
Iexplore.exe errors [now looks like a spyware issue]

Discussion in 'Malware and Virus Removal Archive' started by Lysimachus, 2005/02/09.

  1. 2005/02/09
    Lysimachus (Well-Known Member, Thread Starter)

    Greetings folks, this is my first post here after a week of vainly trying to resolve an error that forever haunts me and doesn't let me sleep. Here is the scope:

    I have Windows XP Pro.
    As of late, I constantly receive the following errors. Both errors are exactly the same, except they come in different formats depending on whether Error Reporting in Windows XP is turned On or Off.

    The following errors occur on only SOME WEB PAGES! I'll click a link on any page, and suddenly the errors pop up, and after clicking "Send/Don't Send Error Report" OR "OK", Internet Explorer instantly terminates. Another thing is, interestingly, when my brother is on this machine and logs into his Hotmail account and clicks an email to open it, the following errors occur, BUT when I'm logged into MY Hotmail account there are no errors at all! I believe it must be a technical issue residing on this machine, as my other machine with Windows XP on the same network can browse all the same pages just fine without a single error. After you read and evaluate the following errors, you will see that I have provided all the various procedures to help alleviate the problem. This will help you deduce things so that you can help me get to the bottom of this! I'M DETERMINED TO GET TO THE BOTTOM OF THIS!

    Error with Error Reporting turned ON:


    -------------------------------------------------------
    Internet Explorer

    Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

    ---------------------------------------------------

    At this point, I can click "Send Error Report" or "Don't Send". Either of them will terminate the program. But for more detailed information, the following is displayed after I click "To see what data this error report contains, click here":

    -------------------------------------------------------
    Error signature

    AppName: iexplore.exe AppVer: 6.0.2900.2180 ModName: unknown
    ModVer: 0.0.0.0 Offset: 454c474f

    --------------------------------------------------------

    Then, "To view technical information about the error report, click here":

    ----------------------------------------------------------
    Error Report Contents

    The following information about your process will be reported:

    [consists of a whole bunch of lines of info, modules, etc.]

    The following files will be included in this error report:

    C:\DOCUME~1\Windows\LOCALS~1\Temp\8507_appcompat.txt

    ---------------------------------------------------------------

    Error with Error Reporting OFF:


    ------------------------------------------------------
    iexplore.exe - Application Error

    The instruction at "0x41313143" referenced memory at "0x41313143". The memory could not be "read".

    Click OK to terminate the program.
    Click on CANCEL to debug the program.

    --------------------------------------------------------

    I have verified that both of the above errors take place when clicking the SAME links throughout the web. They even occur at popular websites such as Expedia.com, and of course hotmail. This NEVER used to happen on ANY of these websites before!

    Procedures taken in attempt to resolve the problem:

    1. Ran a thorough updated Spybot Search & Destroy scan and removed all detected spyware.

    2. Ran a thorough updated Ad-Aware SE Personal scan and removed all detected spyware.

    3. Ran a thorough updated Microsoft AntiSpyware Beta1 scan and removed all detected spyware.

    4. Ran a thorough virus scan using AVG Free Edition, detected about 4 backdoor Trojans, deleted them all.

    5. Ran System Defragmenter

    6. Emptied all Temp Files, Temporary Internet Files, and Cookies

    7. Performed Error-checking on Hard Drive

    8. Completely ran System File Checker using "sfc /scannow"

    9. Ran Microsoft Windows Memory Diagnostic, and did a thorough, extended, memory error check on Reboot using a floppy disk. There were NO errors found.

    10. I have two DIMMS (2x512). I swapped DIMMS to see if maybe that would make a difference. No difference whatsoever.

    11. I COMPLETELY UPDATED WINDOWS XP! There are absolutely NO "critical" or "recommended" updates left to update for Windows XP.

    12. Ran Registry Mechanic and repaired all detected registry problems.

    13. Uninstalled/Repaired Internet Explorer.

    After performing all these tests to no avail, I decided it was time to come and get some help from you friendly folks. Here I have an AS in Computer Networking, build, repair, and troubleshoot computers, developing my own business, and EVEN I CAN'T FIGURE OUT THIS PATIENCE TESTING ERROR!

    I pray that some of you will help me be able to resolve this issue. I'd hate to have to reformat this whole system over one error. But let me tell you, this one error is causing a wreck of problems and is preventing people from performing necessary work on this computer. It's also causing me to tie it up on them.

    If we can nail this error and resolve it, I would say we have done a great accomplishment, and will be able to help any other person who suffers from it in the future.

    Anyway, answer when you can, thanks.

    Cheers!

    Lysimachus
     
    Last edited: 2005/02/10
  2. 2005/02/09
    JoeHobart (Inactive Alumni)

    Run one of those .dmp files that was created (probably \windows\minidump\mini020905-01.dmp or something) through the dump tool in my sig. Let's see what you got.

    I can tell already it's gonna be stack corruption. Your computer is trying to run a string "A11C" and "ELGO", which is bogus.
     


  4. 2005/02/09
    Lysimachus (Well-Known Member, Thread Starter)

    Thanks, I will try that. I'll have to do it tomorrow morning however since it is late.

    Bear in mind that I also tried uninstalling/repairing Internet Explorer in Add/Remove Programs > Add/Remove Windows Components and ran Registry Mechanic and repaired all detected registry problems.

    Still nothing.

    But tomorrow, I hope to find out after performing your suggested steps. :)

    In the meantime, I've had to resort to Mozilla Firefox :(
     
  5. 2005/02/10
    Lysimachus (Well-Known Member, Thread Starter)

    Here is the generated code!

    Alright JoeHobart, here is the generated code from the log file. Please tell me if you see anything in there you recognize, and if you do spot a problem, show me how you interpreted it. Although I'm good in general at fixing/troubleshooting computers, I'm no pro at interpreting code. How do you interpret this stuff?:

    P.S. BTW, I simply selected the latest dmp file: C:\WINDOWS\Minidump\Mini012805-01.dmp

    Could perhaps some .dmp files give different results compared to others?

    -----------------------------------------------------------

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.4.0007.2
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini012805-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp2_rtm.040803-2158
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
    Debug session time: Fri Jan 28 09:50:12.694 2005 (GMT-6)
    System Uptime: 0 days 2:00:08.272
    Loading Kernel Symbols
    ...............................................................................................................................
    Loading unloaded module list
    ........
    Loading User Symbols
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 10000050, {fffdd6ec, 1, bf83aed2, 0}


    Could not read faulting driver name
    Probably caused by : win32k.sys ( win32k!xxxCallHook2+24b )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: fffdd6ec, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: bf83aed2, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name

    WRITE_ADDRESS: fffdd6ec

    FAULTING_IP:
    win32k!xxxCallHook2+24b
    bf83aed2 897820 mov [eax+0x20],edi

    MM_INTERNAL_CODE: 0

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x50

    LAST_CONTROL_TRANSFER: from bf83b0b7 to bf83aed2

    STACK_TEXT:
    f4000c88 bf83b0b7 03ebada0 00000000 00000001 win32k!xxxCallHook2+0x24b
    f4000ca4 bf801a55 00000000 00000001 00000000 win32k!xxxCallHook+0x26
    f4000cec bf80f106 f4000d18 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x264
    f4000d4c 804df06b 0012fc14 00000000 00000000 win32k!NtUserGetMessage+0x27
    f4000d4c 7c90eb94 0012fc14 00000000 00000000 nt!KiFastCallEntry+0xf8
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0012fb94 00000000 00000000 00000000 00000000 0x7c90eb94


    FOLLOWUP_IP:
    win32k!xxxCallHook2+24b
    bf83aed2 897820 mov [eax+0x20],edi

    SYMBOL_STACK_INDEX: 0

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: win32k!xxxCallHook2+24b

    MODULE_NAME: win32k

    IMAGE_NAME: win32k.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a

    STACK_COMMAND: kb

    FAILURE_BUCKET_ID: 0x50_W_win32k!xxxCallHook2+24b

    BUCKET_ID: 0x50_W_win32k!xxxCallHook2+24b

    Followup: MachineOwner
    ---------

    eax=fffdd6cc ebx=00000000 ecx=bbd10000 edx=bbebada0 esi=e2d82a60 edi=bbebada0
    eip=bf83aed2 esp=f4000c28 ebp=f4000c88 iopl=0 nv up ei ng nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
    win32k!xxxCallHook2+0x24b:
    bf83aed2 897820 mov [eax+0x20],edi ds:0023:fffdd6ec=????????
    ChildEBP RetAddr Args to Child
    f4000c88 bf83b0b7 03ebada0 00000000 00000001 win32k!xxxCallHook2+0x24b (FPO: [Non-Fpo])
    f4000ca4 bf801a55 00000000 00000001 00000000 win32k!xxxCallHook+0x26 (FPO: [Non-Fpo])
    f4000cec bf80f106 f4000d18 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x264 (FPO: [Non-Fpo])
    f4000d4c 804df06b 0012fc14 00000000 00000000 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
    f4000d4c 7c90eb94 0012fc14 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f4000d64)
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0012fb94 00000000 00000000 00000000 00000000 0x7c90eb94
    Closing open log file c:\debuglog.txt

    ----------------------------------------------------------------------
     
  6. 2005/02/10
    BenMcDonald[MS] (Inactive)

    This is a Bluescreen dump, not an IE crash. Look for verbiage as below

     
  7. 2005/02/10
    Lysimachus (Well-Known Member, Thread Starter)

    Alright, I spotted those lines.

    So now what's the next step? Now that we've identified the problem, what do I do to correct it?
     
  8. 2005/02/10
    BenMcDonald[MS] (Inactive)

    I wasn't clear. The DMP file you ran that tool against was the crash report of a bluescreen, not an application crash. You need to go find a DMP that is for user mode IEXPLORE.
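    The two checks the replies above make by eye, reading the faulting addresses as ASCII (JoeHobart's "A11C" / "ELGO" observation) and telling a kernel bugcheck dump from a user-mode crash dump by its WinDbg header (BenMcDonald's point), written up as a small Python triage script. This is an added example, not code from the thread or from any Microsoft tool; the inputs are constructed from the dialogs and log header quoted in the posts, and the "User Mini Dump File" header string is assumed from WinDbg's usual output for user-mode dumps.

```python
"""Triage of the crash messages quoted in this thread (added example)."""
import re
import string

# Constructed from the "Error signature" dialog quoted in the first post.
WER_SIGNATURE = (
    "AppName: iexplore.exe AppVer: 6.0.2900.2180 ModName: unknown\n"
    "ModVer: 0.0.0.0 Offset: 454c474f"
)

# Constructed from the "Application Error" dialog quoted in the first post.
APP_ERROR = ('The instruction at "0x41313143" referenced memory at '
             '"0x41313143". The memory could not be "read".')

# Constructed from the first lines of the WinDbg log pasted in post 5.
WINDBG_HEADER = (
    "Loading Dump File [C:\\WINDOWS\\Minidump\\Mini012805-01.dmp]\n"
    "Mini Kernel Dump File: Only registers and stack trace are available\n"
    "BugCheck 10000050, {fffdd6ec, 1, bf83aed2, 0}"
)

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def parse_wer_signature(text):
    """Turn the WER 'Error signature' key/value text into a dict."""
    return dict(re.findall(r"(\w+):\s*(\S+)", text))


def parse_app_error(text):
    """Return (instruction address, referenced address) from the
    'Application Error' dialog text, as integers."""
    m = re.search(r'instruction at "0x([0-9A-Fa-f]+)"\s*referenced memory at '
                  r'"0x([0-9A-Fa-f]+)', text)
    if m is None:
        raise ValueError("not an Application Error message")
    return int(m.group(1), 16), int(m.group(2), 16)


def as_ascii(value, width=4):
    """Decode a 32-bit value as text both ways the bytes can be read:
    big-endian (as printed) and little-endian (as laid out in x86 memory)."""
    raw = value.to_bytes(width, "big")
    return raw.decode("latin-1"), raw[::-1].decode("latin-1")


def looks_like_text(value, width=4):
    """True when every byte of the value is a printable ASCII character.
    A fault address or EIP made only of such bytes is a classic sign that
    string data overwrote a pointer or return address."""
    return all(chr(b) in PRINTABLE for b in value.to_bytes(width, "big"))


def triage_user_crash(signature_text, app_error_text):
    """Combine both dialogs into a list of findings for the analyst."""
    sig = parse_wer_signature(signature_text)
    eip, referenced = parse_app_error(app_error_text)
    findings = []
    # WER could not map the faulting IP to any loaded module.
    if sig.get("ModName") == "unknown" or sig.get("ModVer") == "0.0.0.0":
        findings.append("fault outside every loaded module (ModName unknown)")
    # Identical instruction and data addresses: the instruction fetch itself
    # faulted, so execution had already jumped to the bogus value.
    if eip == referenced:
        findings.append(f"EIP 0x{eip:08x} landed on unmapped memory")
    for label, value in (("Offset", int(sig["Offset"], 16)), ("EIP", eip)):
        if looks_like_text(value):
            be, le = as_ascii(value)
            findings.append(f'{label} 0x{value:08x} reads as "{be}" / "{le}"')
    return findings


def classify_windbg_log(text):
    """Kernel bugcheck dump or user-mode crash dump, from the WinDbg header.
    The user-mode header text is assumed from WinDbg's usual output."""
    if "Kernel Dump File" in text or re.search(r"^BugCheck ", text, re.M):
        return "kernel"
    if "User Mini Dump File" in text:
        return "user"
    return "unknown"


if __name__ == "__main__":
    for line in triage_user_crash(WER_SIGNATURE, APP_ERROR):
        print("-", line)
    print("dump type:", classify_windbg_log(WINDBG_HEADER))
```

    Run against the thread's values it reports the unknown module, the EIP fetch fault, and both addresses decoding to printable text, and labels the pasted Minidump log as a kernel dump rather than the IEXPLORE crash being hunted.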
     
  9. 2005/02/10
    Lysimachus (Well-Known Member, Thread Starter)

    Alright folks, none of the .dmp files in the Minidump or Dr. Watson folders generated anything related to iexplore.exe. In fact, only about 3 .dmp files were actually created in 2005. The rest were previous years. These errors all occurred within the last month.

    Here is a copy of the information recorded in the b768_appcompat.txt file that gets temporarily created in the Local Settings/Temp folder. I notice Kernel32.dll is shown several times. Perhaps there is something wrong with my kernel32.dll file? Tell me if this helps any:

    ----------------------------------------------------
    b758_appcompat.txt

    <MATCHING_FILE NAME= "Connection Wizard\inetwiz.exe" SIZE= "20480" CHECKSUM= "0x3D8A325B" BIN_FILE_VERSION= "6.0.2900.2180" BIN_PRODUCT_VERSION= "6.0.2900.2180" PRODUCT_VERSION= "6.00.2900.2180" FILE_DESCRIPTION= "Internet Connection Wizard" COMPANY_NAME= "Microsoft Corporation" PRODUCT_NAME= "Microsoft® Windows® Operating System" FILE_VERSION= "6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME= "INETWIZ.EXE" INTERNAL_NAME= "INETWIZ" LEGAL_COPYRIGHT= "© Microsoft Corporation. All rights reserved." VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x40004" VERFILETYPE= "0x1" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0xE297" LINKER_VERSION= "0x50001" UPTO_BIN_FILE_VERSION= "6.0.2900.2180" UPTO_BIN_PRODUCT_VERSION= "6.0.2900.2180" LINK_DATE= "08/04/2004 05:59:25" UPTO_LINK_DATE= "08/04/2004 05:59:25" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "Connection Wizard\isignup.exe" SIZE= "16384" CHECKSUM= "0xF8AB8D6E" BIN_FILE_VERSION= "6.0.2600.0" BIN_PRODUCT_VERSION= "6.0.2600.0" PRODUCT_VERSION= "6.00.2600.0000" FILE_DESCRIPTION= "Internet Signup" COMPANY_NAME= "Microsoft Corporation" PRODUCT_NAME= "Microsoft® Windows® Operating System" FILE_VERSION= "6.00.2600.0000 (xpclient.010817-1148)" ORIGINAL_FILENAME= "ISIGNUP.EXE" INTERNAL_NAME= "ISIGNUP" LEGAL_COPYRIGHT= "© Microsoft Corporation. All rights reserved." VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x40004" VERFILETYPE= "0x1" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x443C" LINKER_VERSION= "0x50001" UPTO_BIN_FILE_VERSION= "6.0.2600.0" UPTO_BIN_PRODUCT_VERSION= "6.0.2600.0" LINK_DATE= "08/17/2001 20:48:46" UPTO_LINK_DATE= "08/17/2001 20:48:46" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "Connection Wizard\trialoc.dll" SIZE= "40960" CHECKSUM= "0x68F70073" BIN_FILE_VERSION= "6.0.2600.0" BIN_PRODUCT_VERSION= "6.0.2600.0" PRODUCT_VERSION= "6.00.2600.0000" FILE_DESCRIPTION= "Internet Connection Wizard Trial Reminder Helper" COMPANY_NAME= "Microsoft Corporation" PRODUCT_NAME= "Microsoft® Windows® Operating System" FILE_VERSION= "6.00.2600.0000 (xpclient.010817-1148)" ORIGINAL_FILENAME= "trialoc.dll" INTERNAL_NAME= "trialoc" LEGAL_COPYRIGHT= "© Microsoft Corporation. All rights reserved." VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x40004" VERFILETYPE= "0x1" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x198FE" LINKER_VERSION= "0x50001" UPTO_BIN_FILE_VERSION= "6.0.2600.0" UPTO_BIN_PRODUCT_VERSION= "6.0.2600.0" LINK_DATE= "08/18/2001 05:36:03" UPTO_LINK_DATE= "08/18/2001 05:36:03" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "MUI\0409\mscorier.dll" SIZE= "16896" CHECKSUM= "0x4AABD360" BIN_FILE_VERSION= "1.1.4322.2032" BIN_PRODUCT_VERSION= "1.1.4322.2032" PRODUCT_VERSION= "1.1.4322.2032" FILE_DESCRIPTION= "Microsoft .NET Runtime IE resources" COMPANY_NAME= "Microsoft Corporation" PRODUCT_NAME= "Microsoft .NET Framework" FILE_VERSION= "1.1.4322.2032" ORIGINAL_FILENAME= "mscorier.dll" INTERNAL_NAME= "MSCORIER.DLL" LEGAL_COPYRIGHT= "Copyright © Microsoft Corporation 1998-2002. All rights reserved." VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x4" VERFILETYPE= "0x2" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x131F3" LINKER_VERSION= "0x50000" UPTO_BIN_FILE_VERSION= "1.1.4322.2032" UPTO_BIN_PRODUCT_VERSION= "1.1.4322.2032" LINK_DATE= "07/15/2004 06:34:05" UPTO_LINK_DATE= "07/15/2004 06:34:05" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "PLUGINS\NPDocBox.dll" SIZE= "225280" CHECKSUM= "0x37ED28B7" BIN_FILE_VERSION= "1.0.30.95" BIN_PRODUCT_VERSION= "1.0.30.95" PRODUCT_VERSION= "1.0.30.95" FILE_DESCRIPTION= "InterTrust Redemption Wizard" COMPANY_NAME= "InterTrust Technologies Corporation, Inc." PRODUCT_NAME= "InterTrust Redemption Wizard" FILE_VERSION= "1.0.30.95" ORIGINAL_FILENAME= "NPDocBox.dll" INTERNAL_NAME= "WIZPLUGIN" LEGAL_COPYRIGHT= "Copyright © 2000, 2001 InterTrust Technologies Corporation, Inc., Santa Clara, CA." VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x4" VERFILETYPE= "0x2" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x0" LINKER_VERSION= "0x0" UPTO_BIN_FILE_VERSION= "1.0.30.95" UPTO_BIN_PRODUCT_VERSION= "1.0.30.95" LINK_DATE= "01/30/2001 21:10:00" UPTO_LINK_DATE= "01/30/2001 21:10:00" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "PLUGINS\nppdf32.dll" SIZE= "103312" CHECKSUM= "0xF6E8C293" BIN_FILE_VERSION= "5.0.0.327" BIN_PRODUCT_VERSION= "5.0.0.0" PRODUCT_VERSION= "5.0.0.0" FILE_DESCRIPTION= "Adobe Acrobat Plug-In Version 5.00 for Netscape" COMPANY_NAME= "Adobe Systems Inc." PRODUCT_NAME= "Adobe Acrobat" FILE_VERSION= "5.0.0.2001031500" ORIGINAL_FILENAME= "NPPDF32.DLL" LEGAL_COPYRIGHT= "Copyright 1984-2001 Adobe Systems Incorporated and its licensors. All rights reserved." VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x10001" VERFILETYPE= "0x2" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x1D8EA" LINKER_VERSION= "0x0" UPTO_BIN_FILE_VERSION= "5.0.0.327" UPTO_BIN_PRODUCT_VERSION= "5.0.0.0" LINK_DATE= "03/15/2001 12:56:07" UPTO_LINK_DATE= "03/15/2001 12:56:07" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "PLUGINS\npqtplugin.dll" SIZE= "106496" CHECKSUM= "0xF503DAC2" BIN_FILE_VERSION= "6.5.1.17" BIN_PRODUCT_VERSION= "6.5.1.17" PRODUCT_VERSION= "QuickTime 6.5.1" FILE_DESCRIPTION= "The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the &lt;A HREF=http://www.apple.com/quicktime/&gt;QuickTime&lt;/A&gt; Web site." COMPANY_NAME= "Apple Computer, Inc." PRODUCT_NAME= "QuickTime Plug-in 6.5.1" FILE_VERSION= "6.5.1" ORIGINAL_FILENAME= "npqtplugin.dll" INTERNAL_NAME= "QuickTime Plug-In" LEGAL_COPYRIGHT= "© Apple Computer, Inc. 1992-2004" VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x4" VERFILETYPE= "0x2" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x0" LINKER_VERSION= "0x0" UPTO_BIN_FILE_VERSION= "6.5.1.17" UPTO_BIN_PRODUCT_VERSION= "6.5.1.17" LINK_DATE= "04/08/2004 20:13:34" UPTO_LINK_DATE= "04/08/2004 20:13:34" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "PLUGINS\npqtplugin2.dll" SIZE= "106496" CHECKSUM= "0xF503DAC2" BIN_FILE_VERSION= "6.5.1.17" BIN_PRODUCT_VERSION= "6.5.1.17" PRODUCT_VERSION= "QuickTime 6.5.1" FILE_DESCRIPTION= "The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the &lt;A HREF=http://www.apple.com/quicktime/&gt;QuickTime&lt;/A&gt; Web site." COMPANY_NAME= "Apple Computer, Inc." PRODUCT_NAME= "QuickTime Plug-in 6.5.1" FILE_VERSION= "6.5.1" ORIGINAL_FILENAME= "npqtplugin.dll" INTERNAL_NAME= "QuickTime Plug-In" LEGAL_COPYRIGHT= "© Apple Computer, Inc. 1992-2004" VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x4" VERFILETYPE= "0x2" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x0" LINKER_VERSION= "0x0" UPTO_BIN_FILE_VERSION= "6.5.1.17" UPTO_BIN_PRODUCT_VERSION= "6.5.1.17" LINK_DATE= "04/08/2004 20:13:34" UPTO_LINK_DATE= "04/08/2004 20:13:34" VER_LANGUAGE= "English (United States) [0x409]" />
    <MATCHING_FILE NAME= "PLUGINS\RichFX\Player\nprfxins.dll" SIZE= "569397" CHECKSUM= "0x79C10EAB" BIN_FILE_VERSION= "3.31.659.0" BIN_PRODUCT_VERSION= "3.31.659.0" PRODUCT_VERSION= "3.31.0659" FILE_DESCRIPTION= "RichFX Basic Player" COMPANY_NAME= "RichFX Inc." PRODUCT_NAME= "RichFX Basic Player 3.31.0659" FILE_VERSION= "3.31.0659" ORIGINAL_FILENAME= "nprfxins.dll" INTERNAL_NAME= "nprfxins" LEGAL_COPYRIGHT= "Copyright © RichFX Inc. 2001" VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x4" VERFILETYPE= "0x2" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0x0" LINKER_VERSION= "0x0" UPTO_BIN_FILE_VERSION= "3.31.659.0" UPTO_BIN_PRODUCT_VERSION= "3.31.659.0" LINK_DATE= "11/11/2002 15:56:38" UPTO_LINK_DATE= "11/11/2002 15:56:38" VER_LANGUAGE= "English (United States) [0x409]" />
    </EXE>
    <EXE NAME= "kernel32.dll" FILTER= "GRABMI_FILTER_THISFILEONLY ">
    <MATCHING_FILE NAME= "kernel32.dll" SIZE= "983552" CHECKSUM= "0x4CE79457" BIN_FILE_VERSION= "5.1.2600.2180" BIN_PRODUCT_VERSION= "5.1.2600.2180" PRODUCT_VERSION= "5.1.2600.2180" FILE_DESCRIPTION= "Windows NT BASE API Client DLL" COMPANY_NAME= "Microsoft Corporation" PRODUCT_NAME= "Microsoft® Windows® Operating System" FILE_VERSION= "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME= "kernel32" INTERNAL_NAME= "kernel32" LEGAL_COPYRIGHT= "© Microsoft Corporation. All rights reserved." VERFILEDATEHI= "0x0" VERFILEDATELO= "0x0" VERFILEOS= "0x40004" VERFILETYPE= "0x2" MODULE_TYPE= "WIN32" PE_CHECKSUM= "0xFF848" LINKER_VERSION= "0x50001" UPTO_BIN_FILE_VERSION= "5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION= "5.1.2600.2180" LINK_DATE= "08/04/2004 07:56:36" UPTO_LINK_DATE= "08/04/2004 07:56:36" VER_LANGUAGE= "English (United States) [0x409]" />
    </EXE>
    </DATABASE>
    ------------------------------------------------------------------------
     
  10. 2005/02/10
    BenMcDonald[MS] Inactive
    You have development tools on this machine. "Click on CANCEL to debug the program." That means that DrWatson is not going to get a swing at the data to generate a dump for you, since your debugging package is doing it (like Visual Studio).

    I don't know what tools you have, so before doing this, go back up the regkey
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug

    drwtsn32 -i will re-register the good doctor as your debugger. Go repro the problem and get a new dump.
     
  11. 2005/02/10
    Lysimachus Well-Known Member Thread Starter
    Please explain...

    I backed up the AeDebug key; now what do you mean by the above quote? Am I supposed to download drwtsn32 -i? Is that a key I'm supposed to reset? Please, next time, tell me step-by-step. I'm not a software guru. I work more with hardware.

    And yes, I do have Visual Studio .Net. And also downloaded all those Microsoft Debugging Tools that the DebugWiz made me download.
     
  12. 2005/02/10
    Lysimachus Well-Known Member Thread Starter
    Ok, tell me, which key do I exactly type drwtsn32 -i in? Do I type that in the "Value data:" text box of the "Debugger" key, the "PreVisualStudio7Debugger" key, or what?
     
  13. 2005/02/10
    BenMcDonald[MS] Inactive
    Start -> Run -> drwtsn32 -i

    You will get a popup notifying you that it was installed successfully.
     
  14. 2005/02/10
    Lysimachus Well-Known Member Thread Starter
    Ok, I think I got it working. Thanks for the tips. It took me quite a bit of playing around, however. I hope I did this right, but for some reason Dr. Watson does not generate dumps in the Minidump folder, but always in: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

    When I selected "user.dmp" using DebugWiz, it DID generate NEW DUMP DATA in C:\debuglog.txt! Take a look below and tell me what you see or interpret:


    ------------------------------------------------------------------------

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.4.0007.2
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp]
    User Mini Dump File: Only registers, stack and portions of memory are available

    Comment: 'Dr. Watson generated MiniDump'
    Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: SingleUserTS
    Debug session time: Thu Feb 10 19:13:50.000 2005 (GMT-6)
    System Uptime: not available
    Process Uptime: 0 days 0:00:44.000
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    .............................................................................................................
    (258.38c): Access violation - code c0000005 (!!! second chance !!!)
    eax=0003c5a1 ebx=00000000 ecx=00040000 edx=0003c5a1 esi=0003aba0 edi=77c4aea3
    eip=42363838 esp=0013d4ac ebp=33424338 iopl=0 nv up ei pl nz ac pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
    42363838 ?? ???
    0:000> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Exception Analysis *
    * *
    *******************************************************************************

    *** WARNING: Unable to verify checksum for dYQAfwhN.dll
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for dYQAfwhN.dll -

    FAULTING_IP:
    +42363838
    42363838 ?? ???

    EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
    .exr ffffffffffffffff
    ExceptionAddress: 42363838
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 42363838
    Attempt to read from address 42363838

    DEFAULT_BUCKET_ID: APPLICATION_FAULT

    PROCESS_NAME: iexplore.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

    READ_ADDRESS: 42363838

    BUGCHECK_STR: ACCESS_VIOLATION

    THREAD_ATTRIBUTES:
    LAST_CONTROL_TRANSFER: from 0003aba0 to 42363838

    SYMBOL_ON_RAW_STACK: 1

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0013d4a8 0003aba0 00aaa2d8 03589818 77c4aea3 0x42363838
    33424338 00000000 00000000 00000000 00000000 0x3aba0


    STACK_COMMAND: .ecxr; dds @$csp ; kb

    FAILED_INSTRUCTION_ADDRESS:
    +42363838
    42363838 ?? ???

    FOLLOWUP_IP:
    dYQAfwhN!DllGetVersion+57d9
    00aaa2d8 84c0 test al,al

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: dYQAfwhN!DllGetVersion+57d9

    MODULE_NAME: dYQAfwhN

    IMAGE_NAME: dYQAfwhN.dll

    DEBUG_FLR_IMAGE_TIMESTAMP: 41f6ce90

    FAILURE_BUCKET_ID: ACCESS_VIOLATION_BAD_IP_dYQAfwhN!DllGetVersion+57d9

    BUCKET_ID: ACCESS_VIOLATION_BAD_IP_dYQAfwhN!DllGetVersion+57d9

    Followup: MachineOwner
    ---------

    eax=0003c5a1 ebx=00000000 ecx=00040000 edx=0003c5a1 esi=0003aba0 edi=77c4aea3
    eip=42363838 esp=0013d4ac ebp=33424338 iopl=0 nv up ei pl nz ac pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
    42363838 ?? ???
    ChildEBP RetAddr Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0013d4a8 0003aba0 00aaa2d8 03589818 77c4aea3 0x42363838
    33424338 00000000 00000000 00000000 00000000 0x3aba0
    start end module name
    00400000 00419000 iexplore iexplore.exe Wed Aug 04 01:00:33 2004 (41107B81)
    00aa0000 00ac4000 dYQAfwhN dYQAfwhN.dll Tue Jan 25 16:56:16 2005 (41F6CE90)
    01f20000 01fa8000 shdoclc shdoclc.dll Wed Aug 04 02:56:37 2004 (411096B5)
    01fb0000 02275000 xpsp2res xpsp2res.dll Wed Aug 04 02:56:41 2004 (411096B9)
    03120000 03131000 spgrmr spgrmr.dll Wed Aug 04 02:57:15 2004 (411096DB)
    03140000 0319b000 SKCHUI SKCHUI.DLL Wed Feb 07 03:09:58 2001 (3A8110E6)
    03300000 03372000 jscript jscript.dll Mon Aug 09 23:26:38 2004 (41184E7E)
    03b00000 03ca7000 Flash Flash.ocx Mon Dec 08 16:01:56 2003 (3FD4F4D4)
    04c90000 04ca7000 odbcint odbcint.dll Wed Aug 04 02:57:25 2004 (411096E5)
    070d0000 0710b000 wmasf wmasf.dll Wed Aug 11 02:28:24 2004 (4119CA98)
    086c0000 08904000 wmvcore wmvcore.dll Wed Aug 11 03:37:17 2004 (4119DABD)
    092d0000 09349000 Audiodev Audiodev.dll Wed Aug 11 02:45:17 2004 (4119CE8D)
    0ffd0000 0fff8000 rsaenh rsaenh.dll Tue Jul 06 21:17:12 2004 (40EB5D28)
    10000000 1014e000 MsgPlusH MsgPlusH.dll Wed Oct 20 16:27:20 2004 (4176D838)
    20000000 20012000 browselc browselc.dll Wed Aug 04 02:56:07 2004 (41109697)
    30000000 30047000 Imghook Imghook.dll Tue Jul 30 17:38:31 2002 (3D471567)
    32520000 32532000 MSOHEV MSOHEV.DLL Mon Feb 12 19:42:31 2001 (3A889107)
    5ad70000 5ada8000 uxtheme uxtheme.dll Wed Aug 04 02:56:43 2004 (411096BB)
    5b860000 5b8b4000 netapi32 netapi32.dll Wed Aug 04 02:56:28 2004 (411096AC)
    5c2c0000 5c300000 sptip sptip.dll Wed Aug 04 02:59:01 2004 (41109745)
    5d090000 5d127000 comctl32_5d090000 comctl32.dll Wed Aug 04 02:56:31 2004 (411096AF)
    605d0000 605d9000 mslbui mslbui.dll Wed Aug 04 02:58:39 2004 (4110972F)
    61210000 6121f000 point32 point32.dll Thu Apr 11 13:47:35 2002 (3CB5DA47)
    61220000 61232000 Msh_zwf Msh_zwf.dll Thu Apr 11 13:47:35 2002 (3CB5DA47)
    662b0000 66308000 hnetcfg hnetcfg.dll Wed Aug 04 02:56:16 2004 (411096A0)
    66e50000 66e8f000 iepeers iepeers.dll Thu Jan 27 11:13:16 2005 (41F9212C)
    68100000 68124000 dssenh dssenh.dll Fri May 14 20:06:23 2004 (40A56D0F)
    69000000 69042000 msgsc msgsc.dll Fri May 28 17:22:02 2004 (40B7BB8A)
    6d430000 6d43a000 ddrawex ddrawex.dll Wed Aug 04 02:56:17 2004 (411096A1)
    71a50000 71a8f000 mswsock mswsock.dll Wed Aug 04 02:59:20 2004 (41109758)
    71a90000 71a98000 wshtcpip wshtcpip.dll Wed Aug 04 02:57:49 2004 (411096FD)
    71aa0000 71aa8000 ws2help ws2help.dll Wed Aug 04 02:57:39 2004 (411096F3)
    71ab0000 71ac7000 ws2_32 ws2_32.dll Wed Aug 04 02:57:38 2004 (411096F2)
    71ad0000 71ad9000 wsock32 wsock32.dll Wed Aug 04 02:57:51 2004 (411096FF)
    71b20000 71b32000 mpr mpr.dll Wed Aug 04 02:56:46 2004 (411096BE)
    71bf0000 71c03000 samlib samlib.dll Wed Aug 04 02:56:29 2004 (411096AD)
    71c10000 71c1e000 ntlanman ntlanman.dll Wed Aug 04 02:57:00 2004 (411096CC)
    71c80000 71c87000 netrap netrap.dll Wed Aug 04 02:56:35 2004 (411096B3)
    71c90000 71cd0000 netui1 netui1.dll Wed Aug 04 02:56:39 2004 (411096B7)
    71cd0000 71ce7000 netui0 netui0.dll Wed Aug 04 02:56:38 2004 (411096B6)
    722b0000 722b5000 sensapi sensapi.dll Wed Aug 04 02:56:28 2004 (411096AC)
    72d10000 72d18000 msacm32 msacm32.drv Sat Aug 18 00:33:30 2001 (3B7DFE2A)
    72d20000 72d29000 wdmaud wdmaud.drv Wed Aug 04 02:56:54 2004 (411096C6)
    73000000 73026000 winspool winspool.drv Wed Aug 04 02:56:38 2004 (411096B6)
    73460000 734cb000 vbscript vbscript.dll Mon Aug 09 23:26:34 2004 (41184E7A)
    73760000 737a9000 ddraw ddraw.dll Wed Aug 04 02:56:16 2004 (411096A0)
    73bc0000 73bc6000 dciman32 dciman32.dll Wed Aug 04 02:56:15 2004 (4110969F)
    73d70000 73d83000 shgina shgina.dll Wed Aug 04 02:56:41 2004 (411096B9)
    73dd0000 73ece000 mfc42 mfc42.dll Wed Aug 04 02:56:21 2004 (411096A5)
    74320000 7435d000 odbc32 odbc32.dll Wed Aug 04 02:57:17 2004 (411096DD)
    746c0000 746e7000 msls31 msls31.dll Sat Aug 18 00:33:22 2001 (3B7DFE22)
    746f0000 7471a000 msimtf msimtf.dll Wed Aug 04 02:58:33 2004 (41109729)
    74720000 7476b000 msctf msctf.dll Wed Aug 04 02:57:30 2004 (411096EA)
    74c80000 74cac000 oleacc oleacc.dll Sat Aug 18 00:33:18 2001 (3B7DFE1E)
    754d0000 75550000 cryptui cryptui.dll Wed Aug 04 02:56:06 2004 (41109696)
    75970000 75a67000 msgina msgina.dll Wed Aug 04 02:58:01 2004 (41109709)
    75cf0000 75d81000 mlang mlang.dll Wed Aug 04 02:56:29 2004 (411096AD)
    75e90000 75f40000 sxs sxs.dll Wed Aug 04 01:14:57 2004 (41107EE1)
    75f60000 75f67000 drprov drprov.dll Wed Aug 04 02:57:02 2004 (411096CE)
    75f70000 75f79000 davclnt davclnt.dll Wed Aug 04 02:56:08 2004 (41109698)
    75f80000 7607c000 browseui browseui.dll Thu Jan 27 11:13:16 2005 (41F9212C)
    76080000 760e5000 msvcp60 msvcp60.dll Wed Aug 04 02:59:13 2004 (41109751)
    76200000 76271000 mshtmled mshtmled.dll Wed Aug 04 02:58:10 2004 (41109712)
    76360000 76370000 winsta winsta.dll Wed Aug 04 02:56:40 2004 (411096B8)
    763b0000 763f9000 comdlg32 comdlg32.dll Wed Aug 04 02:56:32 2004 (411096B0)
    76600000 7661d000 cscdll cscdll.dll Wed Aug 04 02:56:07 2004 (41109697)
    767f0000 76817000 schannel schannel.dll Wed Aug 04 02:56:39 2004 (411096B7)
    769c0000 76a73000 userenv userenv.dll Wed Aug 04 02:56:41 2004 (411096B9)
    76b40000 76b6d000 winmm winmm.dll Wed Aug 04 02:57:10 2004 (411096D6)
    76c30000 76c5e000 wintrust wintrust.dll Wed Aug 04 02:56:41 2004 (411096B9)
    76c90000 76cb8000 imagehlp imagehlp.dll Wed Aug 04 02:56:25 2004 (411096A9)
    76d60000 76d79000 iphlpapi iphlpapi.dll Wed Aug 04 02:56:10 2004 (4110969A)
    76e80000 76e8e000 rtutils rtutils.dll Wed Aug 04 02:56:36 2004 (411096B4)
    76e90000 76ea2000 rasman rasman.dll Wed Aug 04 02:56:29 2004 (411096AD)
    76eb0000 76edf000 tapi32 tapi32.dll Wed Aug 04 02:56:38 2004 (411096B6)
    76ee0000 76f1c000 rasapi32 rasapi32.dll Wed Aug 04 02:56:25 2004 (411096A9)
    76f20000 76f47000 dnsapi dnsapi.dll Wed Aug 04 02:56:45 2004 (411096BD)
    76f60000 76f8c000 wldap32 wldap32.dll Wed Aug 04 02:56:43 2004 (411096BB)
    76fb0000 76fb8000 winrnr winrnr.dll Wed Aug 04 02:56:35 2004 (411096B3)
    76fc0000 76fc6000 rasadhlp rasadhlp.dll Wed Aug 04 02:56:24 2004 (411096A8)
    76fd0000 7704f000 clbcatq clbcatq.dll Wed Aug 04 02:56:18 2004 (411096A2)
    77050000 77115000 comres comres.dll Wed Aug 04 02:56:36 2004 (411096B4)
    77120000 771ac000 oleaut32 oleaut32.dll Wed Aug 04 02:57:39 2004 (411096F3)
    771b0000 77256000 wininet wininet.dll Thu Jan 27 11:13:17 2005 (41F9212D)
    77260000 772fe000 urlmon urlmon.dll Thu Jan 27 11:13:17 2005 (41F9212D)
    773d0000 774d2000 comctl32 comctl32.dll Wed Aug 04 02:55:56 2004 (4110968C)
    774e0000 7761d000 ole32 ole32.dll Fri Jan 14 02:55:50 2005 (41E78916)
    77760000 778cc000 shdocvw shdocvw.dll Thu Jan 27 11:13:17 2005 (41F9212D)
    77920000 77a13000 setupapi setupapi.dll Wed Aug 04 02:56:32 2004 (411096B0)
    77a20000 77a74000 cscui cscui.dll Wed Aug 04 02:56:08 2004 (41109698)
    77a80000 77b14000 crypt32 crypt32.dll Wed Aug 04 02:56:01 2004 (41109691)
    77b20000 77b32000 msasn1 msasn1.dll Wed Aug 04 02:57:23 2004 (411096E3)
    77b40000 77b62000 apphelp apphelp.dll Wed Aug 04 02:56:36 2004 (411096B4)
    77bd0000 77bd7000 midimap midimap.dll Wed Aug 04 02:56:25 2004 (411096A9)
    77be0000 77bf5000 msacm32_77be0000 msacm32.dll Wed Aug 04 02:57:03 2004 (411096CF)
    77c00000 77c08000 version version.dll Wed Aug 04 02:56:39 2004 (411096B7)
    77c10000 77c68000 msvcrt msvcrt.dll Wed Aug 04 02:59:14 2004 (41109752)
    77c70000 77c93000 msv1_0 msv1_0.dll Wed Aug 04 02:59:11 2004 (4110974F)
    77d40000 77dd0000 user32 user32.dll Wed Aug 04 02:56:40 2004 (411096B8)
    77dd0000 77e6b000 advapi32 advapi32.dll Wed Aug 04 02:56:23 2004 (411096A7)
    77e70000 77f01000 rpcrt4 rpcrt4.dll Wed Aug 04 02:56:30 2004 (411096AE)
    77f10000 77f56000 gdi32 gdi32.dll Wed Aug 04 02:56:07 2004 (41109697)
    77f60000 77fd6000 shlwapi shlwapi.dll Thu Jan 27 11:13:17 2005 (41F9212D)
    77fe0000 77ff1000 secur32 secur32.dll Wed Aug 04 02:56:49 2004 (411096C1)
    7c800000 7c8f4000 kernel32 kernel32.dll Wed Aug 04 02:56:36 2004 (411096B4)
    7c900000 7c9b0000 ntdll ntdll.dll Wed Aug 04 02:56:36 2004 (411096B4)
    7c9c0000 7d1d4000 shell32 shell32.dll Tue Dec 21 14:49:36 2004 (41C88C60)
    7d1e0000 7d492000 msi msi.dll Wed Aug 04 02:58:26 2004 (41109722)
    7d4a0000 7d783000 mshtml mshtml.dll Thu Jan 27 11:13:16 2005 (41F9212C)
    Closing open log file c:\debuglog.txt
     
  15. 2005/02/10
    BenMcDonald[MS] Inactive
    Ok, good data set.

    Uhm.... That sure looks like malware to me. Methinks you did not clean this machine as well as you think you did. One of the favorite tricks nowadays is to randomly generate a filename, so that people can't hit a search engine for removal instructions.

    I doubt it's as simple as just deleting that file, because something put it there, and something is going to put it right back with a new name until you find the source of the problem (perhaps the trojans you found before?).

    Go into safe mode, try renaming the file, reboot and then see if you still crash. Look to see if you get a new gibberish name. You might want to explicitly scan that file with several different virus scanners in the hopes of identifying the type of malware it is; with the 'brand name' of the nasty, it's usually easy enough to find removal instructions.
     
  16. 2005/02/10
    Lysimachus Well-Known Member Thread Starter
    Hmm...interesting. I'm not sure how I could have scanned for spyware any more thoroughly than I did. I performed thorough spyware scans like 3 times for each of the three completely updated programs I have: Spybot Search & Destroy, Ad-Aware SE Personal, and Microsoft AntiSpyware. It's a shame that none of them picked it up. I really don't like this AVG virus scanner...it doesn't seem as thorough as my expired Trend-Micro PC-Cillin 2002 and 2004 were. I have a copy of my Trend-Micro on my second comp, but the moment I attempt to use the key they gave me for virus definitions, it will allow me to update here but not there. Do you know of any other free virus scanning software that has been proven?

    BTW, I located that dYQAfwhN.dll file. It's located in C:\Program Files\wvpsxtwv

    And I have NO IDEA what "wvpsxtwv" means.

    All the files listed in the C:\Program Files\wvpsxtwv folder are thus:

    babe.dat
    bQgCGsRM.dll
    bQgCGsRM.exe
    cMQDB4BN.dll
    cMQDB4BN.exe
    cnml.exe
    dfs.dat
    dyQAfwhN.dll <----------- the file that's causing the errors
    dYQAfwhN.exe
    exit.dat
    MRsGCgQb.exe
    NhwfAQYd.exe
    obj.dat
    profile.dat
    url1.dat
    url2.dat
    url8.dat
    url9.dat
    urlx.dat
    WINIK.SYS

    Strange... I'm still going to try Safe Mode, etc., but would you have any idea what this could be, or what it seems to indicate based on the names of those files? Of course, my AVG virus scanning software detects no viruses on any of them... :{
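    An added triage helper (example code written for this thread, not from any poster or from the tools mentioned here) for the debugger output posted above and the folder listing just shown: it parses the lmtn module table, maps a stack address to the module that owns it, pulls the IMAGE_NAME that !analyze blamed, and flags names that fit the randomly generated pattern BenMcDonald describes. SAMPLE_LOG is constructed from a few lines in the format of the posted log; a full log can be fed to triage() the same way.

```python
"""Triage helper for WinDbg '!analyze -v' + 'lmtn' output.

Added example, not from the thread or any poster.  SAMPLE_LOG is a
constructed excerpt in the posted format, not the full dump."""
import re
from datetime import datetime, timezone

# Constructed sample: the !analyze fields and five 'lmtn' rows in the
# posted format (start end module-name image-name link-date (hex epoch)).
SAMPLE_LOG = """\
PROCESS_NAME: iexplore.exe
MODULE_NAME: dYQAfwhN
IMAGE_NAME: dYQAfwhN.dll
start end module name
00400000 00419000 iexplore iexplore.exe Wed Aug 04 01:00:33 2004 (41107B81)
00aa0000 00ac4000 dYQAfwhN dYQAfwhN.dll Tue Jan 25 16:56:16 2005 (41F6CE90)
03300000 03372000 jscript jscript.dll Mon Aug 09 23:26:38 2004 (41184E7E)
10000000 1014e000 MsgPlusH MsgPlusH.dll Wed Oct 20 16:27:20 2004 (4176D838)
7c800000 7c8f4000 kernel32 kernel32.dll Wed Aug 04 02:56:36 2004 (411096B4)
"""

MODULE_ROW = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+(\S+)\s+.*\(([0-9A-Fa-f]{8})\)\s*$"
)


def parse_modules(log):
    """Return one dict per module row: load range, names and PE link time.
    The hex value in parentheses is the PE timestamp (seconds since the
    Unix epoch), which lmtn prints beside the formatted date."""
    mods = []
    for line in log.splitlines():
        m = MODULE_ROW.match(line.strip())
        if not m:
            continue
        mods.append({
            "start": int(m.group(1), 16),
            "end": int(m.group(2), 16),
            "name": m.group(3),
            "image": m.group(4),
            "linked": datetime.fromtimestamp(int(m.group(5), 16), timezone.utc),
        })
    return mods


def blamed_image(log):
    """IMAGE_NAME reported by !analyze -v, or None if the field is absent."""
    m = re.search(r"^IMAGE_NAME:\s*(\S+)\s*$", log, re.MULTILINE)
    return m.group(1) if m else None


def module_owning(addr, modules):
    """Module whose load range contains addr, or None.  In the posted log the
    faulting IP 0x42363838 lies in no module (hence ACCESS_VIOLATION_BAD_IP),
    while the return address 0x00aaa2d8 on the stack lands in dYQAfwhN.dll."""
    for m in modules:
        if m["start"] <= addr < m["end"]:
            return m
    return None


def looks_generated(filename):
    """True for the mixed-case gibberish pattern: a run of two or more capitals
    inside a word that also has lowercase letters.  Lowercase Windows names
    (kernel32), all-caps names (WINIK.SYS) and CamelCase (MsgPlusH) pass; an
    all-lowercase random string such as the folder name wvpsxtwv is missed,
    and acronym-heavy vendor names can trip it, so treat a hit as 'look here
    first', not as a verdict."""
    stem = filename.rsplit(".", 1)[0]
    has_lower = any(c.islower() for c in stem)
    return has_lower and re.search(r"[A-Z]{2}", stem) is not None


def triage(log):
    """What the analyst wants from the log in one place: the blamed image,
    whether it is actually in the loaded-module list, and every loaded module
    whose name looks generated, with its link date for correlation."""
    mods = parse_modules(log)
    blamed = blamed_image(log)
    return {
        "blamed": blamed,
        "blamed_loaded": any(m["image"].lower() == (blamed or "").lower()
                             for m in mods),
        "suspects": [(m["image"], m["linked"].strftime("%Y-%m-%d"))
                     for m in mods if looks_generated(m["image"])],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("blamed:", result["blamed"], "loaded:", result["blamed_loaded"])
    for image, linked in result["suspects"]:
        print("generated-looking name:", image, "linked", linked)
    owner = module_owning(0x00AAA2D8, parse_modules(SAMPLE_LOG))
    print("0x00aaa2d8 is inside:", owner["image"] if owner else "no module")
```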
     
  17. 2005/02/10
    JoeHobart Inactive Alumni
    Zip it up (to save a copy in case you need to submit it to someone), then nuke that whole directory; it's all garbage. Looks like it's probably a botnet, might be something one of the local security guys wants to play with; probably this is a VX2 variant.
     
  18. 2005/02/10
    Newt Inactive
    Lysimachus - let's treat this as malware/spyware until we find out for sure it isn't, and at that point we can hand things back to Joe.

    Quicklinks in my signature and download HijackThis. You need the latest version, so if you have an older one, you will need to replace it.

    Unzip HijackThis to a normal folder (not a temp folder and not directly to the desktop). I have one named c:\hjt and that's a good option.

    Run HJT, click the button to scan and create a log. When the log opens in notepad, copy and paste the whole thing here. We'll take a look.

    Note that many of the spyware critters do an excellent job of hiding from all the automated general scanning tools like spybot, ad-aware, the new Microsoft antispyware critter, and any others you can name. It is very possible for a malware infestation to hide itself from them.

    Moving this thread to the spyware removal section.
     
  19. 2005/02/11
    Lysimachus Well-Known Member Thread Starter
    Alright folks, here's some info I gathered. Before I continue, I want to thank you all for your devoted assistance.

    I am going to go ahead and try what Newt said, but first, here's what I discovered regarding that one folder:

    As you'll notice, there is a file called "WINIK.SYS". According to this forum: http://www.wilderssecurity.com/showthread.php?t=64316 "winik.sys" is a BAD malware that cannot be easily deleted. READ WHAT THE GUY SAYS!

    I did a Windows Search and found TWO winik.sys files! One was in capital letters ("WINIK.SYS", found in the C:\Program Files\wvpsxtwv directory; this is the same folder where the "dYQAfwhN.dll" file is located!). The second file was all in lowercase as "winik.sys" and found in C:\WINDOWS\System32\drivers, just like what the guy said in the link!

    Now here's what's interesting:

    The WINIK.SYS file in C:\Program Files\wvpsxtwv directory CAN be deleted or renamed!

    The dYQAfwhN.dll file in C:\Program Files\wvpsxtwv CANNOT be deleted or renamed EVEN IN SAFE MODE.

    The winik.sys in C:\WINDOWS\System32\drivers CANNOT be deleted or renamed EVEN IN SAFE MODE.


    Looks like I'm going to need some step-by-step procedures to nuke not only everything in the "wvpsxtwv" directory, but also the "winik.sys" file residing in the System32\drivers directory. Seems like the guy in the link was able to do it by booting with the Windows CD into the Recovery Console, but he doesn't explain how he did it. Do you recommend doing it his way, or do you have a better way? Can't HijackThis delete these files on reboot?


    Quoted by JacobSteelsmith from the above link:
     
  20. 2005/02/11
    Lysimachus
    Ok, here is the HijackThis log file that was created after clicking "Do a system scan and save a logfile":

    -------------------------------------------------------------------------
    Logfile of HijackThis v1.99.0
    Scan saved at 8:34:16 AM, on 2/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\EPOX\USDM\USDM.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\wvpsxtwv\NhwfAQYd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = DiBananaRi@hotmail.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;windowsupdate.micr...date.microsoft.com;download.windowsupdate.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - blank (file missing)
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000 "
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0003949E-06B6-4261-88F0-F9C06506D8E6}: NameServer = 4.2.2.4,4.2.2.5
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    ---------------------------------------------------------------------------
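    A defender-side triage script, added here as an example and not a tool from this thread or from HijackThis itself: it runs a few heuristics over sample lines modelled on the log above (the sample is constructed and is not the full log) and reports which entries deserve a second look. The heuristics (a random-looking directory name directly under Program Files, an AutoConfigURL that is not a PAC URL, a BHO whose file is missing, IE policy restrictions being set, and the configured DNS servers) and the severity labels are my own assumptions about what merits review, not verdicts about any specific file.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not a thread tool)."""
import re
from typing import List, Optional, Tuple

# (severity, reason, offending log line)
Finding = Tuple[str, str, str]

VOWELS = set("aeiou")
PROGRAM_DIRS = {"program files", "progra~1"}  # long name and 8.3 short name
URL_RE = re.compile(r"^(https?|file)://", re.IGNORECASE)

# Constructed sample modelled on the log posted in the thread; not the full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe
C:\PROGRA~1\wvpsxtwv\NhwfAQYd.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = DiBananaRi@hotmail.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - blank (file missing)
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{0003949E-06B6-4261-88F0-F9C06506D8E6}: NameServer = 4.2.2.4,4.2.2.5
"""


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 8+ lowercase letters with almost no vowels, e.g. 'wvpsxtwv'."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.2


def random_program_dir(path: str) -> Optional[str]:
    """Return the directory name if the path goes through Program Files\\<random-looking dir>\\..."""
    parts = path.split("\\")
    for i in range(len(parts) - 2):
        if parts[i].lower() in PROGRAM_DIRS and looks_random(parts[i + 1]):
            return parts[i + 1]
    return None


def analyze(log_text: str) -> List[Finding]:
    """Walk the log once; the 'Running processes:' block ends at the first blank line."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            d = random_program_dir(line)
            if d:
                findings.append(("high", f"process running from random-named directory '{d}'", line))
            continue
        if "AutoConfigURL" in line:
            value = line.split("=", 1)[1].strip()
            if not URL_RE.match(value):
                findings.append(("high", "AutoConfigURL is not a PAC URL (proxy hijack indicator)", line))
        elif line.startswith("O2 ") and "(file missing)" in line:
            findings.append(("medium", "BHO entry with missing file (orphaned or hidden component, verify CLSID)", line))
        elif line.startswith("O4 "):
            d = random_program_dir(line)
            if d:
                findings.append(("high", f"autostart entry from random-named directory '{d}'", line))
        elif line.startswith("O6 "):
            findings.append(("low", "IE policy restrictions set (admin lockdown or malware)", line))
        elif line.startswith("O17 ") and "NameServer" in line:
            servers = line.split("=", 1)[1].strip()
            findings.append(("info", f"DNS servers {servers}: confirm they are the ones you configured", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in analyze(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

    Run against the constructed sample it flags both wvpsxtwv processes and the AutoConfigURL entry as high, the unnamed BHO as medium, and the O6 line as low, while normal entries such as ctfmon.exe or the AVG services produce nothing. A directory name that matches the random-name heuristic is a reason to look closer (who created it, what is signed, what loads from it), not a reason to delete on sight.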
     
  21. 2005/02/11
    Lysimachus

    Lysimachus Well-Known Member Thread Starter
    Heh, I noticed the logfile picked up this: C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe :) I wonder if HijackThis could delete it...
     