Regular Explorer crashes in XP?

Discussion in 'Software' started by Wells, Jul 24, 2005.

  1. Wells

    Wells Private E-2

    About every 12 minutes or so, I have the explorer crash. The symptoms are "only" a refreshing of the taskbar and the disappearance of many - but not all - of the tray icons. The logs of these crashes - about 1000 so far, for the last few days - state "The system shell stopped unexpectedly and explorer.exe was restarted". They're listed as "source: Winlogon; no category; event identifier: 1002", with nothing in the hex dump. It's beyond infuriating. I tried every fix I could find, ran windows update, sfc, Norton's regscan (I won't even mention the regular AV and spyware scans), but nothing even decreased the regularity of this. I even installed the dreaded SP2, and it fixed nothing (just slowed down the system considerably).

    The crashes seem to happen for no reason at all - I could be browsing online (from Firefox, obviously), watching something, running NASA's World Wind, writing, or just letting the PC stand and idle with nothing running, and the crashes will happen, regardless of anything else...

    It does seem to happen regardless of what I'm doing. Right now, I just tried one thing; I sat down, ran Sysinternals' File Monitor and had it log every file access, waiting for the crash to happen. It logged about 3 KB of text during the 30 seconds or so when the crash and explorer restart occurred... it's below. At that moment I was only reading a cached web page, opened quite a while earlier.

    Using PS Tray Factory, I can restore the icons that disappear, but the problem is with the crashes, and restoring the icons is like putting cotton under a leaking hole in the roof instead of trying to patch up the hole... unfortunately in this case I can't even see the hole.

    (The KAVICHS thing is from Kaspersky's Antivirus, but I had the program many days before the crashes began)

    4969 winlogon.exe:612 OPEN C:\Documents and Settings\User SUCCESS Options: Open Directory Access: Traverse
    4970 winlogon.exe:612 CLOSE C:\WINDOWS\system32 SUCCESS
    4971 winlogon.exe:612 OPEN C:\WINDOWS\system32\:KAVICHS NAME INVALID Options: Open Access: All
    4972 winlogon.exe:612 OPEN C:\autoexec.bat SUCCESS Options: Open Access: All
    4973 winlogon.exe:612 QUERY INFORMATION C:\autoexec.bat SUCCESS Length: 206
    4974 winlogon.exe:612 READ C:\autoexec.bat SUCCESS Offset: 0 Length: 206
    4975 winlogon.exe:612 CLOSE C:\autoexec.bat SUCCESS
    4976 winlogon.exe:612 QUERY INFORMATION C:\Documents and Settings\User\Local Settings\Temp SUCCESS Attributes: D
    4977 winlogon.exe:612 OPEN C:\ SUCCESS Options: Open Directory Access: All
    4978 winlogon.exe:612 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Documents and Settings
    4979 winlogon.exe:612 CLOSE C:\ SUCCESS
    4980 winlogon.exe:612 OPEN C:\Documents and Settings\User\ SUCCESS Options: Open Directory Access: All
    4981 winlogon.exe:612 DIRECTORY C:\Documents and Settings\User\ SUCCESS FileBothDirectoryInformation: Local Settings
    4982 winlogon.exe:612 CLOSE C:\Documents and Settings\User\ SUCCESS
    4983 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
    4984 winlogon.exe:612 QUERY INFORMATION C:\Documents and Settings\User\Local Settings\Temp SUCCESS Attributes: D
    4985 winlogon.exe:612 OPEN C:\ SUCCESS Options: Open Directory Access: All
    4986 winlogon.exe:612 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Documents and Settings
    4987 winlogon.exe:612 CLOSE C:\ SUCCESS
    4988 winlogon.exe:612 OPEN C:\Documents and Settings\User\ SUCCESS Options: Open Directory Access: All
    4989 winlogon.exe:612 DIRECTORY C:\Documents and Settings\User\ SUCCESS FileBothDirectoryInformation: Local Settings
    4990 winlogon.exe:612 CLOSE C:\Documents and Settings\User\ SUCCESS
    4991 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
    4992 winlogon.exe:612 OPEN C:\ SUCCESS Options: Open Directory Access: All
    4993 winlogon.exe:612 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: WINDOWS
    4994 winlogon.exe:612 CLOSE C:\ SUCCESS
    4995 winlogon.exe:612 OPEN C:\WINDOWS\ SUCCESS Options: Open Directory Access: All
    4996 winlogon.exe:612 CLOSE C:\WINDOWS\ SUCCESS
    4997 winlogon.exe:612 OPEN C:\WINDOWS\:KAVICHS NAME INVALID Options: Open Access: All
    4998 winlogon.exe:612 OPEN C:\WINDOWS\system32 SUCCESS Options: Open Directory Access: Traverse
    4999 winlogon.exe:612 CLOSE C:\Documents and Settings\User SUCCESS
    5000 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
    5001 services.exe:656 WRITE C:\WINDOWS\system32\config\AppEvent.Evt SUCCESS Offset: 485036 Length: 140
    5002 services.exe:656 WRITE C:\WINDOWS\system32\config\AppEvent.Evt SUCCESS Offset: 485176 Length: 40

    And here is a Procexp screenshot from my typical session: http://img176.imageshack.us/img176/5775/procexp0av.gif
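
Added example (not part of the original post, and not Sysinternals code): a Python triage of a File Monitor excerpt like the one above, listing non-SUCCESS operations, alternate-data-stream names such as `:KAVICHS`, and which process wrote to an `.Evt` event log. The regular expression assumes the space-separated layout shown in the post and only the request and result names visible in this log; `parse`, `stream_name` and `triage` are hypothetical helper names.

```python
import re
from collections import Counter

# Request and result names are limited to those visible in the posted excerpt
# (assumption: real File Monitor logs contain more of both).
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<req>OPEN|CLOSE|READ|WRITE|DIRECTORY|QUERY INFORMATION)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NAME INVALID)(?:\s+(?P<detail>.*))?$"
)

# Lines copied from the log in the post above.
SAMPLE = r"""
4970 winlogon.exe:612 CLOSE C:\WINDOWS\system32 SUCCESS
4971 winlogon.exe:612 OPEN C:\WINDOWS\system32\:KAVICHS NAME INVALID Options: Open Access: All
4972 winlogon.exe:612 OPEN C:\autoexec.bat SUCCESS Options: Open Access: All
4981 winlogon.exe:612 DIRECTORY C:\Documents and Settings\User\ SUCCESS FileBothDirectoryInformation: Local Settings
4983 winlogon.exe:612 OPEN C:\Documents and Settings\User\:KAVICHS NAME INVALID Options: Open Access: All
5001 services.exe:656 WRITE C:\WINDOWS\system32\config\AppEvent.Evt SUCCESS Offset: 485036 Length: 140
"""

def parse(text):
    """Yield one dict per recognised line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def stream_name(path):
    """Return the alternate-data-stream name in a path, or None.
    A colon after the drive prefix ("C:") separates file name and stream."""
    rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return rest.rsplit(":", 1)[1] if ":" in rest else None

def triage(text):
    """Summarise failures, stream accesses and event-log writers."""
    failures, streams, evt_writers = [], Counter(), set()
    for e in parse(text):
        if e["result"] != "SUCCESS":
            failures.append((int(e["seq"]), e["proc"], e["path"], e["result"]))
        name = stream_name(e["path"])
        if name:
            streams[name] += 1
        if e["req"] == "WRITE" and e["path"].lower().endswith(".evt"):
            evt_writers.add((e["proc"], int(e["pid"])))
    return {"failures": failures, "streams": dict(streams), "evt_writers": evt_writers}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```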
     
  2. Hmmm.... that's a weird one. Try doing a scandisk on the system. By the way, what is your registry cleaner? I use Registry Mechanic and it fixed a lot of crap in my system. Make sure it is up to date and you have the latest versions installed on your system. Then scan with Registry Mechanic again. Oh yeah, one more thing. Keep SP2 on your computer and put all the updates on. You wanna keep SP2 because it fixes a lot of bugs that are in Windows XP. Lemme know if this information helps.
    -the new tech guy
     
  3. Wells

    Wells Private E-2

    I tried RMechanic... it fixed a few errors, none of which improved anything about the crashes. :\

    Here's a HijackThis log, by the way, if anyone recognizes anything problematic... By the way, are there any real-time process, etc. monitors that would perhaps help in finding out and logging some specific information about the system situation at the exact moments of the crashes? (I already used tools such as Sysinternals' ones - File Monitor, etc. - and similar...)

    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\PS Tray Factory\PSTrayFactory.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    G:\Program Files\DCPlus\DCPlusPlus.exe
    C:\Program Files\Far\Far.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TrayFactory] C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /silent
    O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\kav.exe" -run -n PersonalPro -v 5.0.0.0
    O4 - HKLM\..\RunOnce: [TrayFactory] C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /start
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: FAR.lnk = C:\Program Files\Far\Far.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\kavmm.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Instructions Removed
     
    Last edited: Jul 24, 2005
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  6. Wells

    Wells Private E-2

    Dcplusplus is the, er, DC++ client that I happened to be running at the time of that scan, among other processes... though I don't doubt that there is a worm that uses its executable's name, due to its popularity.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall your nVidia video drivers then reinstall them. Use Driver Cleaner Professional to remove the drivers. Sometimes the nVidia drivers can cause problems if they get corrupted.
     
  8. Hey shadow, you think a winxp repair will help out with explorer crashing, 'cause that should rewrite the file, right? And if we do that it will rule out a Windows corruption. Only drawback is that the updates need to be reinstalled and we can reinstall the nVidia drivers in one clean shot. Lemme know if that is useful in any way.
    -the new tech guy
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    XP Repair installs aren't usually necessary. Reinstall the drivers by first uninstalling the drivers, reboot into safe mode, run Driver Cleaner Pro, reboot into normal mode, log on, close out the new hardware found wizard, load the latest nVidia drivers for the card. If that fails then repeat the process but install an older set of drivers from around the time of the video card's release.
     
  10. theefool

    theefool Geekified

  11. theefool

    theefool Geekified

    Agree! If all else fails, then maybe a repair install. Though, in my findings, this is almost like a flip of the coin type of fix.
     
