Can't open Control Panel. Explorer.exe Application Error

Strange things are going on on my computer.  I use Mozilla Firefox web browser version 1.0.2.  I first noticed this error when trying to download ANY kind of attachment via Hotmail.

firefox.exe - No Disk
There is no disk in the drive.  Please insert a disk into drive \Device\Harddisk2\DR15

I thought I'd uninstall and reinstall Mozilla Firefox, but have a second problem to solve before I do that.

I am getting the following error when I try to open the Control Panel on a Windows XP Professional PC.

Explorer.exe Application Error
The instruction at "0x02e89e56" referenced memory at "0x00000000". The memory could not be "written".
Click OK to terminate the program.
Click CANCEL to debug the program.

I have tried the patch in KB Article Q329692.  I have followed instructions KB Article 883791.  No luck.  Still have same symptoms.  I scanned the computer for viruses and Spyware using Microsoft Anti Spyware, Spybot Search and Destroy, and Ad Aware.  I was able to successfully remove all spyware.

What else can I do?  Please help!
briancassin Commented:
You have not removed all the pests. I have seen this error many times before on XP machines; the method below has a 96% success rate.... the only downfall right now is that the first thing that should be done is going into control panel and uninstalling any applications that look odd or unfamiliar or asking someone here first because some of the spyware and malware are better off being removed by their uninstallers rather than being ripped out by adaware and spybot s&d... I would still do this first before you proceed with the instructions below...

or you can take the short route and format and reinstall...

if by the end of this you are still having problems then please post your last logfile created as per instructions below....  if nothing is found then a non destructive install may have to be done to repair windows.

most likely you have several conditions

a. Internet Explorer is damaged
b. You still have pests in the system
c. you still have viruses in the system
d. you probably have Coolweb or VX2 in your system and possibly memwatch.b

follow this


First and foremost clear out the temporary caches in Firefox if you can...

and right click on internet explorer on the desktop select properties then where it says temporary internet files select delete files then select delete all offline content, then go to settings, view objects anything that does not say microsoft get rid of it by right clicking and selecting remove.... in addition if a file has no name right click on it and select properties on it if the url does not go to then most likely it is a malicious active x control especially if you do not recognize it

1. go to

download unzip it and run select scan and save a logfile to your desktop don't do anything else yet with HIJACK THIS. ...

2. go to run the anti virus scan if you have any anti virus scanners running on your machine you may want to disable them before doing this.

3. go to  and select scan my pc make sure use heuristics is selected and where it says what to scan select "My Computer"


Go to

download webroot spysweeper select to save it to your desktop once the download completes it is a 30 day free trial.... we are going to uninstall it after it does its job...

download it install it update it and run it.

4. go to here   download save it to the desktop Double click on the then click on the Run
Make sure Windows\System32 is in the box. (Windows\System for 9X).
Then wait until the blue text says it has "completed the scan"
Click the "Compare" button to start the next process.
The results will appear in two planes.
Files in the upper plane are verified to exist.
Files in the lower plane were "not able to be accessed"
There should be very few files in the lower plane.
Click on each file in the lower plane to select it then right click on the file and choose "Rescan"
This will recheck to see if the file does exist, if it does it will be removed from the list.
Not all the files remaining are bad. GOOGLE them to see what they are.

5. go to this site download save to desktop and run coolweb shredder

6. go to this site  download and run vx2 finder see if it finds anything.

7. If you have not loaded SP2 yet then this will work if you have and you are still getting errors you will need to uninstall SP2 and run this

go to start run and enter this command below and hit enter a box should come up select repair

rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"

8. Uninstall Mozilla firefox reboot and reinstall it most likely imported junk from I.E. if you selected to import.

9. Run the SFC / SCANNOW as stated before

10. Check your c:\windows directory and your c:\windows\system32 directory for any odd named files. if you find any right click on them and then select properties see who the file is made by and pay attention to the dates usually a spyware virus infection happens over the course of 3 - 4 months before the system becomes unstable i.e. you probably got infected around december in your machine if you find an odd file with no name of the company on the properties and googling it doesn't turn up anything saying it is a system file and it has an odd name such as xys98wqn8.exe or .dll, .RB0 etc... then it is a fake file used by a virus trojan, worm, malware spyware etc... delete the file but make a note of the date it was created too.... most windows system files are not going to have recent dates on them some will but most will be older so if you come across a slew of files that were created all between november / december and now then chances are they are bad files also look for ones with 0KB in size....

once you discover these files it will give you a "range to work within" you can then use the start find files or folders go to the advanced tab and select to search by date created and then put the date range say november up until yesterday. if it comes up with too many files it will complain that it can only display 10000 at a time and to narrow your search if that happens start looking at the file size if you see hundreds of 0kb sized files start deleting them   This means your system was setup as a zombie which means you have a bad anti virus that is doing you no good, you have no firewall software running or you are using windows firewall, and you are directly connected to the internet through a cable modem instead of a router.

*** see preventative maintenance at the bottom

Finally you will need to reboot the system go into safe mode and delete the following things

go under c:\temp and delete all files & folders in there but do not delete temp folder itself... check c:\windows\temp (if there is one do the same thing)
go to C:\Documents and Settings\your user name\Local Settings\Temp
C:\Documents and Settings\Default User\Local Settings\Temp & temporary internet files
 then under each account name i.e. "all users" "your username"  
do the same thing

***********you can delete stuff easily in the directories by going click in the area where the files are then going to the menu at the top and selecting edit - select all then - delete.

also C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files  (delete the content.ie5 folder)

then local settings then temp and temporary internet settings delete everything under these directories if it errors you can usually see what file it stops on delete the rest of them and make a note of this file, if it cannot be deleted it may still be an active spyware, malware or virus  that was not caught.

If the system is now running good and a lot of stuff was deleted it is highly advised you defrag your drive at this point.

Once that is done you can go to the following sites to get software to prevent this problem from recurring on the right hand side there is a download for free version of zone alarm download that   avg free link is on the lower left corner... this is a free anti virus and it works better than norton   download spyware blaster update it and run it, it will protect internet explorer and firefox. you will probably never have spyware again with this running

if you are using file sharing networks do not use them, that is where all the latest greatest viruses are being released and spyware.  You are only setting up your computer as part of a zombie network.

If any viruses are found at any point during any of your virus scans that are listed as backdoor trojans or keyloggers and you bought things online seriously check your billing statements and change all and any passwords you have used online lately otherwise you could be a victim of ID theft or worse.

In addition make sure you save the logfile from panda because if panda cannot clean something you need to make sure the other programs do otherwise you will have to manually do it and if you do not keep this you will not know where to look
after you are done with all this run hijack this again and save a second logfile named logfile 2 then post it up here so we can verify all the pests are gone.
If you're up for it I suggest you try a "SFC/Scannow".. That might correct the problem since it did for me last time I saw something similar.
If you don't know the SFC command, feel free to ask for more info.
Check your RAM with Memtest:
Memtest CD Image:
Memtest Floppy Disk Creator:

Check your HardDrive with Drive Fitness Test (DFT):
DFT CD Image:
DFT Floppy Disk Creator:

NOTE: Run an advanced test in DFT - a Red background is BAD
You can lookup the error code in the manual:

If both of those pass fine, then do the following:
- download, run hijackthis and post your logfile up here for us to see:
sorry if some of my info. repeated everyone else's it took a while to type all this.... :)
mb2010Author Commented:
Wow!  Thanks for the detailed write ups!  The Pandora software found some stuff, two things that were marked Possible Virus and 4 things marked Adware.  I was able to manually delete them all.  The Spysweeper found a few things that it got rid of automatically.  Other than that, all the other programs you mentioned had negative results.

Here are the results of the HiJackThis scan.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:35 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\DISrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\PCGProt.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PC Guardian\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\"user"\My Documents\Download\HiJackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iws_cleanup.exe] C:\WINDOWS\System32\iws_cleanup.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\PC Guardian\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [LiveState Recovery 3.0] C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\WINMPM\pvsw\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://dsrprotect/officescan/console/html/
O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - https://dsrprotect/officescan/console/html/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://caah01-file01/tsweb/
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://dsrentah/tsweb/
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://dsrprotect/officescan/console/html/
O16 - DPF: {BA00165E-C903-11D3-BD27-0050048A82BF} (eShare Technologies NetAgent Customer ActiveX Control) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://"company"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "maindomain".com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "olddomain".com
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: SymcEventMonitors - C:\WINDOWS\SYSTEM32\EventMonitors.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: EphdXlatService - Unknown owner - C:\Program Files\PC Guardian\EP Hard Disk\User\DISrv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PCG Protect - PC Guardian - C:\Program Files\PC Guardian\EP Hard Disk\User\PCGProt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec LiveState Recovery - Symantec Corporation - C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

mb2010Author Commented:
I forgot to mention, I ran "SFC/Scannow" and it did not find or fix anything.
is it the same in Safe mode ?
mb2010Author Commented:
When I try to run "SFC/Scannow" from safe mode, I get the following error:

Windows File Protection could not initiate a scan of protected system files.
The specific error code is 0x000006ba [The RPC server is unavailable.]
mb2010Author Commented:
In addition, I get the same "Explorer.exe Application Error" when I try to access the Control Panel from safe mode.
Did you play around with MSconfig a little too much maybe?

You can start the RPC by commandline with the command: "Net Start RPCss", then you should be able to run the SFC...
mb2010Author Commented:
No playing with MSconfig here.  "Net Start RPCss" results in "The requested service has already been started.  More help is available by typing NET HELPMSG 2182."

Tried to run "SFC /Scannow" again, and still got the "Windows File Protection" error above.
If this was my case.. I would run an in-place upgrade.. Seems like there is serious stuff going on with your OS. Especially when the SFC can not cooperate with a started RPC!

I ran your hijackthis file through the analyzer: have some bugs that might be a problem, but I really don't have the time to check them out..
Okay I have looked over your hijack this logfile a lot of odd things still going on


this file DNTUS26.EXE located in your hijack this file above can be one of several things...
see the url below for more information... If you did not install a remote administration tool named Dameware then get this off the system immediately. This can also be part of the

here is the explicit removal instructions

DNTUS26.exe program is part of DameWare Mini Remote Control.  A lightweight remote control intended primarily for administrators and help desks for quick and easy deployment without external dependencies and machine reboot.

How to remove the Mini Remote and/or NT Utilities Client Agent Service:
Please note that if the DWRCS.exe and/or DNTUS26.exe files are not located in the system32 folder, then please search for them and perform the following steps from that folder instead of the system32 folder.

Go to a command prompt.
Type cd %systemroot%\system32 and press Enter.
Type DWRCS.exe -remove and press Enter.
Type DNTUS26.exe -remove and press Enter.
After the service removal you can delete the following files, however this may require a re-boot before you can delete them.
DWRCSET.DLL (v 3.6x and later)
DWRCSHELL.DLL (v 3.6x and later)
If you cannot delete the DWRCShell.dll, then more than likely the Windows Explorer Shell must have already loaded it.  Reboot the machine and do not right-click on anything.  Click on the Start button and then select run.  Type CMD and press ENTER. Once you have the DOS prompt, type: CD %systemroot%\system32 and press Enter.   Now delete the DWRCShell.dll file.

MORE INFORMATION: DNTU26.EXE also suspected infection of W32/Deloder.worm.

DWRCS.EXE: Part of the above file


this is odd

O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll

O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) -

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I am assuming you are doing some sort of programming with all the experimental tools and protocols ???

Name: Remote Packet Capture Protocol v.0 (experimental)
Filename: rpcapd.exe
Description: Service name is rpcapd. "WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2)." File is found at this location: %ProgramFiles%\WinPcap\rpcapd.exe

I see Trend Micro PC Cillin Zone Alarm and Symantec   what exact version of these softwares do you have ???

PC Cillin I know is AV and a firewall

Symantec - are you running System works Symantec AV , Firewall ????

Zone Alarm - Pro, Free or the anti virus security firewall suite ?

Whatever that whale client file is it may have damaged your winsock .... follow the instructions here to check your winsock

if that is no help google  "winsock fix xp" there are several free utilities but make sure you make a system restore point before doing this....

Also have you followed everything step by step as I stated above ??? such as turning off system restore in my first post along with running CoolWebShredder and also running the I.E. Repair TOOL VX2 finder etc... ???

as far as the error in safe mode this could be for several reasons....

1. When in safe mode is the rpc service running ?

2. If so then there is corruption try the following  this says windows 2000 but may also work for xp... check to see if you have the certificate installed by using the instructions but do not export. If the certificate is missing go to another XP machine and export the certificate.

see this
these are the trusted root certificates for windows to run properly

What errors are you getting now and what have you tried please let me know if there are any steps you skipped at any point please tell me because they could make a world of difference....

Your final option if all else fails:
 Do a non destructive reinstall of the O.S. put in the CD and select repair install providing it is not an OEM boot and nuke type cd.
Providing you have at least SP1 loaded you should not lose anything. Some programs may not work anymore but that is very unlikely and only if they are not mainstream programs that adhere to general windows application programming guidelines.
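
The manual review of the posted HijackThis log in the reply above (the Winsock LSP lines, the DameWare service, the rpcapd service with a missing file) can be reproduced mechanically. This is an added example, not part of the original thread or of HijackThis itself; the rule set and the `REMOTE_ADMIN` watchlist are assumptions built from entries in this log, and a flag is a prompt to verify the entry, not a verdict.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O<nn> - <entry type>: <details>" is the shape of every O-line in the log.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

# Assumption: watchlist of remote-administration products named in this log.
REMOTE_ADMIN = ("dameware", "pcanywhere")


def flags_for(code, kind, body):
    """Return the reasons an entry deserves a manual look (empty list if none)."""
    low = body.lower()
    reasons = []
    if code == "O10" and kind.lower().startswith("unknown file"):
        reasons.append("unrecognised Winsock LSP")
    if code == "O23" and " - unknown owner - " in low:
        reasons.append("service reported with 'Unknown owner'")
    if low.rstrip().endswith("(file missing)"):
        reasons.append("entry points at a missing file")
    if code == "O2" and body.startswith("(no name)"):
        reasons.append("unnamed BHO")
    if code == "O23" and any(name in low for name in REMOTE_ADMIN):
        reasons.append("remote-administration service: confirm it was installed on purpose")
    return reasons


def triage(log_text):
    """Parse O-lines, collapse exact duplicates, and return flagged entries in log order."""
    counts = Counter()
    parsed = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # header lines, process list, blank lines
        counts[line] += 1
        parsed.setdefault(line, match.groups())

    findings = []
    for line, (code, kind, body) in parsed.items():
        reasons = flags_for(code, kind, body)
        if reasons:
            findings.append(
                {"code": code, "entry": body, "count": counts[line], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        repeat = f" (x{f['count']})" if f["count"] > 1 else ""
        print(f"{f['code']}{repeat}: {f['entry']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

The unnamed BHO it flags resolves to a path under the Spybot - Search & Destroy folder, which shows why each flag still needs the path and vendor checked by hand before anything is removed.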
mb2010Author Commented:
All else failed!!  

I ran the Windows Repair option from the bootable Windows XP Professional CD.  After it was done, it kicked my PC into an endless reboot cycle.  I have a Winternals ERD Commander boot disk that I used to get the data to a removable hard disk.  Then, I reimaged the drive.  Now I am restoring files and programs.

Even though my problem was not resolved I have decided to reward points to briancassin for a wonderful writeup.  I learned about some utilities that I was not aware of before.  

thank you, sorry to hear that you ended up reimaging the drive.:(
Question has a verified solution.
