kernel32.dll and ntdll.dll errors.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
When I right click almost anything I get "Explorer has encountered a problem and has to close", always with the faulting module kernel32.dll. Then immediately another box appears saying the Dr. Watson postmortem debugger has encountered a problem and needs to close. I then have to Ctrl+Alt+Del to close drwtsn.exe and get my desktop back.
I have been having problems in PSP7 with ntdll being the faulting module.
I run the bare minimum startup programs and have run all virus and spyware scans. I have googled this problem until I just can't read anymore.
T.I.A. for any help.
I'm running Windows XP Pro SP2. AMD 2400.
Have loads of disk space and plenty of free RAM.
LV.
 
Joined
Dec 9, 2000
Messages
45,855
Run eventvwr.msc and look for the errors in the System or Applications logs. Use the copy icon and copy/paste them here.

Most "right click" problems have to do with the context menu. Use Mo's "track context menu" (post 9) file to create and upload the registry entries for the context menu in a text file:

http://forums.techguy.org/showthread.php?p=2290163

You can also go to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

Open the Dr. Watson log and copy/paste just the most recent Dr. Watson error to a notepad file, save it, and upload it as an attachment. Don't try to copy/paste it to a reply, it will be too long.
 


LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
Is this what you're looking for?
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 06/25/2005
Time: 13:27:14
User: N/A
Computer: HOME
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module kernel32.dll, version 5.1.2600.2180, fault address 0x0001eb33.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 06/25/2005
Time: 13:27:23
User: N/A
Computer: HOME
Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The Dr. Watson log file folder was empty, possibly because I ran a cleanup after uninstalling some stuff. Should I recreate the errors that cause it and try that? I did try recovering the file but it said it was too large a file to upload here.
Thanks
LV


This is the report text from the context menu thing.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}
C:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- SafetyEncrypt
{B4811AA1-D7B4-11D1-880E-0080C86B2B6E}
C:\PenSoft\EMenu.Dll

Subkey --- ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4}


Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\WINZIP~1.0\WZSHLSTB.DLL

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
The Dr. Watson file attached is from what started all this off: clicking on an application and nothing happening, but noticing drwtsn.exe in Task Manager.
Now if I right click I am not getting any error report; it's just going black for a few seconds, then back to desktop.
Thanks
LV
 


Joined
Dec 9, 2000
Messages
45,855
The drwatson log identifies ntdll calling a particular function. I don't know what the function does.

But the "when" date of this is 6/25. Heck I'd just do a System Restore to before the error and see what gives then. Have you tried that?

The right click context menu shows a lot of non standard stuff. One of those programs could be the problem.

For example you would have to enlighten me on what programs installed these:

Subkey --- CopyToCD
Subkey --- Offline Files
Subkey --- Open With EncryptionMenu
Subkey --- SafetyEncrypt

Subkey --- ScanMenu (no file path shown here, so this is especially suspect.)

None of these are default context menu items
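
The by-eye check in the reply above, as an added example that is not part of the original thread: it parses the "track context menu" report format posted earlier and sorts each handler by whether its DLL sits under the system directory, elsewhere, or is missing from the report. The sample entries are copied from that report; the `C:\WINDOWS\system32` location and the bucket names are assumptions of this sketch, and a system-directory path is a sorting aid, not proof that a handler is legitimate.

```python
import re
from collections import namedtuple

# Sample input: four entries copied from the report posted in this thread.
REPORT = r"""
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- SafetyEncrypt
{B4811AA1-D7B4-11D1-880E-0080C86B2B6E}
C:\PenSoft\EMenu.Dll

Subkey --- ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4}

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
"""

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM_DIR = "c:\\windows\\system32\\"  # assumption: default XP install location
Handler = namedtuple("Handler", "subkey clsid label dll")

def parse_report(text):
    """Split on 'Subkey --- ' and classify the lines that follow each subkey name."""
    handlers = []
    for block in re.split(r"^Subkey --- ", text, flags=re.M)[1:]:
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        subkey, rest = lines[0], lines[1:]
        # Some subkeys are named by the CLSID itself, with a label on the next line.
        clsid = next((l for l in [subkey] + rest if CLSID_RE.match(l)), None)
        dll = next((l for l in rest if PATH_RE.match(l)), None)
        label = next((l for l in rest if not (CLSID_RE.match(l) or PATH_RE.match(l))), None)
        handlers.append(Handler(subkey, clsid, label, dll))
    return handlers

def triage(h):
    # Bucket names are this sketch's own, not the output of any tool.
    if h.dll is None:
        return "no-dll-listed"          # e.g. ScanMenu in the thread
    if h.dll.lower().startswith(SYSTEM_DIR):
        return "system-dir"
    return "outside-system-dir"

def summarize(text):
    return {h.subkey: triage(h) for h in parse_report(text)}

if __name__ == "__main__":
    print(summarize(REPORT))
```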
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
The Dr. Watson log I created on purpose by causing the error because all previous logs had been deleted; that's why it's got the date 25/6. But yes, I have tried to System Restore. But on someone else's advice I temporarily disabled it, so there was no choice of restore dates. There is very little I haven't tried. In the search for a solution to the ntdll problem I came across what I was led to believe was a rootkit virus, but that's another problem I can't get to the bottom of even with a rootkit revealer.
The ntdll problem first appeared several weeks ago and I have tried just about everything I can find on the subject. Nothing so far has worked.
The kernel32 problem just appeared yesterday morning, but that I felt was more serious as I could avoid the ntdll problem by not opening gradients in Paint Shop, whereas I can't delete or rename files with this kernel32 problem.

The only thing I recognise is the CopyToCD; that is part of CopyToDVD by VSO, as I was having problems burning off data to DVDs. Haven't used it in a while. Could any of those other things be anything to do with this rootkit virus I think is there?
There is just so much I haven't got a clue about, so I'm kinda blindly following whatever advice I can get along the way. Then I'm not able to remember half of it, unfortunately. Just like a bad dream.
I really appreciate you trying to help and I'm sorry if I'm not being much assistance to you. I am trying to be, but I'm out of my depth by miles here.
 
Joined
Dec 9, 2000
Messages
45,855
1 > Tell me more about the "rootkit" virus you think you have -- how you believe you detected it, what tools were used to try to diagnose or clean it.

If there is a thread on another site where you tried to address the "rootkit" problem, point me to it so I can see what was done.

2 > Run regedit and navigate to:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Select File > Export. Name the key anything you like and "export" (save) it some place convenient, such as in My Documents.

Then navigate to these "subkeys" you don't recognize and right click on and delete them.

3 > Let me see a HijackThis Scanlog:

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

4 > run the "rootkitrevealer" from System Internals. Save the log it creates and upload that as an attachment.

http://www.sysinternals.com/Utilities/RootkitRevealer.html
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
The reason I suspected a rootkit problem was that every time I ran RegSeeker, this came up no matter how often I fixed it:
HkeyRoot WINWORD.EXE. After searching Google I found this:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.drivus.html

I was unable to find any of the other stuff it mentions and I followed their instructions.
It didn't work, but I ran the rootkit revealer and it says simply no discrepancies found. If I reboot my PC I guarantee it will be back again.

This is getting worse. I shut down my MSN and got an error saying it encountered a problem and has to close etc. etc., and the box came up with "more info", but when I tried to view that I got another error, which I now believe is connected to when I had Firefox, because Firefox wouldn't let me view the online crash analysis site with IE. In fact I've had many problems since getting rid of Firefox.

Logfile of HijackThis v1.99.1
Scan saved at 07:06:04, on 06/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://couronne.proboards20.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JOANNE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.128.15:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://members.imagehost.biz/ImageUploader3.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by13fd.bay13.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Again I appreciate everything you are doing to help.
LV.
 
Joined
Dec 9, 2000
Messages
45,855
There is no such entry in your current scanlog. However some rootkit entries do not show up in "normal" mode.

Try restarting in Safe Mode and provide a HijackThis scanlog made in Safe Mode in your current User Profile (do not select the "Administrator" account).

Also while in Safe Mode see if any of the "right click" or other problems you are encountering persist there.

Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

You can check and fix these items in the Scanlog, just for housecleaning purposes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

And if you are having problems on TSG right now, so is everyone else.

By the way, what exactly is this application referenced in the drwatson log:

jpemu250.exe

and is the error occurring with anything else? All zipped programs or just some?
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
I'm sorry to seem ignorant here, but is this what you think I should delete? Subkeys, I mean.
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SafetyEncrypt
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ScanMenu

I don't know what's legit in those and what's not, except of course the one with no name and just numbers and "bad" right in amongst them. lol, is that telling me something or just coincidence?
LV
 
Joined
Dec 9, 2000
Messages
45,855
First test to see whether the problem occurs in Safe Mode. If it does, delete those sub keys. If not, they probably are not involved.

Do NOT delete this:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

You can restore them, if necessary, either by double clicking and merging the saved .reg file, or through a System Restore.
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
Okay, I'm being a bit dumb again here. CURRENT USER? Not admin. When I log on I am the only user/administrator, so it comes up as log on Jo. I put my password in and it starts up. There aren't any other users on this. So how do I log on as just current user?
LV
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
I deleted all those subkeys except
open with
avg
yahoo
winzip.
Instinct told me the open with one wasn't to be deleted.
 
Joined
Dec 9, 2000
Messages
45,855
I'm not sure if you saw post 9 from me.

My advice there was to reboot in Safe Mode and test the problem there before doing anything. In a Safe Mode boot you should be presented with two logon choices. One says "administrator" (only) and the other is your User Name which will have Administrative Rights. I wanted you to log in with your User Name, not the formal "administrator" account.

Also create a HijackThis Scanlog in Safe Mode and post that on return.

Let me know more about the ntdll error you get. Is it just with zipped files, just with that one file you unzipped or tried to run that is referenced in the drwatson log, or what? Or does it occur every time you right click regardless of the action taken?
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
I am so sorry to have taken so long, but I did what you said and then I saw the two choices of login, yes. The problem had gone, so I did the HijackThis and restarted my computer to access the net and post, but unfortunately it wouldn't allow me to boot up in any way at all, saying windows confin/sys/ file was missing or corrupt, so I had to wait till PC World opened and go and buy Windows XP Pro. They only had the upgrade version so I got that, and I got as far as administrator password and have no clue what that is, it's been so long, but I just hit exit to restart and hey presto, it booted up normally and I have all my settings etc. I right clicked the file on desktop and no problem.

So what do you suggest? Should I just leave things as they are or carry on investigating this, or wait to see if any problems appear?
Just seeing as you asked, the ntdll problem was with Paint Shop Pro; it appeared every time I clicked on a gradient. And then when trying to run the jpemu file it wouldn't start, and as you see in the Dr. Watson log, ntdll is mentioned there too.
Thanks for your help and advice. I will check back later after a much needed sleep and see what you suggest.
LV.
 