Old 10-17-2005, 12:14 PM   #5 (permalink)
RavenMind
Lazy Bum
 
RavenMind's Avatar
 
Join Date: Mar 2005
Location: Salt Lake
Posts: 1,015
OS: XP Home SP3/Vista


Hello, Michael. Thank you for being patient while I reviewed your log!

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you are unable to access Notepad during the fix. Make sure to work through the fixes in the exact order they are presented. If there is anything that you don't understand, ask me about it before proceeding with the fixes. It is important to close all browsers (Internet Explorer, My Computer, etc.) or windows when you are running any scans, tools, or HJT.

  1. Enable the viewing of hidden files/folders:

    Go to My Computer > Tools > Folder Options > “View” tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible too.



  2. Downloads:

    CleanUp!
    The Temp folders are a popular place for malware to hide out, plus installation programs tend to leave a lot of junk in there. Download and install CleanUp! to clean out your temps, but do not run it yet.

    Ewido Security Suite. Download & install Ewido, then update its database. Do not run it yet.



  3. Reboot into Safe Mode.
    Restart the computer. While it’s booting up, tap the F8 key until a numbered menu appears. Choose “Safe Mode”, press Enter, and Windows will continue to load.



  4. Suspicious Address:
    Quote:
    85.255.113.130, 85.255.112.19
    These addresses appear linked to a company called Inhoster out of the Ukraine (a hotbed for malware & spam). If you don’t recognize them then please remove them with HJT. (Next step)



  5. HiJackThis Entries:

    Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

    O2 - BHO: (no name) - {93336822-F4C1-AF1D-E76D-F47A94E10EE5} - C:\WINDOWS\system32\ejk.dll (file missing)
    O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B90886-2AA6-4501-B966-B7A22D9E0A44}: NameServer = 85.255.113.130,85.255.112.19
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7E4442-574D-46F1-9A0F-1B063193247E}: NameServer = 85.255.113.130,85.255.112.19
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
    O20 - Winlogon Notify: style32 - c:\ms32.tmp


    Please make sure to close all open windows & browsers, then click Fix Checked.



  6. File Deletions:
    Delete the following FILES indicated in RED.
    C:\WINDOWS\vsnpstd3.exe
    C:\WINDOWS\system32\ejk.dll
    c:\ms32.tmp


  7. Flush System Restore Points
    This should get rid of the last 3 entries in your Kaspersky log.

    Turn off System Restore:
    1. Right-click "My Computer"
    2. Click "Properties"
    3. Click the "System Restore" tab
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
    5. Click "Apply"
      When turning off System Restore, the existing restore points will be deleted.
      • Click "Yes" to proceed
    6. Click "OK"

    Reboot your System.

    Turn on System Restore
    1. Right-click "My Computer"
    2. Click "Properties"
    3. Click the "System Restore" tab
    4. Un-Check "Turn off System Restore" or "Turn off System Restore on all drives".
    5. Click "Apply"
    6. Click "OK"
    Note: It is very important to remember to turn system restore back on after reboot! If you do not, System Restore will remain deactivated & you will not have any previous points to restore back to should it become necessary to do so.

    While the system is booting, please go back to Safe Mode.


  8. Run CleanUp!
    Configure the program as follows:
    1. Click Options...
    2. Move the arrow down to Custom CleanUp!
    3. Put a check next to the following:
      • Empty Recycle Bins
      • Delete Cookies
      • Delete Prefetch files
      • [X]Scan local drives for temporary files (Please uncheck this option)
      • Cleanup! All Users
    4. Click OK
    5. Press the CleanUp! button to start the program. Reboot when prompted.
    * CleanUp! will delete all the files in your temp folders without making a backup! If you have a 64 bit Operating System do NOT run CleanUp. Let me know and we will use another utility.



  9. Reboot into Normal Mode.



  10. Jotti File Submission:
    Quote:
    C:\Windows\System32\wininet.dll
    You have a suspicious file or files I would like to take a closer look at. Please upload the following files for analysis at Jotti.
    • Once at the site press the “Browse” button
    • Navigate to the first file, select, and click “Open”
      This should bring you back to the webpage.
    • Click “Submit” on the Jotti webpage
    It may take a while to upload the files & analyze them. You should then be presented with another page listing results for several different scanners. Please let me know if they found anything.
(If you are unable to find wininet.dll under C:\Windows\System32, try looking at C:\WinNT(\System32), or do a search for it: Start > Search > For Files or Folders..)




Please post the following items in your next reply:
  1. Fresh HJT log in Normal Mode
  2. If you are using dial-up
  3. Results of the Jotti submission

Last edited by RavenMind; 10-17-2005 at 12:20 PM.
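The O17 entries in step 5 are the interesting part of this log: each one is a per-interface NameServer override in the registry, and all of them point at the two Inhoster addresses called out in step 4, so every DNS lookup on the machine was being answered by a resolver the user never chose. The following script is an added example, not part of RavenMind's post or of HijackThis; it parses O17 lines out of an HJT log and flags any interface whose resolvers fall outside an allow-list of expected ranges. The sample log is constructed from the entries quoted above plus one benign interface, and the allow-list (private RFC 1918 ranges) is an assumption that a real check would replace with the router or ISP resolvers the user actually expects.

```python
import re
from ipaddress import ip_address, ip_network

# HijackThis O17 line: a per-interface NameServer override under
# HKLM\System\<ControlSet>\Services\Tcpip\..\{interface GUID}.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>[\d.,]+)\s*$"
)

# Assumed allow-list: resolvers a home LAN would legitimately hand out.
TRUSTED = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]


def parse_o17(line):
    """Return {'cs', 'guid', 'servers'} for a NameServer O17 entry, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [ip_address(s) for s in m.group("servers").split(",") if s]
    return {"cs": m.group("cs"), "guid": m.group("guid"), "servers": servers}


def find_dns_hijacks(log_text, trusted=TRUSTED):
    """List (control set, GUID, rogue resolvers) for interfaces using untrusted DNS."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o17(line)
        if entry is None:
            continue
        rogue = [str(ip) for ip in entry["servers"]
                 if not any(ip in net for net in trusted)]
        if rogue:
            hits.append((entry["cs"], entry["guid"], rogue))
    return hits


# Constructed sample: a non-O17 line, the O17 entries from the post, one benign one.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B90886-2AA6-4501-B966-B7A22D9E0A44}: NameServer = 85.255.113.130,85.255.112.19",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1",
])

if __name__ == "__main__":
    for cs, guid, rogue in find_dns_hijacks(SAMPLE_LOG):
        print(f"{cs} {{{guid}}} -> rogue resolvers: {', '.join(rogue)}")
```

Note that the same GUID appears under both CCS and CS1: the override sits in the last-known-good control set too, which is why fixing the entries with HJT rather than only the current control set matters.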