfactory solution for me. I would greatly appreciate any better cures if you are now aware of any. Thanks! " "Christopher" on June 15, 2004 said "Same symptoms, XP Pro. User reported a few xxx popups while downloading NAV2004 just prior to problem. Checked her index.dat file and found NO record of browsing anything but okay sites. Tried NAV2004, Adaware, Spybot, TrojanHunter, turning off servies, msconfig, logged in as Administrator, checked config.nt and autoexec.nt, nothing worked. Finally had to use XP system restore and roll back 3 days. Maybe something nailed the Environment Variables ? Didn't think to check those until after restore. " "manu (by manu24)" on June 30, 2004 said "same prob. here with win xp home, but sometime back i turned off my system restore for some reason and forget to turned it on, so now i cannot roll back, so what do now? any suggestions. manu " end of thread from: http://www.techimo.com/forum/t111831.html "akinsey " on June 7th, 2004 said " I have a user who is running XP Home on a newer HP Pavilion, which had a bad hard drive and was replaced a week ago under warranty at Best Buy. She cannot use any DOS programs under XP, even using any of the available compatibility modes. HOWEVER, there was no problem with ANY DOS programs running under XP prior to the drive being replaced. 1) MS KB searches on DOS Compatibility Problems in XP point to NTVDM configuration problems. I.E.: When you have problems with MS-DOS programs: Test the NTVDM (Windows Virtual DOS Machine) subsystem: 1. Start / Run / Command.com / OK. 2. If a C:\Windows\System32\Command.com session does NOT open, the NTVDM is misconfigured. Check the Config.nt and Autoexec.nt files in the %SystemRoot%\System32 folder for non-standard entries... [snip] Start-run-command.com (enter) yields the error "attempt to access invalid address". (see attachment, error.JPG) command.com Ntio.sys Ntdos.sys Ntvdm.exe Ntvdmd.dll Redir.exe All appear in the windows\system32 folder. I looked at the config.nt and autoexec.nt files and they're pure, exactly as extracted from the XP cd. Suggestions?" "Paladisious" on July 1st, 2004 said "The exact same thing is happening to me in Win XP Home, except I formated my machine, and since then I've reinstalled windows and all those lovely classic DOS games, but that 'invalid adress' error keeps coming up when I try to run them." "noseBleeD " on July 1st, 2004 said "I am fairly sure when it says the address is invalid, it means it has gone beyond the end of the memory registers that are assigned to the program you are trying to run. Does this happen in safe mode? This could be caused by a memory leak. This could be caused by a bad virus that harmed your hdd, and ram, or video ram, or more. I would verify the above posts like you said concerning the winXp version first, then try safe mode and see if problem still exist. I would then boot into recovery console and run chkdsk /f command. I would the test memory with other known good memory and if good, add more." end of thread From: http://www.annoyances.org/exec/forum/win2000/1087416706 "fcoen " on June 16, 2004 said "I have recently re- installed windows 2000 server, but now all the dos programs that used to work on it give an error: "attempt to access invalid address". Not only that but things like the edit command give the same error. Any suggestions. Thanks. " "MaddMaxx" on June 16, 2004 said "Did you switch from FAT32 to NTFS?" "fcoen " on June 17, 2004 said "yes..." end of thread From: http://www.experts- exchange.com/Operating_Systems/WinXP/Q_21020181.html "stevewdindas" on 06/09/2004 said "I have notebook that has had and repaired a number of viruses. However, even though it is reporting clean after several different scans whenever I try to run most .exe applications it reports the error "Attempt to access invalid address". I have tried the programme in safe mode and it works. Any suggestions?" end of thread From: http://computing.net/windows2000/www...rum/58739.html "manu (by manu24)" on July 01, 2004 said "Hi, my comp got hijacked with some xxx dialer n dl.html file etc and some trojans. i got rid of those now i m facing this problem when ever i click some dos application like my turbo c++.exe or some other dos application i got this error"Attempt to access invalid address". unfortunately some time back i turned off my system restore so i m unable to rool back my system. plz help me, ne suggestion will br g8tly appreciated. Manu using win xp" end of thread. The most useful fact which I gathered from these threads is that this is a recent problem (Note the dates of the posts), since I have tried many other searches on Google, other search engines, and usenet groups such as this and found no other references to this problem. Therefore the only references to this problem are recent. This indicates to me that we are dealing with a virus, trojan, or malware which has began to show its effects only in the last month or so. Further evidence for this being a recent virus is that none of the above referenced threads includes any definite answers or solutions, just people trying to find answers to (roughly) the same problem at (roughly) the same time, indicating (to me) that this is a new virus or a new version of an old one. MY Hijackthis log is clean: "Logfile of HijackThis v1.97.7 Scan saved at 9:15:56 AM, on 7/2/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe C:\Program Files\AVPersonal\AVGNT.EXE C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\AVPersonal\AVGUARD.EXE C:\Program Files\AVPersonal\AVWUPSRV.EXE C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton Utilities\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\slserv.exe C:\Program Files\Speed Disk\nopdb.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32 \NeroCheck.exe O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32 \ctfmon.exe O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...01/housecall.t rendmicro.com/house call/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab" I have already performed all of the usual tasks associated with a difficult problem: 1. Ran online panda-antivirus, trend micro, ranta- antivirus, downloaded and ran free AVG antivirus, then uninstalled it, and then downloaded and ran free AntiVir. Ran all of these again in safe mode except for AVG free, which doesn't like winXP safe mode and can't find core driver. That's nine virus scans which found nothing (due to the fact that, just prior to noticing the current problem, I had just run all of these scans and more as part of monthly maintenance). 2. In safe mode, and then again in regular mode, deleted all files in the following directories: Temporary Internet Files (for all users, verifying it to be empty, verifying that Content.IE5 was either empty or deleted, for each user and Admin and 'All usuers' and 'default user' and localservices and networkservices); Cookies; Windows/Temp; Windows/Downloaded program files (except for those downloaded program files associated with the online virus scanners); windows/prefetch; Windows/web; C:\recycler (except for S-1-5-21-760979014-647424850-2722162428-1005, the actual recycle bin, which it won't let me delete); and then ran accessories|system tools|disk cleanup on all drives, in both regular and safe mode, deleting everything which I could (but everything was empty by then - in, fact, everything had already been empty because I had already done all of this just prior to noticing the problem). 3. Ran SpyBot search and destroy and Ad-Aware in regular and safe mode. Already clean. Some things of note: 1. Since my primary partition (system c: drive) came as NTFS, I have never been able to access it directly when in DOS mode or when booted from a DOS floppy, since DOS can't recognize NTFS, so recently, having finally grown annoyed enough to do something about it, I searched the net and downloaded 'ntfsdos', a DOS program which acts as a file system driver for DOS/Windows and that is able to recognize and mount NTFS drives for transparent access. It makes NTFS drives appear indistinguishable from standard FAT drives, providing the ability to navigate, view and execute programs on them from DOS. It is an older program which was apparently necessary in the days when FAt32 windows couldn't recognize NTFS. I mention this merely for the sake of completeness, since none of the other people in the above referenced threads mentioned this ntfsdos program, which is a relatively rare program, and it is unlikely that it would be present on any of their systems, and therefore unrelated to the present problem. However, one post asked if the person had changed from FAT32 to NTFS, but didn't explain why he thought this might be important, and although I didn't change from FAT32 to NTFS, I just thought I'd mention that I ran this NTFSDOS program so as to be able to access NTFS C: drive from DOS. 2. As suggested in one of the above-mentioned posts, I ran Command.com, but got the error "attempt to access invalid address". All the usual dos programs and associated files are present in system32 folder, and config.nt and autoexec.nt appear to be fine. 3. My DOs stuff works fine in safe mode. 4. I don't seem to have the recovery console, or at least I don't see it listed when booting. 5. A month ago when last cleaning the system, I turned off system restore before running the virus scans, as always, but forgot to turn it back on, so if I want to restore windows I'll have to go back at least a month. I'd rather avoid that. Sorry for the long post. Any help is appreciated. . |
Ads |
Thread Tools | |
Display Modes | |
|
|