IE7 & Explorer keep crashing...

Discussion in 'Malware and Virus Removal Archive' started by Dansco, 2006/11/27.

Thread Status:
Not open for further replies.
  1. 2006/11/27
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    I've searched the net and this forum but still can't find why it's happening. I'll try and explain what's happening :-

    I start IE7 and after a certain amount of time, either iexplorer.exe or explorer.exe crashes with a warning. I think it's more to do with explorer as I downgraded to ie6 but it still happened. When it crashes the start bar vanishes for a few secs but ie stays open.

    This has happened quite a lot and as my XP was pre-installed I don't have the cd so can't reinstall at the moment. I've even used Recovery Console for ie7 and disabled nearly all the addons but still it happens.

    Downloaded Hijack this and got this log. Hope it helps :-

    Please help me

    Dan ;)
     
  2. 2006/11/27
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hi and welcome to the forum.

    Did this behavior begin at any particular time, say after any Windows updates or any additions to the pc, hardware or software?

    The only thing I can find on your system, which is not really malware, but it seems to be creating some problems for other users is the Kontiki software.

    I guess it comes bundled with a service called Sky by Broadband, but that is in the UK and I don't see anything else showing such software.

    Let us know some more particulars.
     

  4. 2006/11/28
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Tom
    Dansco is in the UK - Scarborough :)
     
  5. 2006/11/28
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    Hi, thanx for the reply. The problems started on 20/11/06 and I think it's due to being sent to a rogue site while searching the net. I'm sure something installed before I could stop it. My hardware and software have not been changed apart from ie7 installation but that was working fine for a few weeks before all these problems.

    I've had Sky-By-Broadband installed for months and don't even use it now. What kind of problems can it cause?
     
  6. 2006/11/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's dig a bit deeper then.

    The service from Sky that has created what appear to be either removal problems or bandwidth issues is the Kontiki service. I guess it's not required and users had trouble removing it.

    Then go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    Then:

    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.
     
  7. 2006/11/28
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    I'm currently re-running the Panda thing as my PC crashed again and I'm concerned that it has found 12 viruses and 27 spyware as I have Norton AV running and use Ad-aware & Spybot regularly, and none of these were picked up by any of them. How can the Panda app pick so much up that Norton etc won't?

    Also I'm only a 3rd done according to the status bar with 1.4M files read but I know from my last virus scan that I only have 1.5M files so how come it's only a 3rd done? Am I missing something out?

    Dan
     
  8. 2006/11/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You can log off the Panda site once you begin the scan. Perhaps stop a few unneeded processes from running.

    As to its findings, this all depends on the location of the infections; any cookies or findings in Volume_System Folders or Recycler\Quarantined folders can be ignored, they are no threat.
     
  9. 2006/11/28
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    That's the Silent Runner text file if that helps. I'm currently deleting some of the files in the ActiveScan file. Will post it after I delete them.

    What's really annoying is that WinAntiSpyware popup is still there :(
     
  10. 2006/11/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    :eek: :eek: If you had mentioned that earlier, I'd have approached this in an entirely different way. That is a classic Vundo infection, which the Silent Runners log also picked out, and is hidden from HJT by the coders of the infection. And the file which is shown is already in the VundoFix database.

    Please do as instructed below.

    First thing I'd like you to do is to rename hijackthis.exe to <anything of your choice> .exe or similar, as long as you change its name.

    Then download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.
     
  11. 2006/11/28
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    Ah I didn't think to mention it as it wasn't causing anything more than an annoyance. Glad it popped up then or this could've gone on a while.

    Currently following your instructions for using VundoFix. I just rarred the HJT folder and ran VundoFix - which is still running as we speak.

    Here's what's left of the ActiveScan text file after I removed the cookies and some of the possible viruses by deleting them. This is what's left (which I think is my Outlook Express Mail Box) :-

    One tiny thing is that I've recently found an old backup of my Outlook Express folder so I'm not sure if this is the one I have found or my current one? Once I figure out which one it is, how do I remove the files?

    Will upload the VundoFix text file when it finishes (which will most likely be tomorrow as it's getting late tonight).

    Thanx again for your help

    Dan ;)
     
    Last edited: 2006/11/28
  12. 2006/11/28
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    Ok just finished VundoFix and got these results :-

    Can you tell me what they did to my PC? Do I need to run HijackThis again?

    Thanx again mate

    Dan ;)
     
  13. 2006/11/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yes, all those items in the Panda scan are from emails, so those are ok, no threats.

    The Vundo tool worked nicely and please do post a new HJT log.

    The creators of the malware essentially stick this stuff on your pc to gain money. With each and every install some low life somewhere gets a few pennies for it. It's a long and difficult trail to follow. Especially since so many of the offenders are off shore in countries who have larger worries than Net criminals.
     
  14. 2006/11/29
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    Ok so no need to do anything about the emails then?

    Here's my new Hijackthis log file :-

     
  15. 2006/11/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    No, they are fine.

    We have a few remnants to fix.


    Open Hijackthis, select the 'Do a system scan only' button and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


    O2 - BHO: (no name) - {205DDF72-6128-4DE6-A45F-A1B4CDA6CD9C} - D:\WINDOWS\system32\ssttq.dll (file missing)

    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - D:\WINDOWS\system32\moptdfpd.dll



    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} -

    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} -



    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    D:\WINDOWS\system32\ssttq.dll<<<--this file
    D:\WINDOWS\system32\moptdfpd.dll<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Please run HJT again and post a new log back into this thread please.
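
As an added example (not part of the original posts and not code from HijackThis), the sketch below parses the R0/R1, O2 and O16 line shapes quoted in the fix list above and flags the same kinds of remnants. The sample lines are copied from the post; the flagging rules (`triage` and its reasons) are illustrative assumptions, and an unnamed BHO only marks an entry for review rather than proving it is malicious.

```python
import re

# Sample lines copied from the fix list in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {205DDF72-6128-4DE6-A45F-A1B4CDA6CD9C} - D:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - D:\WINDOWS\system32\moptdfpd.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} -
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")          # "O2 - <body>"
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - "
                 r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
DPF = re.compile(r"^DPF: (?P<clsid>" + CLSID + r") -\s*(?P<url>.*)$")
REG = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) =\s*(?P<data>.*)$")


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank line or a section this sketch ignores
        section, body = m.group(1), m.group(2).strip()
        if section == "O2" and (b := BHO.match(body)):
            if b["missing"]:
                # Registry still points at a DLL that is gone from disk.
                findings.append((section, "orphaned BHO registration", b["path"]))
            elif b["name"] == "(no name)":
                findings.append((section, "unnamed BHO", b["path"]))
        elif section == "O16" and (d := DPF.match(body)):
            if not d["url"]:
                findings.append((section, "ActiveX entry without source", d["clsid"]))
        elif section in ("R0", "R1") and (r := REG.match(body)):
            if not r["data"]:
                findings.append((section, "empty registry value", r["value"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```
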
     
  16. 2006/11/29
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    Done all the above. The last two files were already gone. Here's my new hjt log :-

     
  17. 2006/11/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Everything looks great, you're good to go.

    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps proving how securely you can surf with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  18. 2006/11/29
    Dansco

    Dansco Inactive Thread Starter

    Joined:
    2004/01/06
    Messages:
    95
    Likes Received:
    0
    Done the above and clearing everything out. Sadly I've turned off System Restore a long time ago and have no idea how to use it.

    Thanx for all your help mate. Working ok so far (touch wood) :D
     
  19. 2006/11/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Do yourself a favor and turn it on. Could have been a very simple use of sys restore and done, if it was on, depending on how clean the restore point was.

    Follow instructions in the link I gave.

    Glad we could be of assistance.

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     