Regular Explorer crashes in XP? :-\



#1
Wells

About every 12 minutes or so, I have the explorer crash. The symptoms are "only" a refreshing of the taskbar and the disappearance of many - but not all - of the tray icons. The logs of these crashes - about 1000 so far, for the last few days - state "The system shell stopped unexpectedly and explorer.exe was restarted". They're listed as "source: Winlogon; no category; event identifier: 1002", with nothing in the hex dump. It's beyond infuriating. I tried every fix I could find, ran windows update, sfc, Norton's regscan (I won't even mention the regular AV and spyware scans), but nothing even decreased the regularity of this. I even installed the dreaded SP2, and it fixed nothing (just slowed down the system considerably).

The crashes seem to happen for no reason at all - I could be browsing online (from Firefox, obviously), watching something, running NASA's World Wind, writing, or just letting the PC stand and idle with nothing running, and the crashes will happen, regardless of anything else...

It does seem to happen regardless of what I'm doing. Right now, I just tried one thing; I sat down, ran Sysinternals' File Monitor and had it log every file access, waiting for the crash to happen. It logged about 3 KB of text during the 30 seconds or so when the crash and explorer restart occurred... it's below. At that moment I was only reading a cached web page, opened quite a while earlier.

Using PS Tray Factory, I can restore the icons that disappear, but the problem is with the crashes, and restoring the icons is like putting cotton under a leaking hole in the roof instead of trying to patch up the hole... unfortunately in this case I can't even see the hole.

(The KAVICHS thing is from Kaspersky's Antivirus, but I had the program many days before the crashes began)

4969 winlogon.exe:612 OPEN C:\Documents and Settings\User SUCCESS Options: Open Directory Access: Traverse
4970 winlogon.exe:612 CLOSE C:\WINDOWS\system32 SUCCESS
4971 winlogon.exe:612 OPEN C:\WINDOWS\system32\:KAVICHS NAME INVALID Options: Open Access: All
4972 winlogon.exe:612 OPEN C:\autoexec.bat SUCCESS Options: Open Access: All
4973 winlogon.exe:612 QUERY INFORMATION C:\autoexec.bat SUCCESS Length: 206
4974 winlogon.exe:612 READ C:\autoexec.bat SUCCESS Offset: 0 Length: 206
4975 winlogon.exe:612 CLOSE C:\autoexec.bat SUCCESS
4976 winlogon.exe:612 QUERY INFORMATION C:\Documents and Settings\User\Local Settings\Temp SUCCESS Attributes: D
4977 winlogon.exe:612 OPEN C:\ SUCCESS Options: Open Directory Access: All
4978 winlogon.exe:612 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Documents and Settings
4979 winlogon.exe:612 CLOSE C:\ SUCCESS
4980 winlogon.exe:612 OPEN C:\Documents and Settings\User\ SUCCESS Options: Open Directory Access: All
4981 winlogon.exe:612 DIRECTORY C:\Documents and Settings\User\ SUCCESS FileBothDirectoryInformation: Local Settings
4982 winlogon.exe:612 CLOSE C:\Documents and Settings\User\ SUCCESS
4983 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
4984 winlogon.exe:612 QUERY INFORMATION C:\Documents and Settings\User\Local Settings\Temp SUCCESS Attributes: D
4985 winlogon.exe:612 OPEN C:\ SUCCESS Options: Open Directory Access: All
4986 winlogon.exe:612 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Documents and Settings
4987 winlogon.exe:612 CLOSE C:\ SUCCESS
4988 winlogon.exe:612 OPEN C:\Documents and Settings\User\ SUCCESS Options: Open Directory Access: All
4989 winlogon.exe:612 DIRECTORY C:\Documents and Settings\User\ SUCCESS FileBothDirectoryInformation: Local Settings
4990 winlogon.exe:612 CLOSE C:\Documents and Settings\User\ SUCCESS
4991 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
4992 winlogon.exe:612 OPEN C:\ SUCCESS Options: Open Directory Access: All
4993 winlogon.exe:612 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: WINDOWS
4994 winlogon.exe:612 CLOSE C:\ SUCCESS
4995 winlogon.exe:612 OPEN C:\WINDOWS\ SUCCESS Options: Open Directory Access: All
4996 winlogon.exe:612 CLOSE C:\WINDOWS\ SUCCESS
4997 winlogon.exe:612 OPEN C:\WINDOWS\:KAVICHS NAME INVALID Options: Open Access: All
4998 winlogon.exe:612 OPEN C:\WINDOWS\system32 SUCCESS Options: Open Directory Access: Traverse
4999 winlogon.exe:612 CLOSE C:\Documents and Settings\User SUCCESS
5000 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
5001 services.exe:656 WRITE C:\WINDOWS\system32\config\AppEvent.Evt SUCCESS Offset: 485036 Length: 140
5002 services.exe:656 WRITE C:\WINDOWS\system32\config\AppEvent.Evt SUCCESS Offset: 485176 Length: 40

And here is a Procexp screenshot from my typical session:
http://img176.images.../procexp0av.gif

Edited by Wells, 24 July 2005 - 10:39 AM.
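An added example, not part of the original post: one way to triage a File Monitor capture like the one above is to tally what each process did and pull out the failed opens on paths that carry a ":stream" suffix (NTFS alternate data stream syntax), such as the :KAVICHS stream the poster attributes to Kaspersky. The sample lines are copied from the post; the function names are this example's own, and the regex knows only the operations and results that appear in that capture.

```python
import re
from collections import Counter

# Lines copied from the File Monitor capture in the post above (columns are
# space-separated here because the forum flattened the original tabs).
SAMPLE = r"""
4971 winlogon.exe:612 OPEN C:\WINDOWS\system32\:KAVICHS NAME INVALID Options: Open Access: All
4972 winlogon.exe:612 OPEN C:\autoexec.bat SUCCESS Options: Open Access: All
4974 winlogon.exe:612 READ C:\autoexec.bat SUCCESS Offset: 0 Length: 206
4976 winlogon.exe:612 QUERY INFORMATION C:\Documents and Settings\User\Local Settings\Temp SUCCESS Attributes: D
4983 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
4997 winlogon.exe:612 OPEN C:\WINDOWS\:KAVICHS NAME INVALID Options: Open Access: All
5001 services.exe:656 WRITE C:\WINDOWS\system32\config\AppEvent.Evt SUCCESS Offset: 485036 Length: 140
"""

# Only the operations and results that occur in the posted capture; extend
# both alternations for other logs.
LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|CLOSE|READ|WRITE|DIRECTORY|QUERY INFORMATION)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NAME INVALID)(?:\s+(?P<other>.*))?$"
)

def parse(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def stream_name(path):
    """Return the NTFS alternate data stream part of a path, or None."""
    rest = path[2:] if path[1:2] == ":" else path   # skip the drive colon
    return rest.rsplit(":", 1)[1] if ":" in rest else None

def summarise(events):
    """Count (process, operation, result) triples and failed stream opens."""
    by_kind = Counter((e["proc"], e["op"], e["result"]) for e in events)
    streams = Counter(
        (stream_name(e["path"]), e["path"].rsplit(":", 1)[0])
        for e in events
        if e["result"] != "SUCCESS" and stream_name(e["path"])
    )
    return by_kind, streams

if __name__ == "__main__":
    kinds, streams = summarise(parse(SAMPLE))
    for key, n in kinds.most_common():
        print(n, *key)
    for (name, parent), n in streams.items():
        print(f"failed open of stream :{name} on {parent} x{n}")
```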



#2
Wells

Hijack's log...

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PS Tray Factory\PSTrayFactory.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Far\Far.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrayFactory] C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /silent
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\RunOnce: [TrayFactory] C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: FAR.lnk = C:\Program Files\Far\Far.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\kavmm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#3
GeneralAres

Removed -- spam!

Edited by admin, 29 November 2005 - 11:01 PM.


#4
Wells

I've done it all... MT shows perfect memory state, too. It's a new system, not even a month old.

#5
GeneralAres

You have done it all as in you ran them all in SAFE MODE? Including Sysclean with the latest Control Pattern File? And have you run the Trend Micro online scan?

I am not familiar with these:

C:\Program Files\Far\Far.exe
O4 - Global Startup: FAR.lnk = C:\Program Files\Far\Far.exe

Do you know what program this is?

Before scanning go to Windows Explorer, Tools Menu, Folder Options,
select show hidden files and folders
uncheck Hide protected operating system files

Are you overclocking anything?

Edited by GeneralAres, 26 July 2005 - 12:48 AM.
