
internet explorer has encountered a problem [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by donald plummer, 2005/09/07.

  1. 2005/09/07
    donald plummer

    donald plummer Inactive Thread Starter

    Joined:
    2005/05/13
    Messages:
    17
    Likes Received:
    0
    error message when I open Internet Explorer>>>>internet explorer has encountered a problem and needs to close. we are sorry for the inconvenience.


    appname>>iexplore
    modname>>>unknown


    I have checked the web sites, and downloaded all updates, none have corrected the error, made changes in IE tools, nothing has worked yet.
     
  2. 2005/09/07
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Helpful to post your OS as the methods for repairing IE differ between 98 & XP....

    If 98 ....

    Control Panel > Add/Remove Programs > MS IE > Change/Remove and select the Repair option.

    If XP ....

    Start > Run > type in sfc /scannow noting the space before the forward slash and have your XP CD handy. System File Checker will run and exit without any closing dialogue. To see which files, if any have been replaced look in Event Viewer.
     

  4. 2005/09/07
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Almost always when I see this it is caused by adware or spyware where the nasty tells windows it is an important part of internet explorer.
    It is trying to access a file or part of the windows registry which IE does not have legitimate access to and thus windows is blocking the access. When it insists, windows closes IE to stop it.
    Run Spybot search and destroy and Lavasoft Ad-Aware free version and then post a hijackthis log.
    Spybot

    http://www.lavasoftusa.com/software/adaware/

    Hijackthis
    (Install to C:\Programfiles\Hijackthis\hijackthis.exe)
    run and choose scan and save log file
    copy the contents of the notepad window which opens.
     
  5. 2005/09/08
    donald plummer

    donald plummer Inactive Thread Starter

    Joined:
    2005/05/13
    Messages:
    17
    Likes Received:
    0
    Logfile of HijackThis v1.99.0
    Scan saved at 3:37:15 PM, on 8/23/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINNT\cGhpbGxpc2EuY29ubmVy\command.exe
    C:\WINNT\System32\svchost.exe
    C:\ePOAgent\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\cmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\WINNT\UTLite33.exe
    C:\Stinger256.exe
    C:\Program Files\atce\trdb.exe
    H:\reg-fix\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32/left.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\lx4lsk.exe reg_run
    O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\lx4lsk.exe reg_run
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = doh.miss.gov
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B990F612-4276-4012-BD9B-AAEDC3901ACC}: NameServer = 10.7.20.21,10.7.20.20
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = doh.miss.gov
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = doh.miss.gov
    O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
    O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Command Service - Unknown - C:\WINNT\cGhpbGxpc2EuY29ubmVy\command.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
     
  6. 2005/09/08
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Yes, you have a look2me infestation; and it will cause just the symptoms you have.
    There are several variations, so we will have to try a couple of approaches to see if there is a hidden component.
    (You may need to show hidden files to do this, see http://www.xtra.co.nz/help/0,,4155-1916458,00.html for instructions)


    STEP ONE
    Download and Install the free version of Ad-aware - Software - Lavasoft:
    After installation-CHECK FOR UPDATES
    run this later

    Next would you please download the VX2 plugin for Ad-Aware after you have updated
    http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml

    Reboot PC
    After Reboot Open Ad-Aware
    Go to "Plug-ins"
    Select the VX2 Cleaner plug-in and click "Run Plugin"
    If your computer isn't infected, click "Close".

    If your computer is infected

    Select "Clean System"
    Reboot your computer
    Scan your computer with Ad-Aware
    Set these additional options for a custom scan
    click the gear wheel at the top and check these options:

    General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal "

    Scanning > activate these: "Scan within archives ", "Scan active processes ", "Scan registry ", "Deep scan registry ", "Scan my IE Favorites for banned sites" and "Scan my Hosts file "

    Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning. "
    Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot. "

    Click "Proceed" to save your settings, then click "Start ", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next ". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue? ".
    RESTART your computer



    STEP TWO
    If it does not have this variant please launch IE (if possible) and paste the following in the address bar
    You can be offline when you do this.
    javascript:navigator.userAgent
    If it mentions a dll file or is more than one line, post what it says.

    STEP Three
    Please do the following
    Download L2mfix from here
    http://www.atribune.org/downloads/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

    STEP FOUR
    Download and run the removal tool
    CWS 2.15 as of May, 2005
    Click on the download stand alone version of coolwebshredder
    Download, run and choose fix.

    STEP FIVE
    You also have adware shopnav
    Please follow the manual removal instructions here
    http://securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html

    STEP SIX
    Reboot to safe mode
    How to boot to safe mode
    Make sure you are disconnected from the internet. Run Hijackthis and select the following and choose fix.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32/left.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    (note the _ preceding the clsid is designed to prevent removal with automated tools. You may need to do this one manually, let me know if you need tools or instructions)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\lx4lsk.exe reg_run
    O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\lx4lsk.exe reg_run
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O23 - Service: Command Service - Unknown - C:\WINNT\cGhpbGxpc2EuY29ubmVy\command.exe
    (Note you may have to go to your services control panel and disable this first)

    Delete IE temp internet files and clear history.

    Reboot to normal mode and run hijackthis and post a new log.
     
  7. 2005/09/08
    donald plummer

    donald plummer Inactive Thread Starter

    Joined:
    2005/05/13
    Messages:
    17
    Likes Received:
    0
    problem fixed>>>>>>>

    I have been looking at the problem all the time, but wasn't sure to uninstall it.

    there was a program in add/remove named>>>COMMAND>>>>, and when I went into the process to uninstall it, rebooted the pc, retested IE,,all ok...

    thanks>>>for all the help
     
  8. 2005/09/08
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    donald plummer--Glad to hear the good news.
    You may want to consider running scans with AdAware/SpybotS&D and then HiJackThis (posting the log per these instructions
    http://www.windowsbbs.com/showthread.php?t=37074) again. Removing a spyware program through Add/Remove often leaves some pieces behind. Some might even be enough to reinstall the spyware. And maybe you still have other spyware like Look2Me which were not associated with the Command program.
    FWIW--I ran a Google search for "Command spyware" and found no references to such a program. When I ran a search on "Command program" I found a reference to a program which prevents spyware!
    http://www.transaction-one.com/stores/product_family_view.do?pubID=1329&familyID=49547
    Concerning Look2Me you may want to wait for review of your new HJT file, but, if you have it, there are some automatic ways of deleting it
    http://www.pchell.com/support/look2me.shtml
    See near the bottom.
     
    Last edited: 2005/09/09
  9. 2005/09/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    there was a program in add/remove named>>>COMMAND>>>>,
    Just doing that did not remove what is still infecting you, it just went underground.
     
  10. 2005/09/21
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Yep, sorry I missed one so obvious


    C:\WINNT\cGhpbGxpc2EuY29ubmVy\command.exe

    I normally double check running processes before I even think of starting the log. Somehow I slipped up this time.
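
An added example, not part of any post in this thread and not HijackThis's own logic: the checks the helpers apply by eye to the log above (a search hook whose CLSID is prefixed with `_` or whose file is absent, several Run values starting the same executable, a service with vendor "Unknown"), expressed in Python over an excerpt of the posted log. The function names, reason strings and choice of heuristics are assumptions for illustration; a hit means the entry deserves a manual look, not that it is malicious.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis v1.99.0 log posted in this thread (not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\lx4lsk.exe reg_run
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\lx4lsk.exe reg_run
O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Command Service - Unknown - C:\WINNT\cGhpbGxpc2EuY29ubmVy\command.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run[^:]*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$")
TARGET = re.compile(r'"([^"]+)"|(.*?\.(?:exe|dll|com|bat))(?=\s|$)|(\S+)', re.I)

def run_target(cmd):
    """Executable named by a Run value, lower-cased, without its arguments."""
    m = TARGET.match(cmd.strip())
    return next(g for g in m.groups() if g).strip().lower() if m else ""

def triage(log_text):
    """Return (reason, log line) pairs for entries that deserve a manual look."""
    findings, run_targets = [], defaultdict(list)
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        (code, body), line = m.groups(), raw.strip()
        if code == "R3":
            # A leading "_" before the CLSID is what the thread says defeats automated removal.
            if re.search(r" - _\{[0-9A-Fa-f-]{36}\}", body):
                findings.append(("underscore-prefixed CLSID", line))
            if "(no file)" in body or "(file missing)" in body:
                findings.append(("search hook without a file on disk", line))
        elif code == "O4" and (r := RUN.match(body)):
            run_targets[run_target(r["cmd"])].append(line)
        elif code == "O23" and (s := SERVICE.match(body)):
            if s["vendor"].strip().lower() == "unknown":
                findings.append(("service with no vendor string", line))
    # Two differently named Run values launching one binary, as with winsync / ntdll.dll above.
    for exe, lines in run_targets.items():
        if len(lines) > 1:
            findings.extend(("several Run values start " + exe, l) for l in lines)
    return findings
```

Calling `triage(SAMPLE_LOG)` returns six findings; the `POINTER` Run value and the Intel service are not among them.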
     
