Tech Support Guy
Status: Not open for further replies.
1 - 20 of 77 Posts

Discussion Starter · #1 ·
When I right click almost anything I get "Explorer has encountered a problem and has to close", always with the faulting module kernel32.dll. Then immediately another box appears saying the Dr Watson postmortem debugger has encountered a problem and needs to close; I then have to Ctrl-Alt-Del to close drwtsn.exe and get my desktop back.
I have been having problems in PSP7 with ntdll being the faulting module.
I run the bare minimum of startup programs and have run all virus and spyware scans. I have googled this problem until I just can't read any more.
T.I.A. for any help.
I'm running Windows XP Pro SP2, AMD 2400.
I have loads of disk space and plenty of free RAM.
LV.
 

Reply · 45,855 Posts ·
Run eventvwr.msc and look for the errors in the System or Applications logs. Use the copy icon and copy/paste them here.

Most "right click" problems have to do with the context menu. Use Mo's "track context menu" file (post 9) to create and upload the registry entries for the context menu in a text file:

http://forums.techguy.org/showthread.php?p=2290163

You can also go to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

Open the Dr. Watson log and copy/paste just the most recent Dr. Watson error into a Notepad file, save it, and upload it as an attachment. Don't try to copy/paste it into a reply; it will be too long.
 


Discussion Starter · #3 ·
Is this what you're looking for?
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 06/25/2005
Time: 13:27:14
User: N/A
Computer: HOME
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module kernel32.dll, version 5.1.2600.2180, fault address 0x0001eb33.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 6b 65 72 6e 65 in kerne
0038: 6c 33 32 2e 64 6c 6c 20 l32.dll
0040: 35 2e 31 2e 32 36 30 30 5.1.2600
0048: 2e 32 31 38 30 20 61 74 .2180 at
0050: 20 6f 66 66 73 65 74 20 offset
0058: 30 30 30 31 65 62 33 33 0001eb33
0060: 0d 0a ..

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 06/25/2005
Time: 13:27:23
User: N/A
Computer: HOME
Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 64 72 77 ure drw
0018: 74 73 6e 33 32 2e 65 78 tsn32.ex
0020: 65 20 35 2e 31 2e 32 36 e 5.1.26
0028: 30 30 2e 30 20 69 6e 20 00.0 in
0030: 64 62 67 68 65 6c 70 2e dbghelp.
0038: 64 6c 6c 20 35 2e 31 2e dll 5.1.
0040: 32 36 30 30 2e 32 31 38 2600.218
0048: 30 20 61 74 20 6f 66 66 0 at off
0050: 73 65 74 20 30 30 30 31 set 0001
0058: 32 39 35 64 295d

The Dr Watson log file folder was empty, possibly because I ran a clean-up after uninstalling some stuff. Should I recreate the errors that cause it and try that? I did try recovering the file, but it said it was too large a file to upload here.
Thanks
LV

This is the report text from the context menu thing.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}
C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- SafetyEncrypt
{B4811AA1-D7B4-11D1-880E-0080C86B2B6E}
C:\PenSoft\EMenu.Dll

Subkey --- ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4}

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\WINZIP~1.0\WZSHLSTB.DLL

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
 

Discussion Starter · #4 ·
The Dr Watson file attached is from what started all this off: clicking on an application and nothing happening, but noticing drwtsn.exe in Task Manager.
Now if I right click I am not getting any error report; it just goes black for a few seconds, then back to the desktop.
Thanks
LV
 


Reply · 45,855 Posts ·
The Dr Watson log identifies ntdll calling a particular function. I don't know what the function does.

But the "when" date of this is 6/25. Heck, I'd just do a System Restore to before the error and see what gives then. Have you tried that?

The right click context menu shows a lot of non-standard stuff. One of those programs could be the problem.

For example, you would have to enlighten me on what programs installed these:

Subkey --- CopyToCD
Subkey --- Offline Files
Subkey --- Open With EncryptionMenu
Subkey --- SafetyEncrypt

Subkey --- ScanMenu (no file path shown here, so this is especially suspect.)

None of these are default context menu items.
 

Discussion Starter · #6 ·
The Dr Watson log I created on purpose by causing the error, because all previous logs had been deleted; that's why it's got the date 25/6. But yes, I have tried to system restore. But on someone else's advice I temporarily disabled it, so there was no choice of restore dates. There is very little I haven't tried. In the search for a solution to the ntdll problem I came across what I was led to believe was a rootkit virus, but that's another problem I can't get to the bottom of, even with a rootkit revealer.
The ntdll problem first appeared several weeks ago and I have tried just about everything I can find on the subject. Nothing so far has worked.
The kernel32 problem just appeared yesterday morning, but that I felt was more serious, as I could avoid the ntdll problem by not opening gradients in Paint Shop, whereas I can't delete or rename files with this kernel32 problem.

The only thing I recognise is the CopyToCD that is part of CopyToDVD by VSO, as I was having problems burning off data to DVDs. Haven't used it in a while. Could any of those other things be anything to do with this rootkit virus I think is there?
There is just so much I haven't got a clue about, so I'm kinda blindly following whatever advice I can get along the way. Then I'm not able to remember half of it, unfortunately. Just like a bad dream.
I really appreciate you trying to help and I'm sorry if I'm not being much assistance to you. I am trying to be, but I'm out of my depth by miles here.
 

Reply · 45,855 Posts ·
1 > Tell me more about the "rootkit" virus you think you have -- how you believe you detected it, what tools were used to try to diagnose or clean it.

If there is a thread on another site where you tried to address the "rootkit" problem, point me to it so I can see what was done.

2 > Run regedit and navigate to:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Select File > Export. Name the key anything you like and "export" (save) it some place convenient, such as in My Documents.

Then navigate to these "subkeys" you don't recognize and right click on and delete them.

3 > Let me see a HijackThis Scanlog:

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply:

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

4 > Run the "RootkitRevealer" from Sysinternals. Save the log it creates and upload that as an attachment.

http://www.sysinternals.com/Utilities/RootkitRevealer.html
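An added example that goes with step 2 above; it is my own code, not Mo's "track context menu" file and not anything from this thread. It parses the .reg file that File > Export writes for HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers (plus the CLSID keys those handlers name) and resolves each handler to the DLL in its InprocServer32 key, which is the same lookup behind the report in post 3. The discriminator is the resolved path rather than the subkey name: a handler whose CLSID resolves to no InprocServer32 key at all (ScanMenu shows no path in that report) is the one to look at first, while handlers that resolve to DLLs in the Windows directory (Offline Files to cscui.dll, the Start Menu Pin entry to SHELL32.dll) are a different case. The sample export is constructed from the CLSIDs and paths shown in post 3 and contains only REG_SZ values; regedit writes the real file as UTF-16, so read it with encoding="utf-16" before passing the text in.

```python
import re

# Constructed sample of what regedit's File > Export produces for the handler key
# named in the post plus the CLSID keys it points at. Illustrative data only, not
# this user's export; only REG_SZ values appear (hex(2) expand-strings are left raw).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ScanMenu]
@="{48f45200-91e6-11ce-8a4f-0080c81a28d4}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

[HKEY_CLASSES_ROOT\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\InprocServer32]
@="C:\\Program Files\\Grisoft\\AVG Free\\avgse.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InprocServer32]
@="C:\\WINDOWS\\System32\\cscui.dll"

[HKEY_CLASSES_ROOT\CLSID\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\SHELL32.dll"
'''

HANDLERS_KEY = r"HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    The default value is stored under the name "". Quoted REG_SZ data is
    unescaped (doubled backslashes and escaped quotes); other data such as
    dword: or hex: is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # hex continuation lines and junk carry no "name=data"
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def resolve_context_menu_handlers(keys):
    """Return [{name, clsid, path}] for each handler directly under HANDLERS_KEY.

    Two layouts occur: the subkey name is a label and its default value is the
    CLSID, or the subkey name is itself the CLSID and the default value a label.
    path is the CLSID's InprocServer32 default value, or None when the export
    has no such key, i.e. the handler points at nothing the shell can load."""
    lowered = {k.lower(): v for k, v in keys.items()}  # CLSID keys are case-insensitive
    prefix = HANDLERS_KEY + "\\"
    handlers = []
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]
        if "\\" in name:  # deeper subkeys are not handlers themselves
            continue
        default = values.get("", "")
        if GUID_RE.match(default):
            clsid = default
        elif GUID_RE.match(name):
            clsid = name
        else:
            clsid = None
        path = None
        if clsid:
            server = lowered.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32".lower())
            if server:
                path = server.get("") or None
        handlers.append({"name": name, "clsid": clsid, "path": path})
    return handlers


def suspect_handlers(handlers):
    """Names of handlers with no resolvable server DLL (like the post's ScanMenu)."""
    return [h["name"] for h in handlers if h["path"] is None]


if __name__ == "__main__":
    for h in resolve_context_menu_handlers(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{h['name']:45} {h['clsid']}  {h['path'] or '<no InprocServer32>'}")
```

Deleting a subkey under ContextMenuHandlers only stops the shell loading that handler; the DLL named in InprocServer32 stays on disk, so a handler that does resolve is worth checking against what installed it before it is removed.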
 

Discussion Starter · #8 ·
The reason I suspected a rootkit problem was that every time I ran RegSeeker, this came up no matter how often I fixed it:
HKeyRoot WINWORD.EXE. After searching Google I found this:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.drivus.html

I was unable to find any of the other stuff it mentions, and I followed their instructions.
It didn't work, but I ran RootkitRevealer and it says simply "no discrepancies found". If I reboot my PC I guarantee it will be back again.

This is getting worse. I shut down my MSN and got an error saying "encountered a problem and has to close" etc. etc., and the box came up with "more info", but when I tried to view that I got another error that I believe is connected to when I had Firefox, because Firefox wouldn't let me view the online crash analysis site with IE. In fact I've had many problems since getting rid of Firefox.

Logfile of HijackThis v1.99.1
Scan saved at 07:06:04, on 06/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://couronne.proboards20.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JOANNE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.128.15:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://members.imagehost.biz/ImageUploader3.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by13fd.bay13.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Again I appreciate everything you are doing to help.
LV.
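An added example of parsing the scanlog layout posted above; it is my own code, not part of HijackThis and not from this thread. It splits a log into its header, running-process list and coded entries, pulls the O4 autostart commands out, and runs a small triage pass. The triage criteria are assumptions of this example, not something the thread establishes: an explicit R1 ProxyServer value, and an O16 ActiveX download from a host outside a caller-supplied trusted list, are reported for the reviewer to confirm as expected, nothing more. The sample log is constructed from lines of the log posted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a trimmed-down scanlog in the same layout as the one
# posted above (lines copied from it). Illustrative data, not a fresh scan.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 07:06:04, on 06/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://couronne.proboards20.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.128.15:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://members.imagehost.biz/ImageUploader3.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Every coded line is "<code> - <body>"; the body layout depends on the code.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SETTING_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = ?(?P<data>.*)$")   # R0/R1
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # O4
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")  # O16


def parse_hjt_log(text):
    """Split a scanlog into header lines, running processes and coded entries."""
    header, processes, entries = [], [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m["code"], "body": m["body"]})
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def run_entries(log):
    """(name, command) pairs from the O4 autostart entries."""
    out = []
    for e in log["entries"]:
        if e["code"] == "O4":
            m = RUN_RE.match(e["body"])
            if m:
                out.append((m["name"], m["cmd"]))
    return out


def triage(log, trusted_hosts=("microsoft.com", "msn.com")):
    """Items a reviewer should confirm before 'fixing' anything.

    Criteria are this example's own assumptions: an explicit proxy server
    (R1 ProxyServer) and any ActiveX download (O16 DPF) from a host outside
    trusted_hosts. A hit means 'check this is expected', not 'malicious'."""
    findings = []
    for e in log["entries"]:
        if e["code"] == "R1":
            m = SETTING_RE.match(e["body"])
            if m and m["value"].strip() == "ProxyServer" and m["data"].strip():
                findings.append(("proxy-configured", m["data"].strip()))
        elif e["code"] == "O16":
            m = DPF_RE.match(e["body"])
            if not m:
                continue
            host = (urlparse(m["url"]).hostname or "").lower()
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append(("activex-from-unlisted-host", host))
    return findings


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(log['processes'])} processes, {len(log['entries'])} entries")
    for name, cmd in run_entries(log):
        print("autostart:", name, "->", cmd)
    for kind, detail in triage(log):
        print("review:", kind, detail)
```

The trusted-host list is deliberately short; an allowlist like this has to be kept in step with what the machine is actually expected to download, otherwise every legitimate web-upload control ends up in the review pile and the one that matters gets lost among them.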
 

Reply · 45,855 Posts ·
There is no such entry in your current scanlog. However some rootkit entries do not show up in "normal" mode.

Try restarting in Safe Mode and provide a HijackThis scanlog made in Safe Mode in your current User Profile (do not select the "Administrator" account).

Also while in Safe Mode see if any of the "right click" or other problems you are encountering persist there.

Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

You can check and fix these items in the Scanlog, just for housecleaning purposes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

And if you are having problems on TSG right now, so is everyone else.

By the way, what exactly is this application referenced in the drwatson log:

jpemu250.exe

and is the error occurring with anything else? All zipped programs or just some?
 

Discussion Starter · #10 ·
I'm sorry to seem ignorant here, but is this what you think I should delete? Subkeys, I mean:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SafetyEncrypt
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ScanMenu

I don't know what's legit in those and what's not, except of course the one with no name, just numbers, and "bad" right in amongst them. lol, is that telling me something or just coincidence?
LV
 

Reply · 45,855 Posts ·
First test to see whether the problem occurs in Safe Mode. If it does, delete those subkeys. If not, they probably are not involved.

Do NOT delete this:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

You can restore them, if necessary, either by double clicking and merging the saved .reg file, or through a System Restore.
 

Discussion Starter · #12 ·
Okay, I'm being a bit dumb again here. CURRENT USER? Not admin? When I log on I am the only user/administrator, so it comes up as "log on Jo". I put my password in and it starts up. There aren't any other users on this. So how do I log on as just current user?
LV
 

Reply · 45,855 Posts ·
I'm not sure if you saw post 9 from me.

My advice there was to reboot in Safe Mode and test the problem there before doing anything. In a Safe Mode boot you should be presented with two logon choices. One says "administrator" (only) and the other is your User Name which will have Administrative Rights. I wanted you to log in with your User Name, not the formal "administrator" account.

Also create a HijackThis Scanlog in Safe Mode and post that on return.

Let me know more about the ntdll error you get. Is it just with zipped files, just with that one file you unzipped or tried to run that is referenced in the Dr Watson log, or what? Or does it occur every time you right click, regardless of the action taken?
 

Discussion Starter · #15 ·
I am so sorry to have taken so long, but I did what you said and then I saw the two choices of login, yes. The problem had gone, so I did the HijackThis and restarted my computer to access the net and post, but unfortunately it wouldn't allow me to boot up in any way at all, saying the Windows config/sys file was missing or corrupt, so I had to wait till PC World opened and go and buy Windows XP Pro. They only had the upgrade version, so I got that, and I got as far as the administrator password and have no clue what that is, it's been so long, but I just hit exit to restart and hey presto, it booted up normally and I have all my settings etc. I right clicked the file on the desktop and no problem.

So what do you suggest? Should I just leave things as they are, or carry on investigating this, or wait to see if any problems appear?
Just seeing as you asked: the ntdll problem was with Paint Shop Pro; it appeared every time I clicked on a gradient. And then when trying to run the jpemu file it wouldn't start, and as you see in the Dr Watson log, ntdll is mentioned there too.
Thanks for your help and advice. I will check back later after a much needed sleep and see what you suggest.
LV.
 

Reply · 45,855 Posts ·
Sheesh, you may have gotten lucky. Normally that "config" error means there is registry corruption, and while it is possible to repair it in some cases, it is very difficult.

When you boot in Safe Mode you are asked for a password. If you never created one all you need to do is hit "enter" and the boot will continue. But I'm not sure what you are seeing with the "upgrade" CD, perhaps that is all you needed to do.

I don't know what you want to do with your upgrade "investment". But for now I would just see how things go and if you are not encountering any errors you may want to use the Thread Tools tab here to mark the problem "Solved".
 

Discussion Starter · #17 ·
Well, I am kinda reluctant to start digging in case I mess things up, but the original problem of clicking on certain exe files and getting absolutely nothing but finding Dr Watson in my Task Manager is still there. And that WINWORD.EXE is back in my registry. I ran RegSeeker out of curiosity and yup, there it was. But the RootkitRevealer from Sysinternals doesn't show it.

Booting in Safe Mode at first was OK, but after that I couldn't boot up at all. The upgrade CD did fix that problem. I haven't tried Paint Shop Pro yet to see if the ntdll problem is still there.
I'm wary now of trying anything; I'm just so glad to have things running, so I may plug in my external hard drive and start copying as much as possible onto that as a backup, just in case.
But I think I will carry on and see how things go.
Should I still close this with problem solved?

PS: thanks again, your time and expertise is very much appreciated.
LV.
 

Reply · 45,855 Posts ·
I guess I misunderstood your last post. I thought the "upgrade" had not completed successfully.

As for the "exes" you are having problems with, what are they? I have no idea what jpemu is. The PSP problem may need to be addressed separately, perhaps in another forum where folks who use it extensively can offer better help.

Also, can you copy/paste whatever you are seeing about "winword.exe"? It's not in the location covered in the Symantec article, and you may just be seeing something that is not actually running or being loaded, or it may be the legitimate Microsoft application.

If you can upload the rootkit revealer log as an attachment I'd like to see that too.
 

Discussion Starter · #19 ·
When I run RegSeeker the first thing that comes up is "unused open with entry" HKRoot WINWORD.EXE. So I check it to be fixed and it goes away, but if I reboot it comes back. I've also looked for it manually with regedit and deleted it. But it comes back after every boot up.
There is no log for RootkitRevealer; it comes up "No discrepancies found".

As for the exes, jpemu is a fruit machine emulator, and it happened with another unrelated exe, and for the life of me I can't remember which one. It is something that I can do without. For now anyway it isn't causing problems, so I will leave that and not bother trying to get that going.
The winword thing is bothering me. I don't use any Office products. I have Microsoft Works, I think, but it's not been used for a long time. I don't have Office or anything like that.
LV
 

Reply · 45,855 Posts ·
I wouldn't worry about winword.exe; RegSeeker is not identifying it as a trojan or anything else. The entry is almost certainly a legitimate Microsoft one that is being automatically replaced in spite of RegSeeker's inability to identify its association properly. It comes with Microsoft Works and other Office products. While you may not have Word, you must have some document type extension associated with it. That would be indicated in the entry telling you what is supposed to open with winword.exe.

The problems you appear to be having now are, as far as I can tell, all related to 3rd party software. Emulators are not supported with tech help here, as they are almost all the product of questionable attempts to bypass copyright restrictions. Moreover, you put your computer at risk in installing these or any other software that does not come from an established, reputable site.

Feel free to mark the thread "Solved" if you are comfortable with the current status of Windows XP programs and processes.
 