Windows Explorer random crashes etc. Help please!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Munki-Claus (Thread Starter) | Joined: Dec 22, 2003 | Messages: 43
I have this problem: sometimes it says Explorer has an error and then it wants me to send an error report; other times it just gets rid of everything on the desktop except the background for a few seconds, then it all comes back minus a program or 2 that I may have been using. This has only been happening recently and there is no reason for it.
I've run all the spyware removers and there are no viruses. I've also repaired the Windows installation from the CD, still no joy. Any ideas?

I know I've posted this in another thread but it didn't seem to be the right topic.

Many thanks
 
Joined: Jan 19, 2004 | Messages: 62
I just got mine to quit doing the same thing. I also repaired Windows, to no avail. I ran 3 extra virus scans but came up clean each time. My HijackThis log was clean too. I finally found out I had the worm nachi.b but none of the nachi.b removal tools would work either. Try this:

1. Open "My Computer". Go to "Tools", "Folder Options". Mark to show hidden files.
2. Go to C:\WINDOWS\system32\config\systemprofile. Click on the hidden "Local Settings", then your "Temporary Internet Files", "Content.IE5". Now look in all 4 of those 8-letter files for "WKSPATCH[1].EXE". If it's there, be sure to delete it.
3. Go to C:\WINDOWS\system32\drivers. Look for "SVCHOST.EXE". If it's there, delete it.

If you do have either file, then you have nachi.b. You'll want to turn off "System Restore". Go to "Pandascan" & download the removal tool for nachi.b (though it didn't work on mine). Be sure to download the patch from Microsoft for blaster at http://www.microsoft.com/security/incident/blast.asp

If you didn't have either "WKSPATCH[1].exe" or "SVCHOST.exe", then it's probably a corrupt user profile or a "Winlogon". Try going to "User accounts" and adding a new user. Run on the new user for a while & see if it happens.

If that doesn't work, then I'm sorry, but I tried & Good Luck!
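
The file check from steps 2 and 3 of the reply above, written as an added Python example (not part of the original post). `root` is an assumed parameter: the drive root of the system being examined, or of a mounted image of it; the script only reports paths and deletes nothing.

```python
import os
from pathlib import Path

# Locations named in the post, lower-cased for case-insensitive matching.
IE_CACHE = ("windows", "system32", "config", "systemprofile",
            "local settings", "temporary internet files", "content.ie5")
DRIVERS = ("windows", "system32", "drivers")


def _child(parent, name):
    """Return the entry of `parent` whose name equals `name`, ignoring case."""
    try:
        for entry in os.scandir(parent):
            if entry.name.lower() == name:
                return Path(entry.path)
    except OSError:
        pass  # missing or unreadable directory: nothing to report
    return None


def _descend(root, parts):
    """Follow `parts` below `root` case-insensitively; None if a part is absent."""
    current = Path(root)
    for part in parts:
        current = _child(current, part)
        if current is None:
            return None
    return current


def find_nachi_indicators(root):
    """Return the sorted paths of the two files the post says to look for."""
    hits = []
    cache = _descend(root, IE_CACHE)
    if cache is not None:
        # Content.IE5 holds randomly named cache subfolders; check each one.
        for sub in os.scandir(cache):
            if sub.is_dir():
                hit = _child(sub.path, "wkspatch[1].exe")
                if hit:
                    hits.append(hit)
    drivers = _descend(root, DRIVERS)
    if drivers is not None:
        # The legitimate svchost.exe lives in system32 itself, not in drivers.
        hit = _child(drivers, "svchost.exe")
        if hit:
            hits.append(hit)
    return sorted(str(h) for h in hits)
```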
 
Joined: Feb 6, 2004 | Messages: 41
Go to vil.nai.com and look under AVERT tools for STINGER. Stinger has successfully removed NACHI in all forms from a number of computers I have worked on.
 

Munki-Claus (Thread Starter) | Joined: Dec 22, 2003 | Messages: 43
Thanks for that, I didn't have any of those files there luckily, I'll try that new account idea and report back.
 

Munki-Claus (Thread Starter) | Joined: Dec 22, 2003 | Messages: 43
That didn't seem to have much effect, the crashes don't happen as often it seems but they still do happen.
 

Munki-Claus (Thread Starter) | Joined: Dec 22, 2003 | Messages: 43
Here is a copy of the log, thanks for your help, I did all the usual spyware and antivirus scans before running this, all negative:

Logfile of HijackThis v1.97.7
Scan saved at 11:26:12, on 18/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\IMsecure\IMsecure.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRAM FILES\LOGITECH\SETPOINT\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11515d8a826771464b22/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37992.4022222222
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80296681-C08F-4829-BB94-D4BFD032F3C9}: NameServer = 194.72.9.34 194.74.65.68
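
A log like the one above can be triaged mechanically. This added example (not part of the original post, and not HijackThis's own code) splits a log into running processes and coded entries and reports core Windows binaries running from an unexpected directory. The sample log is constructed: its first lines mirror the log above, the `drivers\svchost.exe` line is invented to show a hit, and the default `C:\WINDOWS` install path is an assumption.

```python
import re
from collections import defaultdict

# Core processes and the directory XP runs them from (assumes C:\WINDOWS).
EXPECTED_DIR = dict.fromkeys(("smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                              "svchost.exe", "spoolsv.exe"), r"c:\windows\system32")
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

# Constructed sample: mirrors the log above, except the drivers\svchost.exe
# line, which is invented here to show a hit.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
"""


def parse_hijackthis(text):
    """Return (running process paths, {section code: [entry text, ...]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in map(str.strip, text.splitlines()):
        match = ENTRY.match(line)
        if match:
            in_procs = False  # coded entries follow the process list
            entries[match.group(1)].append(match.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)


def misplaced_system_processes(processes):
    """Return paths of core Windows binaries running from an unexpected directory."""
    flagged = []
    for path in processes:
        directory, _, name = path.lower().rpartition("\\")
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            flagged.append(path)
    return flagged
```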
 
Joined: Dec 9, 2000 | Messages: 45,855
It appears to be a "clean" scanlog, so I can't say anything there stands out as a cause of the problem.

Is this Explorer, or Internet Explorer that is causing the problem?

And have you looked to see what further info is in the error message? You can review old ones by going to Administrative Tools > Event Viewer > Applications.log and see what modules are faulting.
 

Munki-Claus (Thread Starter) | Joined: Dec 22, 2003 | Messages: 43
Got these error msgs directly after explorer crashed:

DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service upnphost with arguments "" in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I got them both more than once. I don't understand what they mean though. They were both initiated by NTSYSTEMAUTHORITY.
 
Joined: Dec 9, 2000 | Messages: 45,855
The w32time "errors" are standard issue every time you put the system into "standby". I just consider it a bug. The dcom errors you will see after restarting in Safe Mode, but should not be there otherwise. I don't really know anything about IPNATHLP, you will have to get more detail on that (event ID number, source).

If it's a "warning", such as covered here, it can probably be ignored.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;255494

However, this link indicates it might be involved in serious connectivity problems:

http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/en/wc121401/wct121401.asp

It appears to be used for Internet Connection Sharing
 
Joined: Dec 9, 2000 | Messages: 45,855
What you are getting sounds consistent with vulnerability by the msblaster worm or its variants. However you really should be protected if ZA is working properly. And are you up to date on recent patches?

http://www.microsoft.com/security/

By the way, dcom does not normally have to be enabled; in fact disabling it is one of the security measures used against the blaster worm.

You might check the registry though and see if yours is or isn't. Info here...

http://support.microsoft.com/support/kb/articles/Q158/5/08.asp
 
Joined: Sep 8, 2002 | Messages: 506
you have pretty much what i have in order to stay protected. you have norton, you have za, and i think you also have spybot. did you open email attachments you weren't supposed to? -_- sigh.

anyway. i'd do a full virus scan of the whole computer after i've updated all the virus definitions.

then i'd update spybot and run that again.

then i'd d/l ad-aware, update and run

then i'd d/l tauscan, update, and run, (yes i'm paranoid)

then i'd go to the microsoft site, and do a windows update. (actually, you might want to do this before all the scans)

then i'd make sure zonealarm isn't giving access to something it isn't supposed to. block anything you don't recognize (well..not anything..lol) svchost i think should remain :p

make sure the settings are correct in za (oh and i think i'd engage the internet lock and block all traffic before all the scans).

furthermore i'd run msconfig and make sure nothing that isn't supposed to run at startup is running. i bet you have a ton of junk there. i saw it. lol

but to me it looks like you might have played around with the services. you know if you disable the wrong one, you can prevent other services from working which is why i think you're getting the errors and crashes. did you recently edit the services from xp? did you play around with registry?
 

Munki-Claus (Thread Starter) | Joined: Dec 22, 2003 | Messages: 43
I don't have any viruses or anything like that, I always keep Norton and ZoneAlarm up to date.
As for the services I haven't touched 'em, I have edited msconfig, got rid of some of the startup stuff but only the stuff I knew what it was and didn't want starting.
DCOM is enabled but don't understand how disabling it will help?
 
Joined: Dec 9, 2000 | Messages: 45,855
Exploitation of dcom's vulnerability was the means by which msblaster variants worked. If you have a firewall and are up to date on your patches there should be no reason to disable it. But neither should it result in a critical shutdown error unless some program is trying to use it. You could disable it for test purposes, it won't hurt.
 
Joined: Sep 8, 2002 | Messages: 506
even with zonealarm, there's a chance that something could be getting access if he accidentally permitted it too. i don't know about dcom, but if i were you, i'd check zonealarm's program tab, and see if it's there and has permission to access the net. then i'd turn those permissions off. because if you accidentally allowed permission at one time, then that's probably the problem. and i suppose you don't want it to.
 