View Full Version : My windows explorer is crashing...



tromin
23-07-2008, 10:57 AM
Hey,

Sorry for any English errors, but I'm gonna do my best.

My problem is that my explorer crashes every time I close folders (any type of folder). Here's the error message:
http://img174.imageshack.us/img174/1599/36492074lx7qp0.png

I went to "Administrative Tools - Event Viewer" too and I clicked on the red cross. It says this:

Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x013616d3.

For more information, see Help and Support Center at http://go.Microsoft*.com/fwlink/events.asp.


This started happening after I installed Rapidown. I have read a lot of threads about this problem, and now I know that Rapidown is a dangerous program. I've tried many things: cleaning registry errors and cookies, scanning for viruses and spyware. I also downloaded a file (that I think came with spyware too) to fix shells or something...

Anyway, I'm sick of this problem and I really need help here.

I'll wait for answers.

Speedy Gonzales
23-07-2008, 11:07 AM
Post a hijackthis log.

Scan it with something like this (www.malwarebytes.org)

If you know something is dangerous or installs spyware, don't install it!

tromin
23-07-2008, 12:59 PM
Post a hijackthis log.

Scan it with something like this (www.malwarebytes.org)

If you know something is dangerous or installs spyware, don't install it!

Ok, thanks, I'm doing a scan right now with Malwarebytes; it can take a long time...

When the scan finishes, I'm going to post the HiJackThis log here.

By the way, the first time I ran Malwarebytes to update, it showed an error saying "Error loading database. Line: #10222." and every time I ran the program it said the same thing.

I had to search for an answer to solve the problem, and I found it, but I still can't update the program. I'm only saying this because it was a little strange.

Speedy Gonzales
23-07-2008, 01:06 PM
Get trojan remover in my sig as well..

If you can't get to the site, here's the direct link (http://www.simplysup1.com/download/dl/trsetup.exe)

Install it then scan. Then select all options under the utilities menu. Then update it

tromin
23-07-2008, 01:24 PM
Ok, thanks for everything, I'm gonna do all the things you said.

Tomorrow I'll put here the results of the Malwarebytes and Trojan Remover scans and the HiJackThis log too, because today I have no more time left.

One more thing before I go: is it necessary to do the scans in Safe Mode?

Speedy Gonzales
23-07-2008, 02:16 PM
One more thing before I go: is it necessary to do the scans in Safe Mode?

No, if you can boot into normal windows you can scan

tromin
23-07-2008, 09:31 PM
Hi again.

I did a scan with Kaspersky AV during the night, and it didn't detect anything. Then I scanned with Trojan Remover and it didn't detect anything either. I scanned with Malwarebytes and it detected a trojan in a file; I deleted it, and from quarantine too.

By the way, the infected file was:
C:\System Volume Information\_restore{83489493-9DEE-4402-8723-648BF0E8A0C8}\RP885\A0392566.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Then I restarted the PC, and when it started, the FastScan of Trojan Remover appeared and said that there were problems with some registry shells, and I fixed them, as the program recommended.

After all this, the error keeps appearing (like I said in the beginning, it appears every time I close any type of folder).

Here are the 2 messages of the problem:
--> http://img413.imageshack.us/img413/7238/99234031du1.png
--> http://img174.imageshack.us/img174/1599/36492074lx7qp0.png




HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 9:45:10 AM, on 7/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Transferir com FDM - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Transferir todos com FDM - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Transferir vídeo com FDM - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Transferência seleccionada pelo FDM - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195066082812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195066067218
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
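
Added example, not part of the original thread: a small Python triage of the "(file missing)" entries in a HijackThis log like the one above. It cross-checks each flagged target against the log's own "Running processes" list, because this log marks the Kaspersky avp.exe service as missing while the same path is listed as running. The sample lines are copied from the post; the function names are this example's own.

```python
import re

# Sample input: lines copied from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O23 - Service: ..."
MISSING = "(file missing)"

def parse_log(text):
    """Split a HijackThis log into running-process paths and section entries."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := ENTRY_RE.match(line)):
            entries.append({"code": m.group(1), "body": m.group(2)})
    return running, entries

def triage(text):
    """Return (code, target, verdict) for every entry marked '(file missing)'."""
    running, entries = parse_log(text)
    findings = []
    for e in entries:
        if not e["body"].endswith(MISSING):
            continue
        # The target is the last " - " field with the marker stripped.
        target = e["body"].rsplit(" - ", 1)[-1][: -len(MISSING)].strip()
        # A flagged target that is also in the process list exists on disk.
        live = any(target.lower().startswith(p) for p in running)
        verdict = "running, so present on disk" if live else "dangling reference"
        findings.append((e["code"], target, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Entries reported as a dangling reference still need checking on disk before anything is ticked for fixing.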

Speedy Gonzales
23-07-2008, 09:49 PM
Disable system restore (right mouse / properties) on my computer on the desktop. System restore tab.

Open my computer / go to tools / folder options / view.

Untick hide protected operating system files. Then OK.

If this is XP Pro, right mouse on the System Volume Information folder / security tab / add. Type in the name that appears in the menu (when you click on start). Then check names. If you put it in right, this will complete it. Then click on OK, OK.

Then you should be able to go into the System Volume Information folder.

Once you get into the above folder, delete everything in it. (Don't delete the folder itself though).

Then:

Tick these then tick fix checked

Close browsers

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

Then reboot. Then enable system restore again

Did you tick everything under utilities in trojan remover as well?

Also after you reboot, open my computer, highlight c, then right mouse / scan with trojan remover (did you update it as well)??

tromin
23-07-2008, 10:08 PM
Speedy Gonzales, when I untick "hide protected operating system files", the "System Volume Information" folder doesn't appear.

This is Windows XP Pro.

tromin
23-07-2008, 10:14 PM
I've done a search in the pc for that folder, and I found it, but when I right-click on the folder, there's no security tab.

Here's the printscreen:
http://img295.imageshack.us/img295/8795/15900844cu4.png

P.S. - The folder is empty.

I ticked all the utilities of Trojan Remover and I updated it as well.

Speedy Gonzales
23-07-2008, 10:25 PM
I've done a search in the pc for that folder, and I found it, but when I right-click on the folder, there's no security tab.

Select properties, then you'll see the security tab

tromin
23-07-2008, 10:34 PM
It's like a normal folder:
--> http://img367.imageshack.us/img367/6175/31734927oe0.png

Speedy Gonzales
23-07-2008, 10:38 PM
Open my computer, go to tools / options / view tab. Go to the bottom, untick use simple file sharing. Then OK. Then try it, you should see it

tromin
23-07-2008, 11:04 PM
There were only 2 hidden files in the "System Volume Information" folder; I deleted them.

Then I fixed the entries like you said, and rebooted, I even ticked the utilities of the Trojan Remover twice. And now I'm doing the scan of the C: drive.

I'll give you an answer when it finishes scanning.



P.S. - The entries I've deleted are not gonna affect the programs, right? Like Babylon, Nero, HP printer drives, etc...

Speedy Gonzales
23-07-2008, 11:18 PM
Nope, deleting the files in the system volume info won't affect anything.

Once you scan the hdd with trojan remover, reboot. Then enable system restore again

tromin
23-07-2008, 11:31 PM
No, I was asking:
- Does fixing those entries from HiJackThis affect the programs? In this case, Babylon, the HP printer drives, Nero, etc...

I've already rebooted and enabled the system restore, and now I'm scanning the C: drive, like you said.

tromin
24-07-2008, 12:28 AM
I really don't understand this. There are times when this error doesn't happen; like 5 minutes ago, I closed a lot of folders, all without any errors, but right now this started happening again...

Speedy Gonzales
24-07-2008, 09:00 AM
No, I was asking:
- Does fixing those entries from HiJackThis affect the programs? In this case, Babylon, the HP printer drives, Nero, etc...

I've already rebooted and enabled the system restore, and now I'm scanning the C: drive, like you said.

No they'll still work. If you tick them in the HJT log

tromin
24-07-2008, 09:26 AM
I'm going to do a complete scan of C: drive tonight, with Trojan Remover.

Tomorrow I'll put here the results.

Speedy Gonzales
24-07-2008, 09:27 AM
Update trojan remover again. It's just been updated to 6.71

tromin
24-07-2008, 10:22 AM
Update trojan remover again. It's just been updated to 6.71

Updated. Thanks.

By the way, every time I run Trojan Remover, Kaspersky AV detects 2 things. Here are the printscreens:
--> http://img93.imageshack.us/img93/9276/imagem1em1.png
--> http://img93.imageshack.us/img93/1729/imagem2rl0.png

Trojan Remover doesn't have any kind of trojans or viruses, right?

And do you recommend me to use this anti-virus? Or do you know a better one?

Speedy Gonzales
24-07-2008, 10:29 AM
Add Trojan Remover to the trusted zone; it's not a virus or trojan

I use it myself, I'm a registered user of it

Trojan Remover has a feature called random filename generation. It changes its name so it can't be disabled by trojans / viruses etc

tromin
24-07-2008, 11:06 AM
Add Trojan Remover to the trusted zone; it's not a virus or trojan

I use it myself, I'm a registered user of it

Trojan Remover has a feature called random filename generation. It changes its name so it can't be disabled by trojans / viruses etc

Ok ok thanks

What about the anti-virus?

Speedy Gonzales
24-07-2008, 11:11 AM
Well, I would use Avast Home (http://avast.com/eng/avast_4_home.html), it's free

But you do have to register it often (for free), by going to the Avast site

Trojan Remover isn't an anti virus. It deals more with rootkits / spyware / trojans.

But if you decide to use Avast, uninstall Kaspersky