
I'm the billionth person to have Explorer crash, do I get a prize?

First I'd like to say hi. I googled this problem and apparently this is the place to get it fixed. :wave:

This is like the 8th time I've reloaded Windows and I have no clue why this problem has suddenly occurred. On a completely random chance, like 40% of the time, when I access Explorer through My Computer or my whatever, it will crash, and Dr. Watson will pop up to rub it in my face. Right clicking and Task Manager don't cause any problems. I've meticulously gone through each reloading of Windows and monitored the stability of Windows after each program installation, careful to reset Windows when it tells me to. I will get to the end of loading my programs and everything will feel fine and then boom, it all goes to hell. Because of the absolute randomness there is no way for me to tell what is causing it.

I use Nod32 and Spyware Doctor, all most recent updates, all comprehensive scans show nothing.

After reading some similar threads I used the program ShexView in conjunction with the services menu in "msconfig" to disable all but the most necessary components, which still has proved useless. I'm convinced that the problem lies in the heart of Explorer itself.

Anyways, here's my hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 12:34:12 AM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Jetico\BestCrypt\BCResident.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Programs\Diagnostic\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Program Files\Jetico\BestCrypt\BestCrypt.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162878443390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162878437015
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: hplun.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe

Comments

  • Crunchie Mandurah. Western Australia. Member
    edited November 2006
    Can you re-enable everything in msconfig, then do a rescan with HijackThis. Do not reboot. Once you have the log, can you post it here. Recheck those entries in msconfig again.
  • edited November 2006
    It's escalated to new levels. When I try to shut down, I will get the "data execution prevention" box, and then the Windows Explorer crash "do you want to send this to M$" box, and it refreshes Explorer.
  • edited November 2006
    Ok, this is the log exactly as you directed.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:43:22 PM, on 11/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DeltTray.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\spm\spmd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    E:\Programs\Diagnostic\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [SecureCleanIEClean] C:\Program Files\AccessData\SecureClean\SCIEClean.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Admin\Desktop\muBlinder.exe -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" startup
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Program Files\Jetico\BestCrypt\BestCrypt.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162878443390
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162878437015
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: hplun.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: SecureClean - AccessData Corp - C:\Program Files\AccessData\SecureClean\SCWatch.exe
    O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
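
Added example, not part of any post in this thread and not HijackThis's own code: one way to compare the two logs above instead of reading them side by side. It parses the `O<n> - ...` lines, lists what appeared or disappeared once the msconfig items were re-enabled, and marks entries worth a manual look. The log excerpts are shortened from the posts above; the function names and the review heuristics are assumptions of this sketch, and a flag is a prompt to check the file, not a verdict.

```python
import re

# Shortened excerpts of the two HijackThis logs posted in this thread.
LOG_MSCONFIG_TRIMMED = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O20 - AppInit_DLLs: hplun.dll
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
"""
LOG_ALL_ENABLED = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Admin\Desktop\muBlinder.exe -startup
O20 - AppInit_DLLs: hplun.dll
O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
"""

ENTRY = re.compile(r"^\s*(O\d+) - (.+?)\s*$")

def parse(log):
    """Return the set of (section, text) pairs for every 'O<n> - ...' line."""
    return {m.groups() for m in map(ENTRY.match, log.splitlines()) if m}

def review_notes(section, text):
    """Reasons an entry deserves a manual look (heuristics, not verdicts)."""
    notes = []
    if text.endswith("(no file)"):
        notes.append("registered target not found on disk")
    if section == "O20" and text.startswith("AppInit_DLLs"):
        notes.append("DLL is loaded into every process that loads user32.dll")
    if section == "O4" and "\\documents and settings\\" in text.lower():
        notes.append("autostart launches from a user profile folder")
    if section == "O23" and "Unknown owner" in text:
        notes.append("service binary carries no vendor name")
    return notes

def compare(before, after):
    """Diff two logs and collect the entries that carry review notes."""
    old, new = parse(before), parse(after)
    flagged = {e: review_notes(*e) for e in sorted(old | new) if review_notes(*e)}
    return {"added": sorted(new - old), "removed": sorted(old - new), "review": flagged}

if __name__ == "__main__":
    result = compare(LOG_MSCONFIG_TRIMMED, LOG_ALL_ENABLED)
    for key in ("added", "removed"):
        print(key.upper(), *(f"  {s} - {t}" for s, t in result[key]), sep="\n")
    for (s, t), notes in result["review"].items():
        print(f"REVIEW {s} - {t}\n    " + "; ".join(notes))
```
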
  • Crunchie Mandurah. Western Australia. Member
    edited November 2006
    This may not be malware related going by your log. Do you have your XP CD available? If so, pop it in the drive then go to Start>Run and type in sfc /scannow and hit ok. Include the space.
    Let us know if there are any improvements.
  • edited November 2006
    Neat function, I didn't know it even existed.

    Did the scannow thing, it finished, and the problem is still there. Still happening at random sessions.
  • edited November 2006
    Now it's getting worse, when I try to open up video files in Zoom Player it gives me this illogical message "access violation at 00000000. Read of address 00000000", and I was just able to play these files a few days ago.

    Are you sure this isn't a variant of acebot or some driver level virus? I mean, I've never seen Windows age so fast. It's like a cancer is growing inside of it.
  • Crunchie Mandurah. Western Australia. Member
    edited November 2006
    You can run a few online scans to see what can be found??

    BitDefender Free Online Virus Scan
    http://www.bitdefender.com/scan/licence.php

    Panda ActiveScan
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    Make sure you tick Disinfect automatically under Scan Options.

    Housecall at TrendMicro
    http://housecall60.trendmicro.com/en/start_corp.asp?id=scan
    Make sure you tick Auto Clean.

    eTrust Antivirus Web Scanner
    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

    Also run this online trojan scanner

    TrojanScan
  • edited November 2006
    Did all these scans, and btw this is the new BitDefender scanner link

    http://www.bitdefender.com/scan8/ie.html

    Here's the log

    BitDefender found

    C:\Softimage\XSI_5.0\Data\NetView_Database\L04_body\content\mcp_ui\info\send_mail\send_mail.vbs
    C:\Softimage\XSI_5.0\Data\XSI_SAMPLES\Scripts\Other\SendMail.vbs
    C:\System Volume Information\_restore{DB268F24-5F64-4C79-A342-AB0104E8BBEA}\RP48\A0015659.vbs
    C:\System Volume Information\_restore{DB268F24-5F64-4C79-A342-AB0104E8BBEA}\RP48\A0015660.vbs

    TrendMicro found

    crck_ori.A
    spyware_keyl_astlog HKU\S-1-5-21-1123561945-838170752-839522115-1003\SOFTWARE\NIRSOFT\
    adware_bhot_iehelper HKLM\SOFTWARE\MICROSOFT\internet explorer\activex compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}
  • edited November 2006
    OK, it's gotten worse, now Explorer is crashing without even doing anything. If you can't help me then tell me now so I can reset my system once more. I don't want whatever's causing this to happen to compromise the integrity of my drives.

    Is there some possible way to monitor what exactly is happening when Explorer crashes? Is there anything I can do or do I have computer AIDS?
  • edited November 2006
    I ghosted it back to a couple days ago, rescanned with TrendMicro, this time it did not find

    spyware_keyl_astlog HKU\S-1-5-21-1123561945-838170752-839522115-1003\SOFTWARE\NIRSOFT\

    but it did find

    adware_bhot_iehelper HKLM\SOFTWARE\MICROSOFT\internet explorer\activex compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}

    which makes me think the keylogger was installed on my system as of yesterday. What installed it is the question.
  • edited November 2006
    Actually forget that, I just ran another spyware prog and scanned with a friend's copy of PC-cillin 2007 and I got nothing showing.

    So let's assume it's not virus/trojan, what else could cause Explorer to behave like that?
  • Crunchie Mandurah. Western Australia. Member
    edited November 2006
    The only thing I can think to do now is a system repair. If you do it you will have to re-apply all Windows Updates.

    Here's how:
    http://www.michaelstevenstech.com/XPrepairinstall.htm
  • edited November 2006
    All system repair does is reinstall Windows over my old installation. I might as well just do a clean reinstall if I'm going to do that.

    So that's what you computer techs' skills amount to: do a few scans and if nothing shows up reinstall Windows?

    Wow, all I have to say is, wow.
  • Crunchie Mandurah. Western Australia. Member
    edited November 2006
    Sometimes those scans reveal nothing. Windows does become corrupted you know! When that happens, all that can be done is either a repair or a reformat.
    Ppl like you make me wonder why I volunteer my time!! Good luck.