Windows Explorer Runtime Error on Performing Search

By bobcat
Jan 27, 2009
Topic Status:
Not open for further replies.
  1. When I perform a search for a file in Windows Explorer (start > Search), all starts normally, but after a few minutes WE crashes and I get the message:

    “Runtime Error!
    Program: C:\WINDOWS\Explorer.EXE
    This application has requested the Runtime to terminate it in an unusual way.”

    There is no minidump, but I attach all messages & report contents.
    My System: XP Pro SP3. Thanks in advance.

  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Do the below steps in order presented!

    Uninstall from Add/Remove Programs any A2 malware/virus programs.
    -----------------------------------------------------------------------------------------------------------------------------------------------------
    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Before Temp cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.
    -----------------------------------------------------------------------------------------------------------------------------------------------------

    Download and install CCleaner: http://www.ccleaner.com/download/builds
    Get the one on the bottom SLIM! Run both Temp and Registry repeatedly until no more found.

    Download install and run KCleaner: ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe

    Reboot to Safe Mode and run all CCleaner and KCleaner again as above.

    Reboot back to normal mode test for issue!

    Report back the status!

    Mike
  3. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    Thanks for a thorough multi-step response mflynn, your interest is fully appreciated.

    I’ll see what I can do with following your instructions. I already had CCleaner without the Toolbar, which I suppose is the same as the SLIM version you specified.

    In the meantime, I have found that the error code I am getting (0x40000015) is described as “unknown software exception”. I suppose it has to do with a new program I installed. Is this so?

    And regarding your mention of specialized back up programs, I recently installed Acronis True Image 11. So it may be an idea to uninstall that first. What do you think?
  4. mflynn

    mflynn Newcomer, in training Posts: 2,793

    No! No need to uninstall Acronis True Image!

    Just uninstall all A2 programs in Add/Remove.

    The specialized backups will be recreated so just do the steps.

    Mike
  5. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    Thanks. Just another clarification about "A2 programs". I am using the anti-malware “a-squared Free” from www.emsisoft.com/en/software/free/ which I’ve had for a long time without complications. I assume that is what you mean, but to avoid possible unnecessary uninstallation, please confirm.
  6. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yes that was one of the errors in your screens!

    After we confirm this fixes your problem then you can reinstall in a few days.

    No problem with A2 (asquared) but the installation may be corrupted!

    Mike
  7. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    I return with some info.

    So far I have done the following:
    Uninstalled a-squared
    Created new System Restore point
    Ran Windows Disk Cleanup
    Deleted all System Restore points except the last
    Ran CCleaner clean-up
    Ran CCleaner registry fix repeatedly (not in safe mode, but with all apps closed)
    Rebooted
    Tested the Search function and problem was still present.

    The trouble is that now, having deleted System Restore points, I can’t go back in time!

    I can repeat the cleaning/fixing in safe mode and also use KCleaner, but somehow I don’t expect a solution, while I am a little apprehensive about interfering too much with the registry just in hope.

    But after further trials, I have a new discovery:
    When I start the Search function, it asks for an outbound connection. I normally don’t allow it, as it’s nobody’s business what I am searching for. Searching still starts, but after a while Windows Explorer crashes due to C++ Runtime Error.

    However, if I allow the outbound connection, the search goes through without crashing. This is something new, because in the past I never allowed outbound connection and there was no WE crashing.

    Does this mean something?
  8. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK we have a SR of a working OS so we are Safe.

    To be even safer a redundant registry backup will give you peace of mind so..

    Get ERUNT
    Add a redundant Reg backup, get and install ERUNT let it add itself to startup and do a backup on install check all boxes.

    ERUNT http://www.larshederer.homepage.t-online.de/erunt/
    Yes! Even if you use system restore and other backups Registry and Images.

    Now I believe you have Malware so do the following to prove me wrong!

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner or Firewall if you already have one).

    Most importantly update MalwareBytes and SuperAntiSpyware!

    Before you scan with SuperAntiSpyWare do the below:

    SuperAntispyware extra config

    After installed double-click the icon on your desktop to run it.

    Update the program definitions.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure all boxes are checked except #3 (Ignore System Restore...).

    MalwareBytes extra config

    After update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and attach their logs.

    Mike
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'd like to offer three suggestions- any one of which might resolve the problem:

    1. Runtime errors are frequently caused by add-ons in the browser:
    Open IE> Tools> Manage add-ons> Disable ALL of the add-ons> Check the system status.
    If doing this resolves the Runtime error, try adding back one at a time until you find which add-on caused the problem.

    2. Unexplained crashes can also occur if you have Folder options set to view 'hidden files and folders'. To check this:
    Open IE> Tools> Folder options> View tab> UNCHECK 'show hidden files and folders'> Apply> OK.

    3. Check the Event Viewer for corresponding Error at time of the crash. It will be similar to but different from the image you posted about a2freecontentmenu.dll

    Start> Run> type in eventvwr
    You may not need to do all three of these. And if you have uninstalled a squared, you will need to disable the Service if still present:
    Start> Run> services.msc> right click on a-squared Free Service (a2free)> Properties> Change the Startup to Disabled> Stop the Service.

    NOTE: if you reinstall a squared, change the Service back to Manual.

    If none of these suggestions resolves the crash, go ahead with the malware cleaning steps.
  10. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    Again, your answer is both comprehensive and comprehensible, which is uncommon!

    Though I never find any malware on scanning (by AntiVir, Spybot S&D and Ad-Aware), I shall follow your instructions and do the TechSpot 8 steps. Re Step 3: Temporarily Disable Real Time Monitoring Programs, I suppose I shall have to disable my AntiVir and Agnitum f/w.

    But here I have a comment. I believe Step 3, i.e. disabling all protection, should come later, after downloading and updating all tools involved. Then one should disconnect from the internet, disable protection and subsequently run the tools. Otherwise one would run the risk of catching malware while doing the 8 steps against it!

    As regards ERUNT, I did not use it in the past, because it says in the FAQ’s (http://www.larshederer.homepage.t-online.de/erunt/faq.htm) that you should disable Windows XP’s System Restore function when using ERUNT. I am not sure that’s a good idea, as the SR does more than registry backup.
  11. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Good! Your logic is good on the disabling so do it that way!

    Your Logic is good also to do the 8 Steps and you will likely be surprised.

    Your Logic is good also not to turn off SR. But do get ERUNT and run it (Run as Administrator) both to install and run. The author did not say it has a problem with SR just that it may not be needed with ERUNT. I have it running on many Vista systems with SR!

    This is what I have found about SR!
    When you really need it, it (A). finds no restore point and (B). if it does it can not restore it!:(

    A redundant ERUNT backup is a good idea.

    So continue with the 8 Steps! Your way! As your way is a good way!:D

    Bobbye made some good suggestions in his post #9.

    Mike
  12. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    @Bobbye

    Many thanks for your valuable advice, which I had not noticed immediately because I was preparing my answer to mflynn.

    I have gone thru all points you mentioned:

    I unchecked “show hidden files and folders” but no change.

    Strangely, the Event Viewer does not show the errors corresponding to the numerous WE crashes! It only shows some other, irrelevant errors.

    I then disabled all IE add-ons (24 of them!), which seems to have solved the problem. :)
    This is subject to confirmation and to further action of trying to identify the culprit.

    @ mflynn

    Thanks for the additional info, especially about ERUNT.

    So far, I’ve run AntiVir and Spybot S&D with nothing found.

    @ both advisors

    I am already wiser as a result of your advice and glad I’ve started the thread, even if the problem is not finally solved.

    I’ll get back when I have more to report.
  13. mflynn

    mflynn Newcomer, in training Posts: 2,793

    SpyBot is OK but the 8 Steps especially SAS and MBAM will be the killer!

    But do run the Immunize function of SpyBot!

    Mike
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    24 add-ons is a lot! I am not surprised that disabling them resolved the Runtime problem. With that many, it is difficult to tell if one add-on caused the problem or if there was a conflict between some add-ons.

    When the system is stable, put them back, one at a time, checking the system in between.
  15. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    Unfortunately, it's bad news. I later found that disabling all IE add-ons doesn’t solve the problem. It just made it occur much later, which misled me at first. I don’t know if this gives a clue. Furthermore, after all 8 steps and more, the problem persists. :(

    And now TechSpot 8 Steps Against Malware results.

    Java: I had the latest version 6 Update 11, but also version 6 Update 7 which I uninstalled.
    CCleaner: I ran the cleaner with everything ticked except most selections under the Advanced tab (as I hate surprises and complications).
    I also ran the tool’s registry cleaner.
    AntiVir PE and Spybot S&D scans found nothing.
    Ad-Aware Anniversary Edition (latest): log attached.
    Malwarebytes' Anti-Malware: log attached.
    SuperAntiSpyware HE: log attached.
    And now a surprise! As I clicked next to remove the item found, I got an error popup. Nevertheless, when I checked the Quarantine contents, the item seems to have been quarantined. See images below:

    HijackThis: I ran it without renaming it. Log attached.

    Do you think there is still hope of solving the problem?
  16. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK

    Do the below and I think we will get some where.

    Update then run SAS
    Click Preferences-Repairs

    Then counting down from top do the following entries
    Numbers 6, 8, 11, 12, 13, 15, 18, 19 and 24!

    Download SD Fix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    --------------------------------------------------------------------------------------------------------
    Next

    Download ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while it's running. That may cause it to stall.

    Mike
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    From Mbam:
    DAccordPersonalGuitaristv12_Crack.exe>> Trojan found in this file:

    If you're going to use file sharing downloads, you are going to get malware

    Here is the script error problem:
    This may also be causing a problem:
    Also suggest you change Startup Type for these Services to Manual instead of automatic:
    To access: Start> Run> services.msc> right click on each Service> Properties> change startup to Manual.

    This one was puzzling:
    The following is considered Real Time Protection and should be disabled while you're scanning:
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe (found in the AdAware scan)
    ppmemcheck.exe is an application from PestPatrol which disables SpyWare and MalWare on your system. It also does not need to be on the Startup menu.

    Disable Acronis while you're scanning:
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

    In my opinion, you have many highly customizable processes running. They are all on the Start menu or in the Registry and start on boot, run in the background. Although the processes may actually be legitimate, the potential for conflict with other processes is great.
  18. CAMusing

    CAMusing TechSpot Enthusiast Posts: 328

    I wouldn't be surprised if the new Ad-ware Anniverserity Edition is causing the conflict you are experiencing.

    correction, Ad-Aware Anniversary Edition.
  19. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    @ CAMusing

    I’ve had the problem before upgrading Ad-Aware. But the Anniversary Edition is faster and found objects missed by the previous version.

    @ mflynn & Bobbye

    Thanks for the deep analysis and the specific advice. I shall do everything you recommend. I started with Bobbye’s suggestions because they seemed easier to apply at my level.

    HJT: I’ve fixed everything you said and attach the latest log.
    If you think there are further useless items, please advise.

    O23 - Service: SiSoftware Database Agent Service & O23 - Service: SiSoftware Sandra Agent Service: Strangely, I found both items in manual Startup Type!
    Is there any other check or action I can do?

    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe: I have disabled all PestPatrol monitoring activity, as I consider it useless. If anything, I’ll use that of Spybot S&D or SuperAS. Which one, if any, would you recommend?

    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe: I have similarly disabled all Acronis True Image startup activity, as I don’t use its scheduler etc.
    Should I re-enable something?

    Trojan.Security Toolbar: C:\Documents and Settings\Thespis\Favorites\Antivirus Test Online.url: I couldn’t find this item, it has probably been removed by SuperAS.

    It's now disappointing that the problem still persists regardless of all measures so far, but it occurs much later than it used to, e.g. when I search for non-existent items for which it runs a long time. Nevertheless, my system is now cleaner and more stable thanks to your advice.

    As regards file sharing, I used to be active when I had less experience in avoiding malware but have since got wiser. However, I’ve had these items for a long time without apparent consequences.

    And now I shall proceed with mflynn’s instructions.
  20. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Bob

    Are you saying SiSoftware is no longer installed? Check Add/Remove programs.
    Your choice I don't use any but I regularly every few days do MBAM and SAS scans. But if I did I would use SAS. And I agree to the disabling TrueImage if you use Acronis only manually when you want!

    This is a Malware Startup that the program is missing. Removal instructions below.

    Look carefully at Add/Remove programs uninstall any unused useless or outdated programs look for SiSoftware and decide what to do with it if there.

    Then..

    Download install and run AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
    Run it let it scan, then when it says ready at bottom left corner, make sure the EVERYTHING Tab is selected and then click File at top and then Find.

    Type in the find box file not found and hit enter and delete all lines that have file not found.

    There are a bunch of old stuff that M$ thought you might or would need that no longer exist or for computers that are assumed to have SCSI or AMD processors but do not!

    After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for Trojan delete any entries related to Trojan.Security Toolbar.

    Back to top click 1st entry and repeat Find for SiSoftware if you are removing it.

    Then look carefully through all the other entries and delete anything that you may have had but uninstalled and thought was gone. If you are sure delete these also.

    Next

    Then get install and run:
    RunScanner http://www.runscanner.net/download.aspx
    Click Scan computer
    Double click all Red lines to select, then click Item fixer and remove them.

    Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

    Same as already said on AutoRuns stuff that was assumed to be needed but you do not have.

    None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

    Reboot and recheck with both AutoRuns and RunScanner.
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    This may fix your search issue

    This is a fantastic program for what it does, but because of what and how it does its job it is the best way I know to find a missing or corrupted DLL, usually done by Malware.

    Basically it finds all DLL's and unregisters them then re-registers them, and in the process will find the missing or corrupt ones

    Download Dial-A-Fix (DAF)

    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Flush DNS
    Process Idle Tasks
    Repair Permissions
    Reset WMI/WBEM (not reinstall)

    Watch for any File not found or other errors and make note as this may lead to the fix!

    Reboot retest! Report!

    Mike
  21. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    Here is my report on mflynn’s previous recommendations.

    Did SAS repairs, without really knowing what they do.

    Ran SDFix under Safe Mode – log attached.

    Ran ComboFix – log attached.

    HJT – latest log attached.

    Finally, as usual, the problem still persists.
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Bob you are being reinfected as evidenced by older ComboFix log files being clean and now look at the last Combofix log and the SDFix log.

    It is coming from an Internet site or a Video or Audio file or some program, likely your P2P file sharing.

    Did you install a new Firewall?

    I'm not there so I can't see what is happening. The Search problem is secondary to but likely related to your Malware.

    So I am going a somewhat different route.

    Do no P2P downloads visit music game social networking (myspace etc) play any videos or music until we are clean.
    --------------------------------------------------------------------------------------------------------
    Download these but don't run, after downloaded boot to Safe mode only and run

    But first thing in Safe Mode run Combofix to confirm that the last run of Malware found is really gone.

    Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

    Make Folder on your Desktop name it RRepeal. Move the rar file there and extract.

    Enter folder double click RootRepeal.exe.
    Click the Report tab, then click Scan

    It will ask what to include in the scan.

    Check the following
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Then click OK

    It will ask which drive to scan.

    Check C: (or your windows drive, if not C)
    Click OK
    The scan will begin and will take a while.

    When scan completes, click Save Report .

    Name the log RRepeal.txt save it to your Documents folder (it should default there).

    Attach log here..

    Then

    Download Trojan Remover http://www.simplysup.com/tremover/download.html
    This is a full 30 day trial!

    Install Scan, Quarantine all found and attach log.

    Mike
  23. bobcat

    bobcat TechSpot Paladin Topic Starter Posts: 688   +67

    Just a few preliminary remarks before I proceed.

    But I had not submitted any older ComboFix log files, only HJT and other antimalware tool files.

    No, I always use Agnitum Outpost.

    Why use further tools when I already have several of them?
    Spybot S&D
    Ad-Aware
    MBAM
    SAS
    SDFix
    ComboFix
    PestPatrol
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    1. You are right I was looking at an MBAM log!

    2. You are correct also this was the first Combofix and SDfix runs, again I may have had another Poster in my tiny mind!

    3. Yes since this the first runs of SDFix and Combofix and they found issues run them again to confirm they are clean and find no more.

    4. On the more tools unless the above clears the issues then these have proven not to work, correct?

    5. Did you do the Dial-A-Fix? AutoRuns and RunScanner?

    Do not do the RootRepeal or Trojan scanner until the above is complete and I have parsed the logs.

    Mike
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Bob, I just noticed this entry in the HijackThis log:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-choice.com.cy/

    This domain, i-choice.com, is shown as being open and for sale. Some of the selections on the page that comes up leave much doubt as to the validity of the page. The Country Code that appears in the URL is CY - Cyprus.

    Regarding this:
    This does NOT mean they are safe and it gives a road for malware to travel.

    Unless you are willing to remove some of the highly customized entries you have, you are not going to find the source of the malware.
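
Added example, not part of the thread or any poster's code: a small triage pass over HijackThis log text that surfaces the two entry types discussed above, R0/R1 browser start/search pages pointing at hosts you did not set, and O23 services you do not recognise. The allowlists and all sample lines except the i-choice R0 entry are constructed; trimming an O23 display name at " (" or " - " is an assumption about the rest of that line.

```python
import re
from urllib.parse import urlsplit

# R0/R1 entries record IE start/search page values, in the form quoted above:
#   R0 - <registry key>,<value name> = <data>
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
# O23 entries list services: "O23 - Service: <display name>"
O23_LINE = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def host_allowed(host, expected_hosts):
    """True if host is an expected host or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in expected_hosts)


def triage(log_text, expected_hosts, expected_services=()):
    """Return (section, item, detail) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            data = m.group("data").strip()
            # Treat a bare "www.host/path" value as a URL without a scheme.
            if data and ":" not in data:
                data = "//" + data
            host = (urlsplit(data).hostname or "").lower()
            # about:blank and local paths have no host and are skipped here.
            if host and not host_allowed(host, expected_hosts):
                findings.append((m.group(1), m.group("name").strip(), host))
            continue
        m = O23_LINE.match(line)
        if m:
            # Assumption: anything after " (" or " - " is not the display name.
            display = re.split(r" \(| - ", m.group("rest"), maxsplit=1)[0].strip()
            if display not in expected_services:
                findings.append(("O23", "Service", display))
    return findings


# Constructed sample log; only the i-choice R0 line is taken from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-choice.com.cy/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: SiSoftware Database Agent Service
O23 - Service: Constructed Backup Agent
"""

if __name__ == "__main__":
    for section, item, detail in triage(
        SAMPLE_LOG,
        expected_hosts={"example.com"},
        expected_services={"Constructed Backup Agent"},
    ):
        print(f"{section:4} {item:12} {detail}")
```

A flagged entry is only a prompt to check who set it; an unexpected start page or service can be legitimate, and a clean result says nothing about the other HijackThis sections.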