Jump to content


Photo

Windows Explorer shutdown


  • This topic is locked This topic is locked
5 replies to this topic

#1 exnocte

exnocte

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 May 2004 - 11:34 AM

Everytime I open Internet Explorer, a window pops up saying: "Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

If I click "close" on the window, then my start bar appears to reload.

This message continues appearing until I shut Internet Explorer down.

Since this only occurs with IE, I thought this might be spyware.

Here's my logfile:
Logfile of HijackThis v1.97.7
Scan saved at 12:29:14 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\svchost.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System\taskman.exe
C:\Documents and Settings\Michael Shonebarger\Application Data\amee.exe
C:\WINDOWS\System32\wnsintcc.exe
C:\Documents and Settings\Michael Shonebarger\Local Settings\Temp\Temporary Directory 51 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dwwin.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\taskman.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Michael Shonebarger\Application Data\amee.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - Startup: Microsoft Data Helper.lnk = ?
O9 - Extra button: AIM (HKLM)

#2 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 25 May 2004 - 11:44 AM

Hi there. One of the experts will be with you shortly to determine what needs to be done.

In the meantime, create a new folder/directory called C:\HJT and move HijackThis to it. Temp folders aren't good places for it.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#3 exnocte

exnocte

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 28 May 2004 - 10:30 AM

anybody?

#4 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 28 May 2004 - 10:59 AM

I'm looking over your log right now. I'll get back to you once I've determined what needs to go.

In the meantime, run a full virus scan and report back with the names of viruses found and infected files. I noticed you have at least one.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#5 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 28 May 2004 - 04:14 PM

Close all browser windows, go back into HijackThis and remove the following items:

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Michael Shonebarger\Application Data\amee.exe


Then delete the following files:

C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\wnsintcc.exe
C:\Documents and Settings\Michael Shonebarger\Application Data\amee.exe


You may have to show hidden files and boot into safe mode to delete these files.

One very important note on deleting svchost.exe: Only delete the one in C:\WINDOWS. The one located in C:\WINDOWS\System32 is a legit file. Make sure you don't delete that one by mistake.

Reboot and post a new log.

-- LB

Edited by VashonDude, 28 May 2004 - 04:16 PM.

Want to help in the fight against malware? Join the SWI boot camp.

#6 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 12 October 2004 - 05:14 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button