PDA

View Full Version : Windows explorer search problem...



RiceCracker
2008-09-17, 23:41
I don't know much about computers, so if you can, can you please be basic with me. I don't know if its a virus or what, but whenever i start up XP, a couple windows pop up tryng to search for something, when i close out of them they just keep re-oening. The only way i can make it stop for a little while is if i open up Task manager, and then close them out. My husband has tried running virus scans and nothing seems to show up. If someone could help me out, i'd appreciate it. Thanks in advance.

I hope im doing this right.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:56 PM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 4637 bytes

pskelley
2008-09-21, 21:58
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Nothing showing in the HJT log and though you tried to provide some it does not help, so I am not sure if I can help or not.

The only way i can make it stop for a little while is if i open up Task manager, and then close them out.
Can you tell me what "them" is?

Let's start like this.

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Picture: http://www.bleepingcomputer.com/tutorials/tutorial42.html#uniman

2) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Thanks

RiceCracker
2008-09-24, 07:27
Sorry, this has taken me a couple days to reply, but Thank you for trying to help. What i meant by "them" stopping in task manager, was the search explorer windows that won't stop popping up.

Here is the uninstall log file.

Adobe Flash Player ActiveX
AppCore
ccCommon
Component Framework
Driver Detective
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HSP56 Modem Drivers
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton Protection Center
SPBBC 32bit
Spybot - Search & Destroy
Symantec Real Time Storage Protection Component
ubCore
Update for Windows XP (KB951072-v2)
VIA Platform Device Manager
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar


And here is the Malwarebytes' Anti-Malware log file after the removal.

Malwarebytes' Anti-Malware 1.28
Database version: 1200
Windows 5.1.2600 Service Pack 3

9/23/2008 9:20:53 PM
mbam-log-2008-09-23 (21-20-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140748
Time elapsed: 1 hour(s), 23 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

pskelley
2008-09-24, 14:57
Thanks for returning your information and the feedback, still not sure I undstand what "them" is.

Uninstall list <<< I see nothing I recognize as a problem.

You have cut off the MBAM list, I need to see these:
Folders Infected: 3
Files Infected: 8

I also can not see if you removed the infected items.

I need a report on how the computer is running after MBAM's scan.

NOTEPAD: Click Edit then Select All. Copy and paste the highlited infomation.

Thanks

RiceCracker
2008-09-24, 23:44
Sorry, didn't notice that it doesn't show the infected files. It doesn't seem to have did anything different. I still have the problem
Im trying my best to explain the problem without confusing you, but its almost as if there is a search key that is constantly being pressed. If i click on the start menu, a window opens up, trying to search for something, and if i try and close out of the window, it re-opens, until i "end task" the window, on the task manager, then it stops for awhile. If i have internet explorer open while it does this, the 'find' window opens up (ctrl+f). I hope this helps out, and again, thank you for your help.

Malwarebytes' Anti-Malware 1.28
Database version: 1200
Windows 5.1.2600 Service Pack 3

9/23/2008 9:20:53 PM
mbam-log-2008-09-23 (21-20-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140748
Time elapsed: 1 hour(s), 23 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Protection (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Norton AntiVirus (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Spybot - Search & Destroy (Rogue.XLG) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Norton AntiVirus\Help and Support.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Norton AntiVirus\LiveUpdate.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Norton AntiVirus\More Symantec Solutions.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Norton AntiVirus\Norton AntiVirus 2005.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Norton AntiVirus\Quarantine.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Norton AntiVirus\ReadMe.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Spybot - Search & Destroy\Spybot - Search & Destroy.lnk (Rogue.XLG) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection\Spybot - Search & Destroy\Uninstall Spybot - Search & Destroy.lnk (Rogue.XLG) -> Quarantined and deleted successfully.

pskelley
2008-09-24, 23:54
Exactly what malware problems are you having now?

Thanks

RiceCracker
2008-09-25, 03:55
None, that i know of.
I don't really see any problems, except for the search window that keeps popping up. Before this website, i tried google to see if anyone had any similar problems and i didn't find any, so im not sure im not sure if its even a virus, but instead just something wrong with my windows xp.

pskelley
2008-09-25, 13:28
except for the search window that keeps popping up.
Could you tell me if this search window is still opening after you ran MBAM? What the "search" window is, or does it direct you anywhere. If there is not a lot of information in the windows perhaps you could type it in your post.
Provide that information and a new HJT log. I have no idea what I am dealing with at this point.

Thanks

RiceCracker
2008-09-25, 22:15
Yes, the windows are still popping up after i ran the MBAM scan. It doesn't show anything, or take me anywhere, It just wants to search for something. Anytime i open a new folder, lets say My Computer, it just trys to search for something. Sorry, nothing i write is helping out, but thats all i know about it. Thank You

Here is the HJT log file again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:17 PM, on 9/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5081 bytes

And i tried taking a screenshot of the desktop, so you can kind of get a hint of what it looks like.
http://img131.imageshack.us/img131/5438/screenshotoi3.th.jpg (http://img131.imageshack.us/my.php?image=screenshotoi3.jpg)http://img131.imageshack.us/images/thpix.gif (http://g.imageshack.us/thpix.php)

pskelley
2008-09-25, 22:29
The screenshot is of Search Companion which is a valid part of Windows. You can access and see it like this:

Start > Search

Have a look at this information:
http://windowsxp.mvps.org/searchwindow.htm

Thanks

RiceCracker
2008-09-26, 00:14
Thats what i thought was the problem when i first looked it up, but i followed all the steps and it didn't change anything. But i hate to waste your time. So i think i may just reboot xp on here. But Thank you so much for your help.

pskelley
2008-09-26, 00:40
Since it is a Windows XP issue, you can get help here:
http://support.microsoft.com/

Thanks