Windows Explorer has stopped working

Hi,
I am a newbie and this computer is used by then entire family so I haven't been able to determine what someone may have done when this problem started. When trying to move and copy files I keep getting a message saying:

Windows Explorer has stopped working
Check online for a solution and restart the program
Restart the program

After I click on restart the program I get an error message
runtime error 216@ 076A3EDA

I did try and do a system restore to an earlier date and still had the same problem. I ran Kaspersky online virus scan and have that report if you want it. Then I followed the READ & RUN ME FIRST--still have the problem so I attached the files stated in that procedure.

Help please...............

 

Hi klbreeze,

The error you get is for Backdoor.SubSeven. I would like for you to see if you have the registry key associated with this. Please go to Start / Run and type in Regedit and click on okay. When the registry opens, look for the following key and see if the value Traylcon is there (icon is spelled not with an i, but with an l)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Traylcon

If you find it, please tell me.

Then I would like for you to do the following:


1) Go to add/remove programs and uninstall the below:

- Java(TM) 6 Update 2

2) Reboot after uninstalling the above.

3) Install the current version of Sun Java from: Sun Java Runtime Environment

4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

After you click fix, just close hijackthis.


5) Run CCleaner in the default setting with the Windows tab as the one on top.

abri

 

Hi abri

I do not have HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Traylcon.

I have followed all the steps---------what is next?

I really appreciate all your help.

 

If you still have the Kaspersky report, please attach it.
Thanks.
abri

 

Hi abri!

Attached is the Kaspersky report.


The sun is shining in Michigan today

 

Hi klbreeze,

Hopefully it will be Spring soon.

Please go to add/remove programs and uninstall the following:

iWin Games

You have one lone Symantec service running and I don't think you need this. Please disable it as follows:

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Symantec Lic NetConnect service
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Now Click OK until you get back to Windows.
• Next, run analyse.exe in the MGTools folder under C by double clicking on it. This is really HijackThis. Instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/paste CLTNetCnService into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)


Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

Let me know how things are running now?

abri

 

Hi abri!

i am not sure which one? do a system scan and save logfile or do a system scan only

 

Hi abri!

oops! hit a button and it ran
I didn't see O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

Attached is the mglogs.zip file

Now when I try and move or copy files I get
runtime error 77D42E7B
then same windows explorer has stopped working............

did I do something wrong?

 

Hi klbreeze,
If you're getting an error, then I would like for you to move back to the restore point just preceeding your last set of instructions. To do this, go to Start / All Programs / Accessories / System Tools / System Restore
check the box to Restore my computer to an earlier time and click on Next. You'll see a calander with highlighted dates. Choose one of the dates just preceeding these problems and allow your system to return to that date. Tell me how this goes.
abri

 

Hi abri!

I tried to do a System Restore to just before I did the last set of instructions. When the computer restarted it went to my niece's user account instead of my sister's (which is the one I used to do the system restore and my niece was not logged on at the time). That seemed odd to me. Anyway, I got this error:

System Restore did not complete successfully. Your computer's system files and settings were not changed. An unspecified error occurred during System Restore. You may want to try a different restore point.

Should I try a different restore point? :confused

 

Hi klbreeze,
Try another restore point that's earlier and tell me if you get the same error message. You can go back to a week earlier or more. The things we fixed so far can be fixed again so there is not a problem about that if the restore is successful.
abri

 

Hi abri,

I tried to restore to an earlier point but I get the same error. I clicked on the check box to show restore points earlier than 5 days. The earliest restore point is 2/27.

 

Hi klbreeze,

I would like for you to do the following:

1) Go to add/remove programs and uninstall the below:

- iWin Games (remove only)


2) Download and install Erunt. Use it to create a backup of your registry.

3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

4) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

5) Now run CCleaner at the default setting with the Windows tab as the one on top.

6) Next I would like for you to upload the C:\WINDOWS\WIN.INI and C:\WINDOWS\SYSTEM.INI files as attachments here so I can look at them.

7) And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

Hi abri,

• 
  
  I was not sure if it worked right?-------How should I answer? Yes or No?

 

I forgot to say that the message box also says:

Warning!

Error saving file

C:\Windows\ERDNT\AutoBackup\2008-03-04\Security !
Continue with next file?
[RegCreate KeyEx:5 - Access is denied]
Yes or No

 

Hi klbreeze,
Sorry, I think I got caught between Avenger versions. Please download the following program and allow it to install over the old one. Then see if the following will work:

Download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

[/quote]

After you complete the above, plase run CCleaner at the default setting with the Windows tab as the one on top.

Also, did you get a success message for the registry patch (REGEDIT4) when you ran it?


abri

 

Hi abri,

Yes, I got a success message. Attached are the C:\WINDOWS\WIN.INI and C:\WINDOWS\SYSTEM.INI

 

Hi abri,

Attached is the mglogs.zip and the avenger log.

I still get the "Windows Explorer has stopped working..........." error :cry

 

Hi klbreeze,

First some questions and then some instructions:

1) Does Windows Explorer work in safe mode?

2) Do you know when the problems started - what date? There was a Windows Vista update on February 13th and we're wondering if you might have started having problems with that update.

3) Can you use your search for Windows Explorer by clicking on Start / Search?

4) What is in the following folder: (do not open any files)
C:\Program Files\Lavasoft (33)
Did you install software from Lavasoft at that time and did you give the folder this name? If so why?

And now, please do the following:

5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\RunOnce: [iWinArcadeIECleanup] C:\Users\CHRIST~1\AppData\Local\Temp\iWinArcadeAutocleanup.bat

After you click fix, just close hijackthis.


6) Now Run avenger.exe by double-clicking on it.

• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

8) Now run CCleaner

9) In post 8 you posted a complete set of MGlogs, but in your last post, the MGlogs look like they did not run completely. Could you rerun those and see if you can get them to run all the way through? There is a new version of the tools, so if you go to Vista Cleaning Procedure and reinstall the MGTools over the existing ones and follow the instructions, you'll get a new set of MGlogs.zip. Please attach these so I can see if all the malware has been removed.

Let me know how things are running now?

abri

 

Hi abri,

 

Oh, you're right. I get that too. So sorry! Try the download link at the Windows XP Cleaning Procedure The MGtools are the same even though some of the procedures for installation and running them are slightly different for Vista. Use the above XP link to download the MGtools, but the Vista Cleaning Procedure for the instructions on installing and running them.

If that works, please attach the MGlogs.zip which you'll find directly under C just about the superman icon.

After the above, whether you are able to get the logs or not, I would like for you to do some searches to see if you have the subseven backdoor. If you do, one or the other file must be on your computer.

To do a registry search, please proceed as follows:

Download RegSrch.zip

Unzip the archive to your desktop and double click on the VBS file.
(If your AntiVirus alerts, allow the script to run.)

Now one at a time, enter the following files and when the search is complete, copy the results into a .txt file. You can name each something like rs-filename where file name is the first part of the name I'll give you below without the ending. When you've completed a search for each one, please attach all the results. If there isn't anything found, just tell me.

abri

 

Hi abri,

I attached this.

Did not find:
KERNEL16.DL
RUNDLL16.COM
SYSTEMTRAYICON!.EXE
WINDOS.EXE

 

Hi klbreeze,

A few things:

1) First of all I went through your Kaspersky log and it will only detect but not get rid of what it finds. To get rid of the offender, you have to download their free 30-day trial version of the Antivirus program which can be found at http://usa.kaspersky.com/downloads/trial-versions.php

The problem about doing this is that you already have an antivirus program running. I would like for you to download and install the Kaspersky trial version, BUT in order to do this you must first uninstall your current antivirus program which is AVG 7. It is not enough to deactivate it, you have to go to add/remove programs and uninstall it.

When you go to the Kaspersky website listed above, the free trial version of the antivirus program is just below the download for the Kaspersky security suite. You don't need the security suite. You only need the Kaspersky Antivirus free trial.

2) Secondly, your hijackthis log shows that the Symatec entry is still present. In order to remove it from your system, you have to first go through the instructions to disable it which I described in post 6 where you go to Start / Run and type in services.msc and then find the Symantec entry in the list under Symantec Lic NetConnect
Two questions about this:
Were you able to disable this Symantec service?
If you were able to disable it, were you able to find this following line in HijackThis?

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

The reason I'm asking about this is because the above entry is still in your HijackThis which means that it hasn't been removed. Please look at those instructions again and see if you can get them to work. If you can't, please tell me exactly where in the instructions things are not working. Are you getting any error messages? Were you not able to find this service running?

3) You have an old version of Java. Please go to add/remove programs and uninstall the following: Java(TM) 6 Update 2

4) Reboot your computer5)Install the current version of Sun Java from: Sun Java Runtime Environment

5) When you finish with the above, please run C:\MGTools\GetLogs.bat by double clicking on it and then upload the MGlogs.zip (found directly under C just above the superman icon). Also, please attach the results of the Kaspersky scan.

Thanks!
abri

 

Hi abri,
I started working on following your last instructions I think yesterday but life happened .................

Yes I was able to disable this. When I followed the instructions in post #6--Start, Run, services.msc, Ok, etc.--when I right clicked and selected Properties it already said it was stopped. Same thing when I did it this time.

I could not find this line last time from post #6.

Then I ran analyse.exe and when I went to copy/paste CLNetCnService in the box and press OK---I get message wants to know if I am sure. Unable to delete CLNetCnService. Make sure the name is correct and the service is not running.

I did this but I don't understand why it is back when I uninstalled and installed the current version in post #2?

I am attaching the Kaspersky results, the MGlogs.zip I hope I did not miss anything. Also, I get this error when the computer starts up now:
ERU for Windows NT
Unable to create file C:\Windows\ERDNT\Autobackup\2008-03-12\ERDNT.INF
Registry backup will continue, but no restore information for the ERDNT program will be saved. This means that later restoration of the registry can only be done manually, by using another OS to copy back the files. OK button After I click on OK I get this:

Warning!
Error saving file C:\Windows\ERDNT\AutoBackup\2003-03-12\security !
Continue with next file?
[RegCreate Key Ex:5-Access is denied]
Yes or No button-----I answer No.

I don't know if this is important or not. :confused I hope I did everything right.

I have tried to upload the attachments but it won't go through---I will try again later.

 

Hi abri,

Everytime I try to upload the Kaspersky.txt file and the MGlogs.zip I get a VBulletin error: Invalid Post specified. If you followed a valid link, please notify the administrator

What should I do? :tired

 

Hi klbreeze,
Sorry. Sometimes there are problems with attachments. Please try it again. If you get an error again, please try it with a different browswer or after emptying your cache. If none of the above work, please tell me.
Thanks.
abri

 

Hi abri,
I tried a different browser and I emptied my cache--still can't upload

 

Well, that's a drag! (growl) Let me tell somebody.

 

Okey dokey
Thanks!

 

klbreeze,
it's taking too long to find out why your attachments aren't getting through. Please see if you can post the requested logs here directly. I need to see your hijackthis.log, newfiles.txt and runkeys.txt. If the kaspersky results are lengthy, please enclose your report by beginning it with

Code:

 and ending it with [ /code] (without any spaces within the brackets).  You'll find the three logs as single files in the MGTools folder under C.
Thanks.
abri

 

Hi abri,

Here is the runkeys.txt

 

This is the hijackthis.log

 

the newfiles.txt

 

Hi klbreeze,

Sorry for the trouble with the attachments.

In post 24 you mentioned you were attaching the Kaspersky results. That kind of got lost in all the attachments turmoil. If you still have that, I would like to see it.

Then, please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

After you click fix, just close hijackthis.

The newfiles log has the same date and timestamp as the last one you attached. I'm not sure why, but this is probably why it appears that the old Java was never uninstalled.

Please run CCleaner.

How are you running your MGTools if you can't use Windows Explorer? How are you carrying out my instructions?

abri

 

Hi abri,

I have been trying since yesterday to get the Kaspersky report but the computer keeps getting "stuck"----ugh! my 3 month old niece was crying, and :banghead.

So I opened this report in OpenOffice.org and it is 10,000 pages and still counting. It is like 64MB. Is this the right report?

I have always been able to go to Windows Explorer(right click on Computer\Explore) but I was not able to move or copy any files.

Did I mention that the sun is shining in Michigan once again.:clap I'm ready for Spring to get sprung!

 

Hi abri,

I ran MGtools\analyze.exe and CCleaner. Then I checked to see if I still get error message. So I was able to copy and move a couple of files and then I closed Windows Explorer and tried it again and got the error and closed and opened it again and now it works but I keep getting a

Runtime error 216 at 77182E7B(this number changes) and an OK.

 

LOL @ 10,000 pages and still counting...

Well, hmmm ... See I still don't know what you did. Originally you told me you ran the Kaspersky online scan and it found a lot of things it didn't repair. So I told you you could get it to repair them by uninstalling your antivirus and then downloading the free trial version of Kaspersky antivirus. I don't know if you ever did that? Mainly logs are that big if you tell them to list all files rather than listing only infected files. I only want to see the infected files and I would prefer seeing that they were deleted or quarantined.

pick her up - usually they either want food or human touch and either is easy to supply. Also, they are a good lap size at 3 months, offer good heating and you can still type at the same time.

Okay, as for this Runtime error 216 at 77182E7B(this number changes) and an OK. I think this is related to a software problem. I ran into one with a similar number at this forum http://www.pctools.com/forum/showthread.php?t=49187&page=3 related to PCTools and it was related to a software bug. What you may need is to have the people in the Software Forum here help you see if there is a particular program leading to you getting that error. I suggest starting a thread in Software and seeing what they have to say.

abri

 

Hi abri,

yep, I did that but obviously I am clueless when it comes to Kaspersky LOL

Anyway, I ran a scan last night and I am attaching(yep, it worked this time:clap) the events---is this what you're lookin' for?

I noticed that this Trojan it found is in a folder that my nephew made in January--so I guess I better have a talk with him

So this is a part of the first online scan I did 2/23 and I wonder why this doesn't show up on the trial version? I ran another online scan last night and it still shows up there? What do I need to do about this?

Also the online scan didn't find the Trojan program 'Trojan-PSW.Win32.Small.dv' but the trial version did? :confused
So, I guess this Trojan program 'Trojan-PSW.Win32.Small.dv' is not deleted? What should I do about this?

It is amazing what you can accomplish while holding a baby. She is sooo adorable.

Thank you so much---I will check this out.

 

Hi klbreeze,
In post 19 I asked you to delete the following folder:

C:\Program Files\iWin Games\

If the folder has been deleted, then the files in it should also be gone, including the one Kaspersky lists:

iWinGamesHookIE.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped

The bigger problem here from the start is that you are having trouble with Windows Explorer. I would like for you to run 2 rootkit scans to see if they come up with anything:

• GMER
• BitDefender RootkitUncover

Attach the results with your next post.

Please post the results when you complete them. If these don't turn up anything, I would like for you to post a new thread in the Software Forum and see if they can figure out why you can copy and move things in Explorer. It's possible you have damaged files that need to be repaired.

abri

 

Hi abri,

Yes I did uninstall iWin Games(it is no longer in my program list) but I didn't know I should delete this folder( C:\Program Files\iWin Games\)? I just checked and that folder is still there. Should I just delete the folder or uninstall the Jewel Quest game first cause it is in that iWin Games folder?

Now I'm going to follow the rest of your instructions and then I will attach the results.

 

Hi abri,

These results are attached.

When I tried to run this I got an error screen that quickly disappeared and then I got the screen to enter in safe mode--safe mode networking......so I entered in safe mode and double clicked but got another error--I forgot to write it down

Now I have this error that pops up when the computer starts:
HP Connections is unable to access its data directory. It is either invalid or unreachable, or there is another program accessing it.

I have moved and copied some files and have not gotten that "Windows has stopped working...." or Runtime error 216 at 77182E7B(this number changes) and an OK lately.

 

Hi klbreeze,
Your GMER log is okay. Please post in the Software Forum to get help with these warning messages that are coming up because they do not seem to be related to malware.
abri

 

Hi abri,
My sister and I took a trip across the country and got back yesterday. She made some cds to take with us and computer seemed fine. Turned on the computer seemed okay sometime later it turned off--no idea why. Now it powers on, dvd drives light up green, no orange light for hard drive and nothing on monitor. Is this something related to the problems she was having before or did the hard drive just die??

should I go to another forum for help with this?
She bought this at Sam's Club and her 1 year warranty will be up sometime this month and should she take it back and have them replace it?

I just want to THANK YOU so much for all your help :clap :clap :clap :clap :clap

 

Hi klbreeze,
Thank you for your thanks. Sorry the problems continue. If all the cables are plugged in solidly (check that if you can), and you have a little time on the warranty, then taking it back would be a good idea. If they replace the harddrive, be sure to tell them you want to keep the old one as well, because it may still be possible to access the data on that harddrive, whether it is you wanting it or someone you don't know wanting it. Let me know how this goes.

abri

 

Hi Abri,

Sorry I have taken so long to follow up. They ended up bringing my sister a new motherboard. It actually was pretty fast and painless according to her. Anyway, she hasn't complained any more and I have been out of town frequently so I haven't checked it out.

I think she is still getting some message about HP Connections but I think that is a software issue??

Should any of the programs I installed per your instructions be removed? Oh, one other question is now that she has a new motherboard if she needed to use the restore disk--will it work? If not, what should she do?

Again, I thank you for all your help---and my sister thanks you double!!
klbreeze