Windows 2000Pro explorer.exe - Application Error

Explorer.exe basically is Windows isn't it? Yep, it's the pretty UI that you usually use to start pgms from and navigate about your files.
The blank blue screen is what you see when explorer stops running - no desktop icons, task bar, backgound etc. It does look like some bad software is killing explorer.... and bad software is most often malware.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
We'll go from there. And you can rarely give too much info....

Hi gerbil thanks for the advice.

I downloaded and ran both programs per your instructions. I looked over the log files myself. Mostly I noted that at the end of the combofix.txt file it showed pre-run and post-run free bytes. Apparently it had freed up or IE deleted over 350MB's of whatever. It should be noted that I ran Several different spyware/malware removal programs as well as anti-virus and then Regcure a registry checker before running either of these. Of course updated all these programs before running them. They found nothing as far as a virus or any major spyware/malware, two low risk items of spyware(tracking cookies) were removed. Then I ran both of the applications you gave me links and instructions for. I also went into my Firewall rules after running your programs and had it clean up rules for applications that didn't exist. It cleaned out 1 rule for something that I had blocked.

Anyway, I will attach both files to this thread reply.

Thanks again for your help!

Hi gerbil, I posted my reply after doing what you said a few days ago and haven't seen any further reply from you. The problem hasn't gone away. Any further suggestions? Thanks

I'll gt back to you tonight. Sorry, but I actually missed your post...

No problem. By the way it seems to mostly happen when I'm closing anything to do with Windows its self. Such as having My Documents open and then closing it and it will happen sometimes. Or having My computer open and then closing it and it will happen sometimes. It's intermittent. I also noticed that when it gives the explorer.exe - application error it does reference the same instruction at "0x7ce82a8c" but does not reference the same ref mem address each time. If that's of any help?

I guess I missed your post because for a while Opera was not working with this site, and so I did not look in much. Anyway.... you will notice that I have turned on your windows updates in one of the registry lines - if you do not want that just delete these two lines from the block before you run it with Combofix...
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= -

Heh.... I still like playing Diablo II also... okay, let's get down to it.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

File::
C:\WINNT\eraseme_18043.exe
C:\WINNT\eraseme_18536.exe
C:\WINNT\eraseme_24270.exe
C:\WINNT\eraseme_25226.exe
C:\WINNT\eraseme_27280.exe
C:\WINNT\eraseme_27710.exe
C:\WINNT\eraseme_28350.exe
C:\WINNT\eraseme_28884.exe
C:\WINNT\eraseme_41588.exe
C:\WINNT\eraseme_51842.exe
C:\WINNT\eraseme_55717.exe
C:\WINNT\eraseme_61051.exe
C:\WINNT\eraseme_68082.exe
C:\WINNT\eraseme_70626.exe
C:\WINNT\eraseme_74404.exe
C:\WINNT\eraseme_84170.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msci"=-

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= -

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FCKK"= -

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

352 Megs gone? That will be your most precious photos smoked... :)

By the way, if you look into your Combofix log you will note that you have had that erasme_*****.exe /winbin worm for over a year - that has given it ample time to make many copies of itself, and also to trot out into networked computers. It infects Explorer.exe as well....
To make sure it is gone...
==Run a BitDefender online scan: http://www.bitdefender.com/scan8/ie.html - and post the results, please.

=Check your hosts file, it may have been modified to block some security sites.
If you wish to clear your hosts file manually [C:\Windows\system32\drivers\etc\hosts] you may not be able to save the changed/corrected file. This is because some security applications, possibly also various malware, will lock your Hosts file [make it read-only] as a protection.
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window and try to save the file again.
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS

Drag HOSTS into a notepad and make any changes, then save it.
Or just use this tool:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click the top button Make Writable if it is available
-click Restore MS Hosts File button.

Thanks for the new info. Also, make that diffenent about what I said earlier. If it is just a windows compatible application no errors when closing or using. If it is a folder of part of windows its self such as My computer, My Documents, Windows Help etc... when you are using them it is fine. When you close them that's when I get the original error.

Anyway, just finished doing everything you said. However, I ran the online virus scan first on both this computer and my wireless notebook with win98se. It found 2 viruses on the win98se and 5 on this win2000Pro plus 1 that it guessed was a virus and it deleted them all. Saved the log file, but it would only save as HTML file so hope I can attach that or whatever.

Did the Hijack thing and that seemed to run ok.

Did the combofix.exe script file you gave me, but it said it wasn't a real reg edit script file or something like that, but I clicked ok to that error message and then it ran the script anyway, because I watched it delete the items you had listed.

Downloaded the tool on the Hosts file part. However it did not have the Make writeable button instead it was a Make readonly button, which I did not choose, but I did choose the "Restore MS Hosts File button" and then closed the window.

Will have to reboot and see if the original problem still exists, but if nothing else we have killed yet some more viruses/malware etc... Amazing considering I have always been one to keep my virus database updated, or spyware or whatever and use more than one and it seems it does not matter how many of all these you use a new different one always seems to find something else the others missed. Sometimes I miss the days of CP/M and DOS sure they were simple, but we didn't know that back then and I never got a virus on my computer for the first 25 years I used them. Now it's going on 31 years and it seems I spend 80% of my time doing system maintenance to kill security issues and keep Windows from crashing. Oh well, I guess I must be a glutton for punishment or I wouldn't still be using these things. :-)

Will attach all the various log files below, but not sure if the HTML one will be allowed. I had to zip the html file, but it's attached.

Thanks again for all your expert advice!

Back in the days of DOS it was a brave new world, the settlers were gazing enthusiastically out into the wilderness and Microsoft was loved as one of the guides who brought them face to face with it.. But then Microsoft rounded them all up and herded them out into it, some against their will, and now the wolves are circling.
Do you see in the BDF log the .dbx file? That is probably the source - an email.
"However it did not have the Make writeable button instead it was a Make readonly button"... yeah, that means it was already writable, so it gave you the option of making it read-only to stop simply written scripts altering it.
Everything happened correctly with combofix.
=Delete this file:
C:\WINNT\d3dx.dat
There seems to be a problem with your C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ folder. I do not know if it is simply to do with the AShampoo file ASFWHide in there.... I suggest you disconnect from the net, shutdown AShampoo, close any browsers, readers, applications and delete the Temp folder itselfthen recreate it. Restart your firewall.
As far as the error goes, well, there could be sys file corruption still. It can get tedious to scan your system, but I would run this last one [cclean first!]:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeusers/solutions/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise there will be no disinfection, merely detection] with a valid email and follow through.
Post the log it produces here.
and follow up with system file checker. Go start, run, paste in:
sfc /scannow ....insert your cd when requested.

Any easy way to get ur program running again is to delete your old explorer.exe file which might be infected. If you have a friend with the same operating system, search for his explorer.exe file and copy it. Paste that into your old folder where your previous explorer.exe file was. If this problem occurs....... dont know......contact your computer configure person.
.:Peace:.
- Purvansh

OK did what you said on everything. Thanks for the reminder about SFC I forgot about that little utility. However, I don't have A Windows 2000PRO SP4 installation CD. This Refurbished computer that I bought from www.computer-show.com came with it preinstalled with COA, but no CD. I ran the SFC /scannow anyway hoping I could redirect it to CABs files or something. It said it needed to copy DLL's to a cache folder.

Anyway, I will attach the online virus scan results .txt file. It found some things but I don't think it removed any of it even though I did register. The part I don't understand is the "VULNERABILITIES" which are all Windows/IE patches etc. The reason I don't understand that is that just before running all these new instructions I did my Windows critical updates 19Meg's of them. So not sure why I still need more? At any rate how do I fix all of those?

Is there anyway to get SFC to restore from CAB files etc?

Well anyway I appreciate all the help and links. Oh also it said the combofix.exe was one of the problems the virus scanner you sent me to. Maybe it's been infected. I'm guessing I should delete that also?

Thanks again! :)

Panda only deletes viruses and worms in this free scan, but points out adware and trojans etc.
This one is adware, delete it...c:\winnt\system32\unppc.exe
This one is part of a telnet service from Sysinternals. If you do not use telnet, did not install that service, then delete it [can be used by hackers]...C:\WINNT\PSEXESVC.EXE
I must admit I have no idea why the scan shows those critical updates as vulnerabilities - they were only released in Dec last year... are they actually installed?
SFC should work with cab files. It sounds as if your dllcache directory is corrupted. You can change this registry key so that sourcepath points to the DIRECTORY the cab files are in [don't point it at the cab files themselves]:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\whatever directory contains cab files..."
Or you could try to borrow a cd and copy the I386 folder to the C:root, [eg C:\i386] and point sfc at that...
Combofix infected? Nah, Panda dislikes it... but yes, you can delete it if you wish [or just leave it there for a week and it will timeout and when you try to start it it will remove itself.. :), or you can paste into the run window...
C:\Documents and Settings\Administrator\My Documents\downloads\ComboFix.exe /u
Come back if you need help with sfc....

unPPC6000 right next to unPPC delete it too?

Deleted Telnet service. Don't think even in my Bulletin Board days before the Internet I didn't use Telnet then either, I don't think.

"I must admit I have no idea why the scan shows those critical updates as vulnerabilities - they were only released in Dec last year... are they actually installed?"

I hate to admit it, but I'm not sure how to check and see if they are installed. I went to Add/Remove programs and looked at the list of "Hotfixes" there's a couple dozen or so of those, but don't know how to find out if "MS07-069" etc is installed or not?

Regedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\CABS\9519160_XP_2K"

Already had a key named "Installation Sources" with paths listed under the Data column of "D:\Drivers\PTPDriver D:\WIN2K_XP C:\CABS\9519160_XP_2K D:\"

Haven't done a manual regedit in a while, but anyway I went to the above mentioned tree in Regedit then right clicked and selected new string value then added Value name: SourcePath= and Value data: C:\CABS\9519160_XP_2K

Exported the Registry first to a file in My Documents.

Made sure the new RegEdit was in place. Rebooted computer and ran SFC /Scannow still same thing wants a W2KPro CD.

So I had already thought to borrowed one, but it was Windows 2000 Pro with Service pack 2 not Service pack 4. So I said whatever and ran SFC /scannow again anyway and inserted this CD when it asked for the CD. It seem to like it and showed the progress bar going across until it finished. When it finished it just closed, didn't give any report or anything, it just closed. So I don't know if it actually did any copying of files or what, but I took out the CD and rebooted the computer and then tested to see if the Original error that I started this Post on still happened. It does :-( I opened my computer browsed my internal and external hard drives just fine then closed the My Computer window and up pops that same error Explorer.exe - Application Error The Instruction at "0x7ce82a8c" etc... :-(

You can use any created folder or any application without the error popping up, but anything associated with being an integral part of Windows and only when you close the applications window does it the error pop up. With the exception of Internet Explorer. It's happened with the search feature, Windows Help, My Computer, the My Documents folder to name a few.

When it does the blank blue screen for a few seconds and comes back up you can go right on doing whatever you were doing it will even have your applications windows still open and working properly, but I have noticed two of the Icons on the system tray by the clock disappear when that happens? I can only get those back by doing a reboot.

Maybe this is a 3rd party software conflict issue?

Here's my icons in the system tray by the clock from left to right:
1) Unplug or Eject Hardware
2) Volume
3) Local area connection 2
4) Norton Ghost 2003
5) itouch (this is for my wireless Logitech keyboard)
6) Mouse (this is for my wireless Logitech Mouse)
7) Spyware Terminator (Real-Time Shield Enabled)
8) SmartRAM
9) Ashampoo FireWall
10) IObit SmartDefrag
11) SpywareGuard
12) AVG Free Edition - Control Center
13) Clock

Now I made the error happen again and it came back up with the icons in the system tray resorted as far as order from left to right and two of them are now gone.

New order from left to right:
1) Ashampoo FireWall
2) SmartRAM
3) AVG Free Edition - Control Center
4) Norton Ghost 2003
5) IObit SmartDefrag
6) iTouch
7) Spyware Terminator (Real-Time Shield Enabled)
8) Unplug or Eject Hardware
9) Volume
10) Local area connection 2
11) Clock

Missing Icons:
Mouse
SpywareGuard

All of the 13 items where in there before this error started occuring EXCEPT:
IObit SmartDefrag
SmartRAM

Not sure if SpywareGuard was there before the error started to occur, possibly not, because it was a fairly new installation.

Also, I made the error occur a 2nd time without rebooting with the 2 missing icons. It blue screened then came back up reshuffled the same 10 icons yet another sort order and this time I had to click on "Restore my active desktop" button to restore my background.

Going to Try to see if I can make this error occur in SafeMode.

Ok, Safemode it's solid as a rock. Opened and closed and did everything I knew had ever forced the error to occur, but no error.

Now going to try msconfig on the Startup tab and unselect things and reboot until I see if I can make the error go away.

Started by unselecting SpywareGuard and rebooted, but error still occured.

Then I left spywareguard off and also unselected spyware terminator, IObit Smart defrag as well as IObit Ramcleaner.

Error still occurs.

Will now disable firewall and antivirus. (Yes I disconnected the DSL before any of this).

Error still occurs.

Will now disable everything with the disable all button in msconfig on the Startup tab.

Error still occurs.

NOTE: However, noticed upon reboot that even though I had disabled all. One item rechecked itself upon reboot which was:

mobsync.exe /long HKLM\SOFTWARE\microsoft\windows\currentversion\run

Don't know what that is or how it rechecked itself in msconfig?

Now going to go to the General tab on msconfig and use "Diagnostic Startup - load basic devices and services only".

Ok, before I test to see if the error still occurs I want to make a note:
Upon reboot msconfig always comes up on the screen which is normal. However, diagnostic mode was not selected on the General tab even though that is what I had selected. Instead it was on Selective Startup with Load startup items selected and again mobsynce.exe /logon had reselected itself. Also under the services tab all services were deselected except "Remote Procedure Call (RPC) Locator" although this one said it was stopped. Also, "Remote Procedure Call (RPC)" this one was running.

Now going to test for the error with the above mentioned settings.

Well that was quick. Error occured as soon as I closed the msconfig window.

Right now I have nothing but a blue screen up with this notepad window that I'm typing all these notes in. Not sure if I will be able to save this file from here? Going to try anyway. Blue screen not going away as it normally does. Just blank blue screen with this notepad window open on it. This is just plain weird.

Well it did save the notepad file, but when I closed the notepad it just stayed on the blank blue screen and even Ctrl+Alt+Delete would not bring anything up so I had to power off the computer and power it back on again.

Not sure what to do at this point. I guess I will reseach online and see what mobsync.exe /logon is for one thing???

I remember when I was doing tech. support at a call center for a computer manufacturer and the w32.blasterworm hit and crashed everyone with Windows XP it seemed like it was using that RPC service or something? Anyway, on to some research and then I will post all this stuff I tried.

It should be noted that I basically used the same sequence to get the error to occur each time with the exception of it occuring just from closing msconfig.

It should also be noted that while I had unplugged the power to my DSL modem which is hooked into my Wireless broadband router and then via the router through a cable from the back of the router's #1 port to my NIC port on this computer. The router was still on and connected the whole time, but just no Internet access. Maybe that had something to do with it not staying in diagnostics mode on msconfig?

Found this about mobsync.exe /logon
http://www.softwaretipsandtricks.com/useless_files/111-mobsyncexe%20/logon.html

Do you think I should follow this sites suggested procedure?

small excerpt from above link about mobsync:
"This is because it is set by default to synchronise your home page at log-on."

What does it mean to synchronize my home page at log-on? Synchronise it with what?

By the way what does this "C:\Documents and Settings\Administrator\My Documents\downloads\ComboFix.exe /u" do cause combofix.exe to update? I didn't remove it since it's not an issue.

Help!!!!!!!!!!!! :)

However, this all turns out I really appreciate all your patient help and teaching me some more ways to get rid of viruses and other malware. Not to mention reminding about the SFC utility and lots of other things I either didn't know or had forgot. At this stage of the game of computers I've forgotten more things than I can remember. I've been through 30 years of it just about every OS except Vista and win2003. Including CP/M (precursor to DOS) all versions of DOS, All versions of Windows, Unix and unix copies, LInux(various versions), Beos, some others I can't remember the name of. Loads of programming languages, more applications than I can remember, CAD/CAM, NC and CNC programming, even messed around with a mac or two. I like Mac's would probably switch to one if I could afford the one I would like. ;-) Anyway, enough about my life's history. I guess I was just pointing out to anyone else that reads this, that no matter how long you've been working on computers or how much you know there is always ALWAYS more things you can learn.

Thanks again!
PS Check out www.slacker.com it's a new kind of online music site. Pretty cool.

sfc only takes what it needs to restore corrupted files, and it knows which versions to take in original form from a folder or cd, and which to take from the updates.
The Security bulletins:
MS07-069 [= KB942615] replaced MS07-057 which repl. MS07-045 which repl MS07-033 which repl MS07-027.
Aaaannnd: The latest bulletin, MS08-010 KB944533, replaced MS07-069 !!
MS07-043 and MS05-055 were separate issues.
Now you could google for the KB articles which represent those... but I have a feeling that Panda picked up those old bulletins from the Windows directory. If you expand C:\Windows almost the first entries are blue $NtUninstallKB****** folders - these are the files which have been replaced by updates along with an app and a batch file which run if you wish to reinstall the old files over the top of the newer [via Add/Remove pgms!].
Which you might be tempted to do if the update in question caused problems. Well, they [blue $NtUninstallKB****** folders] build up, and if all is sweeet I tend to delete em. Do that.
unPPC6000? Delete it. It's PeoplePC or CoolWebSearch.
C:\CABS\9519160_XP_2K is just one driver. Were there no .cab files in C:\CABS ? [C:\CABS would be the sourcepath if there were, but .cabs tend to be drivers...]. No matter anyway, sfc completed happily, found what it wanted. It does just close when successful, no bells or whistles.
"When it does the blank blue screen for a few seconds and comes back up you can go right on doing whatever you were doing it will even have your applications windows still open and working properly"... yeah, apps run independently of explorer, which is just your UI. It seems to be only explorer which is closing then restarting.
"Instead it was on Selective Startup with Load startup items selected " .... yep, it does that.
Not much happens without Remote Procedure calls. RPC.
"Also under the services tab all services were deselected except "Remote Procedure Call (RPC) Locator" ...and DCOM.
Notepad.exe runs indept of explorer. Most stuff does.
That combofix command I gave uninstalls it.
mobsync just synchronises the webpages you have set to View Offline... it updates them, in other words.
"no matter how long you've been working on computers or how much you know there is always ALWAYS more things you can learn" Ahh... this is the distillation of the beauty of Windows - it FORCES you to learn more about it. Non-stop.

Try removing your active desktop... man, but they can cause problems. All sorts.

Found this possible solution for the error I get on Cnet forums and tried it. Start>Run regsvr32 vbscript.dll <enter> Seemed to help because I could not force the error like I had been able to, but then the error came back just while working. I thought it might apply to me because I was getting a lot of errors about scripting and the discussion had to do with explorer.exe application error being due to Visual Basic issues which I was learning about a year ago until I figured out the Programming language would not do what I was trying to create. Anyway, just thought I would mention that as well.

"Well, they [blue $NtUninstallKB****** folders] build up, and if all is sweeet I tend to delete em. Do that."

Done.

"unPPC6000? Delete it. It's PeoplePC or CoolWebSearch."

Done. It was peoplepc, because that was my old dial-up connection until recent last few months upgrade to DSL.

"Were there no .cab files in C:\CABS ?"

No there was only the subfolder for the driver you are talking about. No .cab files.

"No matter anyway, sfc completed happily, found what it wanted. It does just close when successful, no bells or whistles."

I was accustomed to SFC in Windows 98SE which gives you nothing but reports and things to do all while it is checking the system files. So was not use to the Windows 2000 Pro version of SFC.

"That combofix command I gave uninstalls it."

I didn't use it since you said it wasn't infected.

"mobsync just synchronises the webpages you have set to View Offline... it updates them, in other words."

Interesting, thanks for the info.

"Try removing your active desktop... man, but they can cause problems. All sorts."

Not sure if I removed it, but I just pulled up Active Desktop in Windows Help and did what it said to turn it off and use standard Windows desktop. Made my background picture go away because it only seems to work with .jpg format graphic files if you are using active desktop. So I converted my .jpg background picture to .bmp and stored it in the standard directory for background pictures. Hate .bmp though, because they take up too much space, but oh well.

Anyway, why does active desktop cause so many problems if you care to expand on that?

Error is still occurring. :-( I tried looking up a price on a new copy of Windows 2000 Pro with SP4 and they were so high it was ridiculous. Windows XP Pro was actually cheaper even one deal I found included Office 2007. I'm thinking of changing to Windows XP Pro, but I don't know if it will work on this desktop that currently has Windows 2000 Pro. I know it will work on my old Windows 98SE Notebook, because I've seen my same exact model used for sell with Windows XP Pro installed on it. Just not sure about drivers for the Desktop. It's a Dell Optiplex GX150, but some of the hardware in it is not original stuff, but some upgrades I added. Anyway, I think XP Pro would work, probably can find any driver I don't have on Driverguide.com.

At any rate for the mean time I would like to know exactly what the deal is with this error:

"Explorer.exe - Application Error"
"The Instruction at "ox7ce82a8c" ref mem blah "The memory could not be "read".

Is it just the program file explorer.exe is corrupt itself and needs to be replaced like whoever it was posted in here a few pages back?

Just out of curiosity I did a search of the whole C: drive for explorer.exe it was found twice in C:\WINNT and C:\WINNT\ServicePackFiles\i386.

Both files the same size and creation date, but the one in i386 folder had an few days older last accessed date.

I'm glad though we got rid of all those blasted viruses and crap with all the various online scanners and such you sent me to.

My AVG Free edition virus software is going to expire by the end of May. I always use to run McAfee Internet suite. Do you have a recommend on a commercial one besides Norton? Maybe subscribe to one or more of those Online ones you sent me to besides one installed on my computer?

Well thanks again for your help. Sorry so long on a reply, just needed a couple of days away from computers in general. :-)

WinNT\ServicePackFiles\i386 exists if you did an upgrade by download as against an installation with the servicepack included [or slipstreamed]. That folder is your cache for running sfc - put it in sourcepath as "SourcePath" = "C:\WINNT\ServicePackFiles"
sfc would ensure that the correct version was in place, and if you change that sourcepath it will use the file from that i386 folder. You could rerun sfc, this time using the servicepackfiles directory. But I doubt that the error originates from explorer.exe itself.
My point with Combofix deletion was that it times out after a week - it won't run after that time, if you try it will delete itself.
This is a succinct explanation of Active desktop.... http://www.microsoft.com/technet/archive/ie/reskit/ie4/Part3/part3c.mspx?mfr=true -but if you remove it and the error continues, then put it back.
A few words fell out of a line I edited in a previous post:
""Instead it was on Selective Startup with Load startup items selected " .... yep, it does that." ... "if you have items unchecked in the startup list." Those words were meant to be there; that is why msconfig switched from diagnostic to selective mode.
Does the event viewer not show any listing for the error? I just monitored my machine's activity while closing an explorer window - explorer.exe was the only process involved with about 750 dealings with the registry in the 0.10sec it took to complete. Four system dlls were involved, but no third party sware, AV scanners etc.
And because you brought up the matter of scripting, ensure that you have only one version of .net framework and its hotfix installed [add/rmv pgms].
The error not occurring in safe mode points to a driver issue? Or account issue...? [since you've rather ruled out 3rd party sware].
Does it occur in Normal Mode under another account [admin type]?
I have no recommendations to give re comm AV services, there is too much personal preference involved and not enough difference between them. Okay, avoid Norton.

That folder is your cache for running sfc - put it in sourcepath as "SourcePath" = "C:\WINNT\ServicePackFiles"

Done Ran SFC /SCANNOW again still asked for the CD which I put in and let it run through again.

Problem still existed.

After that I got involved in buying McAfee 12-in-1 Internet security suite. Before I installed that I uninstalled almost everything that runs down in the systray. AVG 7.5 free edition, Ashampoo firewall, and a whole list of others that are listed above in this thread.

To get down to the point. The issue is no longer happening. The first time I noticed it was no longer happening is when I got really sick of a spyware prevention program down in the systray called "Spyware Terminator" so I uninstalled it before uninstalling anything else or before the install of McAfee. I then noticed it wasn't happening anymore. However, as persistant as it had been I just waited for a while before coming here to post. I now have the McAfee 12-in-1 installed and doing all of what all those other programs where doing and maybe more. I have not had that particular error message in days and it is FANTASTIC!!! I don't know if it was just the spyware terminator needing to be uninstalled, maybe it was corrupt or something, but after that I had like one error when installing McAfee that was somewhat similar except it had nothing to do with Explorer.exe I forgot what the program or dll was, but I think it was print spooler or spooler something. Only had that error once and I have not had anymore errors since.

I've even finally managed to get my Win2000PRO and my Win98SE computers fully talking over my wireless network. ha ha

Just to answer some of the last things you posted. I only have one account as administrator. I don't log onto windows in other words.

I only have one installation of the .net framework.

"Does the event viewer not show any listing for the error?" Not sure what the event viewer is unless that's Task manager?

I kept wondering where this log file was that it was always saying it was creating also.

Anyway the issue is resolved thanks to your very capable assistance!

How do I make sure everyone on this forum knows you know what you are doing or give you a good rating or whatever to try and repay you for all your time at least in some small way? I don't usually get into forums, but this one has been a good experience.

Thanks for all your help!!!

Wheeee...!
Takes me back to my first post.... bad software causing explorer.exe to crash. We focussed a bit on malware being the issue, but we did clean out your worm along the way.
So it merely turned out to be a bad installation of something legit... well, it happens. :). A full-time guard, no less.
You've been quite forensic in tracking this down, well done.
Event Viewer you reach via CP, Admin Tools; you'll see also Performance in that menu, it's where logs are created [if logging is enabled].
I'm sure you realise that being in an Administrator ac all the time means that you give those privileges to any malware you pick up whilst on the web...
I'm not chasing kudos... as I told someone else, this is my version of crossword puzzles. I pick the problems where I think I can help, or those which present a good opportunity to extend my knowledge.
It's been fun. Cheers, bear.

Thanks for the compliment about being forensic.

Yes believe it or not I did know it isn't the smartest thing to do running in Administrative all the time. I just really really hate dealing with well administration of various accounts, but I suppose it is adding waaay too much complication to my life now not to use some other type of account.
I understand about the not looking for kudos and this is like crossword puzzles to you, but none the less I did found the thing to at least add to gerbils reputation. Not sure I understand CP, Admin tools, but I'll figure it out.
Have fun, gerbil!

Control Panel.... :)