When I perform a search for a file in Windows Explorer (start > Search), all starts normally, but after a few minutes WE crashes and I get the message:

“Runtime Error!
Program: C:\WINDOWS\Explorer.EXE
This application has requested the Runtime to terminate it in an unusual way.”

There is no minidump, but I attach all messages & report contents.
My System: XP Pro SP3. Thanks in advance.

Do the below steps in order presented!

Uninstall from Add/Remove Programs any A2 malware/virus programs.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Before Temp cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.
-----------------------------------------------------------------------------------------------------------------------------------------------------

Download and install CCleaner: http://www.ccleaner.com/download/builds
Get the one on the bottom SLIM! Run both Temp and Registry repeatedly until no more found.

Download install and run KCleaner: ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe

Reboot to Safe Mode and run all CCleaner and KCleaner again as above.

Reboot back to normal mode test for issue!

Report back the status!

Mike

Thanks for a thorough multi-step response mflynn, your interest is fully appreciated.

I’ll see what I can do with following your instructions. I already had CCleaner without the Toolbar, which I suppose is the same as the SLIM version you specified.

In the meantime, I have found that the error code I am getting (0x40000015) is described as “unknown software exception”. I suppose it has to do with a new program I installed. Is this so?

And regarding your mention of specialized back up programs, I recently installed Acronis True Image 11. So it may be an idea to uninstall that first. What do you think?

No! No need to uninstall Acronis True Image!

Just uninstall all A2 programs in Add/Remove.

The specialized backups will be recreated so just do the steps.

Mike

Thanks. Just another clarification about "A2 programs". I am using the anti-malware “a-squared Free” from www.emsisoft.com/en/software/free/ which I’ve had for a long time without complications. I assume that is what you mean, but to avoid possible unnecessary uninstallation, please confirm.

Yes that was one of the errors in your screens!

After we confirm this fixes your problem then you can reinstall in a few days.

No problem with A2 (asquared) but the installation may be corrupted!

Mike

I return with some info.

So far I have done the following:
Uninstalled a-squared
Created new System Restore point
Ran Windows Disk Cleanup
Deleted all System Restore points except the last
Ran CCleaner clean-up
Ran CCleaner registry fix repeatedly (not in safe mode, but with all apps closed)
Rebooted
Tested the Search function and problem was still present.

The trouble is that now, having deleted System Restore points, I can’t go back in time!

I can repeat the cleaning/fixing in safe mode and also use KCleaner, but somehow I don’t expect a solution, while I am a little apprehensive about interfering too much with the registry just in hope.

But after further trials, I have a new discovery:
When I start the Search function, it asks for an outbound connection. I normally don’t allow it, as it’s nobody’s business what I am searching for. Searching still starts, but after a while Windows Explorer crashes due to C++ Runtime Error.

However, if I allow the outbound connection, the search goes through without crashing. This is something new, because in the past I never allowed outbound connection and there was no WE crashing.

Does this mean something?

OK we have a SR of a working OS so we are Safe.

To be even safer a redundant registry backup will give you peace of mind so..

Get ERUNT
Add a redundent Reg backup, get and install ERUNT let it add itself to startup and do a backup on install check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.

Now I believe you have Malware so do the following to prove me wrong!

Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

Skip no steps (do not install another virus scanner or Firewall if you already have one).

Most importantly update MalwareBytes and SuperAntiSptware!

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3 Ignore System Restore.. are checked:

MalwareBytes extra config

After update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Mike

Again, your answer is both comprehensive and comprehensible, which is uncommon!

Though I never find any malware on scanning (by AntiVir, Spybot S&D and Ad-Aware), I shall follow your instructions and do the TechSpot 8 steps. Re Step 3: Temporarily Disable Real Time Monitoring Programs, I suppose I shall have to disable my AntiVir and Agnitum f/w.

But here I have a comment. I believe Step 3, i.e. disabling all protection, should come later, after downloading and updating all tools involved. Then one should disconnect from the internet, disable protection and subsequently run the tools. Otherwise one would run the risk of catching malware while doing the 8 steps against it!

As regards ERUNT, I did not use it in the past, because it says in the FAQ’s (http://www.larshederer.homepage.t-online.de/erunt/faq.htm) that you should disable Windows XP’s System Restore function when using ERUNT. I am not sure that’s a good idea, as the SR does more than registry backup.

Good! Your logic is good on the disabling so do it that way!

Your Logic is good also to do the 8 Steps and you will likely be surprised.

Your Logic is good also not to turn off SR. But do get ERUNT and run it (Run as Administrator) both to install and run. The author did not say it has a problem with SR just that it may not be needed with ERUNT. I have it running on many Vista systems with SR!

This is what I have found about SR!
When you really need it, it (A). finds no restore point and (B). if it does it can not restore it!

A redundant ERUNT backup is a good idea.

So continue with the 8 Steps! Your way! As your way is a good way!

Bobbye made some good suggestions in his post #9.

Mike

@Bobbye

Many thanks for your valuable advice, which I had not noticed immediately because I was preparing my answer to mflynn.

I have gone thru all points you mentioned:

I unchecked “show hidden files and folders” but no change.

Strangely, the Event Viewer does not show the errors corresponding to the numerous WE crashes! It only shows some other, irrelevant errors.

I then disabled all IE add-ons (24 of them!), which seems to have solved the problem.
This is subject to confirmation and to further action of trying to identify the culprit.

@ mflynn

Thanks for the additional info, especially about ERUNT.

So far, I’ve run AntiVir and Spybot S&D with nothing found.

@ both advisors

I am already wiser as a result of your advice and glad I’ve started the thread, even if the problem is not finally solved.

I’ll get back when I have more to report.

SpyBot is OK but the 8 Steps especially SAS and MBAM will be the killer!

But do run the Immunize function of SpyBot!

Mike

Unfortunately, its bad news. I later found that disabling all IE add-ons doesn’t solve the problem. It just made it occur much later, which misled me at first. I don’t know if this gives a clue. Furthermore, after all 8 steps and more, the problem persists.

And now TechSpot 8 Steps Against Malware results.

Java: I had the latest version 6 Update 11, but also version 6 Update 7 which I uninstalled.
CCleaner: I ran the cleaner with everything ticked except most selections under the Advanced tab (as I hate surprises and complications).
I also ran the tool’s registry cleaner.
AntiVir PE and Spybot S&D scans found nothing.
Ad-Aware Anniversary Edition (lastest): log attached.
Malwarebytes' Anti-Malware: log attached.
SuperAntiSpyware HE: log attached.
And now a surprise! As I clicked next to remove the item found, I got an error popup. Nevertheless, when I checked the Quarantine contents, the item seems to have been quarantined. See images below:


HijackThis: I ran it without renaming it. Log attached.

Do you think there is still hope of solving the problem?

OK

Do the below and I think we will get some where.

Update then run SAS
Click Preferences-Repairs

Then counting down from top do the following entries
Numbers 6, ,8 11, 12, 13, 15, 18, 19 and 24!

Download SD Fix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
--------------------------------------------------------------------------------------------------------
Next

Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

Mike

I wouldn't be surprised if the new Ad-ware Anniverserity Edition is causing the conflict you are experiencing.

correction, Ad-Aware Anniversary Edition.

@ CAMusing

I’ve had the problem before upgrading Ad-Aware. But the Anniversary Edition is faster and found objects missed by the previous version.

@ mflynn & Bobbye

Thanks for the deep analysis and the specific advice. I shall do everything you recommend. I started with Bobbye’s suggestions because they seemed easier to apply at my level.

HJT: I’ve fixed everything you said and attach the latest log.
If you think there are further useless items, please advise.

O23 - Service: SiSoftware Database Agent Service & O23 - Service: SiSoftware Sandra Agent Service: Strangely, I found both items in manual Startup Type!
Is there any other check or action I can do?

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe: I have disabled all PestPatrol monitoring activity, as I consider it useless. If anything, I’ll use that of Spybot S&D or SuperAS. Which one, if any, would you recommend?

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe: I have similarly disabled all Acronis True Image startup activity, as I don’t use its scheduler etc.
Should I re-enable something?

Trojan.Security Toolbar: C:\Documents and Settings\Thespis\Favorites\Antivirus Test Online.url: I couldn’t find this item, it has probably been removed by SuperAS.

It's now disappointing that the problem still persists regardless all measures so far, but it occurs much later than it used to, e.g. when I search for non-existent items for which it runs a long time. Nevertheless, my system is now cleaner and more stable thanks to your advice.

As regards file sharing, I used to be active when I had less experience in avoiding malware but have since got wiser. However, I’ve had these items for a long time without apparent consequences.

And now I shall proceed with mflynn’s instructions.

Hi Bob

Are you saying SiSoftware is no loner installed check Add/Remove programs?

Your choice I don't use any but I regularly every few days do MBAM and SAS scans. But if I did I would use SAS. And I agree to the disabling TrueImage if you use Acronis only manually when you want!

This is a Malware Startup that the program is missing. Removal instructions below.

Look carefully at Add/Remove programs uninstall any unused useless or outdated programs look for SiSoftware and decide what to do with it if there.

Then..

Download install and runAutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Run it let it scan, then when it says ready at bottom left corner, make sure the EVERYTHING Tab is selected and then click File at top and then Find.

Type in the find box file not found and hit enter and delete all lines that have file not found.

There are a bunch of old stuff that M$ thought you might or would need that no longer exist or for computers that are assumed to have SCSI or AMD processors but do not!

After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for Trojan delete any entries related to Trojan.Security Toolbar.

Back to top click 1st entry and repeat Find for SiSoftware if you are removing it.

Then look carefully through all the other entries and delete anything that you may have had but uninstalled and thought was gone. If you are sure delete these also.

Next

Then get install and run:
RunScanner http://www.runscanner.net/download.aspx
Click Scan computer
Double click all Red lines to select, then click Item fixer and remove them.

Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

Same as already said on AutoRuns stuff that was assumed to be need but you do not have.

None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

Reboot and recheck with both AutoRuns and RunScanner.
----------------------------------------------------------------------------------------------------------------------------------------------------

This may fix your search issue

This is a fantastic program for what it does, but because of what and how it does it job it is the best way I know to find a missing or corrupted DLL. usually done by Malware.

Basically it finds all DLL's and unregisters then then re registers them, and in the process will find the missing or corrupt ones

Download Dial-A-Fix (DAF)

http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Flush DNS
Process Idle Tasks
Repair Permissions
Reset WMI/WBEM (not reinstall)

Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot retest! Report!

Mike