
UserDump File Debug for WinXP SP3?



Posted

Hi everyone... :thumbup

Would an expert be kind enough to debug this user.dmp file for me?

http://rapidshare.com/files/142459722/user.dmp.html

I suspect bad RAM but I've run Mem86 and the Microsoft Memory Tester and both came back with no errors.

The problem is VERY random explorer.exe crashes all the time with random "Offsets" and I've tried everything to find the answer by myself but I'm so beaten here...please help me.

If someone also needs a MiniDump too, please let me know...

Thank you in advance. :hello:


Posted

Well, I can't make heads or tails of the culprit, but I can tell you why it's crashing:

// The stack - eip points to an invalid memory address, so we crash with an access violation:
0:014> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00fcfba4 7e418734 002c0272 00000218 0000000a 0x35b23ac
00fcfbd0 7e418816 011c0fef 002c0272 00000218 user32!InternalCallWinProc+0x28
00fcfc38 7e4189cd 00000000 011c0fef 002c0272 user32!UserCallWinProcCheckWow+0x150
00fcfc98 7e418a10 00fcfcd8 00000000 00fcfcc0 user32!DispatchMessageWorker+0x306
00fcfca8 75f9d875 00fcfcd8 00000000 021c6548 user32!DispatchMessageW+0xf
00fcfcc0 75fa5218 00fcfcd8 0007dfe0 00000000 browseui!TimedDispatchMessage+0x33
00fcff20 75fa5389 00123aa8 0007dfe0 774fd9dd browseui!BrowserThreadProc+0x336
00fcffb4 7c80b713 00123aa8 0007dfe0 774fd9dd browseui!BrowserProtectedThreadProc+0x50
00fcffec 00000000 75fa5339 00123aa8 00000000 kernel32!BaseThreadStart+0x37

0:014> dc eip L1
035b23ac ???????? ????

// In looking at the return value in EAX, I can see that it is likely supposed to be
// the base address of the module that is needing to be called back - 7ffa7000:
0:014> r
eax=7ffa7000 ebx=00000000 ecx=011c0ff4 edx=00000043 esi=011c0fef edi=00fcfc0c
eip=035b23ac esp=00fcfba8 ebp=00fcfbd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
035b23ac ?? ???

// However, this address is no longer occupied by a loaded module:
0:017> dc 7ffa7000 L1
7ffa7000 ???????? ????

// In looking around the running threads in the dump, I can see some module called
// the endthreadex function to terminate a thread (likely during its dll unload routine):
0:017> kb
ChildEBP RetAddr Args to Child
0113fdbc 7c90df2c 7c809574 00000002 0113fde8 ntdll!KiFastSystemCallRet
0113fdc0 7c809574 00000002 0113fde8 00000001 ntdll!NtWaitForMultipleObjects+0xc
0113fe5c 7e4195f9 00000002 0113fe84 00000000 kernel32!WaitForMultipleObjectsEx+0x12c
0113feb8 6c1e4b52 00000001 0113feec ffffffff user32!RealMsgWaitForMultipleObjectsEx+0x13e
0113fed8 6c1e4d9c 000004ff ffffffff 00000001 duser!CoreSC::Wait+0x3a
0113ff0c 6c1de344 0113ff4c 00000000 00000000 duser!CoreSC::xwProcessNL+0xab
0113ff2c 6c1da73d 0113ff4c 00000000 00000000 duser!GetMessageExA+0x44
0113ff80 77c3a3b0 00000000 7c910000 7c912cae duser!ResourceManager::SharedThreadProc+0xb6
0113ffb4 7c80b713 04911cc0 7c910000 7c912cae msvcrt!_endthreadex+0xa9
0113ffec 00000000 77c3a341 04911cc0 00000000 kernel32!BaseThreadStart+0x37

// Note that there are two other duser threads in a wait that this thread is waiting on,
// but I cannot tell what the wait is on due to the fact that this is a dr watson dump,
// rather than something useful like an adplus dump or a userdump dump. However,
// I am suspecting that the wait is on the offending thread I listed first:
0:014> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00fcfba4 7e418734 002c0272 00000218 0000000a 0x35b23ac
00fcfbd0 7e418816 011c0fef 002c0272 00000218 user32!InternalCallWinProc+0x28
00fcfc38 7e4189cd 00000000 011c0fef 002c0272 user32!UserCallWinProcCheckWow+0x150
00fcfc98 7e418a10 00fcfcd8 00000000 00fcfcc0 user32!DispatchMessageWorker+0x306
00fcfca8 75f9d875 00fcfcd8 00000000 021c6548 user32!DispatchMessageW+0xf
00fcfcc0 75fa5218 00fcfcd8 0007dfe0 00000000 browseui!TimedDispatchMessage+0x33
00fcff20 75fa5389 00123aa8 0007dfe0 774fd9dd browseui!BrowserThreadProc+0x336
00fcffb4 7c80b713 00123aa8 0007dfe0 774fd9dd browseui!BrowserProtectedThreadProc+0x50
00fcffec 00000000 75fa5339 00123aa8 00000000 kernel32!BaseThreadStart+0x37

The reason I believe this to be the case is because the process would only be running a thread going through user32!InternalCallWinProc if it was going to report back to an unloading module before finishing up the dll unload cleanup. What it looks like is that the module just unloaded itself after calling its unload routine, without waiting for the cleanup and callback to finish (which it is supposed to do). What I can suggest is installing userdump and creating a new crash rule for explorer.exe, and only monitoring for "access violation" or "c0000005" in the rule. Dr Watson will not break in fast enough to show us the 3rd party module that is causing this, but userdump is likely to do so.

One thing you can try to do though, is see if you can remember installing anything before you noticed the symptoms occurring. Otherwise, try userdump.

Posted

Thank you SO much for everything thus far "cluberti"!!

Would you say that the problem could be because my RAM is corrupted and that possible dll file that explorer.exe is looking for is supposed to be there in RAM?

Or would you say that one of my security programs running in the background could be more likely?

-NOD32 AntiVirus v.3

-Outpost Firewall Pro v.6

-Spy Sweeper v.5

Thank you again cluberti... :hello:

Posted

Also cluberti,

I feel stupid, but I can't get UserDump to work after I install it and restart. Every time I try to go into the control panel and click the icon, it says something about how the program isn't installed. I tried to install it by BOTH enabling and disabling the "Dump on Process Termination" feature and neither way works...I'm running Windows XP SP3.

Thank you again...

Posted

No, I don't think it's RAM related at all, and I'm not sure I know enough yet to say your antivirus has anything to do with it. As to userdump, if it doesn't work, just follow my instructions here for adplus on gathering a dump from a process that is crashing. It might take a while and a few tries, but it should work.

Posted

I'll use the Debugging Tools for Windows like you said, and wait until the error happens again.

Thank you kindly, cluberti!! Peace be unto you my Brother...

Posted

Hey cluberti, B)

Before I even got a chance to install the Debugging Tools for Windows, I got the error again. The error dialog box had all the same info as any other time, except the "Offset" which is what is always random and different. So, this time it's "04025b90".

Here is the link to the Dr. Watson Dump that was in my user profile's "Local Settings" "Temp" folder.

http://rapidshare.com/files/142920140/1620FA.dmp.html

I hope this MiniDump is more informative than my "User.dmp" file

Please help me...I am so desperate here. Thank you for everything. :hello:

Posted

A little bit different dump - obviously it's the same exception, due to an invalid address, but here it is again just for reference:

// The exception showing the A/V:
0:012> .exr 0xffffffffffffffff
ExceptionAddress: 04025b90
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 04025b90
Attempt to read from address 04025b90

// The stack - Dr Watson appears to have caught the exception handler:
0:012> k
ChildEBP RetAddr
0262da6c 7c90df2c ntdll!KiFastSystemCallRet
0262da70 7c809574 ntdll!NtWaitForMultipleObjects+0xc
0262db0c 7c80a105 kernel32!WaitForMultipleObjectsEx+0x12c
0262db28 6945763c kernel32!WaitForMultipleObjects+0x18
0262e4bc 694582b1 faultrep!StartDWException+0x5df
0262f530 7c8643c6 faultrep!ReportFault+0x533
0262f7a4 75fa53af kernel32!UnhandledExceptionFilter+0x55b
0262f7ac 77c35cf5 BROWSEUI!BrowserProtectedThreadProc+0x71
0262f7d4 7c9032a8 msvcrt!_except_handler3+0x61
0262f7f8 7c90327a ntdll!ExecuteHandler2+0x26
0262f8a8 7c90e46a ntdll!ExecuteHandler+0x24
0262f8a8 04025b90 ntdll!KiUserExceptionDispatcher+0xe
WARNING: Frame IP not in any known module. Following frames may be wrong.
0262fba4 7e418734 0x4025b90
0262fbd0 7e418816 USER32!InternalCallWinProc+0x28
0262fc38 7e4189cd USER32!UserCallWinProcCheckWow+0x150
0262fc98 7e418a10 USER32!DispatchMessageWorker+0x306
0262fca8 75f9d875 USER32!DispatchMessageW+0xf
0262fcc0 75fa5218 BROWSEUI!TimedDispatchMessage+0x33
0262ff20 75fa5389 BROWSEUI!BrowserThreadProc+0x336
0262ffb4 7c80b713 BROWSEUI!BrowserProtectedThreadProc+0x50
0262ffec 00000000 kernel32!BaseThreadStart+0x37

// The address is indeed invalid:
0:012> dc 04025b90 L1
04025b90 ???????? ????

// Knowing this is likely an unloaded module causing the error, I decided
// to look at the unloaded and loaded module list to see what is actually
// being unloaded, if that list was captured (it was this time). Make sure
// to notice the address range that SSCtxMnu.dll is using - it overlapped
// with TaskManDll:
0:012> lm
Loaded modules:
02830000 02873000 TaskManDll T (no symbols)
...
Unloaded modules:
027e0000 0285d000 SSCtxMnu.dll

Knowing that this is a bad instruction pointer, and since this is likely a .dll that is hooking Windows Explorer (explorer.exe - otherwise, why else would it load), I can make a relatively safe assumption that this is a bad window hook instruction, hence the callback to the unloaded module causing a crash in the shell. I do not know if SSCtxMnu is responsible, or if TaskManDll loaded up and caused the SSCtxMnu dll to unload (I don't know which module grabbed that load address range first, so it's hard to say which is causing it), but I'd say they're both at least suspect at the moment.

I believe TaskManDll to be a part of your FineCrypt package:

0:012> lmivm TaskManDll
start end module name
02830000 02873000 TaskManDll T (no symbols)
Symbol file: TaskManDll.dll
Image path: C:\Program Files\FineCrypt\TaskManDll.dll
Image name: TaskManDll.dll
Timestamp: Tue Jan 08 15:09:56 2008 (4783D894)
CheckSum: 00052A77
ImageSize: 00043000
File version: 10.1.0.1
Product version: 10.1.0.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

And SSCtxMnu is a part of SpySweeper:

0:012> lmivm SSCtxMnu
start end module name
02630000 026ad000 SSCtxMnu T (no symbols)
Symbol file: SSCtxMnu.dll
Image path: C:\PROGRA~1\SPYSWE~1\SSCtxMnu.dll
Image name: SSCtxMnu.dll
Timestamp: Fri Jun 19 18:22:17 1992 (2A425E19)
CheckSum: 00078464
ImageSize: 0007D000
File version: 5.5.7.124
Product version: 5.5.0.0
File flags: 8 (Mask 3F) Private
File OS: 0 Unknown Base
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

Honestly, once you've done a spyware and virus scan (to make sure the computer is clean), I'd uninstall both and see if the problem continues. If not, reinstall one or the other and see what happens. Also, I'd consider contacting the support groups of both FineCrypt and WebRoot to see if they know of any incompatibilities of their products when installed on the same machine as the other, just in case. No module should try to load over another, and module load ranges shouldn't overlap - usually this puts a module into a deferred state to try and load again in a different location, but the above looks suspicious.

Note that I'd still prefer an adplus dump, because this may be a separate problem and may not have caused this issue at all, and I cannot be sure from a Dr Watson dump due to how much data it is actually missing compared to a full adplus.
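A small triage helper, added here and not part of cluberti's post, that reads the `lm` excerpt above (reproduced as a constructed sample, with one made-up user32 line as filler), flags overlapping module ranges, and reports whether a faulting EIP such as 04025b90 falls inside any loaded or unloaded module:

```python
"""Triage helper for WinDbg `lm` output: overlapping ranges and address lookup."""
import re
from typing import Dict, List, Optional, Tuple

Module = Tuple[int, int, str]  # (start, end, name), end exclusive

# Constructed sample mirroring the `lm` output quoted in the thread.
# The user32 line is made-up filler; the other two lines are the thread's values.
LM_OUTPUT = """\
Loaded modules:
02830000 02873000 TaskManDll T (no symbols)
7e410000 7e4a1000 user32 (pdb symbols)
Unloaded modules:
027e0000 0285d000 SSCtxMnu.dll
"""

# "<start> <end> <name> ..." as printed by `lm` on 32-bit targets.
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")


def parse_lm(text: str) -> Dict[str, List[Module]]:
    """Split `lm` text into loaded and unloaded module lists."""
    modules: Dict[str, List[Module]] = {"loaded": [], "unloaded": []}
    section = None
    for line in text.splitlines():
        if line.startswith("Loaded modules"):
            section = "loaded"
        elif line.startswith("Unloaded modules"):
            section = "unloaded"
        elif section is not None:
            m = LINE_RE.match(line)
            if m:
                start, end = int(m.group(1), 16), int(m.group(2), 16)
                modules[section].append((start, end, m.group(3)))
    return modules


def find_overlaps(modules: Dict[str, List[Module]]) -> List[Tuple[str, str]]:
    """Pairs of modules (loaded or unloaded) whose address ranges intersect."""
    everything = modules["loaded"] + modules["unloaded"]
    hits = []
    for i, (s1, e1, n1) in enumerate(everything):
        for s2, e2, n2 in everything[i + 1:]:
            if s1 < e2 and s2 < e1:  # half-open intervals intersect
                hits.append((n1, n2))
    return hits


def locate(addr: int, modules: Dict[str, List[Module]]) -> Optional[Tuple[str, str]]:
    """(state, module) containing addr, or None when it is in no known module."""
    for state in ("loaded", "unloaded"):
        for start, end, name in modules[state]:
            if start <= addr < end:
                return (state, name)
    return None
```

A `None` from `locate` matches what the debugger printed for 04025b90 (`????????`, "Frame IP not in any known module"), while the overlap list reproduces the TaskManDll/SSCtxMnu collision noted in the post.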

Posted

Thank you so much cluberti!!

I'm still going to install the Debugging Tools as you requested...I'm not using that computer right this moment because it's so unstable. I've LONG suspected Spy Sweeper to be very poorly written software...and it's not the only problem I have with Webroot as a whole...you say that one shouldn't ever overwrite the other, so are you certain that that is definitely one problem I'm having (even though it MAY not be THE problem)? If this is one problem, I'm going to uninstall this Spy Sweeper once and for all.

Thank you again cluberti...your time means SO much to me!! :thumbup:D

Posted

I'm going to uninstall this Spy Sweeper once and for all. :thumbup:D

As I bow to the superior XP debugging skills of cluberti I cannot add anything of substance to this thread, but I can say this: WebRoot SpySweeper is IMHO the only example of software worse than modern Symantec/Norton crap. McAfee Suites come in a distant 3rd.

I have only had one client PC that drove me so mad that I gave up and went to a clean XP install out of frustration. That installation had Spy Sweeper actively running, blocking setups, killing USB devices and most Microsoft fixes. It defeated all attempts to reclaim ownership of registry keys and folders. It behaved like the worst virus imaginable, with stealth techniques that I could not completely understand.

I cannot remember if I tried Sysinternals RootkitRevealer or not, but I would be very interested in the results if you would run it before you uninstall the beast! BTW, good luck with the uninstall, as the Add/Remove entry was not working on mine. Nor was the Uninstall EXE file. Please write back with any interesting details if possible!

Posted

Thank you for the input CharlotteTheHarlot. :thumbup

I'm still trying to debug this random error I'm getting, and figure out if I can copy the Spy Sweeper folder to put it on a USB drive to use on occasion instead of having it installed and actively protecting (because I paid for this horrible software...and I'd like to use the subscription out somehow).

In the end I AM going to uninstall it because it's such junk, so I'll be glad to let you know how this all goes. :hello:

Posted

OK CharlotteTheHarlot, got the results for the RootkitRevealer.

I had one Rootkit for BioShock, and two Rootkits for Window's Password.

Nothing for Spy Sweeper yet, haven't tried to uninstall yet...can't get it to do the freakin' error again with the debugger monitoring it...this sucks!!

Posted

Hi again cluberti!! :thumbup

Well, ever since I installed the Debugging Tools for Windows, no matter WHAT I do, I can't get the error again...I used to get it within every half hour of being on...I SHOULD be happy...but I've had the error SO LONG that I got used to it before I asked for help. I've clean-installed XP many times and always had the error each time...so I'm quite certain that I'll have the problem next time I re-install...this sucks SO bad but I wanted to say that I appreciate your help for now.

Thank you again cluberti... :hello:

Posted

Since it's a timing issue, and having a debugger actively attached to a process will slow it down, I'm not entirely surprised. Remove Spy Sweeper, and you'll probably not have any further incursions. Close the debugger and uninstall Spy Sweeper, reboot, and see if you aren't "cured" ;).

Posted

Hrmm.. Are you familiar with the concept of K.I.S.S???

Have you tried the simple things first? Like running IE with no add-ons or completely resetting it? Trying to debug code for your RAM, which would cause a global problem, not just IE (more than likely), seems like skipping quite a few steps. A lot of times, 3rd party programs and malware can install add-ons/toolbars that can cause IE to crash.

I must say though, I am completely overwhelmed with the amazing talent of the previous fellow being able to read that code, I wish I had half that skill. That's all completely Greek to me. :blushing:
