A chkimg check of explorer.exe comes up with an image that doesn't checksum, because the VA in the process space has been corrupted (which is causing the failure):
Code:
0:005> !chkimg -lo 50 -d !explorer
ff41cbb0-ff41cbb2 3 bytes - explorer!CTrayNotify::_CanShowBalloon
[ ff f3 48:60 8b ec ]
ff41cbb4-ff41cbb9 6 bytes - explorer!CTrayNotify::_CanShowBalloon+4 (+0x04)
[ ec 20 83 b9 68 04:c4 f0 64 8b 1d 30 ]
ff41cbbd-ff41cbd1 21 bytes - explorer!CTrayNotify::_CanShowBalloon+d (+0x09)
[ 48 8b da 0f 84 1b 35 03:8b 43 0c 8b 40 14 8b 00 ]
ff41cbd3-ff41cbd7 5 bytes - explorer!CTrayNotify::_CanShowBalloon+1b (+0x16)
[ 83 b9 5c 04 00:00 68 00 00 01 ]
ff41cbd9-ff41cbdb 3 bytes - explorer!CTrayNotify::_CanShowBalloon+21 (+0x06)
[ 00 0f 85:6a 00 05 ]
ff41cbdd-ff41cbde 2 bytes - explorer!CTrayNotify::_CanShowBalloon+25 (+0x04)
[ 35 03:18 01 ]
ff41cbe0-ff41cbe5 6 bytes - explorer!CTrayNotify::_CanShowBalloon+24 (+0x03)
[ 48 8d 0d 99 ba 0b:ff d0 89 45 fc e8 ]
ff41cbe7-ff41cbf1 11 bytes - explorer!CTrayNotify::_CanShowBalloon+2b (+0x07)
[ e8 04 01 00 00 b9 01 00:00 00 00 5b 89 5d f0 81 ]
ff41cbf3-ff41cc00 14 bytes - explorer!CTrayNotify::_CanShowBalloon+37 (+0x0c)
[ 0f 84 e5 34 03 00 83 f8:02 00 81 eb fa 67 2a 00 ]
ff41cc02-ff41cc1d 28 bytes - explorer!CTrayNotify::_CanShowBalloon+3e (+0x0f)
[ 83 f8 03 0f 84 ce 34 03:50 b8 7e 68 2a 00 03 c3 ]
ff41cc1f-ff41cc56 56 bytes - explorer!CTrayNotify::_CanShowBalloon+65 (+0x1d)
[ 8b c1 48 83 c4 20 5b c3:00 8b 4d fc 81 c1 00 10 ]
ff41cc58-ff41cc75 30 bytes - explorer!CTrayNotify::_ShowInfoTip+1a7 (+0x39)
[ 45 85 e4 0f 84 ce 59 ff:00 8b 55 f4 81 c2 ec 34 ]
185 errors : !explorer (ff41cbb0-ff41cc75)
Further, the base pointer address (stored in rbp), which tells the process where this thread's start info is, has been corrupted (note it's 0x0 - impossible):
Code:
0:005> r
rax=0000000007b14750 rbx=0000000000000000 rcx=0000000076d6a08a
rdx=0000000000000000 rsi=0000000007b14750 rdi=00000000ff4d8738
rip=00000000ff41cc2b rsp=00000000023beca0 rbp=0000000000000000
r8=00000000023beb68 r9=00000000003106b4 r10=0000000000000000
r11=0000000000000206 r12=0000000000000001 r13=0000000000000001
r14=0000000000000000 r15=00000000ff4d8a60
Capt. Jack is probably right when he suggests you disable all of the non-Microsoft add-on extensions loaded in explorer and see if it reproduces at that point. Here are the extensions you have loaded according to your dump:
Code:
0:005> lmivm RarExt
start end module name
000007fe`f7a60000 000007fe`f7a93000 RarExt (deferred)
Symbol file: RarExt.dll
Image path: C:\Program Files\WinRAR\RarExt.dll
Image name: RarExt.dll
Timestamp: Sat Dec 12 05:12:02 2009 (4B236C72)
CheckSum: 0002C711
ImageSize: 00033000
File version: 3.91.0.0
Product version: 3.91.0.0
File flags: 0 (Mask 0)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:005> lmivm shlext64
start end module name
00000001`80000000 00000001`80055000 shlext64 (deferred)
Symbol file: shlext64.dll
Image path: C:\Program Files (x86)\Avira\AntiVir Desktop\shlext64.dll
Image name: shlext64.dll
Timestamp: Mon Feb 01 09:43:15 2010 (4B66E883)
CheckSum: 00050844
ImageSize: 00055000
File version: 10.0.0.3
Product version: 10.0.0.3
File flags: 28 (Mask 3F) Private Special
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:005> lmivm 7_zip
start end module name
00000000`10000000 00000000`1001c000 7_zip (deferred)
Symbol file: 7-zip.dll
Image path: C:\Program Files\7-Zip\7-zip.dll
Image name: 7-zip.dll
Timestamp: Tue Feb 03 02:10:19 2009 (4987EDDB)
CheckSum: 00000000
ImageSize: 0001C000
File version: 4.65.0.0
Product version: 4.65.0.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
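An added example, not part of the original post: a small Python parser for `!chkimg` range lines in the form shown above. It re-adds the per-range byte counts, checks them against the debugger's summary line, and reports how much of the flagged span differs from the on-disk image. The function name `summarize_chkimg` and the embedded sample (range lines copied from the post, byte previews omitted) are assumptions of this example.

```python
import re

# Constructed sample: range lines copied from the post's !chkimg output, byte previews omitted.
SAMPLE = """\
ff41cbb0-ff41cbb2 3 bytes - explorer!CTrayNotify::_CanShowBalloon
ff41cbb4-ff41cbb9 6 bytes - explorer!CTrayNotify::_CanShowBalloon+4 (+0x04)
ff41cbbd-ff41cbd1 21 bytes - explorer!CTrayNotify::_CanShowBalloon+d (+0x09)
ff41cbd3-ff41cbd7 5 bytes - explorer!CTrayNotify::_CanShowBalloon+1b (+0x16)
ff41cbd9-ff41cbdb 3 bytes - explorer!CTrayNotify::_CanShowBalloon+21 (+0x06)
ff41cbdd-ff41cbde 2 bytes - explorer!CTrayNotify::_CanShowBalloon+25 (+0x04)
ff41cbe0-ff41cbe5 6 bytes - explorer!CTrayNotify::_CanShowBalloon+24 (+0x03)
ff41cbe7-ff41cbf1 11 bytes - explorer!CTrayNotify::_CanShowBalloon+2b (+0x07)
ff41cbf3-ff41cc00 14 bytes - explorer!CTrayNotify::_CanShowBalloon+37 (+0x0c)
ff41cc02-ff41cc1d 28 bytes - explorer!CTrayNotify::_CanShowBalloon+3e (+0x0f)
ff41cc1f-ff41cc56 56 bytes - explorer!CTrayNotify::_CanShowBalloon+65 (+0x1d)
ff41cc58-ff41cc75 30 bytes - explorer!CTrayNotify::_ShowInfoTip+1a7 (+0x39)
185 errors : !explorer (ff41cbb0-ff41cc75)
"""

RANGE_RE = re.compile(r"^\s*([0-9a-f`]+)-([0-9a-f`]+)\s+(\d+) bytes - (\S+)", re.I)
TOTAL_RE = re.compile(r"^\s*(\d+) errors : !?\S+ \(([0-9a-f`]+)-([0-9a-f`]+)\)", re.I)

def _addr(text):
    return int(text.replace("`", ""), 16)  # 64-bit addresses may carry a backtick

def summarize_chkimg(output):
    """Re-add per-range mismatch counts and compare with the summary line."""
    ranges, symbols, reported, span = [], [], None, None
    for line in output.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges.append((_addr(m[1]), _addr(m[2]), int(m[3])))
            sym = m[4].split("+")[0]  # drop the +offset suffix
            if sym not in symbols:
                symbols.append(sym)
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported = int(m[1])
            span = _addr(m[3]) - _addr(m[2]) + 1
    counted = sum(n for _, _, n in ranges)
    return {"ranges": len(ranges), "counted": counted, "reported": reported,
            "consistent": counted == reported, "span_bytes": span,
            "untouched_in_span": None if span is None else span - counted,
            "symbols": symbols}

if __name__ == "__main__":
    for key, value in summarize_chkimg(SAMPLE).items():
        print(f"{key}: {value}")
```

On the post's output the per-range counts add up to the 185 errors the debugger reports, and only 13 bytes inside the flagged 198-byte span still match the on-disk image.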