[RYU81]

Have WINXP Home w/SP2. When I choose user to log in, the desktop starts to
launch then explorer crashes and restarts and keeps doing over and over.

[cluberti]

If you can get your box to work in safe mode, consider running ShellExView and Autoruns to disable all non-Microsoft shell extensions and startup items, then reboot regularly and see if that fixes it (almost always does). Then, if you need something you disabled, re-enable things one at a time or in small bunches until the problem returns, and you can then pinpoint what you enabled that caused the problem.

[RYU81]

I disable all non-Microsoft shell extensions and startup items and is still show me same error.also I disable all Microsoft shell extensions only "shell rebar bandsite" but my Explorer.exe not working.

[MikeyHunt]

...you did check for viruses and bad bugs ?? yes?

[cluberti]

A dump of explorer.exe crashing would be nice too - also, if it worked in safe mode but not regularly, something else is amiss .

[mara-]

Try with disabling Dr. Watson. I know that while running XP I had problem with it.

Cheers

[RYU81]

MikeyHunt, on Mar 8 2008, 11:50 PM, said:

...you did check for viruses and bad bugs ?? yes?

yes.nothing there.

cluberti, on Mar 9 2008, 01:59 AM, said:

A dump of explorer.exe crashing would be nice too - also, if it worked in safe mode but not regularly, something else is amiss .

how to do it?

mara-, on Mar 9 2008, 07:27 AM, said:

Try with disabling Dr. Watson. I know that while running XP I had problem with it.
i disable Dr. Watson but error still show.
Cheers

[cluberti]

RYU81, on Mar 9 2008, 10:28 AM, said:

cluberti, on Mar 9 2008, 01:59 AM, said:

A dump of explorer.exe crashing would be nice too - also, if it worked in safe mode but not regularly, something else is amiss .

how to do it?

http://www.msfn.org/...mps-t90244.html

[RYU81]

which file need to upload it?or all files?

[cluberti]

RYU81, on Mar 9 2008, 07:09 PM, said:

which file need to upload it?or all files?

If you got a dump of explorer.exe, upload the whole "crash-mode-xxx...." folder after you compress it into a zip or a rar.

[RYU81]

cluberti, on Mar 9 2008, 07:27 PM, said:

RYU81, on Mar 9 2008, 07:09 PM, said:

which file need to upload it?or all files?

If you got a dump of explorer.exe, upload the whole "crash-mode-xxx...." folder after you compress it into a zip or a rar.

http://www.sendspace.com/file/d4swty

[cluberti]

Well, I hate to sound ornery, but you didn't accomplish disabling shell extensions or startup items as previously suggested. Your explorer "crashed" (and I use this lightly, because it wasn't actually a crash!) due to something using the FindAtom function to find a string, and then calling ExitProcess to kill explorer.exe after it failed - note that this is NOT a call to TerminateProcess, which would forcefully tear it down, but ExitProcess, a graceful exit (similar to clicking the X on a running Window to close it - a graceful process shutdown). Something on your machine is actually calling explorer.exe to crash. I looked at the loaded module list, and found that you have quite a few non-Microsoft modules loaded that I would consider unnecessary for operation, and should be disabled. I did find very interesting that part of the crash is indeed an exception in a binary (not explorer.exe, though) right before the crash. The eax register shows us this (eax is used as the register to store the return of a call to some function), and it looks like we're hitting an except block in something:

// The registers at the time of the crash, some of which are very important:
0:000> r
eax=77c280e4 ebx=00000000 ecx=77c112b0 edx=77c61a70 esi=7c90e88e edi=c0000005
eip=7c90eb94 esp=0119fea4 ebp=0119ffa0 iopl=0		 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000			 efl=00000246
ntdll!KiFastSystemCallRet:
7c90eb94 c3			  ret

// Not good to see us doing this:
0:000> u 77c280e4 
msvcrt!__CxxRestoreUnhandledExceptionFilter:
77c280e4 ff35fc17c677	push	dword ptr [msvcrt!UnDecorator::fGetTemplateArgumentList+0x3 (77c617fc)]
77c280ea ff15b810c177	call	dword ptr [msvcrt!_imp__SetUnhandledExceptionFilter (77c110b8)]
77c280f0 c3			  ret
77c280f1 cc			  int	 3
77c280f2 cc			  int	 3
77c280f3 cc			  int	 3
77c280f4 cc			  int	 3
77c280f5 cc			  int	 3

// This is definitely coming from the C runtimes, so we know someone linked this:
0:000> !object 77c280e4 
No export object found
0:000> !address 77c280e4 
	77c10000 : 77c11000 - 0004c000
					Type	 01000000 MEM_IMAGE
					Protect  00000020 PAGE_EXECUTE_READ
					State	00001000 MEM_COMMIT
					Usage	RegionUsageImage
					FullPath C:\WINDOWS\system32\msvcrt.dll

// We can see the exit itself in edx:
0:000> u 77c61a70 
msvcrt!_C_Exit_Done+0x1c:
77c61a70 e0c8			loopne  msvcrt!__initenv+0x2 (77c61a3a)
77c61a72 97			  xchg	eax,edi
77c61a73 7cff			jl	  msvcrt!_C_Exit_Done+0x20 (77c61a74)
...

// esi should point to the NtTerminateProcess function, which it does:
0:000> u 7c90e88e 
ntdll!NtTerminateProcess:
7c90e88e b801010000	  mov	 eax,101h
7c90e893 ba0003fe7f	  mov	 edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c90e898 ff12			call	dword ptr [edx]
7c90e89a c20800		  ret	 8
...

// edi should have the error code, c0000005:
0:000> !error c0000005
Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

So we know the FindAtomW function that was called by something inside explorer.exe tried to read the string from an invalid location (and thus excepted, causing explorer to crash - but we still don't know who caused this, however, we do now know why.

// Looking at the stack pointer (esp), we can get an idea of what happened,
// hopefully - there's the call, btw, and likely populated eax (the exception):
0:000> u 0119fea4 
0119fea4 9ae8907c5eca81  call	81CA:5E7C90E8
0119feab 7cff			jl	  0119feac
0119fead ff			  ???
0119feae ff			  ???
0119feaf ff050000c000	inc	 dword ptr ds:[0C00000h]
0119feb5 0000			add	 byte ptr [eax],al
0119feb7 0000			add	 byte ptr [eax],al
0119feb9 0000			add	 byte ptr [eax],al

// Looking at the memory structure of the stack, it looks like this wasn't
// explorer.exe; rpc and remote threads usually mean something else is amiss:

// stack pointer:
0:000> dds 0119fea4 
0119fea4  7c90e89a ntdll!ZwTerminateProcess+0xc
0119fea8  7c81ca5e kernel32!_ExitProcess+0x62
0119feac  ffffffff
0119feb0  c0000005
0119feb4  00000000
0119feb8  00000000
0119febc  00000000
0119fec0  00000000
0119fec4  00300014
0119fec8  00000002
0119fecc  00000a64
0119fed0  00000f84
0119fed4  0008088a
0119fed8  00000000
0119fedc  00000000
0119fee0  00010003
0119fee4  00000000
0119fee8  000d8590
0119feec  c0000005
0119fef0  77f6952b shlwapi!ExecuteWorkItem
0119fef4  00000000
0119fef8  0119ff40
0119fefc  7c927545 ntdll!RtlpWorkerCallout+0x70
0119ff00  000dd0d0
0119ff04  7c97c3a0 ntdll!NumExecutingWorkerThreads
0119ff08  000dd0e8
0119ff0c  00000000
0119ff10  00000014
0119ff14  00000001
0119ff18  00000000
0119ff1c  00000000
0119ff20  00000010

// base pointer:
0:000> dds 0119ffa0 
0119ffa0  0119ffb4
0119ffa4  7c81cab6 kernel32!ExitProcess+0x14
0119ffa8  c0000005
0119ffac  77e8f3b0 rpcrt4!SECURITY_CONTEXT::InitializeThirdLeg+0x18f
0119ffb0  ffffffff
0119ffb4  0119ffec
0119ffb8  7c83aa89 kernel32!CreateRemoteThread+0x56
0119ffbc  c0000005
0119ffc0  00f8fce4
0119ffc4  00f8fce8
0119ffc8  00000000
0119ffcc  7ffd9000
0119ffd0  c0000005
0119ffd4  0119ffc0
0119ffd8  0119ef3c
0119ffdc  ffffffff
0119ffe0  7c8399f3 kernel32!_except_handler3
0119ffe4  7c80b518 kernel32!`string'+0x88
0119ffe8  ffffffff
0119ffec  00000000
0119fff0  00000000
0119fff4  7c910760 ntdll!RtlpWorkerThread
0119fff8  00000000
0119fffc  00000000
011a0000  ????????
011a0004  ????????
011a0008  ????????
011a000c  ????????
011a0010  ????????
011a0014  ????????
011a0018  ????????
011a001c  ????????


So it's not obvious what's going on, other than it looks like something outside of explorer.exe's code doing it.  Here's the non-Microsoft modules loaded or unloaded at the time of the dump:

0:000> lm
module name
RarExt.dll
TRshell.dll
JetFlExt.dll
Jccatch.dll
pdfshell.dll
NeroDigitalExt.dll
WZSHLSTB.DLL
NavShExt.dll
ccL60U.dll
ccVrTrst.dll

Unloaded modules:
WZCAB3.DLL
wzshlex1.dll

0:000> lmvm rarext
start	end		module name
018a0000 018cb000   RarExt	 (export symbols)	   RarExt.dll
	Loaded symbol image file: RarExt.dll
	Image path: C:\Program Files\WinRAR\RarExt.dll
	Image name: RarExt.dll
	Timestamp:		Sun Dec 26 10:34:37 2004 (41CEDA0D)
	CheckSum:		 00021AC9
	ImageSize:		0002B000
	File version:	 0.0.0.0
	Product version:  0.0.0.0
	File flags:	   0 (Mask 0)
	File OS:		  0 Unknown Base
	File type:		0.0 Unknown
	File date:		00000000.00000000
	Translations:	 0000.04b0 0000.04e0 0409.04b0 0409.04e0

0:000> lmvm trshell
start	end		module name
01cd0000 01cf8000   TRshell	(export symbols)	   TRshell.dll
	Loaded symbol image file: TRshell.dll
	Image path: C:\Program Files\TagRename\TRshell.dll
	Image name: TRshell.dll
	Timestamp:		Fri Jun 19 18:22:17 1992 (2A425E19)
	CheckSum:		 0002D0CA
	ImageSize:		00028000
	File version:	 3.5.7.19
	Product version:  3.5.7.19
	File flags:	   0 (Mask 3F)
	File OS:		  4 Unknown Win32
	File type:		1.0 App
	File date:		00000000.00000000
	Translations:	 0409.04e4
	CompanyName:	  Softpointer Inc
	ProductName:	  
	InternalName:	 TRShell.dll
	OriginalFilename: 
	ProductVersion:   
	FileVersion:	  3.5.7.19
	FileDescription:  Tag&Rename shell extension
	LegalCopyright:   
	LegalTrademarks:  
	Comments:		 

0:000> lmvm JetFlExt
start	end		module name
01f00000 01f29000   JetFlExt C (export symbols)	   JetFlExt.dll
	Loaded symbol image file: JetFlExt.dll
	Image path: C:\Program Files\JetAudio\JetFlExt.dll
	Image name: JetFlExt.dll
	Timestamp:		Wed May 09 15:52:42 2007 (4642268A)
	CheckSum:		 00000000
	ImageSize:		00029000
	File version:	 6.0.0.9751
	Product version:  6.0.0.0
	File flags:	   0 (Mask 3F)
	File OS:		  4 Unknown Win32
	File type:		2.0 Dll
	File date:		00000000.00000000
	Translations:	 0409.04b0
	CompanyName:	  COWON America
	ProductName:	  JetFlExt Module
	InternalName:	 JetFlExt
	OriginalFilename: JetFlExt.DLL
	ProductVersion:   6, 0, 0, 0
	FileVersion:	  6, 0, 0, 9751
	PrivateBuild:	 6, 0, 0, 9751
	SpecialBuild:	 6, 0, 0, 9751
	FileDescription:  Shell Extension for jetAudio
	LegalCopyright:   Copyright 2005-2006, All rights reserved.
	LegalTrademarks:  Copyright 2005-2006, All rights reserved.
	Comments:		 Copyright 2005-2006, All rights reserved.

0:000> lmvm jccatch
start	end		module name
02630000 02645000   Jccatch  C (export symbols)	   Jccatch.dll
	Loaded symbol image file: Jccatch.dll
	Image path: C:\Program Files\FlashGet\Jccatch.dll
	Image name: Jccatch.dll
	Timestamp:		Tue May 16 03:19:40 2006 (44697D0C)
	CheckSum:		 00000000
	ImageSize:		00015000
	File version:	 1.1.5.0
	Product version:  1.1.5.0
	File flags:	   0 (Mask 3F)
	File OS:		  4 Unknown Win32
	File type:		2.0 Dll
	File date:		00000000.00000000
	Translations:	 0409.04b0
	CompanyName:	  FlashGet
	ProductName:	  jccatch Module
	InternalName:	 jccatch
	OriginalFilename: jccatch.DLL
	ProductVersion:   1, 1, 5, 0
	FileVersion:	  1, 1, 5, 0
	PrivateBuild:	 1, 1, 5, 0
	SpecialBuild:	 1, 1, 5, 0
	FileDescription:  jccatch Module
	LegalCopyright:   Copyright 1999 by FlashGet
	LegalTrademarks:  Copyright 1999 by FlashGet
	Comments:		 Copyright 1999 by FlashGet

0:000> lmvm pdfshell
start	end		module name
03060000 030bb000   pdfshell   (export symbols)	   pdfshell.dll
	Loaded symbol image file: pdfshell.dll
	Image path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll
	Image name: pdfshell.dll
	Timestamp:		Mon Oct 23 03:28:04 2006 (453C6F04)
	CheckSum:		 0005D45D
	ImageSize:		0005B000
	File version:	 8.0.0.0
	Product version:  8.0.0.0
	File flags:	   0 (Mask 3F)
	File OS:		  40004 NT Win32
	File type:		2.0 Dll
	File date:		00000000.00000000
	Translations:	 0409.04b0
	CompanyName:	  Adobe Systems, Inc.
	ProductName:	  Adobe PDF Shell Extension
	InternalName:	 PDFShell
	OriginalFilename: PDFShell.dll
	ProductVersion:   8.0.0.0
	FileVersion:	  8.0.0.0
	FileDescription:  PDF Shell Extension
	LegalCopyright:   Copyright 2000-2006 Adobe Systems, Inc.

0:000> lmvm NeroDigitalExt
start	end		module name
030f0000 032a8000   NeroDigitalExt   (export symbols)	   NeroDigitalExt.dll
	Loaded symbol image file: NeroDigitalExt.dll
	Image path: C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll
	Image name: NeroDigitalExt.dll
	Timestamp:		Fri Jul 20 05:26:38 2007 (46A07FCE)
	CheckSum:		 001C3D6D
	ImageSize:		001B8000
	File version:	 3.1.0.8
	Product version:  3.1.0.8
	File flags:	   0 (Mask 1F)
	File OS:		  4 Unknown Win32
	File type:		2.0 Dll
	File date:		00000000.00000000
	Translations:	 0409.04e4
	CompanyName:	  Nero AG
	ProductName:	  Nero Digital Tools
	InternalName:	 NeroDigitalExt.dll
	OriginalFilename: NeroDigitalExt.dll
	ProductVersion:   3, 1, 0, 8
	FileVersion:	  3, 1, 0, 8
	FileDescription:  Nero Digital Shell Extension
	LegalCopyright:   Copyright (c) 1995-2005 Nero AG and its licensors.

0:000> lmvm WZSHLSTB
start	end		module name
16200000 16206000   WZSHLSTB C (export symbols)	   WZSHLSTB.DLL
	Loaded symbol image file: WZSHLSTB.DLL
	Image path: C:\Program Files\WinZip\WZSHLSTB.DLL
	Image name: WZSHLSTB.DLL
	Timestamp:		Fri Nov 10 00:49:26 2006 (455412E6)
	CheckSum:		 00000000
	ImageSize:		00006000
	File version:	 4.1.0.0
	Product version:  11.0.0.0
	File flags:	   0 (Mask 3F)
	File OS:		  4 Unknown Win32
	File type:		2.0 Dll
	File date:		00000000.00000000
	Translations:	 0409.04e4
	CompanyName:	  WinZip Computing LP
	ProductName:	  WinZip
	InternalName:	 WZSTUBSE.DLL
	OriginalFilename: WZSTUBSE.DLL
	ProductVersion:   11.0  (6595)
	FileVersion:	  4.1 (32-bit)
	FileDescription:  WinZip Shell Extension DLL
	LegalCopyright:   Copyright (c) WinZip International LLC 1991-2006 - All Rights Reserved
	LegalTrademarks:  WinZip is a registered trademark of WinZip International LLC
	Comments:		 StringFileInfo: U.S. English

0:000> lmvm NavShExt
start	end		module name
6a090000 6a0b9000   NavShExt   (export symbols)	   NavShExt.dll
	Loaded symbol image file: NavShExt.dll
	Image path: C:\Program Files\Norton AntiVirus\NavShExt.dll
	Image name: NavShExt.dll
	Timestamp:		Sun Jan 14 04:08:04 2007 (45A9F2F4)
	CheckSum:		 0002D7B5
	ImageSize:		00029000
	File version:	 14.2.0.29
	Product version:  14.2.0.0
	File flags:	   0 (Mask 3F)
	File OS:		  40004 NT Win32
	File type:		1.0 App
	File date:		00000000.00000000
	Translations:	 0409.04b0
	CompanyName:	  Symantec Corporation
	ProductName:	  Norton AntiVirus
	InternalName:	 NavShExt
	OriginalFilename: NavShExt.dll
	ProductVersion:   14.2.0
	FileVersion:	  14.2.0.29
	FileDescription:  Norton AntiVirus Shell Extension Module
	LegalCopyright:   Copyright © 2006 Symantec Corporation. All rights reserved.

0:000> lmvm ccL60U
start	end		module name
6ae80000 6af05000   ccL60U	 (export symbols)	   ccL60U.dll
	Loaded symbol image file: ccL60U.dll
	Image path: C:\Program Files\Common Files\Symantec Shared\ccL60U.dll
	Image name: ccL60U.dll
	Timestamp:		Wed Jan 10 00:56:27 2007 (45A4800B)
	CheckSum:		 00089671
	ImageSize:		00085000
	File version:	 106.2.0.21
	Product version:  106.2.0.21
	File flags:	   0 (Mask 3F)
	File OS:		  40004 NT Win32
	File type:		1.0 App
	File date:		00000000.00000000
	Translations:	 0409.04b0
	CompanyName:	  Symantec Corporation
	ProductName:	  Symantec Security Technologies
	InternalName:	 ccLib
	OriginalFilename: ccL60.dll
	ProductVersion:   106.2.0.21
	FileVersion:	  106.2.0.21
	FileDescription:  Symantec Library
	LegalCopyright:   Copyright (c) 2000-2006 Symantec Corporation. All rights reserved.

0:000> lmvm ccVrTrst
start	end		module name
6b790000 6b7af000   ccVrTrst   (export symbols)	   ccVrTrst.dll
	Loaded symbol image file: ccVrTrst.dll
	Image path: C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll
	Image name: ccVrTrst.dll
	Timestamp:		Wed Jan 10 00:56:52 2007 (45A48024)
	CheckSum:		 0002A0D1
	ImageSize:		0001F000
	File version:	 106.2.0.21
	Product version:  106.2.0.21
	File flags:	   0 (Mask 3F)
	File OS:		  40004 NT Win32
	File type:		1.0 App
	File date:		00000000.00000000
	Translations:	 0409.04b0
	CompanyName:	  Symantec Corporation
	ProductName:	  Symantec Security Technologies
	InternalName:	 ccVrTrst
	OriginalFilename: ccVrTrst.dll
	ProductVersion:   106.2.0.21
	FileVersion:	  106.2.0.21
	FileDescription:  Symantec Trust Validation Engine
	LegalCopyright:   Copyright (c) 2000-2006 Symantec Corporation. All rights reserved.

I also noticed you had Windows Media, DRM, and Messenger .dll files in the unloaded modules list as well. Seems odd, if explorer is just starting, to have Windows Media indexer and DRM files loaded. What exactly did you do just before this started? I see what you were running, and I do suspect something multimedia-related or MSN messenger related:

 0 32	0 System Process  
	 Command Line: 
 0 32	4 System		  
	 Command Line: 
 0 32  444 smss.exe		
	 Command Line: \SystemRoot\System32\smss.exe
 0 32  508 csrss.exe	   Title: 
	 Command Line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
 0 32  532 winlogon.exe	
	 Command Line: winlogon.exe
 0 32  576 services.exe	Svcs:  Eventlog,PlugPlay
	 Command Line: C:\WINDOWS\system32\services.exe
 0 32  588 lsass.exe	   Svcs:  ProtectedStorage,SamSs
	 Command Line: C:\WINDOWS\system32\lsass.exe
 0 32  740 svchost.exe	 Svcs:  DcomLaunch,TermService
	 Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
 0 32  788 svchost.exe	 Svcs:  RpcSs
	 Command Line: C:\WINDOWS\system32\svchost -k rpcss
 0 32  856 svchost.exe	 Svcs:  AudioSrv,CryptSvc,Dhcp,dmserver,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanworkst
ation,Netman,Nla,RasMan,Schedule,ShellHWDetection,TapiSrv,Themes,TrkWks,winmgmt,WZCSVC
	 Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
 0 32  908 svchost.exe	 Svcs:  Dnscache
	 Command Line: C:\WINDOWS\system32\svchost.exe -k NetworkService
 0 32 1040 ccSvcHst.exe	Svcs:  ccEvtMgr,ccSetMgr,LiveUpdate Notice Ex
	 Command Line: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
 0 32 1172 AppSvc32.exe	Svcs:  SymAppCore
	 Command Line: "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
 0 32 1444 svchost.exe	 Svcs:  Alerter,WebClient
	 Command Line: C:\WINDOWS\system32\svchost.exe -k LocalService
 0 32 1524 AluSchedulerSvc.exe Svcs:  Automatic LiveUpdate Scheduler
	 Command Line: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
 0 32 1900 ccSvcHst.exe	Svcs:  CLTNetCnService
	 Command Line: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon
 0 32  360 AHQTbU.exe	  Title: 
	 Command Line: "C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE" 
 0 32  368 zlclient.exe	Title: ZoneAlarm Security Alert
	 Command Line: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" 
 0 32  376 ccApp.exe	   Title: 
	 Command Line: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" 
 0 32  976 iemaximizer.exe Title: IE New Window Maximizer
	 Command Line: "C:\Program Files\IE New Window Maximizer\iemaximizer.exe" 
 0 32 1044 USBSafelyRemove.exe Title: 
	 Command Line: "C:\Program Files\USB Safely Remove\USBSafelyRemove.exe" /startup
 0 32 1108 MsnMsgr.Exe	 Title: Le MoNsTrE HuSsAiNoOoOoO - Conversation
	 Command Line: "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
 0 32 1204 ctfmon.exe	  Title: 
	 Command Line: "C:\WINDOWS\system32\ctfmon.exe" 
 0 32 1240 vsmon.exe	   Title: 
	 Command Line: vsmon.exe -status
 0 32 2784 winamp.exe	  Title: 1. Keith Power - Dark Sector Theme - Winamp [Stopped]
	 Command Line: "C:\Program Files\Winamp\winamp.exe" 
 0 32  928 symlcsvc.exe	Svcs:  Symantec Core LC
	 Command Line: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
 0 32 4004 FIREFOX.EXE	 Title: Where is tlist.exe in Windows XP? - Mozilla Firefox
	 Command Line: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE" -requestPending -osint -url "http://www.youtube.com/watch?v=QWs9EvZhrwU"
 0 32 3100 cmd.exe		 Title: C:\WINDOWS\system32\cmd.exe - cscript adplus.vbs -crash -pn explorer.exe -quiet -o c:\adplus
	 Command Line: "C:\WINDOWS\system32\cmd.exe" 
 0 32 2064 dllhost.exe	 Svcs:  COMSysApp  Mts:   System Application
	 Command Line: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
 0 32 3584 rsvp.exe		Svcs:  RSVP
	 Command Line: C:\WINDOWS\system32\rsvp.exe
 0 32 2660 Explorer.EXE	Title: Program Manager
	 Command Line: C:\WINDOWS\explorer.exe
 0 32 2556 dwwin.exe	   Title: OfficeWatson
	 Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 896
 0 32 3232 cscript.exe	 Title: 
	 Command Line: cscript adplus.vbs -crash -pn explorer.exe -quiet -o c:\adplus
 0 32 1368 cmd.exe		 Title: C:\WINDOWS\system32\cmd.exe
	 Command Line: "C:\WINDOWS\system32\cmd.exe" /c tlist.exe -v >"c:\adplus\Crash_Mode__Date_03-10-2008__Time_03-05-47AM\Process_List.txt"
 0 32 2484 tlist.exe	   
	 Command Line: tlist.exe -v

Ultimately, I need you to disable things with shellextview and autoruns if you don't see anything obvious here that jogs your memory. Oh:

Quote

Title: Where is tlist.exe in Windows XP? - Mozilla Firefox

Try tasklist.exe -v.

[RYU81]

no,I try to disable all non-Microsoft shell extensions and startup items but nothing change.I'll try again.
about tlist.exe i saw it in log file when i made dump.then i try to find what is it in google.

[RYU81]

anyway I disable at most everything and still show there error but i try scan with Windows File Protection,than fix my error.thanks anyway to try help me.