
'Generic Host Services' revisited...



#1
ZedU54

...This horse has probably already been flogged to death, because it seems that almost anything and everything can cause this error, but I need some help. I've had this error on my desktop for about a year and a half; it's been more of a nuisance than anything else. And I don't know at this point if it's any kind of malware that's causing it or if it's simply a case of a Windows component that got corrupted, so I'm starting this under the Windows XP topic. If it does indeed turn out to be a malware issue, please feel free to move to the appropriate topic with my sincerest apologies.
...Now. This error comes up under any of the following conditions:
1. During log-on to Windows (either after boot-up or after changing user accounts). It will come up while the different icons are appearing in the Taskbar.
2. When starting IE (currently using IE7).
3. When going to browse the local drives (after right-clicking 'Start' and selecting 'Explore'). The Start Menu window will open and some of the contents of the computer will appear in the left pane, but then the error comes up. If I click on 'Don't Send', the error message disappears, and after a delay, the rest of the contents appear in the left pane and I can browse apparently without further incident.
...The 'Error signature' I get is this:
szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : ntdll.dll
szModVer : 5.1.2600.5512 offset : 0000100b
...If I click to 'view technical information about the error report', I get this:
'The following files will be included in this error report:
I:\DOCUME~1\Todd\LOCALS~1\Temp\WER982b.dir00\svchost.exe.mdmp
I:\DOCUME~1\Todd\LOCALS~1\Temp\WER982b.dir00\appcompat.txt'
...actually locating those files is somewhat difficult; otherwise I would copy and paste them in here.
...Anyway, I have done the first steps outlined in your malware and spyware removal, and still get the error. So, here is the MBAM log:


#2
rshaffer61

It appears you may have a malware problem. Please go to the "Malware Forum" link in my signature below and follow the instructions at the top,
especially the "You Must Read This Before Posting A HijackThis Log".

That will give you several steps that will help you clean up 70 percent of all problems by yourself.
If at the end of the process you are still having difficulty, start a topic and post the requested logs in THAT forum.
Once the malware technicians have cleared out any infection and given you a clean bill of health, if the problem continues then feel free to post back here and we can investigate the problem even more.

#3
ZedU54

...my apologies; I should have said that I have already been to the Malware Forum and to that particular topic. I actually printed out the topic and collected the programs it calls for onto a 'G2G PC Cleanup' disc. I thought I followed the directions in the topic exactly, but perhaps I didn't do something or did something wrong?

#4
rshaffer61

Did a tech help you clean the system?
I'm not a malware expert, but looking at the log as I was scrolling by it, there is an entry that says two infected files were detected. I pasted the entry below.

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

As you ran this scan this morning then I would say you need to go back to the malware forum. Start a topic there and wait for a technician to assist you in cleaning your system. Then when they are done and have given you a clean bill of health and if the problem is still happening, then come back here and we can assist you even more. Malware is tricky and the techs in that forum have been trained to deal with it and they will do it until it is cleaned or explain to you what needs to be done.

Edited by rshaffer61, 02 April 2009 - 12:03 PM.


#5
ZedU54

...will do. I haven't had a tech help me yet; I just took the actions that were outlined in that particular thread. What you are referring to was part of my MBAM scan. I'll start a new topic in the Malware forum, copy and paste my info into it, and see what they have to say. Thank you very much.
...Moving to the malware forum...

#6
rshaffer61

You are welcome. I will wait for your return. Please let me know if they get you fixed up or if you need more help.

Edited by rshaffer61, 03 April 2009 - 09:47 AM.


#7
ZedU54

...I'm back. After running several diagnostics (thanx, Jimmy2012!! :) ), we have ruled out malware as a cause of this problem. The computer is clean. So it looks like we're back to something being amiss with my XP itself. Now, I've already read a few threads where other people have had this or a similar issue, and even tried replacing my ntdll.dll file in Safe Mode as suggested in one of those threads. Perhaps I wasn't doing something right, but when I tried that, I got an error saying that that file was currently being used by another program and couldn't be copied. Anyway, I still need some ideas on how to straighten this out...

#8
usasma

Can you locate the I:\DOCUME~1\Todd\LOCALS~1\Temp\WER982b.dir00\svchost.exe.mdmp file, zip it up and post it here? Analyzing crash dumps from user level processes is a bit different than kernel level analysis - but the procedure for generating the analysis is basically the same. If present, a stack trace may give further information about what caused ntdll.dll to fault.

Also, if you're able to identify which of the svchost.exe processes is faulting (by PID maybe?), you can then check to see what's running within that process.

Finally, I'd also check in your Event Viewer to see if there are any errors around the time of the error. To do this, go to Start...Run...and type in "eventvwr.msc" (without the quotes) and press Enter. Check both the Application and the System log files for errors.

#9
ZedU54

...OK. First, the Event Viewer. Under Applications, from the current startup, I got two errors:

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 31 2e 32 36 30 5.1.260
0028: 30 2e 35 35 31 32 20 69 0.5512 i
0030: 6e 20 6e 74 64 6c 6c 2e n ntdll.
0038: 64 6c 6c 20 35 2e 31 2e dll 5.1.
0040: 32 36 30 30 2e 35 35 31 2600.551
0048: 32 20 61 74 20 6f 66 66 2 at off
0050: 73 65 74 20 30 30 30 30 set 0000
0058: 31 30 30 62 100b

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 31 2e 32 36 30 5.1.260
0028: 30 2e 35 35 31 32 20 69 0.5512 i
0030: 6e 20 6e 74 64 6c 6c 2e n ntdll.
0038: 64 6c 6c 20 35 2e 31 2e dll 5.1.
0040: 32 36 30 30 2e 35 35 31 2600.551
0048: 32 20 61 74 20 6f 66 66 2 at off
0050: 73 65 74 20 30 30 30 30 set 0000
0058: 31 30 30 62 100b


...this appears to be two instances of the same error.

...And under System:

Source: Service Control Manager 'The Windows Image Acquisition (WIA) Service hung on starting.' (No dump)

Source: Service Control Manager 'The Windows Image Acquisition (WIA) Service terminated unexpectedly. This has happened 1 time(s).' (No dump)

...Now: I don't know what you mean by 'identifying by PID'... :)

...And now, to try to find that svchost.exe.mdmp file. I have to use the Command Prompt to try to locate it, because I recognize the old MS-DOS conventions in the path name (nothing can be over eight characters long). And my MS-DOS has gotten a little rusty. Also I note that that 'WERxxxx' identifier changes each time the error occurs...
...but, I finally managed to capture the contents of one of the 'WERxxxx.dir00' directories, including four files: appcompat.txt, manifest.txt, svchost.exe.hdmp and svchost.exe.mdmp, and zip them. They will be in the attached 'Memory dumps.zip' file. You have to capture the files while the error message is on the screen; once you remove the error message, the files are automatically deleted... :) ...it took me several tries to get it...

Attached File  Memory_dumps.zip   153.13KB   128 downloads

...btw, I used to work in electronics as a debug/repair tech. For nearly 40 years. I understand how important it is to have as much information about a problem as you can when you're trying to troubleshoot it... :)

Edited by ZedU54, 12 April 2009 - 06:29 PM.


#10
usasma

Gotta run, but wanted to post the analysis for others to have a look at. I suspect that pmicro.dll is at fault here, but haven't fully reviewed the dump file or done any research on it:

Microsoft ® Windows Debugger Version 6.9.0003.113 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\FUBAR\Downloads\Memory_dumps\svchost.exe.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Debug session time: Sun Apr 12 20:07:09.000 2009 (GMT-4)
System Uptime: not available
Process Uptime: not available
..........................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(6a0.524): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=80070000 ecx=00340650 edx=7c90e4f4 esi=000001ec edi=00000000
eip=7c90e4f4 esp=006699d8 ebp=00669a3c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
0:001> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

Unable to load image I:\WINDOWS\system32\pmicro.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for pmicro.dll
*** ERROR: Module load completed but symbols could not be loaded for pmicro.dll
Unable to load image I:\WINDOWS\system32\xpsp2res.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for xpsp2res.dll
*** ERROR: Module load completed but symbols could not be loaded for xpsp2res.dll
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

FAULTING_IP:
ntdll!RtlEnterCriticalSection+b
7c90100b 837a1400 cmp dword ptr [edx+14h],0

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c90100b (ntdll!RtlEnterCriticalSection+0x0000000b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000034
Attempt to read from address 00000034

DEFAULT_BUCKET_ID: STATUS_ACCESS_VIOLATION

PROCESS_NAME: svchost.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

READ_ADDRESS: 00000034

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000524

PRIMARY_PROBLEM_CLASS: STATUS_ACCESS_VIOLATION

BUGCHECK_STR: APPLICATION_FAULT_STATUS_ACCESS_VIOLATION

LAST_CONTROL_TRANSFER: from 77c3b90d to 7c90100b

STACK_TEXT:
0066f5f8 77c3b90d 00000020 0066f640 77c40e2b ntdll!RtlEnterCriticalSection+0xb
0066f604 77c40e2b 00000000 0066fcc4 00367378 msvcrt!_lock_file+0x33
0066f640 10003289 00000000 0066f658 00000000 msvcrt!fprintf+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0066fa58 100019f8 100046cc 00000001 00000000 pmicro+0x3289
0066fa74 5a5dece1 00000065 0066fb9c 00000000 pmicro+0x19f8
0066fcc4 5a5da5e9 00000000 00367238 5a5d9264 wiafbdrv!CMicroDriverAPI::UnInitialize+0x4b
0066fcd0 5a5d9264 00367240 5a5d92c5 00000001 wiafbdrv!CWIAScannerDevice::~CWIAScannerDevice+0x29
0066fcd8 5a5d92c5 00000001 00000000 000ced3c wiafbdrv!CWIAScannerDevice::`scalar deleting destructor'+0x8
0066fce8 75aba966 00367240 00367240 000ced3c wiafbdrv!CWIAScannerDevice::NonDelegatingRelease+0x24
0066fcf8 75abb09d 000ced3c 000ced08 000ce9e8 wiaservc!CDrvWrap::UnLoadDriver+0x35
0066fd20 75ac781f 000001c8 00000000 000ced08 wiaservc!CDrvWrap::LoadInitDriver+0x288
0066fd3c 75ac7b76 00000000 000b01e0 00000000 wiaservc!ACTIVE_DEVICE::LoadDriver+0xe8
0066fd5c 75ab8fbc 000cea80 000ce9e8 000b01e0 wiaservc!ACTIVE_DEVICE::ACTIVE_DEVICE+0x148
0066fd8c 75ab99cb 00000005 000ce9e8 00000fa0 wiaservc!CWiaDevMan::AddDevice+0x45
0066fee8 75aba7ca 00000005 00000040 7c809a1d wiaservc!CWiaDevMan::EnumDevNodeDevices+0x33d
0066ff10 75ac7e2b 00000004 00096bd4 00098750 wiaservc!CWiaDevMan::ReEnumerateDevices+0xa9
0066ff54 75ac8340 00000001 00096bd0 75aabc84 wiaservc!DoGlobalInit+0x1f0
0066ff6c 010011cc 00000001 00096bd0 00000000 wiaservc!ServiceMain+0x28
0066ffa0 77df352b 00000001 00096bd0 0007e898 svchost!ServiceStarter+0x9e
0066ffb4 7c80b713 00096bc8 00000000 0007e898 advapi32!ScSvcctrlThreadA+0x12
0066ffec 00000000 77df3519 00096bc8 00000000 kernel32!BaseThreadStart+0x37


STACK_COMMAND: ~1s; .ecxr ; kb

FOLLOWUP_IP:
msvcrt!_lock_file+33
77c3b90d 5d pop ebp

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: msvcrt!_lock_file+33

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: msvcrt

IMAGE_NAME: msvcrt.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4802a188

FAILURE_BUCKET_ID: STATUS_ACCESS_VIOLATION_c0000005_msvcrt.dll!_lock_file

BUCKET_ID: APPLICATION_FAULT_STATUS_ACCESS_VIOLATION_msvcrt!_lock_file+33

Followup: MachineOwner
---------



#11
usasma

It seems (from the stack trace) that it's the pmicro.dll file that's the problem. It's associated with the Visioneer scanner - do you have that sort of scanner (or any scanner) installed on your system?

If so, try uninstalling it to see if it stops the errors. If so, then download a fresh set of drivers from the Scanner manufacturer's website and install that.
  • 0
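
Added example, not part of any post in this thread: a Python script that reads the debugger text from post #10 the way post #11 does, walking down from the faulting frame to the first module without symbols and picking out which service that svchost.exe instance was hosting. The function names and the "no function name means look here first" heuristic are assumptions of this example; the sample text is an abridged copy of the output above.

```python
import re

# Abridged copy of the debugger output posted in this thread.
DUMP = """\
(6a0.524): Access violation - code c0000005 (first/second chance not available)
STACK_TEXT:
0066f5f8 77c3b90d 00000020 0066f640 77c40e2b ntdll!RtlEnterCriticalSection+0xb
0066f604 77c40e2b 00000000 0066fcc4 00367378 msvcrt!_lock_file+0x33
0066f640 10003289 00000000 0066f658 00000000 msvcrt!fprintf+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0066fa58 100019f8 100046cc 00000001 00000000 pmicro+0x3289
0066fa74 5a5dece1 00000065 0066fb9c 00000000 pmicro+0x19f8
0066fcc4 5a5da5e9 00000000 00367238 5a5d9264 wiafbdrv!CMicroDriverAPI::UnInitialize+0x4b
0066ff6c 010011cc 00000001 00096bd0 00000000 wiaservc!ServiceMain+0x28
0066ffa0 77df352b 00000001 00096bd0 0007e898 svchost!ServiceStarter+0x9e
"""

# "(pid.tid):" header, both hexadecimal
EXC = re.compile(r"^\(([0-9a-f]+)\.([0-9a-f]+)\): ", re.M)
# ChildEBP, RetAddr, three args, then module[!function]+0xoffset
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)(?:!(.+?))?\+0x([0-9a-f]+)$")

def parse_frames(text):
    """Return (module, function, offset, reliable) for each stack frame."""
    frames, reliable = [], True
    for line in text.splitlines():
        if line.startswith("WARNING: Stack unwind information not available"):
            reliable = False  # the debugger is guessing from here down
            continue
        m = FRAME.match(line.strip())
        if m:
            frames.append((m.group(1), m.group(2), int(m.group(3), 16), reliable))
    return frames

def triage(text):
    """Summarise the process, the hosted service and the first unsymbolized module."""
    exc = EXC.search(text)
    frames = parse_frames(text)
    # Heuristic (assumption of this example): a frame with no function name had
    # no symbols on the configured symbol path, so look that module up first.
    suspect = next((f for f in frames if f[1] is None), None)
    # svchost.exe hosts services; the module containing ServiceMain names one.
    service = next((f[0] for f in frames if f[1] == "ServiceMain"), None)
    return {
        "pid": int(exc.group(1), 16),
        "tid": int(exc.group(2), 16),
        "fault": f"{frames[0][0]}!{frames[0][1]}",
        "suspect": suspect[0] if suspect else None,
        "suspect_frame_reliable": suspect[3] if suspect else None,
        "service_module": service,
    }

print(triage(DUMP))
```

The suspect frame sits below the unwind warning, so the result is a lead to confirm rather than a verdict.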

#12
ZedU54

...I do indeed have a Visioneer One Touch 8600 scanner on that system! I will definitely give this a try...

#13
ZedU54

...that was it. And it looks like I won't be able to use this scanner without further problems. As soon as I removed the scanner from Device Manager, I stopped getting the error. I then found the Visioneer website and got tools and instructions for a complete uninstall and reinstall of the scanner, along with three tools for performing this and a fresh copy of the driver (it's an older scanner; the latest version of the driver was still a few years old). But even after following this procedure and reinstalling the fresh driver, the problem reappeared. So I have uninstalled the scanner and completely removed it from the system. I'll need to find another scanner with less-troublesome software... :)
...however, many thanks for the help!...I need to learn some of this stuff...

#14
usasma

Multifunction printers that include a scanner are very cheap these days. And they work well with Windows XP and Vista!

Printers and scanners are becoming "throw-away" items. They're cheaper to replace than they are to repair.

Edited by usasma, 14 April 2009 - 07:01 AM.


#15
ZedU54

...true. And it wasn't like the scanner wasn't working; it was. And it was supposedly compatible with XP. But for whatever reason its driver and that pmicro.dll file gave my XP trouble. That procedure I got for reinstalling the driver also asked me to uninstall IE7 and then reinstall it after reinstalling the driver...but how are you supposed to do that, since uninstalling IE is not possible to begin with?...(or it is possible, but more trouble than it's worth...)
...anyway, replacing the scanner is not high on my list of priorities; I don't use one all that often...





