Explorer crashing

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Hi.
Occasionally when I'm using my PC, I get an Illegal Operation error for "Explorer".
The details from the last time it happened:

EXPLORER caused an invalid page fault in
module KERNEL32.DLL at 015f:bff7a3c2.
Registers:
EAX=00000067 CS=015f EIP=bff7a3c2 EFLGS=00010202
EBX=00434e2c SS=0167 ESP=0059f37c EBP=0059f398
ECX=0043001c DS=0167 ESI=00000018 FS=2477
EDX=0043001c ES=0167 EDI=00000018 GS=0000
Bytes at CS:EIP:
89 50 04 80 24 3b fd 83 7d f0 00 74 61 83 7d f4
Stack dump:
0043000c 00430000 00434e2c 00000000 00000000
00000434 00000435 0059f3c0 bff7a541 00430000
00434e2c 00000014 00000000 00439d22 0059f470
0059f45c

When I am running IE (through NTL World's ISP software), plus another program or two (say, Windows Media Player and/or an Office program) and then I try and do something else - using the Start/Run command line. It occurred when I tried to run msconfig and also when I tried to open the autoexec.bat file in notepad.
My brother says it has also happened on occasions when he was not connected to the internet too.

My system is a 700Mhz P3, 256Mb RAM, Windows 98.

Any idea why this would be happening and how to stop it?
Explorer just stops responding - although I can still use the net, I can no longer right-click or left-click anything on the task bar (the cursor changes to an I-bar in that area). If I minimise the browser window, I can't maximize it again, and so am forced to restart.

Also, perhaps an unrelated matter, I sometimes get Illegal Operation messages from using seemingly unrelated programs and the message will not go away, no matter how many times I click OK. I can drag it out of the way and carry on with whatever I'm doing but the error window remains until I restart.

Thanks guys,

Gram
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Hi Gram,

It's always a good idea to check whether there's something running that shouldn't.

Try this:

Go to Start/run, and type Msinfo32, followed by OK.
Go to Software Environment/Startup Programs.
Now click Edit/'Select all', and then 'copy'
Paste the contents in your post.

Good luck,
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Tony,

ScanRegistry - Registry (Machine Run) - C:\WINDOWS\scanregw.exe /autorun
SystemTray - Registry (Machine Run) - SysTray.Exe
Gearbox - Registry (Machine Run) - "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
Tweak UI - Registry (Machine Run) - RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
AVG_CC - Registry (Machine Run) - C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
internet.exe - Registry (Machine Run) - C:\WINDOWS\internet.exe
C-Media Mixer - Registry (Machine Run) - C:\Program Files\C-Media\AudioRack\Mixer.exe /startup
Machine Debug Manager - Registry (Machine Service) - C:\WINDOWS\SYSTEM\MDM.EXE
Avgserv9.exe - Registry (Machine Service) - C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

"Gearbox" and possibly "internet.exe" are the ISP software. Everything looks okay to me, although maybe I don't need C-Media Mixer running.

Gram
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Hi Gram,

This is without any doubt the cleanest startup list I've seen in a long time...

No nasties there. You might additionally uncheck Mdm in Msconfig/startup, and check 'disable script debugging' in Internet Options/Advanced, but it doesn't by itself bring us closer to a solution.

You could disable AVG for a while to see whether that makes a difference, but from a security standpoint that doesn't really help a lot.

No conflicts in Device Manager?

Maybe someone else has a suggestion.

Meanwhile, here are some articles on the subject: http://www.generation.net/~hleboeuf/errexplo.htm#ERRKERNEL32.DLL

Good luck,
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Of course it's always useful to have your system scanned on line at Trend Micro HouseCall (http://housecall.antivirus.com/)
Also run Ad-Aware (http://www.lavasoftusa.com/index.html) to check for spyware, if only so we can afford to rule these things out.

Good luck,
 
Joined
May 18, 2001
Messages
1,199
Hi Gram123, a damaged history folder will also cause this error. Go into DOS, at the c:\ prompt type,

smartdrv (hit enter)

Deltree/y history (hit enter)

Exit (hit enter)

Let us know if this works for you.
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
By, this forum's busy this evening!

Okay,
I unchecked Mdm in msconfig.

'Disable script debugging' was already checked.

I ran the latest version of Ad-Aware and it found 137 spyware references. My cookies etc were cleaned out within the last 2 days, so this surprised me. I was online at the time I ran Ad-Aware - could this have something to do with it? Does Ad-Aware do something beyond selecting and removing spyware infected cookies?

I ran Housecall and it found 2 trojans:

TROJ_BACKDOOR.MI - Housecall called this "malware" and inoculated it on shutdown.

TROJ_ANAKHA.A - it said this was "Non-cleanable". The trojan is apparently in C:\WINDOWS\SYSTEM\Shellex.exe. I checked MooSoft for info on it, and although they have it listed there is no further info yet.

So, can anyone tell me what to do to get rid of Anakha?

Thanks for your help so far! I'll give beach51's suggestion a try next.

Gram :rolleyes: :rolleyes: :rolleyes:
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Well, these trojans could certainly account for (most of) your errors.

I couldn't find anything about your trojan in a Google search.

I think you should start up in Safe Mode, and delete C:\Windows\System\Shellex.exe there.

Also do this:

Download Startup.log from this site: http://home.earthlink.net/~rmbox/Reticulated/Toys.html

It generates a text file on your desktop that will list all the applications that start in the many places when you start Windows.
We don't need to see StubPath.txt, just StartupLog.txt


Good luck,
 
Joined
May 18, 2001
Messages
1,199
Hi Gram, wasn't sure if being online while running Ad-Aware made any difference, it doesn't. I just ran it while being online, found just one (doubleclick). Looking at your startup, you don't have any of the real nasty ones like newdotnet, webhancer, etc. So that's not the problem. Just go ahead and delete what Ad-Aware found. Btw, that's all Ad-Aware does, checks for spyware components. As for Troj.Anakha.a, I found the same thing you did. Rollin-Rog is the expert with virus stuff, am sure he'll have the answer when he comes online.
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Is it safe to delete Shellex.exe (in safe mode)? I did a search on Google to see if I could find it and all I got was:
ShellEx is a "wizard" that makes it easy to create AutoPlay CD's for use on any Windows(tm) operating system.
I have no idea where this came from - the site said it was freeware, but neither I nor my brother can recall downloading such a thing.
It couldn't be part of Adaptec could it?

If you tell me it's safe, I'll delete it.
In the meantime I'll run Startup.log and post results.

I followed beach51's instructions with the Deltree thing.

Thanks again!

Gram
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
You can rename it to Shellex.old. That renders it harmless as well.


Good luck,
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Startup.log:

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Gearbox"="\"C:\\Program Files\\Gearbox Connection Kit\\bin\\confsvr.exe\""
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"AVG_CC"="C:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
"internet.exe"="C:\\WINDOWS\\internet.exe"
"C-Media Mixer"="C:\\Program Files\\C-Media\\AudioRack\\Mixer.exe /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Avgserv9.exe"="C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

noload=C:\TBridge\Flatbed.exe

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

@Echo Off
Smartdrv
Deltree /Y C:\Windows\Tempor~1\*.* > Nul
Deltree /Y C:\Windows\Cookies\*.* > Nul

C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"OldRealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldRealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS


==========================================================================
__________________________________________________________________________

- End -


I'll rename Shellex and then if something looks for it later at least I can work out what it is. Then should I go back to Housecall and do another scan?

Thanks
Gram
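
The notes inside Startup.log (win.ini run=/load= should be empty, system.ini shell= should be Explorer.exe only) can be checked mechanically; the following is an added example, not part of the original thread or of the Startup.log tool. It assumes the log layout shown in the post above, takes the open-command values in that log as the expected baseline, and uses constructed sample text with placeholder file names.

```python
import re

# Baseline open commands, written as they appear in the log (assumed clean).
EXPECTED_OPEN = {ext: r'"\"%1\" %*"' for ext in ("exe", "com", "bat", "pif")}
EXPECTED_OPEN["scr"] = r'"\"%1\" /S"'

# Constructed sample: a few lines in the Startup.log layout from the post.
CLEAN = r'''
run=

noload=C:\TBridge\Flatbed.exe

shell=Explorer.exe

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
'''

# Constructed tampered variant; the placeholder-*.exe names are made up.
TAMPERED = (CLEAN.replace("run=\n", "run=C:\\placeholder-a.exe\n", 1)
            .replace("shell=Explorer.exe", "shell=Explorer.exe C:\\placeholder-b.exe")
            .replace(r'@="\"%1\" %*"', r'@="C:\\placeholder-c.exe \"%1\" %*"'))

def audit(log_text):
    """Return a list of findings for the win.ini, system.ini and shell-spawn checks."""
    findings = []
    lines = [line.strip() for line in log_text.splitlines()]
    for i, line in enumerate(lines):
        # win.ini: only the exact keys run= / load= count; "noload=" is a disabled entry.
        m = re.fullmatch(r"(run|load)=(.*)", line, re.I)
        if m and m.group(2).strip():
            findings.append(f"win.ini {m.group(1).lower()}= starts {m.group(2).strip()}")
        # system.ini: anything other than Explorer.exe alone is reported.
        m = re.fullmatch(r"shell=(.*)", line, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(f"system.ini shell= is {m.group(1).strip()}")
        # Shell spawning: the value sits on the nearest non-empty line above the label.
        m = re.match(r"\(\.(\w+) file - RegPath = HKCR", line)
        if m:
            ext = m.group(1).lower()
            value = next((l for l in reversed(lines[:i]) if l), "").removeprefix("@=")
            if ext in EXPECTED_OPEN and value != EXPECTED_OPEN[ext]:
                findings.append(f"{ext}file open command is {value}")
    return findings

if __name__ == "__main__":
    for finding in audit(TAMPERED):
        print(finding)
```
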
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Gram,

Your Startup.log looks entirely clean to me. Good for you! :)

Mo, any thoughts on Shellex.exe?
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Well, it's 1.30 in the morning here so I'm gonna quit for today.
I'll check back tomorrow and try Tauscan then.

Thanks for all your help so far Tony, Beach & Mo!!

Gram
 