Explorer hangs accessing drive after reboot 2

[colinsw]

Hi

My machine is a 1GHz PIII, 512Mb and more disk than it knows what to do with. It runs Win2k SP4 and has all critical patches applied. The m/board, RAM and disks have had diagnostics run upon them, both individually and together, outside the machine and found to be OK.

I have the problem that immediately after startup or a reboot and after waiting until all disk activity has stopped, if I then open Explorer and access the C, D or E drive, Explorer hangs and a Restart (through Task Manager) is required to get the machine going again.

The machine is virus, worm and trojan free. This problem has been happening for some many months and did not coincide with the installation of any particular software package or patch.

Has anyone seen this happen before and/or have any ideas where to start looking for the cause, please?

 

[bcastner]

1. The Explorer error is just a bad RUN entry; it is easy enough to repair:

http://support.microsoft.com/default.aspx?scid=kb;en-us;170086

2. Having dealt directly witb your issue, I honestly believe a worm or virus created the original problem. smah's FAQ includes seveal online antivirus scans, using both Trend Micro and Panda are a good idea: faq760-3862

 

[colinsw]

Thanks for the reply, but that particular KB article does not really seem to apply.

The Explorer window does not automatically open at startup, I open it manually. Also there are no bad entries on the Run keys (been there and done that, many times).

The machine has AVG installed and is kept well up to date. Currently version 7, but previously v6. I have however tried the online scans mentioned and they came back with nothing found.

 

[zoeythecat]

Colinsw,

Not sure if this applies to you or not. Check out this article

http://support.microsoft.com/default.aspx?scid=kb;en-us;319124&Product=nts40

Talks about a program installed that is incompatible with IE6 that causes an Explorer.exe error. Only problem you have to determine what program may be causing it. I know in one case someone had WS_FTP installed and once that was removed they were fine. Another case was someone in my environment had an Olympus Card Reader USB device that was causing this.

Hope this helps.

 

[bcastner]

I suspect than a WIA issue with USB devices. This article discusses the problem in an XP setting, but applies to Win2k as the possible underlying problem:

http://support.microsoft.com/default.aspx?scid=kb;en-us;819017

On a related note, make sure your USB device drivers are completely up to date.

 

[bcastner]

If you would welcome another suggestion, this too is written as an XP issue, but is perfectly true for Win2k:

http://support.microsoft.com/default.aspx?scid=kb;en-us;819101

In addition, the number of installed fonts on your system can cause the issue you raised. If possible, remove unecessary fonts through the control panel applet.

At this point you should re-examine your IDE devices for mis-jumpered, or loading the wrong device driver. You did not specify your chipset, but heading to the Intel web site and applying (if appropriate) the Intel chipset upgrade tool may help quite a bit.

 

[search66]

Is the MB by chance Intel?

 

[colinsw]

Hi

Thanks to all for the replies. I've been working through the various suggestions and I just wanted to report the results.

- Yanked IE6 out (that was a mission) and reverted to IE5.5. No change. Removed IE altogether, so that there was no browser installed. Same result.

- W2k does not seem to have an equivalent to XPs WIA.

- Uninstalled and disconnected all USB devices, an Epson inkjet and Canon scanner. Forced a hardware redetect. No change.

- There are currently 286 fonts installed. I have removed a few that are not needed, but this number appears to be well within acceptable limits.

- IDE devices are configured such that Disk0 and disk1 are on the primary controller (attached using an ATA100 cable). CD writer and DVD are on the secondary controller. Hardware profile is set for UDMA at ATA100. Removing the CD/DVD and changing the HDDs to run PIO mode slows things down awfully as you might expect, but problem still occurs. Device driver in use appear to be correct, by size and date/time, but my experience in that area prohibits me delving any deeper.

- No, sorry the motherboard is not an Intel, it's a Gigabyte GA-6VXC7-4X.

 

[1stITMAN]

Ok what are the errors in event viewer plz post them.


I would suggest run chkdsk /f and let it fix any errors, defrag the drive to.


I.T Systems Support Engineer
Bsc. (Hons).

 

[colinsw]

Hi 1stITMAN and thanks for replying.

There are no event log entries to speak of. There is one showing the event log starting followed by one showing it stopping. The latter being created when the issue had occured and the machine was being shutdown. There is nothing else between these two entriesw

 

[1stITMAN]

have u run drive check chkdsk /f

I.T Systems Support Engineer
Bsc. (Hons).

 

[bcastner]

colinsw,

Do a scan and post our Hijack This! log.

http://mjc1.com/mirror/hjt/

I still would vote for an extended RAM Test.

http://oca.microsoft.com/en/windiag.asp

But there is so much malware out there that a Hijack log would give us all a fighting chance if a bad guy on your system is the issue.

 

[colinsw]

CHKDSK and scandisk have both been run more than once.

Extensive diags have been run on the system components, both together and seperately. Including the RAM.

I really don't follow the logic behind the the malware idea. Given that the machine is clean by using Adaware and Spybot and has been scanned by AVG and two online services, I can't see anything could be resident.

I'll post the HijackThis log in a few minutes.

 

[colinsw]

Ok, here's the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:19:25 a.m., on 04/01/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\glidew32.exe
C:\PROGRA~1\MOTHER~1\MBM5.EXE
C:\WINNT\WDVRCtrl.exe
C:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINNT\Mixer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Ontrack\SMARTDefender\smrticon.exe
C:\Program Files\WinTidy\WinTidy.exe
D:\Program Files\United Devices\UD.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\KnockOut\KnockOut.exe
C:\Program Files\SnapStream Media\Personal Video Station 3\WTLPVSApp.exe
e:\Program Files\POPFile\popfileib.exe
C:\Program Files\SnapStream Media\Personal Video Station 3\PVSLogService.exe
C:\Program Files\SnapStream Media\Personal Video Station 3\SSBatchProcessorService.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\United Devices\ud_1396140.exe
D:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Colin\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Favorites%20Home%20Page/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.210:4480
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Program%20Files/Favorites%20Home%20Page/homepage.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] C:\PROGRA~1\MOTHER~1\MBM5.EXE
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINNT\WDVRCtrl.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Agent] C:\Program Files\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunServices: [Win32 Rundll Loader] Rundll32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe" /h
O4 - HKCU\..\Run: [SMARTDefender] C:\Program Files\Ontrack\SMARTDefender\smrticon.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Startup: UD Agent.lnk = D:\Program Files\United Devices\UD.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: KnockOut.lnk = C:\Program Files\KnockOut\KnockOut.exe
O4 - Startup: Run POPFile.lnk = E:\Program Files\POPFile\popfile.exe
O4 - Startup: Personal Video Station.lnk = C:\Program Files\SnapStream Media\Personal Video Station 3\WTLPVSApp.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) -

http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan/as/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.8265625

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) -

http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{23DF1FE4-580F-47F8-93A6-2EA0B82619E3}: NameServer = 10.10.10.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F047E3F-48FB-4375-8148-4531C93A3BB8}: NameServer = 10.10.10.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE29CCF0-668C-4E9E-A7D7-6FFC289C9102}: NameServer = 10.10.10.210

 

[bcastner]

Neither CHKDSK nor Scandisk do an extended memory test.
If your really feel (and you have made a good case) that malware is not the issue, let a RAM test run overnight.

In the alternative, do a repair installation of Win2k. You will not lose your software or settings, but you will lose your Service Pack and Hotfixes. Sometime this is the only way to resolve the issue.

http://support.microsoft.com/?kbid=292175

 

[1stITMAN]

have a look at this

http://www.davidbartosik.com/tips/tips_excrash.htm

http://www.theeldergeek.com/start_explorer_in_c_drive.htm

I.T Systems Support Engineer
Bsc. (Hons).

 

[colinsw]

CHKDSK and Scandisk were only run for completeness, because I figured sooner or later someone would ask what results they produced.

The diagnostics mentioned above were run using a commercial diagnostic package (the name escapes me right now). Sorry, there was no implication that CHKDSK/Scandisk were the programs used to test the machine.

I will try a Repair install, just as soon as I have run a image of the C drive. I don't trust MS that much and really don't want to spend the next 4 days putting the machine back together again.

1stITMAN, I don';t understand the link to the article about exchanging EXPLORER for WINFILE in the ini file. Winfile does not exist in W2k. Also the second article link points to various command link options that can be passed to Explorer to make it open is various ways. Being old and somewhat silly I fail to see the relevance of that to the situation I have here. Could you please explain?

 

[bcastner]

Your Hijack log is more than a little challenging.

In general, it is not a great idea to run two Anitvirus programs. Pick either Symantec NAV or Grisoft, but do not run both.

Have Hijack remove this entry:
O4 - HKLM\..\RunServices: [Win32 Rundll Loader] Rundll32.exe

And this might be perfectly legitimate. But, do you really need this one?
O4 - HKLM\..\Run: [Glide] glidew32.exe

 

[colinsw]

Re the challenge, we aim to please. Nothing like a good meaty problem to get your teeth into.

Not sure what you mean about having more than one AV installed. I have, and have only ever had, one virus package installed. Currently it is AVG 7. What leads you to believe that I am running more than one?

I'll remove the rundll entry and report back shortly.

The glidew32 is something to do with the driver set for my Cirque touchpad.

 

[colinsw]

Re the virus package issue. Were you querying the entries for Panda and housecall? if so then I believe these are the activex controls that the online virus scans install. I will remove them if it is thought necessary, but they were installed after the problem first occured.

I've removed the rundll entry and rebooted the machine several times. When Explorer is loaded thereafter and the C drive accessed, then in Task Manager Explorer then shows as Not Responding.