Explorer.exe crash after installing service pack 2

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

BobRoss

Thread Starter
Joined
Jun 29, 2005
Messages
8
I have searched this forum (and many others) for the answer to my problem but can't find one, just similar problems.

I recently installed Service Pack 2 using a Windows install CD (rather than just an upgrade patch). And now every time I run Windows I cannot open any folder or Explorer window without "explorer.exe" crashing. I have turned off Dr. Watson and now I just get a memory error every time.

I cannot downgrade because I used a Windows install CD (can't find an option anywhere to remove Service Pack 2 now). Please could someone help me because it is highly annoying.

Thanks Bob
 
Joined
Aug 30, 2003
Messages
1,281
You should be able to remove SP2 in Add/Remove programs.

To see the service pack, you must have the box checked that says "Show Updates" in the Add/Remove Programs window.
 

BobRoss

Thread Starter
Joined
Jun 29, 2005
Messages
8
I have looked there. But there does not appear to be any option for that. I think because I used a Windows install CD it just overwrote my old Windows with a Service Pack 2 version. But I looked at all the ways of removing it on microsoft.com and none of them apply.
 
Joined
Dec 9, 2000
Messages
45,855
If you did a "clean" install rather than an "upgrade" install, you can't remove it. If you did an "upgrade" you should have been given the option to backup the prior operating system version.

In any case, if you don't want to try a clean install, you need to troubleshoot the errors themselves.

Look for them in the Administrative Tools > Event Viewer log under both System and Application. There is a copy icon on the properties pages of these event log errors you can use to paste errors to a reply (see attachment).

You should also post a HijackThis Scanlog to accompany these.

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply.

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

Also, did you happen to check out this thread?

http://forums.techguy.org:80/showthread.php?p=2686347#post2686347
 

BobRoss

Thread Starter
Joined
Jun 29, 2005
Messages
8
Right, I have done both the things you told me to.
These are the logs of Event Viewer for every time explorer crashes.

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 30/06/2005
Time: 01:45:33
User: N/A
Computer: THE-DADDY
Description:
Application popup: explorer.exe - Application Error : The instruction at "0x014de9dc" referenced memory at "0x00000000". The memory could not be "written".

Click on OK to terminate the program

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 30/06/2005
Time: 01:45:43
User: N/A
Computer: THE-DADDY
Description:
The IMAPI CD-Burning COM Service service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 30/06/2005
Time: 01:45:43
User: NT AUTHORITY\SYSTEM
Computer: THE-DADDY
Description:
The IMAPI CD-Burning COM Service service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 30/06/2005
Time: 01:45:49
User: N/A
Computer: THE-DADDY
Description:
The IMAPI CD-Burning COM Service service entered the stopped state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


And here is the log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 01:47:43, on 30/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\system32\rlvknlg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Simon\Desktop\2xExplorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.metacrawler.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O4 - HKLM\..\Run: [kX Mixer] kxmixer --startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102705487749
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.238/ecwplugins/ncs.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTSvcCDA.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
I hope this gives someone an idea on what my problem is.
 
Joined
Dec 9, 2000
Messages
45,855
Well, you've got a virus/keylogger running there. It doesn't look too complex so I'll take a shot at it, and if it gets gnarly I will move you to the Security forum for further help.

First of all, what is this and why is it running? Did you manually run it?

C:\Documents and Settings\Simon\Desktop\2xExplorer.exe


Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.




Then:

1 >> Restart in Safe Mode. Instructions here if you need them: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

2 >> In Safe Mode run HijackThis and check and "fix" the following entries:

O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll

O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe

^^ http://castlecops.com/s6597-ptask_exe.html

If "Parallel Tasking" is not in Add/Remove programs, delete the "Parallel Tasking Folder" in c:\Program Files while still in Safe Mode.

O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot

^^ this appears to be a "keylogger"; you need to take extra security measures in reviewing and changing any critical passwords used while this was running.

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)



3 >> Go to Start > Run and enter cmd and a command shell will open. At the prompt carefully type and enter each line:

del C:\windows\system32\rlvknlg.exe

Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them.

>> Go to Add/Remove programs and look for "New.net" there and remove it.

>> Reboot and post another Scanlog.
 

BobRoss

Thread Starter
Joined
Jun 29, 2005
Messages
8
I will try those instructions. Thanks very much.
2xExplorer.exe is the program I am using to explore my hard drives due to explorer.exe not working.
 
Joined
Dec 9, 2000
Messages
45,855
You're welcome; if you have a clean scanlog in your next post, and the "explorer" error is still occurring, I'm going to ask that you test this both in a Safe Mode boot and with a different User Profile.
 

BobRoss

Thread Starter
Joined
Jun 29, 2005
Messages
8
I tried deleting all files whilst in Safe Mode but there was one file that could not be removed cos it was in use by a process.
This file has been there for quite some time. Tried deleting it many times.
Looks dodgy to me.
I am going into DOS to delete manually from outside Windows.
 

BobRoss

Thread Starter
Joined
Jun 29, 2005
Messages
8
Sorry, that was not very clear.
There is a file in the temp folder which will not be removed.
In DOS it says I have no access to c:\documents and settings.
So how can I remove this file?
 

BobRoss

Thread Starter
Joined
Jun 29, 2005
Messages
8
That has fixed the "explorer.exe" error. Thank you so much.
But I am a bit worried about this undeletable file in the temp directory.
When not in Safe Mode I have 2 undeletable files:
~DF9183.tmp
~DFA272.tmp

Not sure what to do about them.
Any advice?

Here is my new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 18:09:58, on 30/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\kxmixer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.metacrawler.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kX Mixer] kxmixer --startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102705487749
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTSvcCDA.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
Also, how do you get Windows to stop showing security warnings in the taskbar?
It keeps telling me that Windows Firewall is not switched on and my virus checker is not up to date. How do I get it to stop this?
 
Joined
Dec 9, 2000
Messages
45,855
Don't worry about those temp files, I remember investigating them once and they are created by a legit Microsoft application, I forget which right now.

You still have "new.net" and while it is not malicious it is considered "junk" ware. Did you remove it while in Add/Remove programs and reboot afterwards? You cannot remove those O10 entries with HijackThis if they remain.

But you can use LSPFIX to remove them:

http://www.cexx.org/lspfix.htm


The Security Center warnings occur when you do not have an SP2-compatible antivirus installed. The same will occur for the Firewall, although SP2 should have enabled this by default when you installed it. Can you enable it manually?

I don't see an antivirus installed, so you need to get one. AVG7 is a freebie which will satisfy the Security Center.

http://free.grisoft.com/

For what it's worth you can disable these warnings by opening the Security Center and selecting "change the way Security Center alerts me".

I would not run without SOME kind of Firewall or Antivirus installed however.
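
The before/after comparison of the two HijackThis scanlogs in this thread can be done mechanically. The following is an added example, not part of any post and not HijackThis's own code; the log excerpts are copied (shortened) from the two logs above, and the function names and the `FLAGGED` list are made up for illustration.

```python
import re
from collections import Counter

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] command";
# process paths and header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.+)$")

# Excerpt of the first scanlog in the thread (01:47:43).
BEFORE = r"""
Running processes:
C:\windows\system32\rlvknlg.exe
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O4 - HKLM\..\Run: [kX Mixer] kxmixer --startup
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""

# Excerpt of the second scanlog in the thread (18:09:58).
AFTER = r"""
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [kX Mixer] kxmixer --startup
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""

# Substrings of the entries the helper asked to have fixed (illustrative list).
FLAGGED = ["webdir.dll", "ptask.exe", "rlvknlg.exe", "Ebates"]

def parse_entries(log_text):
    """Count (section, detail) pairs; repeated lines such as O10 are kept as counts."""
    entries = Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2))] += 1
    return entries

def diff_scans(before, after):
    """Return (removed, added) entry lists, in log order."""
    b, a = parse_entries(before), parse_entries(after)
    return list(b - a), list(a - b)

def flagged_remaining(log_text, flagged):
    """Entries in a scan that still contain any flagged substring."""
    return [(sec, text) for sec, text in parse_entries(log_text)
            if any(f.lower() in text.lower() for f in flagged)]

if __name__ == "__main__":
    removed, added = diff_scans(BEFORE, AFTER)
    for sec, text in removed:
        print("removed:", sec, "-", text)
    for sec, text in flagged_remaining(AFTER, FLAGGED):
        print("still present:", sec, "-", text)
```

Run on these excerpts, the diff shows the webdir.dll, ptask.exe and rlvknlg.exe entries gone, while the Ebates O9 button and the New.Net O10 entries remain in the second scan.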
 