Explorer won't start

Thread starter: Guest
When I load Windows I have no desktop icons and no taskbar. I can access
just about all my programs through Task Manager and then running them, but
Explorer refuses to open. When I try to open it, a window opens for a few
seconds and then it closes again. Please help! Thank you!
 
You have another program which is attached to your shell. Likely in the
registry. Try safe mode and use HijackThis to find the entry in the
registry and get rid of it.
 
Hi George, thanks for your quick reply, but I'm afraid I have no idea how to
use HijackThis or to edit my registry... don't suppose you could give me some
sort of guidance? Cheers.
 
Well, what you are looking for, and what HijackThis will find, is an entry in the
registry that will show the executable explorer.exe with a switch, like this:
explorer.exe yourmalware.exe. It should be clear from what is returned by
HijackThis where this is. When the shell (explorer.exe) starts, it is firing
up another executable, namely your malware. That is interfering with
explorer and hence your shell is crashing. You will see this in the Event
Viewer.

What you can do is run HijackThis and post the report back here. I can tell
you then where the issue may be.

http://www.spywareinfo.com/~merijn/downloads.html
 
I hope I've done the right thing... this is the Notepad file that HijackThis
produced after I'd run it... hope this helps. Thanks again for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 19:16:35, on 29/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\divxsm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\USER\My Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program
Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus!
3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton SystemWorks\Norton
AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -c
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O4 - HKCU\..\RunOnce: [NAVCFG] "C:\Program Files\Norton SystemWorks\Norton
AntiVirus\CfgWiz.exe"
O4 - HKCU\..\RunOnce: [NSWCfg.exe] "C:\Program Files\Norton
SystemWorks\NSWCfg.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124199937730
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link -
C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
 
Were you running Windows Media Player when you made this log?
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
is Real Player but you should be OK. You cannot remove this.

Stop LimeWire from starting at boot

What is this?
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll

Oh Ok that is your Acrobat plugin. That's fine.

What is this?
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
bthprops.cpl,,BluetoothAuthenticationAgent

You do NOT need to run a cpl at every boot. If you do, that is bad
engineering and the application which is doing it should be removed if you
can.

I do not like this:
O23 - Service: SmartLinkService (SLService) - Smart Link -

Try booting in Safe Mode and tell me if you get the same behavior.

rundll32.exe should not always be running. Try shutting that down in Task
Manager and tell me what happens. If nothing, try a New Task there: type in
explorer and say OK.

Why do you need iTunes firing at every boot?

What you want is as little as possible in the HKLM\..\Run key. Because you have
Norton installed it will always be full of stuff. But as little as possible
in there is what you want to shoot for.

Please answer my very first question; that could be most important.

Did you have this issue before you installed Messenger Plus? And actually
what is that? Messenger is free; why do you need a plus?

--

George Hester
_________________________________
Sanjaman said:
I hope I've done the right thing... this is the Notepad file that HijackThis
produced after I'd run it... hope this helps. Thanks again for all your help.

 
Turn off one of the Anti Virus programs.


 
Yeah, I was running Media Player when I made the log - should I not have done
that? Messenger Plus is an add-on for Messenger, just gives a lot of extra
features. I've had that installed for ages, has never caused me any problems
before.
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
bthprops.cpl,,BluetoothAuthenticationAgent
This is a programme for moving files between my phone and computer using
Bluetooth.

Couldn't find rundll32.exe in my Task Manager, but have noticed it in the
past.

I only installed the Norton antivirus after this problem started, so I'm not
sure if that could be causing the problem.

I will also stop running LimeWire and iTunes on booting up.

I tried to run things in Safe Mode, but it didn't make a difference
unfortunately.

Is there anything else I need to be doing?

Cheers...

beb said:
Turn off one of the Anti Virus programs.


 
If starting in Safe Mode made no difference then we definitely have a
problem, because booting in that manner should not have allowed anything to
start that was not necessary for Windows to run. That means our issue is
not in the HKLM\...\Run key but in another place, likely under the WinLogon
key in the registry. Safe Mode should not have allowed anything started
with the shell to run except that which is necessary for Windows to start.

So you need a different app:

http://www.diamondcs.com.au/index.php?page=asviewer

File | Save it after you run it and post the result here.

--

George Hester
 
Try typing in a command prompt:

ntsd explorer

After it loads it will break before running - type g (for go) to start it.

This may (and may means may, not will) give a hint.

 
Hi, tried both methods. The command prompt route gave me a load of error
messages after I typed ntsd explorer, including:

Loaded dbghelp extension DLL
The call to LoadLibrary(ext) failed with error 2.
Please check your debugger configuration and/or network access

The same for "LoadLibrary(uext)"

and then:

Symbol search path is: ***Invalid*** : Verify _NT_SYMBOL_PATH setting
followed by a lot of numbers.


after hitting 'g' it did come up with a lot of numbers and text and then the
final message:

Program too big to fit in memory


I also tried asviewer and it gave me the following results:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for USER@SANJ,
10-30-2005
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\system32\sspipes.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\system32\sspipes.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
C:\PROGRA~1\NORTON~1\NORTON~1\Navapw32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BootWarn
C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
C:\PROGRA~1\SYMNET~1\SNDMon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Restore
C:\WINDOWS\system32\restore\rstrui.exe -c
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\system32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\NAVCFG
C:\Program Files\Norton SystemWorks\Norton AntiVirus\CfgWiz.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\NSWCfg.exe
C:\Program Files\Norton SystemWorks\NSWCfg.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\system32\CTFMON.EXE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\stobject.dll
C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll


Thanks everyone.


David Candy said:
Try typing in a command prompt

ntsd explorer


After it loads it will break before running - type g (for go) to start it.

This may (and may means may not will) give a hint.

--
--------------------------------------------------------------------------------------------------
Read David defending the concept of violence.
http://margokingston.typepad.com/harry_version_2/2005/10/entering_the_ga.html#more
=================================================
George Hester said:
If starting in Safe Mode made no difference then we definitely have a
problem. Because booting in that manner should not have allowed anything to
start that was not necessary for Windows to run. That means our issue is
not in the HKLM\...\Run key but in another place likely under the WinLogon
key in the registry. Safe Mode should not have allowed any thing started
with the shell to run except that which is necessary for Windows to start.

So you need a different app:

http://www.diamondcs.com.au/index.php?page=asviewer

File | Save it after you run it and post the result here.

--

George Hester
_________________________________
Sanjaman said:
Yeah, i was running media player when i made the log - should i not have done
that? Messenger plus is an add-on for messenger, just gives a lot of extra
features. I've had that installed for ages, has never caused me any problems
before.

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
bthprops.cpl,,BluetoothAuthenticationAgent
This is a programme for moving files between my phone and computer using
bluetooth.

Couldn't find rundll32.exe in my task manager, but have noticed it in the
past.

I only installed the norton antivirus after this problem started, so i'm not
sure if that could be causing the problem.

I will also stop running limewire and itunes on booting up.

I tried to run things on safemode, but it didn't make a difference
unfortunately.

Is there anything else i need to be doing?

Cheers...

:

Turn off one of the Anti Virus programs.


Were you running Windows Media Player when you made this log?

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
is Real Player but you should be OK. You cannot remove this.

Stop LimeWire from starting at boot

What is this?
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll

Oh Ok that is your Acrobat plugin. That's fine.

What is this?
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
bthprops.cpl,,BluetoothAuthenticationAgent

You do NOT need to run a cpl at every boot.. If you do that is bad
engineering and the application which is doing it should be removed if you
can.

I do not like this:
O23 - Service: SmartLinkService (SLService) - Smart Link -

Try booting in Safe Mode and tell me if you get the same behavior.

rundll32.exe should not always be running. Try shutting that down in Task
Manager and tell me what happens. If nothing try a New task there type in
explorer and say OK.

Why do you need iTunes firing at every boot.

What you want is as little as possible in HKLM\..\Run key. Because you have
Norton installed it will always be full of stuff. But as little as possible
in there is what you want to shoot for.

Please answer my very first question that could be most important.

Did you have this issue before you installed Messenger Plus? And actually
what is that? Messenger is free why do you need a plus?
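
The check discussed in this thread (an extra executable appended to the shell entry, or a changed value under the Winlogon key) can be run mechanically over a saved Autostart Viewer report. The sketch below is an added example, not part of the original posts: it assumes the report layout shown above (a location line followed by its value line) and a system root of C:\WINDOWS, and the hijacked sample is constructed using the placeholder name `yourmalware.exe` from earlier in the thread.

```python
import ntpath
import re

# Locations that decide what runs as the shell at logon, with the program
# name and directory expected on a stock install (assumed root: C:\WINDOWS).
WATCHED = {
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\shell":
        ("explorer.exe", r"c:\windows"),
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit":
        ("userinit.exe", r"c:\windows\system32"),
    r"c:\windows\system.ini [boot]\shell":
        ("explorer.exe", r"c:\windows"),
}

# Excerpt of the report posted above (location line, then value line).
SAMPLE_CLEAN = r"""
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
"""

# Constructed sample: the same excerpt with a second program appended to Shell.
SAMPLE_HIJACKED = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe yourmalware.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe,
"""


def check_value(value, expected_name, expected_dir):
    """Return a list of findings for one Shell/Userinit value."""
    # Userinit holds a comma-separated list (often with a trailing comma).
    # Splitting Shell the same way is harmless: a comma there is unexpected.
    commands = [c.strip() for c in value.split(",") if c.strip()]
    if not commands:
        return ["value is empty"]
    findings = []
    for index, command in enumerate(commands):
        if index > 0:
            findings.append("additional program launched: " + command)
            continue
        # Quoted strings stay together; everything else splits on whitespace.
        tokens = re.findall(r'"[^"]*"|\S+', command)
        program = tokens[0].strip('"')
        name = ntpath.basename(program).lower()
        folder = ntpath.dirname(program).lower()
        if name != expected_name:
            findings.append("unexpected program: " + program)
        elif folder and folder != expected_dir:
            findings.append("expected name in unexpected folder: " + program)
        if len(tokens) > 1:
            extra = " ".join(tokens[1:])
            findings.append("extra arguments after " + name + ": " + extra)
    return findings


def audit_report(text):
    """Return (location, value, finding) tuples for the watched locations."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    results = []
    for i, line in enumerate(lines[:-1]):
        expected = WATCHED.get(line.lower())
        if expected is None:
            continue
        value = lines[i + 1]
        for finding in check_value(value, *expected):
            results.append((line, value, finding))
    return results


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        hits = audit_report(sample)
        print(label, "->", hits if hits else "no findings")
```

On the report posted in this thread all three locations come back clean, so the shell entry itself is not where the failure comes from.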
 
One of the files is corrupted. Was there a filename mentioned before the message Program Too Big To Fit In Memory?

If not, leave the ntsd running (to keep explorer in memory) and type (hope you have pro)

tasklist /m /fi "imagename eq explorer.exe"

Hopefully the module will be shown as loaded.

--
--------------------------------------------------------------------------------------------------
Read David defending the concept of violence.
http://margokingston.typepad.com/harry_version_2/2005/10/entering_the_ga.html#more
=================================================
 
And type in run

sfc /scannow

--
--------------------------------------------------------------------------------------------------
Read David defending the concept of violence.
http://margokingston.typepad.com/harry_version_2/2005/10/entering_the_ga.html#more
=================================================
 
Don't have XP Pro, so I think that's why the 1st method didn't work, and when
I try sfc/scannow it says it can't find it. Just typing sfc brings up the
explorer window for a second, before it closes again... this is exactly what
happens when I type 'explorer' into run. Just an extra thing, the icon for
'my computer' seems to have disappeared - it's been replaced by the icon that
means the computer doesn't know what type of file it is. This is obviously
not on my desktop, as there are no icons there, but when I browse to run an
application using task manager.

Thanks, hope this gave you an extra idea!

 
Had a look at some of the other posts and someone suggested installing
another version of explorer from someone else's computer... and it worked!
Thanks very much for all your help: George Hester, beb and David Candy, all
much appreciated.

Sanjaman said:
Hi, tried both methods. The command prompt route gave me a load of error
messages after I typed ntsd explorer, including:

Loaded dbghelp extension DLL
The call to LoadLibrary(ext) failed with error 2.
Please check your debugger configuration and/or network access

The same for "LoadLibrary(uext)"

and then:

Symbol search path is: ***Invalid*** : Verify _NT_SYMBOL_PATH setting
followed by a lot of numbers.


After hitting 'g' it did come up with a lot of numbers and text and then the
final message:

Program too big to fit in memory


I also tried asviewer and it gave me the following results:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for USER@SANJ, 10-30-2005
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\system32\sspipes.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\system32\sspipes.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
C:\PROGRA~1\NORTON~1\NORTON~1\Navapw32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BootWarn
C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
C:\PROGRA~1\SYMNET~1\SNDMon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Restore
C:\WINDOWS\system32\restore\rstrui.exe -c
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\system32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\NAVCFG
C:\Program Files\Norton SystemWorks\Norton AntiVirus\CfgWiz.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\NSWCfg.exe
C:\Program Files\Norton SystemWorks\NSWCfg.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\system32\CTFMON.EXE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\stobject.dll
C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll


Thanks everyone.


:

Try typing in a command prompt

ntsd explorer


After it loads it will break before running - type g (for go) to start it.

This may (and may means may not will) give a hint.

=================================================
If starting in Safe Mode made no difference then we definitely have a
problem. Because booting in that manner should not have allowed anything to
start that was not necessary for Windows to run. That means our issue is
not in the HKLM\...\Run key but in another place likely under the WinLogon
key in the registry. Safe Mode should not have allowed anything started
with the shell to run except that which is necessary for Windows to start.

So you need a different app:

http://www.diamondcs.com.au/index.php?page=asviewer

File | Save it after you run it and post the result here.

--

George Hester
_________________________________
Yeah, I was running media player when I made the log - should I not have
done that? Messenger plus is an add-on for messenger, just gives a lot of
extra features. I've had that installed for ages, has never caused me any
problems before.

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
This is a programme for moving files between my phone and computer using
bluetooth.

Couldn't find rundll32.exe in my task manager, but have noticed it in the
past.

I only installed the norton antivirus after this problem started, so I'm
not sure if that could be causing the problem.

I will also stop running limewire and itunes on booting up.

I tried to run things on safemode, but it didn't make a difference
unfortunately.

Is there anything else I need to be doing?

Cheers...

:

Turn off one of the Anti Virus programs.


Were you running Windows Media Player when you made this log?

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
is Real Player but you should be OK. You cannot remove this.

Stop LimeWire from starting at boot.

What is this?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Oh Ok that is your Acrobat plugin. That's fine.

What is this?
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

You do NOT need to run a cpl at every boot. If you do, that is bad
engineering and the application which is doing it should be removed if
you can.

I do not like this:
O23 - Service: SmartLinkService (SLService) - Smart Link -

Try booting in Safe Mode and tell me if you get the same behavior.

rundll32.exe should not always be running. Try shutting that down in
Task Manager and tell me what happens. If nothing, try a New task there,
type in explorer and say OK.

Why do you need iTunes firing at every boot?

What you want is as little as possible in HKLM\..\Run key. Because you
have Norton installed it will always be full of stuff. But as little as
possible in there is what you want to shoot for.

Please answer my very first question that could be most important.

Did you have this issue before you installed Messenger Plus? And
actually what is that? Messenger is free, why do you need a plus?
 
By rights that should not have worked. So it sounds like David had it right
when he said something was "corrupted." How explorer got corrupted is
another issue. I'd be surprised if it doesn't happen again.

--

George Hester
_________________________________
 
I wonder if this might have helped:

http://support.microsoft.com/default.aspx?scid=kb;en-us;883791

--

George Hester
_________________________________
 
Here's another and is similar to what I thought the issue might be:

http://support.microsoft.com/default.aspx?scid=kb;en-us;822797

--

George Hester
_________________________________
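
The Winlogon check discussed in this thread, run over an Autostart Viewer report, as an added example that is not part of the original posts and is not DiamondCS or HijackThis code. It assumes the report layout seen in the thread (a location line followed by its value lines), a Windows directory of C:\WINDOWS, and the stock XP values for Shell and Userinit; the tampered sample is constructed.

```python
import ntpath
import re

# Excerpt of the Autostart Viewer report posted in the thread.
THREAD_REPORT = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for USER@SANJ, 10-30-2005
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
C:\PROGRA~1\NORTON~1\NORTON~1\Navapw32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
"""

# Constructed sample: the "explorer.exe yourmalware.exe" pattern described
# earlier in the thread, plus an extra Userinit entry (hypothetical name).
TAMPERED_REPORT = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe yourmalware.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example-extra.exe
"""

# Assumption inferred from the posted report: a location line is a registry
# key (HKLM/HKCU/HKCR/HKU), an .ini section, or an .nt/.job file; every other
# non-empty line is a value of the most recent location.
LOCATION_RE = re.compile(r"^(HK(LM|CU|CR|U)\\|.*\.ini \[|.*\.(nt|job)$)", re.IGNORECASE)


def parse_report(text):
    """Return [(location, [values])] in report order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCATION_RE.match(line):
            entries.append((line, []))
        elif entries:  # lines before the first location (the header) are skipped
            entries[-1][1].append(line)
    return entries


def _norm(path):
    return ntpath.normpath(path.strip().strip('"')).lower()


def check_shell(values, windir=r"C:\WINDOWS"):
    """The shell must be explorer.exe alone, with nothing appended to it."""
    allowed = {"explorer.exe", _norm(ntpath.join(windir, "explorer.exe"))}
    return _norm(" ".join(values)) in allowed


def check_userinit(values, windir=r"C:\WINDOWS"):
    """Userinit is a comma-separated list; only userinit.exe is expected."""
    expected = _norm(ntpath.join(windir, "system32", "userinit.exe"))
    items = [_norm(p) for v in values for p in v.split(",") if p.strip()]
    return items == [expected]


# Location suffix (lower case) -> check to apply.
CHECKS = {
    r"\winlogon\shell": check_shell,
    r"\winlogon\userinit": check_userinit,
    r"system.ini [boot]\shell": check_shell,
}


def audit(text, windir=r"C:\WINDOWS"):
    """Return the (location, values) pairs that deviate from the baseline."""
    findings = []
    for location, values in parse_report(text):
        for suffix, check in CHECKS.items():
            if location.lower().endswith(suffix) and not check(values, windir):
                findings.append((location, values))
    return findings


if __name__ == "__main__":
    for name, report in (("thread", THREAD_REPORT), ("tampered", TAMPERED_REPORT)):
        findings = audit(report)
        print(name, "report:", "clean" if not findings else "")
        for location, values in findings:
            print("  unexpected value at", location, "->", values)
```

On the report posted in the thread the audit finds nothing at the shell and Userinit locations, which fits how the thread ended: replacing explorer.exe fixed the problem, not removing a Winlogon entry.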
 