Explorer crashing

Discussion in 'Earlier Versions of Windows' started by Gram123, Dec 4, 2001.

Thread Status:
Not open for further replies.
  1. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Hi.
    Occasionally when I'm using my PC, I get an Illegal Operation error for "Explorer".
    The details from the last time it happened:

    EXPLORER caused an invalid page fault in
    module KERNEL32.DLL at 015f:bff7a3c2.
    Registers:
    EAX=00000067 CS=015f EIP=bff7a3c2 EFLGS=00010202
    EBX=00434e2c SS=0167 ESP=0059f37c EBP=0059f398
    ECX=0043001c DS=0167 ESI=00000018 FS=2477
    EDX=0043001c ES=0167 EDI=00000018 GS=0000
    Bytes at CS:EIP:
    89 50 04 80 24 3b fd 83 7d f0 00 74 61 83 7d f4
    Stack dump:
    0043000c 00430000 00434e2c 00000000 00000000
    00000434 00000435 0059f3c0 bff7a541 00430000
    00434e2c 00000014 00000000 00439d22 0059f470
    0059f45c

    When I am running IE (through NTL World's ISP software), plus another program or two (say, Windows Media Player and/or an Office program) and then I try and do something else - using the Start/Run command line. It occurred when I tried to run msconfig and also when I tried to open the autoexec.bat file in notepad.
    My brother says it has also happened on occasions when he was not connected to the internet too.

    My system is a 700Mhz P3, 256Mb RAM, Windows 98.

    Any idea why this would be happening and how to stop it?
    Explorer just stops responding - although I can still use the net, I can no longer right-click or left-click anything on the task bar (the cursor changes to an I-bar in that area). If I minimise the browser window, I can't maximize it again, and so am forced to restart.

    Also, perhaps an unrelated matter, I sometimes get Illegal Operation messages from using seemingly unrelated programs and the message will not go away, no matter how many times I click OK. I can drag it out of the way and carry on with whatever I'm doing but the error window remains until I restart.

    Thanks guys,

    Gram
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi Gram,

    It's always a good idea to check whether there's something running that shouldn't.

    Try this:

    Go to Start/run, and type Msinfo32, followed by OK.
    Go to Software Environment/Startup Programs.
    Now click Edit/'Select all', and then 'copy'
    Paste the contents in your post.

    Good luck,
     
  3. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Tony,

    ScanRegistry - Registry (Machine Run - C:\WINDOWS\scanregw.exe /autorun
    SystemTray - Registry (Machine Run) - SysTray.Exe
    Gearbox - Registry (Machine Run) - "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    Tweak UI - Registry (Machine Run) - RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    AVG_CC - Registry (Machine Run) -C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    internet.exe - Registry (Machine Run) - C:\WINDOWS\internet.exe
    C-Media Mixer - Registry (Machine Run) - C:\Program Files\C-Media\AudioRack\Mixer.exe /startup
    Machine Debug Manager - Registry (Machine Service) - C:\WINDOWS\SYSTEM\MDM.EXE
    Avgserv9.exe - Registry (Machine Service) - C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

    "Gearbox" and possibly "internet.exe" are the ISP software. Everything looks okay to me, although maybe I don't need C-Media Mixer running.

    Gram
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi Gram,

    This is without any doubt the cleanest startup list I've seen in a long time...

    No nasties there. You might additionally uncheck Mdm in Msconfig/startup, and check 'disable script debugging' in Internet Options/Advanced, but it doesn't by itself bring us closer to a solution.

    You could disable AVG for a while to see whether that makes a difference, but from a security standpoint that doesn't really help a lot.

    No conflicts in Device Manager?

    Maybe someone else has a suggestion.

    Meanwhile, here are some articles on the subject: http://www.generation.net/~hleboeuf/errexplo.htm#ERRKERNEL32.DLL

    Good luck,
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Of course it's always useful to have your system scanned online at Trend Micro HouseCall (http://housecall.antivirus.com/).
    Also run Ad-Aware (http://www.lavasoftusa.com/index.html) to check for spyware, if only so we can afford to rule these things out.

    Good luck,
     
  6. beach51

    beach51

    Joined:
    May 18, 2001
    Messages:
    1,199
    Hi Gram123, a damaged history folder will also cause this error. Go into DOS, at the c:\ prompt type,

    smartdrv (hit enter)

    Deltree/y history (hit enter)

    Exit (hit enter)

    Let us know if this works for you.
     
  7. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    By, this forum's busy this evening!

    Okay,
    I unchecked Mdm in msconfig.

    'Disable script debugging' was already checked.

    I ran the latest version of Ad-Aware and it found 137 spyware references. My cookies etc were cleaned out within the last 2 days, so this surprised me. I was online at the time I ran Ad-Aware - could this have something to do with it? Does Ad-Aware do something beyond selecting and removing spyware infected cookies?

    I ran Housecall and it found 2 trojans:

    TROJ_BACKDOOR.MI - Housecall called this "malware" and inoculated it on shutdown.

    TROJ_ANAKHA.A - it said this was "Non-cleanable". The trojan is apparently in C:\WINDOWS\SYSTEM\Shellex.exe. I checked MooSoft for info on it, and although they have it listed there is no further info yet.

    So, can anyone tell me what to do to get rid of Anakha?

    Thanks for your help so far! I'll give beach51's suggestion a try next.

    Gram :rolleyes: :rolleyes: :rolleyes:
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Well, these trojans could certainly account for (most of) your errors.

    I couldn't find anything about your trojan in a Google search.

    I think you should start up in Safe Mode, and delete C:\Windows\System\Shellex.exe there.

    Also do this:

    Download Startup.log from this site: http://home.earthlink.net/~rmbox/Reticulated/Toys.html

    It generates a text file on your desktop that will list all the applications that start in the many places when you start Windows.
    We don't need to see StubPath.txt, just StartupLog.txt


    Good luck,
     
  9. beach51

    beach51

    Joined:
    May 18, 2001
    Messages:
    1,199
    Hi Gram, wasn't sure if being online while running Ad-Aware made any difference; it doesn't. I just ran it while being online, found just one (doubleclick). Looking at your startup, you don't have any of the real nasty ones like newdotnet, webhancer, etc. So that's not the problem. Just go ahead and delete what Ad-Aware found. Btw, that's all Ad-Aware does, checks for spyware components. As for Troj.Anakha.a, I found the same thing you did. Rollin-Rog is the expert with virus stuff, am sure he'll have the answer when he comes online.
     
  10. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Is it safe to delete Shellex.exe (in safe mode)? I did a search on Google to see if I could find it and all I got was:
    I have no idea where this came from - the site said it was freeware, but neither me nor my brother can recall downloading such a thing.
    It couldn't be part of Adaptec could it?

    If you tell me it's safe, I'll delete it.
    In the meantime I'll run Startup.log and post results.

    I followed beach51's instructions with the Deltree thing.

    Thanks again!

    Gram
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You can rename it to Shellex.old. That renders it harmless as well.


    Good luck,
     
  12. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Startup.log:

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "SystemTray"="SysTray.Exe"
    "Gearbox"="\"C:\\Program Files\\Gearbox Connection Kit\\bin\\confsvr.exe\""
    "Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
    "AVG_CC"="C:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
    "internet.exe"="C:\\WINDOWS\\internet.exe"
    "C-Media Mixer"="C:\\Program Files\\C-Media\\AudioRack\\Mixer.exe /startup"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Avgserv9.exe"="C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    noload=C:\TBridge\Flatbed.exe

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    @Echo Off
    Smartdrv
    Deltree /Y C:\Windows\Tempor~1\*.* > Nul
    Deltree /Y C:\Windows\Cookies\*.* > Nul

    C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "OldRealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "OldRealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"=""
    "OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-


    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS


    ==========================================================================
    __________________________________________________________________________

    - End -


    I'll rename Shellex and then if something looks for it later at least I can work out what it is. Then should I go back to Housecall and do another scan?

    Thanks
    Gram
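
An added example, not part of the original posts and not the Startup.log tool's own code: a Python sketch that parses a log in the format posted above, applies the two rules the log itself states (win.ini run=/load= empty, system.ini shell= exactly Explorer.exe), and looks for a named file in the registry Run-type keys. The function names and the trimmed sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample: a few sections trimmed from the Startup.log posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"internet.exe"="C:\\WINDOWS\\internet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Avgserv9.exe"="C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"

run=
noload=C:\TBridge\Flatbed.exe
shell=Explorer.exe
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce; not their subkeys.
AUTORUN_RE = re.compile(r'\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?$', re.I)
INI_RE = re.compile(r'^(run|load|shell)=(.*)$', re.I)

def parse_startup_log(text):
    """Return (autoruns, ini): autoruns is a list of (key, name, command),
    ini maps the win.ini run/load and system.ini shell names to their values."""
    autoruns, ini, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            key = None  # a blank line ends a registry section in this log format
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key and AUTORUN_RE.search(key):
            # Undo the .reg-style escaping (\\ and \") in a single pass.
            autoruns.append((key, m.group(1), re.sub(r'\\(.)', r'\1', m.group(2))))
        elif m := INI_RE.match(line):
            ini[m.group(1).lower()] = m.group(2).strip()
    return autoruns, ini

def review(text, flagged_name):
    """Findings per the log's own stated rules, plus any autorun naming flagged_name."""
    autoruns, ini = parse_startup_log(text)
    findings = []
    for k in ("run", "load"):
        if ini.get(k):
            findings.append(f"win.ini {k}= is not empty: {ini[k]}")
    shell = ini.get("shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(f"system.ini shell= is not Explorer.exe alone: {shell}")
    for key, name, cmd in autoruns:
        if flagged_name.lower() in cmd.lower():
            findings.append(f"{key} [{name}] launches {cmd}")
    return findings
```

An empty list means only that the named file is not referenced from the locations parsed here; it says nothing about whether the file itself is benign.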
     
  13. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Here's a link to Tauscan
    http://www.agnitum.com/download

    It's a free trial download for Tauscan. Download, install and update it. Then run it. See if it picks up anything.
     
  14. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Gram,

    Your Startup.log looks entirely clean to me. Good for you! :)

    Mo, any thoughts on Shellex.exe?
     
  15. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Well, it's 1.30 in the morning here so I'm gonna quit for today.
    I'll check back tomorrow and try Tauscan then.

    Thanks for all your help so far Tony, Beach & Mo!!

    Gram
     

Short URL to this thread: https://techguy.org/60715
