Access Violation

16 replies to this topic

#1 clive1

Posted 05 June 2007 - 03:22 AM

Hi and Good Morning

I have an issue with a file/folder that refuses to delete and continually crashes windows explorer.

The operating system is windows xp 2nd edition home.

BACKGROUND

I use Limewire for music and sometimes music video files.
A couple of weeks ago I downloaded a file, with others, which I now suspect is not what it was supposed to be.

Limewire downloads initially into an 'incomplete' folder and when files finish downloading the program automatically moves them into a completed folder called Limewire.

PROBLEM

When I tried to open the Limewire folder I got an error message saying Windows Explorer had encountered a problem and needs to close, followed by a second saying Dr Watson postmortem debugger had also encountered a problem and needed to close.

Closing those windows resulted in windows explorer closing and restarting again.

I then found that I didn't need to even open the file; if the mouse pointer went anywhere near the folder the error messages would appear.


SOLUTIONS

I then ran several different spyware and malware removal tools and these either stopped as soon as they reached this folder or I got an access violation warning with the relevant address.

I tried to delete the folder but would always get the Windows Explorer shutdown.

I downloaded a tool called Unlocker which did allow me to move the whole folder to an empty folder, which I then tried to delete, but still the error messages appear.

I tried to move the whole folder to a disc but again the Windows Explorer error messages prohibited this.

I ran HijackThis but found nothing untoward.

I ran Microsoft's Malicious Software Removal Tool; nothing there either.

REQUEST

I am out of ideas now and wonder whether anyone recognises the symptoms or knows the cause.

Hope someone can help

Many thanks

Clive

#2 Budapest

Posted 05 June 2007 - 03:27 AM

Have you tried to delete the file/folder in safe mode?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 clive1

Posted 05 June 2007 - 05:49 AM

OK, have just tried safe mode as administrator. Exactly the same error.

Tried Unlocker but that crashed too!

Clive

#4 usasma

Posted 05 June 2007 - 05:57 AM

I'd suggest using BartPE (free) to remove it. If it asks you to load registry hives when starting it, tell it no - then you should be able to use one of the tools in Bart PE to locate and remove the file. http://www.nu2.nu/pebuilder/

#5 Budapest

Posted 05 June 2007 - 05:58 AM

I would suspect you have some kind of nasty infection. Perhaps you should post your HijackThis log in the HijackThis forum and let the experts take a look. Another thing you could try is a system restore back to a point before this problem occurred.

#6 clive1

Posted 05 June 2007 - 06:36 AM

Hi, thanks for that.

I tried pebuilder; however, when I tried to run it, it crashed with the following log:


As suggested, here is the HijackThis log file:



Logfile of HijackThis v1.99.1
Scan saved at 12:29:26, on 05/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SiteAdvisor\5248\SAService.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareControl.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com/portal/site/skybb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PhishingNet BHO - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5248\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: VersionTracker Pro.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: http://www.skybroadband.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5248\SAService.exe

Hope these mean something to someone!!

Clive

#7 clive1

Posted 13 June 2007 - 07:01 AM

Well, still no further on.

The HijackThis log was clean.

The latest program I've tried is called Delete Invalid File; that shows the folder but is also unable to delete it.

Trying to delete in safe mode doesn't work either; explorer just crashes.

I've searched for invalid file names; there are none.

As long as I am nowhere near that folder everything works normally. Go near it and explorer crashes to desktop.

Any ideas, anyone, please?


Clive

#8 Nikas

Posted 13 June 2007 - 07:31 AM

When explorer.exe crashes, a window will pop up and tell you that it crashed. There will be some text (blue words with a link) that asks you to click here to see more information (can't remember much). Click that and see which file makes it crash all the time; better still, post a screenshot.

#9 clive1

Posted 14 June 2007 - 01:54 AM

This is the text generated by win ex when it crashes. Hope it means something!!


<MATCHING_FILE NAME="wininet.dll" SIZE="822784" CHECKSUM="0xEB941461" BIN_FILE_VERSION="7.0.6000.16473" BIN_PRODUCT_VERSION="7.0.6000.16473" PRODUCT_VERSION="7.00.6000.16473" FILE_DESCRIPTION="Internet Extensions for Win32" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Windows® Internet Explorer" FILE_VERSION="7.00.6000.16473 (vista_gdr.070420-1500)" ORIGINAL_FILENAME="wininet.dll" INTERNAL_NAME="wininet.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xD0840" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="7.0.6000.16473" UPTO_BIN_PRODUCT_VERSION="7.0.6000.16473" LINK_DATE="04/25/2007 08:41:16" UPTO_LINK_DATE="04/25/2007 08:41:16" VER_LANGUAGE="English (United States) [0x409]" />

<MATCHING_FILE NAME="winsock.dll" SIZE="2864" CHECKSUM="0x73AE8088" BIN_FILE_VERSION="3.10.0.103" BIN_PRODUCT_VERSION="3.10.0.103" PRODUCT_VERSION="3.10" FILE_DESCRIPTION="Windows Socket 16-Bit DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows™ Operating System" FILE_VERSION="3.10" ORIGINAL_FILENAME="WINSOCK.DLL" INTERNAL_NAME="WINSOCK" LEGAL_COPYRIGHT="Copyright © Microsoft Corp. 1981-1996" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x10001" VERFILETYPE="0x2" MODULE_TYPE="WIN16" S16BIT_DESCRIPTION="BSD Socket API for Windows" S16BIT_MODULE_NAME="WINSOCK" UPTO_BIN_FILE_VERSION="3.10.0.103" UPTO_BIN_PRODUCT_VERSION="3.10.0.103" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>

#10 usasma
  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Location: Southeastern CT, USA

Posted 14 June 2007 - 08:09 AM

Sorry, but I can't make anything out of the logfiles - way too long for my eyes to sit through (I'm visually handicapped). But all the files mentioned in the logs are Windows core files. I'd suggest looking for these errors in the Event Viewer (Start...Run...type in "eventvwr.msc" (without the quotes) and press Enter). Check both the Application and System logs for errors. When you find the errors, double click on them to get the information about them and post it here.

My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#11 clive1
  • Topic Starter
  • Members
  • 16 posts
  • Location: herts uk

Posted 14 June 2007 - 11:14 AM

OK, as requested, several of these, all the same!!

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 75 6e 6b 6e 6f in unkno
0038: 77 6e 20 30 2e 30 2e 30 wn 0.0.0
0040: 2e 30 20 61 74 20 6f 66 .0 at of
0048: 66 73 65 74 20 36 35 36 fset 656
0050: 35 37 34 36 35 0d 0a 57465..
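The hex dump above is the Event Viewer's Bytes view of the event's Data field, and it decodes to the Dr. Watson failure string: application, version, faulting module, module version and fault offset. As an added example, not code from clive1's post or from any tool named in this thread, here is a small Python decoder that rebuilds the bytes from such a dump, splits the failure string into its fields, and flags one thing worth noticing in this particular record: the fault offset 65657465 consists of four printable ASCII bytes, in a module Windows could not name. The sample dump is a constructed copy of the one posted above; the field names and the printable-address heuristic are this example's own.

```python
"""Decode an XP Event Viewer "Data" hex dump (Bytes view) and parse the
Dr. Watson 'Application Failure' record it contains.

Added example for this thread, not code from the original post. The sample
dump is a constructed copy of the one posted above; the returned field
names and the printable-address heuristic are this example's own.
"""
import re

# Constructed sample: the Event Viewer Data box as pasted in the post.
SAMPLE_DUMP = """\
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure  exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 75 6e 6b 6e 6f in unkno
0038: 77 6e 20 30 2e 30 2e 30 wn 0.0.0
0040: 2e 30 20 61 74 20 6f 66 .0 at of
0048: 66 73 65 74 20 36 35 36 fset 656
0050: 35 37 34 36 35 0d 0a    57465..
"""

# One dump line: 4-digit hex offset, colon, up to 8 byte values. Each byte
# must be a 2-digit token followed by whitespace or end of line, so the ASCII
# column on a short last line ("57465..") is not mistaken for more hex.
_LINE = re.compile(r"^([0-9A-Fa-f]{4}):((?:\s+[0-9A-Fa-f]{2}(?=\s|$)){1,8})")

# The Dr. Watson record as written into the event's binary data.
_FAILURE = re.compile(
    r"Application Failure\s+(?P<app>\S+)\s+(?P<app_version>\S+)\s+in\s+"
    r"(?P<module>\S+)\s+(?P<module_version>\S+)\s+at offset\s+(?P<offset>[0-9A-Fa-f]+)"
)


def decode_event_data(dump):
    """Rebuild the raw bytes of the event's Data field from the pasted dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # tolerate blank lines and forum wrapping
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump not contiguous at offset {m.group(1)}")
        out += bytes.fromhex(m.group(2))
    return bytes(out)


def offset_is_printable_ascii(addr):
    """Heuristic (this example's own): a fault address made of four printable
    ASCII bytes, in a module Windows could not name, is a strong hint that the
    instruction pointer was loaded from text data rather than pointing at code."""
    return all(0x20 <= b < 0x7F for b in addr.to_bytes(4, "little"))


def parse_application_failure(data):
    """Split the Dr. Watson failure string into its fields."""
    m = _FAILURE.search(data.decode("ascii", errors="replace"))
    if not m:
        raise ValueError("no 'Application Failure' record in data")
    rec = m.groupdict()
    rec["offset"] = int(rec["offset"], 16)  # Dr. Watson prints the offset in hex
    rec["offset_is_printable_ascii"] = offset_is_printable_ascii(rec["offset"])
    return rec


if __name__ == "__main__":
    print(parse_application_failure(decode_event_data(SAMPLE_DUMP)))
```

Paste any other Event ID 1000 "Data" box into `SAMPLE_DUMP` to get the same breakdown; the contiguity check catches a dump that was truncated or re-ordered when copied out of the forum.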

#12 usasma
  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Location: Southeastern CT, USA

Posted 14 June 2007 - 07:28 PM

Sorry, but that's not the complete information from the Event Viewer

We'll need the Source, Category, and Event ID

Also, it appears that explorer.exe crashed (from what you've included) - so I suggest that you search your hard drive for memory dumps from this process. Search for files that end in .dmp and .mdmp. When you locate them, please analyze them using this procedure ( http://forums.majorgeeks.com/showthread.php?t=35246 ) and post the results here for us to have a look at.

#13 clive1
  • Topic Starter
  • Members
  • 16 posts
  • Location: herts uk

Posted 16 June 2007 - 04:50 AM

Hi again

OK, I think I did this right, so here is the log. Every time I try to search anything on the C drive, Explorer crashes and doesn't let me search.

This is the log from the minidump in windows/minidump


Microsoft (R) Windows Debugger Version 6.7.0005.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini060607-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols


Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Wed Jun 6 22:58:41.812 2007 (GMT+1)
System Uptime: 0 days 0:03:58.453
Loading Kernel Symbols
....................................................................................................................
Loading User Symbols
Loading unloaded module list
........
Unable to load image system32:xpdt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for xpdt.sys
*** ERROR: Module load completed but symbols could not be loaded for xpdt.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, f5da75a3, b981ba20, 0}

Probably caused by : xpdt.sys ( xpdt+25a3 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f5da75a3, The address that the exception occurred at
Arg3: b981ba20, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
xpdt+25a3
f5da75a3 8a1401 mov dl,byte ptr [ecx+eax]

TRAP_FRAME: b981ba20 -- (.trap 0xffffffffb981ba20)
ErrCode = 00000000
eax=00000000 ebx=f5dacb53 ecx=0101d000 edx=804dd28e esi=00001000 edi=0101c000
eip=f5da75a3 esp=b981ba94 ebp=b981baa0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
xpdt+0x25a3:
f5da75a3 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: mpas-d.exe

LAST_CONTROL_TRANSFER: from f5da9271 to f5da75a3

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b981baa0 f5da9271 0101c000 0000001e f5dacb53 xpdt+0x25a3
b981baf4 f5da9381 828d2658 01000000 01000210 xpdt+0x4271
b981bb58 f5da947a 828d2658 e100d9d8 82926020 xpdt+0x4381
b981bb78 805f9529 00000e18 828d2658 00000001 xpdt+0x447a
b981bcc4 8057c57f 010be45c 001f03ff 00000000 nt!PspCreateThread+0x3e3
b981bd3c 804de7ec 010be45c 001f03ff 00000000 nt!NtCreateThread+0x118
b981bd3c 7c90eb94 010be45c 001f03ff 00000000 nt!KiFastCallEntry+0xf8
010be08c 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
xpdt+25a3
f5da75a3 8a1401 mov dl,byte ptr [ecx+eax]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: xpdt

IMAGE_NAME: xpdt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 46532710

SYMBOL_NAME: xpdt+25a3

FAILURE_BUCKET_ID: 0x8E_xpdt+25a3

BUCKET_ID: 0x8E_xpdt+25a3

Followup: MachineOwner
---------
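The `!analyze -v` output above already names the culprit, but three details in it matter more than the bugcheck code and are easy to skim past. The image was loaded from `system32:xpdt.sys`: a colon after the directory name is NTFS alternate-data-stream syntax, so the driver lives in a stream attached to the system32 folder itself and no file of that name appears in a directory listing. The debugger could not find the image on disk (Win32 error 0n2, WinDbg's decimal notation for ERROR_FILE_NOT_FOUND) and had no symbols for it. And the xpdt frames sit directly beneath nt!PspCreateThread, so the driver is running on the kernel's thread-creation path. As an added example, not code from the post or from WinDbg, here is a Python triage script that parses such a transcript and reports those findings together with the driver's link date taken from DEBUG_FLR_IMAGE_TIMESTAMP. The transcript it runs on is a constructed excerpt of the output posted above; the field names, the stream test and the wording of the findings are this example's own.

```python
"""Triage of a pasted WinDbg '!analyze -v' transcript.

Added example for this thread, not code from the original post or from WinDbg.
The transcript is a constructed excerpt of the output posted above; the field
names, the stream test and the finding texts are this example's own.
"""
import re
from datetime import datetime, timezone

# Constructed excerpt of the posted '!analyze -v' output (values as posted).
SAMPLE_ANALYZE = """\
Unable to load image system32:xpdt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for xpdt.sys
*** ERROR: Module load completed but symbols could not be loaded for xpdt.sys
BugCheck 1000008E, {c0000005, f5da75a3, b981ba20, 0}
PROCESS_NAME:  mpas-d.exe
STACK_TEXT:
b981baa0 f5da9271 0101c000 0000001e f5dacb53 xpdt+0x25a3
b981baf4 f5da9381 828d2658 01000000 01000210 xpdt+0x4271
b981bb58 f5da947a 828d2658 e100d9d8 82926020 xpdt+0x4381
b981bb78 805f9529 00000e18 828d2658 00000001 xpdt+0x447a
b981bcc4 8057c57f 010be45c 001f03ff 00000000 nt!PspCreateThread+0x3e3
b981bd3c 804de7ec 010be45c 001f03ff 00000000 nt!NtCreateThread+0x118
MODULE_NAME: xpdt
IMAGE_NAME:  xpdt.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  46532710
FAILURE_BUCKET_ID:  0x8E_xpdt+25a3
"""

_BUGCHECK = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
_FIELD = re.compile(
    r"^(PROCESS_NAME|MODULE_NAME|IMAGE_NAME|DEBUG_FLR_IMAGE_TIMESTAMP|FAILURE_BUCKET_ID):\s*(\S+)", re.M)
_IMAGE = re.compile(r"^Unable to load image (\S+),", re.M)
_NOTE = re.compile(r"^\*\*\* (?:WARNING|ERROR): (.*)$", re.M)
# A 'kb' frame: ChildEBP, RetAddr and three Args-to-Child, then the symbol.
_FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)", re.M)


def parse_analyze(text):
    """Pull the fields a triage needs out of '!analyze -v' output."""
    rec = {"bugcheck": None, "args": [], "image_path": None}
    m = _BUGCHECK.search(text)
    if m:
        rec["bugcheck"] = int(m.group(1), 16)
        rec["args"] = [int(a, 16) for a in m.group(2).split(",")]
    for key, val in _FIELD.findall(text):
        rec[key.lower()] = val
    m = _IMAGE.search(text)
    if m:
        rec["image_path"] = m.group(1)
    rec["notes"] = _NOTE.findall(text)
    rec["frames"] = _FRAME.findall(text)
    return rec


def is_alternate_data_stream(path):
    """True if the path names an NTFS alternate data stream: a colon anywhere
    other than the drive-letter position. 'system32:xpdt.sys' is a stream
    called xpdt.sys hung off the system32 directory; dir and Explorer do not
    list streams, which is why the file later looked 'missing'."""
    body = path[2:] if re.match(r"[A-Za-z]:", path) else path
    return ":" in body


def kernel_caller(frames, module):
    """Symbol directly beneath the driver's last frame: the kernel code path
    that called into it (top of stack first, as WinDbg prints it)."""
    pfx = module + "+"
    for cur, nxt in zip(frames, frames[1:]):
        if cur.startswith(pfx) and not nxt.startswith(pfx):
            return nxt
    return None


def link_date(rec):
    """DEBUG_FLR_IMAGE_TIMESTAMP is the PE link time, a Unix epoch in hex."""
    ts = rec.get("debug_flr_image_timestamp")
    return datetime.fromtimestamp(int(ts, 16), tz=timezone.utc) if ts else None


def triage(text):
    """Findings a practitioner would want from this dump, as plain strings."""
    rec = parse_analyze(text)
    img = rec.get("image_name", "?")
    out = []
    if rec["bugcheck"] in (0x8E, 0x1000008E) and rec["args"][:1] == [0xC0000005]:
        out.append(f"unhandled kernel access violation at {rec['args'][1]:#010x} in {img}")
    if rec["image_path"] and is_alternate_data_stream(rec["image_path"]):
        out.append(f"{img} was loaded from an NTFS alternate data stream: {rec['image_path']}")
    if rec["notes"]:
        out.append(f"debugger could not verify or symbolize {img}: " + "; ".join(rec["notes"]))
    caller = kernel_caller(rec["frames"], rec.get("module_name", ""))
    if caller:
        out.append(f"{img} is called from {caller.split('+')[0]} (the kernel path it hooks or has a callback on)")
    when = link_date(rec)
    if when:
        out.append(f"{img} was linked {when:%Y-%m-%d} UTC; compare with when the symptoms began")
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_ANALYZE):
        print("-", finding)
```

Run as-is it prints the five findings for the posted dump; feed the full `!analyze -v` text of another minidump to `triage()` for the same checks. The link date it reports for xpdt.sys, 22 May 2007, is only about two weeks before this thread was opened.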

#14 usasma
  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Location: Southeastern CT, USA

Posted 17 June 2007 - 08:07 AM

Hi Clive! I'm suspecting that there's a hidden rootkit here that isn't detected by HiJackThis. I'd suggest that you post your log back in the HJT forum and include the information that an XPDT.SYS rootkit is suspected (based on the memory dump). Without the information about the rootkit it's likely that your HJT logfile will appear to be clean.

#15 clive1
  • Topic Starter
  • Members
  • 16 posts
  • Location: herts uk

Posted 17 June 2007 - 11:30 AM

Hi John

Well I am pleased to report success!!!

In desperation I have been trying several things, as you know. I tried safe mode, deleting the file in DOS, and various file and folder removal utilities and programs.

Every time these applications would try to read or access the location where the problem was located, up would come the Microsoft box telling me the application had encountered an error and would have to close.

The error logs (accompanying txts) all referred to the same location with some, shall we say, unsavoury file name that I would rather not post. What is sure is that no way did I download the file on purpose!!

Anyway, the first glimmer of hope came when I ran a program called RegRun; this is available as a fully working 30 day trial.

This indicated a system32 file, XPDT.sys; however, the file was missing.

I tried removal but nothing happened; the file would reappear on reboot.

I sent a request to their tech support and got the following reply

Hello clive,

Saturday, June 16, 2007, 5:20:36 PM, you wrote:

cpsc> I need support
cpsc> name: clive pugh
cpsc> email:
cpsc> S1: C:\WINDOWS\SYSTEM32:XPDT.SYS

cpsc> Any ideas what this is please
cpsc> B1: Send now!

Status: Dangerous.
XPDT.SYS is Troj/Rustok-Q.
Read more: http://www.sophos.com/security/analyses/trojrustokq.html
Kill the file XPDT.SYS and remove XPDT.SYS from Windows startup using RegRun Reanimator.
http://www.regrun.com

Removal: xpdt.sys is removed by RegRun.


If you have any other questions, please don't hesitate to contact me.

---
Best regards,
Catty
Support Expert mailto:catty@greatissoftware.com
Greatis Software http://www.greatis.com


I tried what she said but to no avail.

I then found a utility called Sophos Threat Detection Test, which I downloaded and ran.

Hey presto, the program ran and got through the bad file, which it identified along with the xpdt.sys and one other called kdcrj.exe.

It allowed me to kill both and on reboot all problems gone!!!

Am I a happy bunny or what!!!

Many thanks to all who read and responded

Best Regards
Clive



