Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

More Process Crash Troubleshooting

Posted by William Diaz on March 2, 2012

A user called in and requested one of our technicians to assist in removing some annoying autorun applications. Upon opening the Control Panel and going to Add or Remove Programs in Windows XP, the rundll32.exe process was crashing. The same applied for any process that required a CPL to run:
I was asked to assist and started by going to C:\Documents and Settings\username\Application Data\Microsoft\ Dr Watson. I opened the drwtsn32.log and scrolled to the bottom, confirming that some error in rundll32.exe was being encountered:

Application exception occurred:
App: C:\WINDOWS\system32\rundll32.exe (pid=5996)
When: 2/28/2012 @ 10:47:49.473
Exception number: c0000005 (access violation)

Usually, I jump to the FAULT to look for the signs of some 3rd party component but post-mortem debugger doesn’t offer any clues in the stack:

FAULT ->00a6632d ??               ???
Error 0x00000001
00a6632f ??               ???
00a66331 ??               ???
00a66333 ??               ???
00a66335 ??               ???
00a66337 ??               ???
00a66339 ??               ???
00a6633b ??               ???
00a6633d ??               ???
00a6633f ??               ???
00a66341 ??               ???*—-> Stack Back Trace <—-*
ChildEBP RetAddr  Args to Child
0007ffa0 000a0123 00000000 00000000 000a002c 0xa6632d
0007fff0 00000000 01001bdc 00000000 78746341 0xa0123

Lets go back up and look for any suspicious 3rd party DLLs in the log under the module list:

*—-> Module List <—-*
(0000000000a30000 – 0000000000a39000: C:\Documents and Settings\username\Application Data\dplayx.dll
(0000000001000000 – 000000000100b000: C:\WINDOWS\system32\rundll32.exe
(000000005ad70000 – 000000005ada8000: C:\WINDOWS\system32\UxTheme.dll
(000000005cb70000 – 000000005cb96000: C:\WINDOWS\system32\ShimEng.dll
(000000005d090000 – 000000005d12a000: C:\WINDOWS\system32\comctl32.dll
(000000006f880000 – 000000006fa4a000: C:\WINDOWS\AppPatch\AcGenral.DLL
(0000000071aa0000 – 0000000071aa8000: C:\WINDOWS\system32\WS2HELP.dll
(0000000071ab0000 – 0000000071ac7000: C:\WINDOWS\system32\ws2_32.dll
(0000000076390000 – 00000000763ad000: C:\WINDOWS\system32\IMM32.DLL
(00000000763b0000 – 00000000763f9000: C:\WINDOWS\system32\COMDLG32.dll
(00000000769c0000 – 0000000076a74000: C:\WINDOWS\system32\USERENV.dll
(0000000076b40000 – 0000000076b6d000: C:\WINDOWS\system32\WINMM.dll
(0000000076c90000 – 0000000076cb8000: C:\WINDOWS\system32\IMAGEHLP.dll
(0000000077120000 – 00000000771ab000: C:\WINDOWS\system32\OLEAUT32.dll
(00000000773d0000 – 00000000774d3000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
(00000000774e0000 – 000000007761e000: C:\WINDOWS\system32\ole32.dll
(0000000077b40000 – 0000000077b62000: C:\WINDOWS\system32\Apphelp.dll
(0000000077be0000 – 0000000077bf5000: C:\WINDOWS\system32\MSACM32.dll

Normally, you don’t see legitimate software installing components into the root of the user’s profile Application Data folder. This is a classic sign of malware. Lets confirm the suspicion with Process Monitor by setting a filter for rundll32.exe, opening a CPL, and looking at file activity:
This suspicious DLL seems to be injecting itself into the crashing process. In addition to dplayx.dll (named after the legit Microsoft DirectPlay component in the system32 folder), there is also another system hidden file, dplaysvr.exe in the same directory, which is executed from HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion\Run. This is likely not the intended action of this bit of malware, but since there is no running process for the executable we can assume it is broken. Resolving was a simple matter of manually removing the two files and rebooting. Afterwards, it good to follow up by running Autoruns and/or manually removing the registry run entries.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: