I keep getting runtime errors linking to explorer.exe


:) win98/xp

Thread Starter
Joined
Oct 13, 2002
Messages
31
I keep getting runtime errors linking to explorer.exe. I have re-installed IE to the latest version and applied all patches from windowsupdate.com. I've also re-installed DirectX (latest version)... Not sure what to do next, re-install Win98.... ;(.....

Thanks,
db

-- My system --
Operating System: Windows 98 SE (build 4.10.2222)
System Model: Asset Tag: 01----BC

Processor: 900 megahertz AMD Duron
128 kilobyte primary memory cache
64 kilobyte secondary memory cache

Main Circuit Board: Bus Clock: 66 megahertz
BIOS: American Megatrends Inc. 062710 07/15/97

Drives:
40.81 Gigabytes Usable Hard Drive Capacity
17.08 Gigabytes Hard Drive Free Space
Compaq CD-ROM SC-140E
Generic floppy disk drive (3.5")
Maxtor 52049U4 (20.42 GB) [Hard drive] -- drive 0

Memory Modules: 240 Megabytes Installed Memory
Slot '0' has 128 MB
Slot '1' has 128 MB
Slot '2' is Empty
Slot '3' is Empty
Media Toronto
 

Del

Joined
Aug 31, 2001
Messages
3,452
Did you change any hardware or add any new software just before this started?
 

:) win98/xp

Thread Starter
Joined
Oct 13, 2002
Messages
31
I'm hoping the error pop-up window will occur; I will record it and post it.

db

Start-up List

StartupList report, 1/27/03, 1:45:29 PM
StartupList version: 1.51
Started from : C:\WINDOWS\TEMP\~~PDTEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\TWEAKNOW POWERPACK\RAM_98.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\SYNC-IT\SYNCIT.EXE
C:\PROGRAM FILES\SYSMETRIX\SYSMETRIX.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.EXE
C:\PROGRAM FILES\ANALOGX\NETSTAT LIVE\NSL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\PROGRAM FILES\ONTRACK\POWERDESK\PDEXPLO.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ONTRACK\POWERDESK\PDEXPLO.EXE
C:\WINDOWS\TEMP\~~PDTEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\StartUp]
SysMetrix (2).lnk = C:\Program Files\SysMetrix\SysMetrix.exe
BlackICE Utility (2).lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
nsl.exe.lnk = C:\Program Files\AnalogX\NetStat Live\nsl.exe

User shell folders Startup:
[C:\WINDOWS\StartUp]
SysMetrix (2).lnk = C:\Program Files\SysMetrix\SysMetrix.exe
BlackICE Utility (2).lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
nsl.exe.lnk = C:\Program Files\AnalogX\NetStat Live\nsl.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
SiS KHooker = C:\WINDOWS\SYSTEM\khooker.exe
EASY ACCESS KEYBOARD = C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
Pop-Up Stopper = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
Virtual Drive = C:\Program Files\TweakNow PowerPack\VDRIVE.exe
RAM Idle Professional = C:\Program Files\TweakNow PowerPack\RAM_98.exe
LoadQM = loadqm.exe
SiS Tray =
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
SDaemon = C:\WINDOWS\sdaemon.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Hidserv = Hidserv.exe run
LoadBlackD = C:\Program Files\Network ICE\BlackICE\blackd.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RHSI SHS = "C:\Program Files\Rogers Hi-Speed Internet\RHSI SHS Framework\SHS.exe" /background
Sync-It = C:\PROGRAM FILES\SYNC-IT\SYNCIT.EXE -hide

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ = C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 27/1/2003, 11:6:58)

[Rename]
NUL=C:\WINDOWS\SYSTEM\URLMON.DLL
C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\SET6393.TMP
NUL=C:\WINDOWS\SYSTEM\MSHTML.DLL
C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\SET6394.TMP
NUL=C:\WINDOWS\SYSTEM\SHDOCVW.DLL
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\SET63A1.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET PATH=C:\PROGRA~1\COMMON~1\OPSESS~1\SHARED;C:\PROGRA~1\COMMON~1\OPSESS~1\VIEWER~1;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;C:\PROGRA~1\SYMANTEC\PCANYW~1;C:\Program Files\Executive Software\DiskeeperWorkstation\
SET PATH=C:\PROGRA~1\SYMANTEC\PCANYW~1\;%PATH%

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\APPLICATION DATA\JSHSYLPRW.DLL (file missing) - {D44B5436-B3E4-4595-B0E9-106690E70A58}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
Webster Toolbar - C:\WINDOWS\DOWNLOADED PROGRAM FILES\M-WTOOLBAR.DLL - {9E1128F1-53FA-11d5-8490-0048548030CA}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - C:\WINDOWS\SYSTEM\IEBRW.DLL - {1A98BCA2-0BD1-47DE-9710-C7665F7F1FCB}
(no name) - C:\WINDOWS\SYSTEM\HOMEPAGE.DLL - {A116A5C1-AD77-446C-992A-F56200B112DB}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
{D3CEBC45-1A86-11D7-900A-0007952B6E85}_Advisor.job
{BEC9BB24-312D-11D7-9008-0007952B6E85}_Advisor.job
2 Copernic Daily ~Default User.job
3 Copernic Weekly ~Default User.job
4 Copernic Monthly ~Default User.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37596.4006018518

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://216.65.38.226/Download_Plugin.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/public/investor/v9/ticker.cab

[iCC Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPCONNCHECK.DLL
CODEBASE = http://www.pcpitstop.com/internet/pcpConnCheck.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security1.norton.com/SSC/SharedContent/common/bin/cabsa.cab

[Microsoft Search Settings Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SEARCHSETTINGS.OCX
CODEBASE = http://lg.home.microsoft.com/search/lobby/searchsettings.cab

[CTAdjust Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CLEARADJUST.DLL
CODEBASE = http://microsoft.com/typography/clearadj.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXISCAMCONTROL.OCX
CODEBASE = http://216.223.107.144/activex/AxisCamControl.ocx

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = http://www.symantec.com/techsupp/activedata/ActiveData.cab

[symsupportutil]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = http://www.symantec.com/techsupp/activedata/symsupportutil.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD34.OSD

[{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{731918D2-517A-47E2-886A-3BC1380C591D}]
CODEBASE = http://webpdp.gator.com/v3/download/pdpplugin_4094_hd3ptdm.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab

[IWSystemchecks Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IWSYST~1.OCX
CODEBASE = http://msfm.interwise.com/msfm/English/ActiveX/IWsystemchecks.cab

[{F798683C-FE05-436C-B0FF-35B9122E9787}]
CODEBASE = http://www.m-w.com/tools/toolbar/cabs/m-w.cab

[MSN Money Ticker]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TICKER12.OCX
CODEBASE = http://fdl.msn.com/public/investor/v12/ticker.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[SDKInstall Class]
InProcServer32 = C:\WINDOWS\SDKINST.DLL
CODEBASE = http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab

[ChartFX Internet Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CFXIEAX.OCX
CODEBASE = http://www.2ontario.com/download/CfxIEAx.cab

[Brix6ie Control]
InProcServer32 = C:\WINDOWS\BRIX6IE.OCX
CODEBASE = http://ftp.coupons.com/v6/brix6ie.cab

[FormFlow Form Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FORMCTL.DLL
CODEBASE = https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab

--------------------------------------------------
End of report, 10,681 bytes
Report generated in 1.066 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
You have two browser plugins I've never seen before, and I'd really like to have a look at them for analysis.

Sometimes these can be harmless, but quite often they're not.

Would you mind terribly sending me a copy of the following files zipped up as an attachment, please?

c:\Windows\system\iebrw.dll
c:\Windows\system\homepage.dll

I'll PM you with my e-mail addie, and will keep you informed on whether they're required or not.
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Additionally, one BHO (Browser plugin) is a remnant of a Lop infection and needs to be removed anyway.

Plus, there are a number of dubious ActiveX objects. Please do this:

Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Hijack This will moreover allow us to easily delete the offending items.
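
An added example, not part of the original thread or of StartupList: a Python triage pass over the two report sections discussed in the post above, run on an excerpt of the log from this thread. The heuristics (a BHO that is unnamed or whose file is absent, a CODEBASE served from a bare IP address or as a direct .exe) are assumptions chosen for illustration and only mark entries for closer review; the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Excerpt of the StartupList report posted earlier in this thread (blank lines removed).
SAMPLE = r"""
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\APPLICATION DATA\JSHSYLPRW.DLL (file missing) - {D44B5436-B3E4-4595-B0E9-106690E70A58}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINDOWS\SYSTEM\IEBRW.DLL - {1A98BCA2-0BD1-47DE-9710-C7665F7F1FCB}
--------------------------------------------------
Enumerating Download Program Files:
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37596.4006018518
[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://216.65.38.226/Download_Plugin.exe
[CamImage Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXISCAMCONTROL.OCX
CODEBASE = http://216.223.107.144/activex/AxisCamControl.ocx
"""
BHO_RE = re.compile(r"^(.*?) - (.*?) - (\{[0-9A-Fa-f-]{36}\})$")

def section(report, title):
    """Lines between a section title and the next dashed rule (or end of report)."""
    body = report.split(title, 1)[1] if title in report else ""
    return re.split(r"^-{10,}$", body, maxsplit=1, flags=re.M)[0].splitlines()

def review_bhos(report):
    """Map CLSID -> reason for BHOs whose file is absent or that carry no name."""
    flagged = {}
    for line in section(report, "Enumerating Browser Helper Objects:"):
        m = BHO_RE.match(line.strip())  # groups: name, path, CLSID
        if m and ("(file missing)" in m[2] or m[2] == "(no file)"):
            flagged[m[3]] = "registered but file absent"
        elif m and m[1] == "(no name)":
            flagged[m[3]] = "unnamed"
    return flagged

def review_activex(report):
    """Map control name -> reasons, judged only from its CODEBASE URL."""
    flagged, name = {}, None
    for line in section(report, "Enumerating Download Program Files:"):
        line = line.strip()
        if line.startswith("["):
            name = line.strip("[]")
        elif line.startswith("CODEBASE = "):
            url, reasons = urlparse(line.split(" = ", 1)[1]), []
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", url.hostname or ""):
                reasons.append("raw IP host")
            if url.path.lower().endswith(".exe"):
                reasons.append("direct .exe")
            if reasons:
                flagged[name] = reasons
    return flagged
```

A flagged entry is a prompt to identify the file, not a verdict: the unnamed Microsoft Money BHO in the full log would be flagged by the same rule.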
 
Joined
Aug 17, 2001
Messages
7,486
I found this regarding the two dll's.

From:
http://boards.cexx.org/spyware/messages/3023.html?board=spyware

Anyone had their start page hijacked and always taking you to http://www.searchex.com/??? I used Hijackthis to remove a plugin I didn't recognise and this fixed it.

I have the same problem. This thread is the ONLY mention of www.searchex.com I found on google.
http://boards.cexx.org/spyware/messages/2987.html?board=spyware

I have no clue how this got in, but Hijackthis got rid of it. But I've also noticed a new round of klez attacks breaking in on fully up to date (according to microsoft) systems -- doing strange things like continuously downloading files from network shares & possibly trying to spread themselves on open network shares?

I'm sure it isn't a coincidence that this is showing up now, 14 days after it appears to have installed (just when most people's internet histories will have erased themselves).

The responsible files are
c:\windows\system\homepage.dll version 1.0.0.1
created jan 7,2003 -- mod same (two minutes after iebrw.dll)
Note: http://www.searchex.com is plaintext in homepage.dll

c:\windows\system\homepage.inf
created oct 30,2002 -- mod aug 29,2002

c:\windows\system\iebrw.dll version 1.0.0.1
created jan 7,2003 -- mod same
and associated registry key URLSearchHook
{1A98BCA2-0BD1-47DE-9710-C7665F7F1FCB}
--not sure about this file, but it has the same date, version number, and lack of company info -- as the evil files.

ten minutes after iebrw appeared, this shows up in
c:\windows\application data\dw.log
"""
Microsoft Internet Explorer
Application Failure iexplore.exe 6.0.2600.0 in ole32.dll 4.71.2900.0 at offset 00046ad9
Microsoft Internet Explorer
Bucket: 02254245
Microsoft Internet Explorer
Application Failure iexplore.exe 6.0.2600.0 in comctl32.dll 5.81.4704.1100 at offset 000348c4
Microsoft Internet Explorer
Bucket: 02249102
Microsoft Internet Explorer
Application Failure iexplore.exe 6.0.2600.0 in msieftp.dll 5.0.2614.3500 at offset 000100ca
Microsoft Internet Explorer
Application Failure iexplore.exe 6.0.2800.1106 in unknown 0.0.0.0 at offset 7ac5db03
Microsoft Internet Explorer
Bucket: 22795014
Microsoft Internet Explorer
Application Failure iexplore.exe 6.0.2800.1106 in unknown 0.0.0.0 at offset 7ac5db03
"""

Also suspicious, my windows .PWL file was modified the same time iebrw.dll was installed (I would recommend deleting these files too; it will reset your win logon password, if you have one, and erase other saved passwords - which may have been added to your computer by this evilness)


Contact me if you have more info, I want to see this go down.


Netcraft says
"""
The site www.searchex.com is running Apache/1.3.27 (Unix) mod_bwlimited/1.0 PHP/4.2.3 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.11 OpenSSL/0.9.6b on Linux.
"""

whois.net says
"""
Domain Name: SEARCHEX.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.REGISTRATIONS.COM.AU
Name Server: NS2.REGISTRATIONS.COM.AU
Updated Date: 20-jan-2003

Domain name: searchex.com

Name servers:
NS1.REGISTRATIONS.COM.AU
NS2.REGISTRATIONS.COM.AU

Creation date: 11/08/01 14:21:14
Expiration date: 11/08/05 14:21:14

Registrant Contact:
Internet Registrations Worldwide
Domain Admin ([email protected])
212 512 0543
FAX: -
1040 Avenue of the Americas
New York, NY 10018
US

"""

There's also a searchex.net, but that seems to be unrelated (for sale for the low, low price of $488!!!)
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Thanks Mo, great research! :)

I've just PM'd SpyBot's Patrick, and detection ought to be added before long.
 

:) win98/xp

Thread Starter
Joined
Oct 13, 2002
Messages
31
'You have two browser plugins I've never seen before, and I'd really like to have a look at them for analysis.

Sometimes these can be harmless, but quite often they're not.

Would you mind terribly sending me a copy of the following files zipped up as an attachment, please?'

c:\Windows\system\iebrw.dll
c:\Windows\system\homepage.dll

I no longer have these files on my system, since I performed 'Hijack This!' software.

The errors seem to have calmed down. Will update on any changes that may occur.

db
 

:) win98/xp

Thread Starter
Joined
Oct 13, 2002
Messages
31
Any suggestions of software that prevents services like LOP and others from being installed on a system, before they cause all the changes and damage to Windows?

Thanks
db
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Originally posted by :) win98/xp:
I no longer have these files on my system, since I performed 'Hijack This!' software.
No, that's not correct.

Hijack This will remove the registry entries, but not the files themselves.

You still ought to have them.

Please find them, and send them to me. Copies will go to the folks at Lavasoft, SpyBot, and others.

Thanks heaps! :)
 

:) win98/xp

Thread Starter
Joined
Oct 13, 2002
Messages
31
Tony: What address should I send the file to?

Doing a search using Find, these 2 files are gone from my system. homepage.dll cannot be found on my system. The other file, IEBrw.dll, I have a copy of, since I made a duplicate copy yesterday.

I've enclosed the one file for investigation.

db
 