
Windows Explorer random crashes etc. Help please!

Discussion in 'Windows XP' started by Munki-Claus, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. Munki-Claus

    Munki-Claus Thread Starter

    Joined:
    Dec 22, 2003
    Messages:
    43
    I have this problem: sometimes it says Explorer has an error and then it wants me to send an error report; other times it just gets rid of everything on the desktop except the background for a few seconds, then it all comes back minus a program or 2 that I may have been using. This has only been happening recently and there is no reason for it.
    I've run all the spyware removers and there are no viruses. I've also repaired the Windows installation from the CD, still no joy. Any ideas?

    I know I've posted this in another thread but it didn't seem to be the right topic.

    Many thanks
     
  2. angelgabbby

    angelgabbby

    Joined:
    Jan 19, 2004
    Messages:
    62
    I just got mine to quit doing the same thing. I also repaired Windows, to no avail. I ran 3 extra virus scans but came up clean each time. My HijackThis log was clean too. I finally found out I had the worm nachi.b but none of the nachi.b removal tools would work either. Try this:

    1. Open "My Computer". Go to "Tools", "Folder Options". Mark to show hidden files.
    2. Go to C:\WINDOWS\system32\config\systemprofile. Click on the hidden "Local Settings", then your "Temporary Internet Files", "Content.IE5". Now look in all 4 of those 8 letter files for "WKSPATCH[1].EXE". If it's there, be sure to delete it.
    3. Go to C:\WINDOWS\system32\drivers. Look for "SVCHOST.EXE". If it's there, delete it.

    If you do have either file, then you have nachi.b. You'll want to turn off "System Restore". Go to "Pandascan" & download the removal tool for nachi.b (though it didn't work on mine). Be sure to download the patch from Microsoft for blaster at http://www.microsoft.com/security/incident/blast.asp

    If you didn't have either "WKSPATCH[1].exe" or "SVCHOST.exe" then it's probably a corrupt user profile or a "Winlogon". Try going to "User accounts" and adding a new user. Run on the new user for a while & see if it happens.

    If that doesn't work, then I'm sorry, but I tried & Good Luck!
     
  3. gacooper

    gacooper

    Joined:
    Feb 6, 2004
    Messages:
    41
    Go to vil.nai.com and look under AVERT tools for STINGER. Stinger has successfully removed NACHI in all forms from a number of computers I have worked on.
     
  4. Munki-Claus

    Munki-Claus Thread Starter

    Joined:
    Dec 22, 2003
    Messages:
    43
    Thanks for that, I didn't have any of those files there luckily. I'll try that new account idea and report back.
     
  5. Munki-Claus

    Munki-Claus Thread Starter

    Joined:
    Dec 22, 2003
    Messages:
    43
    That didn't seem to have much effect. The crashes don't happen as often, it seems, but they still do happen.
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  7. Munki-Claus

    Munki-Claus Thread Starter

    Joined:
    Dec 22, 2003
    Messages:
    43
    Here is a copy of the log, thanks for your help. I did all the usual spyware and antivirus scans before running this, all negative:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:12, on 18/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Logitech\SetPoint\kem.exe
    C:\Program Files\IMsecure\IMsecure.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\PROGRAM FILES\LOGITECH\SETPOINT\KHALMNPR.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    G:\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11515d8a826771464b22/netzip/RdxIE601.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37992.4022222222
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{80296681-C08F-4829-BB94-D4BFD032F3C9}: NameServer = 194.72.9.34 194.74.65.68
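
The two file checks from angelgabbby's post, together with the same svchost.exe location test applied to a HijackThis process list like the one above, as an added example that is not part of the thread. The function names and the sample log are constructed for illustration; treating a svchost.exe outside system32 as worth a look is an assumption that follows from the post's drivers-folder indicator.

```python
import ntpath
import os

# Locations and file names as given in angelgabbby's post.
IE_CACHE = ["system32", "config", "systemprofile", "Local Settings",
            "Temporary Internet Files", "Content.IE5"]
DROPPED_NAME = "WKSPATCH[1].EXE"
FAKE_SVCHOST = ["system32", "drivers", "svchost.exe"]
# Constructed process list in HijackThis layout (not taken from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\Explorer.EXE"""


def descend(base, parts):
    """Follow parts below base, ignoring case as Windows does; None if absent."""
    for part in parts:
        if not os.path.isdir(base):
            return None
        found = [n for n in os.listdir(base) if n.lower() == part.lower()]
        if not found:
            return None
        base = os.path.join(base, found[0])
    return base


def find_nachi_files(windows_dir):
    """Return the paths of the two files the post names, if they exist."""
    hits = []
    cache = descend(windows_dir, IE_CACHE)
    if cache and os.path.isdir(cache):
        for sub in sorted(os.listdir(cache)):  # the 8-letter cache folders
            hits.append(descend(os.path.join(cache, sub), [DROPPED_NAME]))
    hits.append(descend(windows_dir, FAKE_SVCHOST))
    return [h for h in hits if h]


def misplaced_svchost(log_text):
    """List log lines ending in svchost.exe whose folder is not system32."""
    bad = []
    for line in map(str.strip, log_text.splitlines()):
        folder, name = ntpath.split(line)
        if name.lower() == "svchost.exe" and ntpath.basename(folder).lower() != "system32":
            bad.append(line)
    return bad


if __name__ == "__main__":
    print(misplaced_svchost(SAMPLE_LOG), find_nachi_files(r"C:\WINDOWS"))
```

An empty result from both functions means only that these particular indicators are absent.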
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It appears to be a "clean" scanlog, so I can't say anything there stands out as a cause of the problem.

    Is this Explorer, or Internet Explorer that is causing the problem?

    And have you looked to see what further info is in the error message? You can review old ones by going to Administrative Tools > Event Viewer > Applications.log and see what modules are faulting.
     
  9. Munki-Claus

    Munki-Claus Thread Starter

    Joined:
    Dec 22, 2003
    Messages:
    43
    Got these error msgs directly after explorer crashed:

    DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service upnphost with arguments "" in order to run the server:
    {204810B9-73B2-11D4-BF42-00B0D0118B56}

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I got them both more than once. I don't understand what they mean though. They were both initiated by NTSYSTEMAUTHORITY
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The w32time "errors" are standard issue every time you put the system into "standby". I just consider it a bug. The dcom errors you will see after restarting in Safe Mode, but should not be there otherwise. I don't really know anything about IPNATHLP, you will have to get more detail on that (event ID number, source).

    If it's a "warning", such as covered here, it can probably be ignored.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;255494

    However, this link indicates it might be involved in serious connectivity problems:

    http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/en/wc121401/wct121401.asp

    It appears to be used for Internet Connection Sharing.
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    What you are getting sounds consistent with vulnerability by the msblaster worm or its variants. However you really should be protected if ZA is working properly. And are you up to date on recent patches?

    http://www.microsoft.com/security/

    By the way, dcom does not normally have to be enabled; in fact disabling it is one of the security measures used against the blaster worm.

    You might check the registry though and see if yours is or isn't. Info here...

    http://support.microsoft.com/support/kb/articles/Q158/5/08.asp
     
  12. Tact

    Tact

    Joined:
    Sep 8, 2002
    Messages:
    506
    you have pretty much what i have in order to stay protected. you have norton, you have za, and i think you also have spybot. did you open email attachments you weren't supposed to? -_- sigh.

    anyway. i'd do a full virus scan of the whole computer after i've updated all the virus definitions.

    then i'd update spybot and run that again.

    then i'd d/l ad-aware, update and run

    then i'd d/l tauscan, update, and run, (yes i'm paranoid)

    then i'd go to the microsoft site, and do a windows update. (actually, you might want to do this before all the scans)

    then i'd make sure zonealarm isn't giving access to something it isn't supposed to. block anything you don't recognize (well..not anything..lol) svchost i think should remain :p

    make sure the settings are correct in za (oh and i think i'd engage the internet lock and block all traffic before all the scans).

    furthermore i'd run msconfig and make sure nothing that isn't supposed to run at startup is running. i bet you have a ton of junk there. i saw it. lol

    but to me it looks like you might have played around with the services. you know if you disable the wrong one, you can prevent other services from working which is why i think you're getting the errors and crashes. did you recently edit the services from xp? did you play around with registry?
     
  13. Munki-Claus

    Munki-Claus Thread Starter

    Joined:
    Dec 22, 2003
    Messages:
    43
    I don't have any viruses or anything like that, I always keep Norton and ZoneAlarm up to date.
    As for the services, I haven't touched them. I have edited msconfig and got rid of some of the startup stuff, but only the stuff I knew what it was and didn't want starting.
    DCOM is enabled but I don't understand how disabling it will help?
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Exploitation of dcom's vulnerability was the means by which msblaster variants worked. If you have a firewall and are up to date on your patches there should be no reason to disable it. But neither should it result in a critical shutdown error unless some program is trying to use it. You could disable it for test purposes, it won't hurt.
     
  15. Tact

    Tact

    Joined:
    Sep 8, 2002
    Messages:
    506
    even with zonealarm, there's a chance that something could be getting access if he accidentally permitted it too. i don't know about dcom, but if i were you, i'd check zonealarm's program tab, and see if it's there and has permission to access the net. then i'd turn those permissions off. because if you accidentally allowed permission at one time, then that's probably the problem. and i suppose you don't want it to.
     

Short URL to this thread: https://techguy.org/217443
