Re: Bet You Can't Fix This


From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 09/26/04


Date: Sun, 26 Sep 2004 23:02:58 +0200

On Wed, 22 Sep 2004 14:39:26 -0500, "Shenan Stanley"
>Kojak wrote:

>> Explore.exe crashes, then restores itself, and leaves the
>> following messages in event viewer:
>> Faulting application eplorer.exe version 6.0.2900.2180
>> faulting module ntdll.dll, version 5.1.2600.2180 fault
>> address 0x00011f6e.
>> Faulting application drwtsn32.exe, version 5.1.2600
>> faulting module dbghelp.dll, version5.1.2600.2180 fault
>> address 0x0001295d

Is this the only error you ever have?

If No, then do the prelim, as per...

http://cquirke.mvps.org/9x/bthink.htm

...if not the full rigor of:

http://cquirke.mvps.org/pccrisis.htm

That's because problems beneath the software level of abstraction
(i.e. hardware, and also underfootware such as malware) can be
expected to give errors wide in scope and fitting no pattern.

If Yes, then; is it 100% reproducible?

If Yes, then suspect a "static" issue such as a corrupted file (check
C:\Scandisk.log for Win9x or Event Viewer for ChkDsk/AutoChk "fixing"
for NT, as well as whether your av "cleaned" any infected system file).

You may also have a "version soup" issue that can present in the same
way, or corrupted data, or specific issues with underfootware.

Because it's Explorer, I'd particularly suspect underfootware that
integrates into Explorer in one way or another - e.g. shell extensions
via CLSIDs. Download and use Shell Extension Viewer to tshoot those,
if the normal "Safe Mode then MSConfig suppression" approach doesn't
pin anything down - typically CLSID intrusions blow up Safe Mode too.

Let's look at the specific details...

>> eplorer.exe

Typo for Explorer.exe? Google suggests so ;-)

>> ntdll.dll

http://www.cert.org/advisories/CA-2003-09.html

It's part of Windows and it's broken and exploitable (unchecked
buffer), according to that CERT advisory. Not sure if XP is
susceptible, as the 2003 advisory just lists NT 4.0 and Win2000.

>> drwtsn32.exe

Dr Watson? Google says yep.

>> dbghelp.dll

http://msdn.microsoft.com/msdnmag/issues/02/03/hood/default.aspx

Also part of Windows. My guess is that this and Dr Watson are
side-effects of debugging being enabled, and that the base cause is an
inadvertent or vertent "attack" on NTDLL.DLL.

>There really is not enough information given to accurately diagnose and give
>you a solution to your problem

Can sharpen guesses, tho ;-)

>...happening after installing anything in particular?
>Have you tried restoring your system to a point before the error?

Done a formal virus check?

>Have you gone through your Add/Remove Programs control panel and removed
>software you do not use/do not even recognize to insure nothing has been
>installed that could be causing this that you did not authorize?

Rather use MSConfig, ShellExView, LSPFix etc. to reversibly disable
underfootware, after doing av scan, and scans for commercial malware
via AdAware and Spybot.

DON'T defrag until the system is stable !!!
Defragging is NEVER a troubleshooting tool, and unsafe on a flaky PC.

>When was the last time you upgraded your hardware drivers?

Nah, that's also just muddying the waters. Why should drivers that
used to work fine, suddenly stop working?

>It is also possible that your particular user profile is corrupt in some
>fashion. Have you tried creating an alternate user and logging in as that
>user and trying some of the same things that cause this error to occur?

That's a good idea, but I'd do the other things first (i.e. Safe Mode,
MSConfig, malware scans, ShellExView etc.)

>In addition, you may want to update your Operating System with the latest
>patches from http://windowsupdate.microsoft.com/ - avoiding (as I said
>earlier) the hardware updates available there

I'd do that only after the system is known to be clean, and a clean
baseline is set.

>You should periodically defragment your hard drives as well as check them
>for errors.

See earlier comments. Defrag makes a healthy PC run faster, but can
completely stuff up an unhealthy PC. When a PC is flaky, the word
"defrag" should appear only when preceded by "DON'T" :-)

>Empty your Temporary Internet Files and shrink the
>size it stores to a size between 120MB and 480MB..

I'd say 20M is fine, 40M more than enough. Do your av and cm scans
first, as purging TIF may also purge valuable clues.

>FIREWALL

Yep; worth leaving re-quoted for emphasis ;-)

Google is your friend - and I'm not talking about the toolbar (I
prefer to kill all BHOs via IE 6's Tools, Options, Advanced) but the
search engine itself. I Googled on each of the files mentioned in
your error message, and got what looked like a hot pointer or two.

>--------------- ----- ---- --- -- - - -
   Tech Support: The guys who follow the
   'Parade of New Products' with a shovel.
>--------------- ----- ---- --- -- - - -
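
The shell-extension check suggested in the post (CLSID-registered code that loads into Explorer), as an added example that is not part of the original post: a read-only PowerShell inventory of the "Approved" shell extension list, the DLL each CLSID points to, and that DLL's Authenticode status. The function name is hypothetical, and the listing covers only the Approved keys as seen by the current process (a 32-bit shell sees the 32-bit registry view).

```powershell
# Added example, not from the original post. Read-only: nothing is disabled or changed.
# Get-ShellExtensionInventory is a hypothetical helper name.
function Get-ShellExtensionInventory {
    $approvedKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    )
    foreach ($keyPath in $approvedKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($clsid in $key.GetValueNames()) {
            # Skip the default value and anything that is not a {GUID} name.
            if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

            # The CLSID's InprocServer32 default value is the DLL loaded into Explorer.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = ''
            if (Test-Path -LiteralPath $server) {
                $dll = ([string](Get-Item -LiteralPath $server).GetValue('')).Trim('"')
            }
            # Bare file names (e.g. shell32.dll) resolve against System32.
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path "$env:SystemRoot\System32" $dll
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            $sig = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }

            [pscustomobject]@{
                Hive        = $keyPath.Substring(0, 4)
                CLSID       = $clsid
                Description = $key.GetValue($clsid)
                Dll         = $dll
                Exists      = $exists
                Signature   = if ($sig) { $sig.Status } else { 'n/a' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Review first: entries whose DLL is missing, unsigned, or not signed by Microsoft.
Get-ShellExtensionInventory |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object Dll |
    Format-Table CLSID, Description, Dll, Signature -AutoSize
```

Third-party entries that surface here are candidates for the reversible disabling the post recommends, not proof of a problem; many legitimate tools register unsigned handlers.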


