Windows Explorer Runtime Error on Performing Search

Status
Not open for further replies.

bobcat

When I perform a search for a file in Windows Explorer (start > Search), all starts normally, but after a few minutes WE crashes and I get the message:

“Runtime Error!
Program: C:\WINDOWS\Explorer.EXE
This application has requested the Runtime to terminate it in an unusual way.”

There is no minidump, but I attach all messages & report contents.
My System: XP Pro SP3. Thanks in advance.

 
Do the below steps in order presented!

Uninstall from Add/Remove Programs any A2 malware/virus programs.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Before Temp cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and then OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.
-----------------------------------------------------------------------------------------------------------------------------------------------------

Download and install CCleaner: http://www.ccleaner.com/download/builds
Get the one on the bottom SLIM! Run both Temp and Registry repeatedly until no more found.

Download install and run KCleaner: ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe

Reboot to Safe Mode and run all CCleaner and KCleaner again as above.

Reboot back to normal mode test for issue!

Report back the status!

Mike
 
Thanks for a thorough multi-step response mflynn, your interest is fully appreciated.

I’ll see what I can do with following your instructions. I already had CCleaner without the Toolbar, which I suppose is the same as the SLIM version you specified.

In the meantime, I have found that the error code I am getting (0x40000015) is described as “unknown software exception”. I suppose it has to do with a new program I installed. Is this so?

And regarding your mention of specialized back up programs, I recently installed Acronis True Image 11. So it may be an idea to uninstall that first. What do you think?
 
No! No need to uninstall Acronis True Image!

Just uninstall all A2 programs in Add/Remove.

The specialized backups will be recreated so just do the steps.

Mike
 
Thanks. Just another clarification about "A2 programs". I am using the anti-malware “a-squared Free” from www.emsisoft.com/en/software/free/ which I’ve had for a long time without complications. I assume that is what you mean, but to avoid possible unnecessary uninstallation, please confirm.
 
Yes that was one of the errors in your screens!

After we confirm this fixes your problem then you can reinstall in a few days.

No problem with A2 (asquared) but the installation may be corrupted!

Mike
 
I return with some info.

So far I have done the following:
Uninstalled a-squared
Created new System Restore point
Ran Windows Disk Cleanup
Deleted all System Restore points except the last
Ran CCleaner clean-up
Ran CCleaner registry fix repeatedly (not in safe mode, but with all apps closed)
Rebooted
Tested the Search function and problem was still present.

The trouble is that now, having deleted System Restore points, I can’t go back in time!

I can repeat the cleaning/fixing in safe mode and also use KCleaner, but somehow I don’t expect a solution, while I am a little apprehensive about interfering too much with the registry just in hope.

But after further trials, I have a new discovery:
When I start the Search function, it asks for an outbound connection. I normally don’t allow it, as it’s nobody’s business what I am searching for. Searching still starts, but after a while Windows Explorer crashes due to C++ Runtime Error.

However, if I allow the outbound connection, the search goes through without crashing. This is something new, because in the past I never allowed outbound connection and there was no WE crashing.

Does this mean something?
 
OK we have a SR of a working OS so we are Safe.

To be even safer a redundant registry backup will give you peace of mind so..

Get ERUNT
Add a redundant Reg backup: get and install ERUNT, let it add itself to startup and do a backup on install, check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.

Now I believe you have Malware so do the following to prove me wrong!

Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner or Firewall if you already have one).

Most importantly update MalwareBytes and SuperAntiSpyware!

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3 Ignore System Restore:

MalwareBytes extra config

After update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Mike
 
I'd like to offer three suggestions- any one of which might resolve the problem:

1. Runtime errors are frequently caused by add-ons in the browser:
Open IE> Tools> Manage add-ons> Disable ALL of the add-ons> Check the system status.
If doing this resolves the Runtime error, try adding back one at a time until you find which add-on caused the problem.

2. Unexplained crashes can also occur if you have Folder options set to view 'hidden files and folders'. To check this:
Open IE> Tools> Folder options> View tab> UNCHECK 'show hidden files and folders'> Apply> OK.

3. Check the Event Viewer for corresponding Error at time of the crash. It will be similar to but different from the image you posted about a2freecontentmenu.dll

Start> Run> type in eventvwr
Do this on each the System and the Applications logs:
1. Click to open the log>
2. Look for the Error>
3. Right click on the Error> Properties>
4. Click on Copy button, top right, below the down arrow
5. Paste here (Ctrl V)
Ignore Warnings. You do not need to include lines of code-if any- in the box below the Description.

You may not need to do all three of these. And if you have uninstalled a squared, you will need to disable the Service if still present:
Start> Run> services.msc> right click on a-squared Free Service (a2free)> Properties> Change the Startup to Disabled> Stop the Service.

NOTE: if you reinstall a squared, change the Service back to Manual.

If none of these suggestions resolves the crash, go ahead with the malware cleaning steps.
 
Again, your answer is both comprehensive and comprehensible, which is uncommon!

Though I never find any malware on scanning (by AntiVir, Spybot S&D and Ad-Aware), I shall follow your instructions and do the TechSpot 8 steps. Re Step 3: Temporarily Disable Real Time Monitoring Programs, I suppose I shall have to disable my AntiVir and Agnitum f/w.

But here I have a comment. I believe Step 3, i.e. disabling all protection, should come later, after downloading and updating all tools involved. Then one should disconnect from the internet, disable protection and subsequently run the tools. Otherwise one would run the risk of catching malware while doing the 8 steps against it!

As regards ERUNT, I did not use it in the past, because it says in the FAQ’s (http://www.larshederer.homepage.t-online.de/erunt/faq.htm) that you should disable Windows XP’s System Restore function when using ERUNT. I am not sure that’s a good idea, as the SR does more than registry backup.
 
Good! Your logic is good on the disabling so do it that way!

Your Logic is good also to do the 8 Steps and you will likely be surprised.

Your Logic is good also not to turn off SR. But do get ERUNT and run it (Run as Administrator) both to install and run. The author did not say it has a problem with SR just that it may not be needed with ERUNT. I have it running on many Vista systems with SR!

This is what I have found about SR!
When you really need it, it (A). finds no restore point and (B). if it does it can not restore it!:(

A redundant ERUNT backup is a good idea.

So continue with the 8 Steps! Your way! As your way is a good way!:D

Bobbye made some good suggestions in his post #9.

Mike
 
@Bobbye

Many thanks for your valuable advice, which I had not noticed immediately because I was preparing my answer to mflynn.

I have gone thru all points you mentioned:

I unchecked “show hidden files and folders” but no change.

Strangely, the Event Viewer does not show the errors corresponding to the numerous WE crashes! It only shows some other, irrelevant errors.

I then disabled all IE add-ons (24 of them!), which seems to have solved the problem. :)
This is subject to confirmation and to further action of trying to identify the culprit.

@ mflynn

Thanks for the additional info, especially about ERUNT.

So far, I’ve run AntiVir and Spybot S&D with nothing found.

@ both advisors

I am already wiser as a result of your advice and glad I’ve started the thread, even if the problem is not finally solved.

I’ll get back when I have more to report.
 
SpyBot is OK but the 8 Steps especially SAS and MBAM will be the killer!

But do run the Immunize function of SpyBot!

Mike
 
24 add-ons is a lot! I am not surprised that disabling them resolved the Runtime problem. With that many, it is difficult to tell if one add-on caused the problem or if there was a conflict between some add-ons.

When the system is stable, put them back, one at a time, checking the system in between.
 
Unfortunately, it's bad news. I later found that disabling all IE add-ons doesn’t solve the problem. It just made it occur much later, which misled me at first. I don’t know if this gives a clue. Furthermore, after all 8 steps and more, the problem persists. :(

And now TechSpot 8 Steps Against Malware results.

Java: I had the latest version 6 Update 11, but also version 6 Update 7 which I uninstalled.
CCleaner: I ran the cleaner with everything ticked except most selections under the Advanced tab (as I hate surprises and complications).
I also ran the tool’s registry cleaner.
AntiVir PE and Spybot S&D scans found nothing.
Ad-Aware Anniversary Edition (latest): log attached.
Malwarebytes' Anti-Malware: log attached.
SuperAntiSpyware HE: log attached.
And now a surprise! As I clicked next to remove the item found, I got an error popup. Nevertheless, when I checked the Quarantine contents, the item seems to have been quarantined. See images below:


HijackThis: I ran it without renaming it. Log attached.

Do you think there is still hope of solving the problem?
 
OK

Do the below and I think we will get some where.

Update then run SAS
Click Preferences-Repairs

Then counting down from top do the following entries
Numbers 6, 8, 11, 12, 13, 15, 18, 19 and 24!

Download SD Fix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
--------------------------------------------------------------------------------------------------------
Next

Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while it's running. That may cause it to stall.

Mike
 
From Mbam:
DAccordPersonalGuitaristv12_Crack.exe>> Trojan found in this file:

If you're going to use file sharing downloads, you are going to get malware

Here is the script error problem:
Internet Explorer experiences a script error if Avaya Webdialer is installed:
http://support.microsoft.com/kb/953796

You have the following entry in the Hijackthis log:
O3 - Toolbar: &DownloadStudio - {CB789373-04D5-4ef4-9C16-871463FD0830} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O9 - Extra button: DownloadStudio - {7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll

WebDLBar is the Avaya Webdialer Toolbar:

This may also be causing a problem:
Pcwband2.dll file information
Suche/Filter für Explorer und IE - IDG Magazine Verlag GmbH
Pcwband2.dll file description
Productname: Unknown
Description: Suche/Filter für Explorer und IE
Company: IDG Magazine Verlag GmbH
File size: Various
This file is unsigned by the author.
The entry you have in the HijackThis log is:
O3 - Toolbar: &PC-WELT - {42DFCA97-ED3F-4984-99BB-9C6E67B737A8} - C:\PROGRA~1\PC-WELT\pcwBand2\pcwBand2.dll
Also suggest you change Startup Type for these Services to Manual instead of automatic:
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
To access: Start> Run> services.msc> right click on each Service> Properties> change startup to Manual.

This one was puzzling:
Trojan.Security Toolbar
C:\Documents and Settings\Thespis\Favorites\Antivirus Test Online.url

I tried to track it down, but most sites were not in English. If you have this saved, Delete it.

The following is considered Real Time Protection and should be disabled while you're scanning:
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe (found in the AdAware scan)
ppmemcheck.exe is an application from PestPatrol which disables SpyWare and MalWare on your system. It also does not need to be on the Startup menu.

Disable Acronis while you're scanning:
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

In my opinion, you have many highly customizable processes running. They are all on the Start menu or in the Registry and start on boot, run in the background. Although the processes may actually be legitimate, the potential for conflict with other processes is great.
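
The HijackThis entries quoted in the post above can be triaged mechanically. The following is an added example, not part of the original thread or of HijackThis itself: it parses the quoted O3/O9/O23 lines, groups the in-process browser extensions by the DLL they load, and lists the service short names whose startup type should be reviewed. `SAMPLE_LOG` is copied from the post; the function names are this example's own.

```python
import re
from collections import defaultdict

# Entries copied from the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O3 - Toolbar: &DownloadStudio - {CB789373-04D5-4ef4-9C16-871463FD0830} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O9 - Extra button: DownloadStudio - {7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O3 - Toolbar: &PC-WELT - {42DFCA97-ED3F-4984-99BB-9C6E67B737A8} - C:\PROGRA~1\PC-WELT\pcwBand2\pcwBand2.dll
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
"""

# "<section code> - <body>", e.g. "O3 - Toolbar: ..."
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Extension entries: "<kind>: <name> - {CLSID} - <path>"
EXT_RE = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Service entries: "Service: <display name> (<short name>) - <vendor> - <path>"
SVC_RE = re.compile(
    r"^Service: (?P<name>.+?) \((?P<service>[^)]+)\) - "
    r"(?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$")

# O2 = BHOs, O3 = toolbars, O9 = extra buttons: DLLs loaded inside the browser/shell.
IN_PROCESS = {"O2", "O3", "O9"}


def parse_line(line):
    """Return a dict for one HijackThis entry, or None for non-entry lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    detail = (SVC_RE if section == "O23" else EXT_RE).match(body)
    if not detail:
        # Keep entries in other formats (R0, O4, ...) without guessing fields.
        return {"section": section, "raw": body}
    entry = {"section": section, **detail.groupdict()}
    entry["name"] = entry["name"].lstrip("&")  # drop menu accelerator marker
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def modules_by_path(entries):
    """Group in-process extension entries by the DLL they point at."""
    grouped = defaultdict(list)
    for e in entries:
        if e["section"] in IN_PROCESS and "path" in e:
            grouped[e["path"].lower()].append((e["section"], e["name"]))
    return dict(grouped)


def service_names(entries):
    """Short names of O23 services, as shown in services.msc properties."""
    return [e["service"] for e in entries
            if e["section"] == "O23" and "service" in e]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for path, refs in modules_by_path(entries).items():
        print(f"{path}: referenced by {refs}")
    print("Services to review:", service_names(entries))
```

Grouping by path makes it visible that the DownloadStudio toolbar and button are one DLL, so disabling either entry alone leaves the same module registered.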
 
I wouldn't be surprised if the new Ad-ware Anniverserity Edition is causing the conflict you are experiencing.

correction, Ad-Aware Anniversary Edition.
 
@ CAMusing

I’ve had the problem before upgrading Ad-Aware. But the Anniversary Edition is faster and found objects missed by the previous version.

@ mflynn & Bobbye

Thanks for the deep analysis and the specific advice. I shall do everything you recommend. I started with Bobbye’s suggestions because they seemed easier to apply at my level.

HJT: I’ve fixed everything you said and attach the latest log.
If you think there are further useless items, please advise.

O23 - Service: SiSoftware Database Agent Service & O23 - Service: SiSoftware Sandra Agent Service: Strangely, I found both items in manual Startup Type!
Is there any other check or action I can do?

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe: I have disabled all PestPatrol monitoring activity, as I consider it useless. If anything, I’ll use that of Spybot S&D or SuperAS. Which one, if any, would you recommend?

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe: I have similarly disabled all Acronis True Image startup activity, as I don’t use its scheduler etc.
Should I re-enable something?

Trojan.Security Toolbar: C:\Documents and Settings\Thespis\Favorites\Antivirus Test Online.url: I couldn’t find this item, it has probably been removed by SuperAS.

It's now disappointing that the problem still persists regardless of all measures so far, but it occurs much later than it used to, e.g. when I search for non-existent items for which it runs a long time. Nevertheless, my system is now cleaner and more stable thanks to your advice.

As regards file sharing, I used to be active when I had less experience in avoiding malware but have since got wiser. However, I’ve had these items for a long time without apparent consequences.

And now I shall proceed with mflynn’s instructions.
 
Hi Bob

O23 - Service: SiSoftware Database Agent Service & O23 - Service: SiSoftware Sandra Agent Service: Strangely, I found both items in manual Startup Type!
Is there any other check or action I can do?
Are you saying SiSoftware is no longer installed? Check Add/Remove programs.
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe: I have disabled all PestPatrol monitoring activity, as I consider it useless. If anything, I’ll use that of Spybot S&D or SuperAS. Which one, if any, would you recommend?

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe: I have similarly disabled all Acronis True Image startup activity, as I don’t use its scheduler etc.
Should I re-enable something?
Your choice I don't use any but I regularly every few days do MBAM and SAS scans. But if I did I would use SAS. And I agree to the disabling TrueImage if you use Acronis only manually when you want!

Trojan.Security Toolbar: C:\Documents and Settings\Thespis\Favorites\Antivirus Test Online.url: I couldn’t find this item, it has probably been removed by SuperAS.

This is a Malware Startup that the program is missing. Removal instructions below.

Look carefully at Add/Remove programs uninstall any unused useless or outdated programs look for SiSoftware and decide what to do with it if there.

Then..

Download install and run AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Run it let it scan, then when it says ready at bottom left corner, make sure the EVERYTHING Tab is selected and then click File at top and then Find.

Type in the find box file not found and hit enter and delete all lines that have file not found.

There are a bunch of old stuff that M$ thought you might or would need that no longer exist or for computers that are assumed to have SCSI or AMD processors but do not!

After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for Trojan delete any entries related to Trojan.Security Toolbar.

Back to top click 1st entry and repeat Find for SiSoftware if you are removing it.

Then look carefully through all the other entries and delete anything that you may have had but uninstalled and thought was gone. If you are sure delete these also.

Next

Then get install and run:
RunScanner http://www.runscanner.net/download.aspx
Click Scan computer
Double click all Red lines to select, then click Item fixer and remove them.

Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

Same as already said on AutoRuns stuff that was assumed to be needed but you do not have.

None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

Reboot and recheck with both AutoRuns and RunScanner.
----------------------------------------------------------------------------------------------------------------------------------------------------

This may fix your search issue

This is a fantastic program for what it does, but because of what and how it does its job it is the best way I know to find a missing or corrupted DLL, usually done by Malware.

Basically it finds all DLL's and unregisters them then re-registers them, and in the process will find the missing or corrupt ones

Download Dial-A-Fix (DAF)

http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Flush DNS
Process Idle Tasks
Repair Permissions
Reset WMI/WBEM (not reinstall)

Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot retest! Report!

Mike
 
Here is my report on mflynn’s previous recommendations.

Did SAS repairs, without really knowing what they do.

Ran SDFix under Safe Mode – log attached.

Ran ComboFix – log attached.

HJT – latest log attached.

Finally, as usual, the problem still persists.
 
Bob you are being reinfected as evidenced by older ComboFix log files being clean and now look at the last Combofix log and the SDFix log.

It is coming from an Internet site or a Video or Audio file or some program, likely your P2P file sharing.

Did you install a new Firewall?

I'm not there so I can't see what is happening. The Search problem is secondary to but likely related to your Malware.

So I am going a somewhat different route.

Do no P2P downloads, do not visit music, game or social networking sites (MySpace etc.), or play any videos or music until we are clean.
--------------------------------------------------------------------------------------------------------
Download these but don't run, after downloaded boot to Safe mode only and run

But first thing in Safe Mode run Combofix to confirm that the last run of Malware found is really gone.

Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

Make Folder on your Desktop name it RRepeal. Move the rar file there and extract.

Enter folder double click RootRepeal.exe.
Click the Report tab, then click Scan

It will ask what to include in the scan.

Check the following
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Then click OK

It will ask which drive to scan.

Check C: (or your windows drive, if not C)
Click OK
The scan will begin; it will take a while.

When scan completes, click Save Report .

Name the log RRepeal.txt save it to your Documents folder (it should default there).

Attach log here..

Then

Download Trojan Remover http://www.simplysup.com/tremover/download.html
This is a full 30 day trial!

Install, Scan, Quarantine all found and attach log.

Mike
 
Just a few preliminary remarks before I proceed.

Bob you are being reinfected as evidenced by older ComboFix log files being clean and now look at the last Combofix log and the SDFix log.
But I had not submitted any older ComboFix log files, only HJT and other antimalware tool files.

Did you install a new Firewall?
No, I always use Agnitum Outpost.

Download these ...
Why use further tools when I already have several of them?
Spybot S&D
Ad-Aware
MBAM
SAS
SDFix
ComboFix
PestPatrol
 
1. You are right I was looking at an MBAM log!

2. You are correct also this was the first Combofix and SDfix runs, again I may have had another Poster in my tiny mind!

3. Yes since this the first runs of SDFix and Combofix and they found issues run them again to confirm they are clean and find no more.

4. On the more tools unless the above clears the issues then these have proven not to work, correct?

5. Did you do the Dial-A-Fix? AutoRuns and RunScanner?

Do not do the RootRepeal or Trojan scanner until the above is complete and I have parsed the logs.

Mike
 
Bob, I just noticed this entry in the HijackThis log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-choice.com.cy/

This domain, i-choice.com, is shown as being open and for sale. Some of the selections on the page that comes up leave much doubt as to the validity of the page. The Country Code that appears in the URL is CY - Cyprus.

Regarding this:
As regards file sharing, I used to be active when I had less experience in avoiding malware but have since got wiser. However, I’ve had these items for a long time without apparent consequences.
This does NOT mean they are safe and it gives a road for malware to travel.

Unless you are willing to remove some of the highly customized entries you have, you are not going to find the source of the malware.
 