raynertj

It started doing it 2 nights ago. Here's what came up. When the computer rebooted I would get an error while the desktop is loading. "this program (explorer) has preformed an illegal operation and will be shut down" None of the desktop icon will load. If I close the warning I lose access to the start bar. When I click on details I get" Explorer caused an invalid page fault in module SHELL32.dll at 0187:66869ad4. Registers: KAX=00439a24 CS=0187 KIP=66869ad4 EFLGS=00010246 KBX=00015e3 SS=018f ESP=0059dea8 KBP=0059dec0 ECX=00439b6d DS=018f ESI=00439b65 FS=227f KDX=00003535 KS=018f EDI=0043d0a2

Here's the hijack log Logfile of HijackThis v1.99.1 Scan saved at 5:34:04 PM, on 2/22/06 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\LINKSYS WIRELESS-G PCI ADAPTER\WMP54GV4.EXE C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WI

Thanks for your assistance. I already had Spybot with Tea timer enabled, Spywareblaster, Spywareguard and Ad-Aware SE installed on the computer at the time that the Trojan was acquired. I use Window Washer to clean the temp files regularly. Spybot has again picked up the coolwwwsearch.feat2installer. This is the 2nd time. The first time it was "fixed" using Spybot. I'll certainly download the other 3 suggestions that you made. Thanks again.

Logfile of HijackThis v1.99.1 Scan saved at 10:54:17 PM, on 02/01/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\PROGRA~1\TRENDM~1\INTERN~

Ran a number of scans tonight to check for anything going on. Spybot has again come up with the windows.activedesktop as well as coolwwwsearch.feat2installer. What's this latter one that was picked up.

Thanks, is there anything I can do about the recurring windows'activedesktop that Spybot keeps picking up.

Looks like it did get the browsela.dll. The one that Microsoft antispyware is now blocking is browseui.dll. There are two others in the same file; browselc.dll and browser.dll. Neither of these two have been "caught" but the Microsoft antispyware. The windows.activedesktop keeps returning and was found by spybot in: Windows.ActiveDesktop: User settings (Registry change, nothing done) HKEY_USERS\S-1-5-21-567416861-3535958025-259666730-1008\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1

As some additional info: Pest Patrol picked up: Trojan.win32.dialer.ay and Spybot keeps picking up: windows.activedesktop

Here's the updated hijack. One other question: Microsoft antispyware keeps coming up with an advisory that Microsoft Shell Browser UI Library browsela.dll has been blocked. This occurs whenever browsing on the Internet. Should this be allowed to load. Logfile of HijackThis v1.99.1 Scan saved at 11:28:03 AM, on 01/01/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WIND

Here's the contents of the logfile I still get a warning from Microsoft antispyware that it has stopped Microsoft shell browser UI Library browsela.dll located in c:\windows\system32\browsela.dll ************************ * WIN32DELFKIL LOGFILE * ************************ BEFORE RUNNING WIN32DELFKIL *************************** File(s) found in Windows directory ---------------------------------- File(s) found in system32 folder -------------------------------- browsela.dll SharedTaskScheduler key ----------------------- SteelWerX Registry Console Tool 1.0 Written by Bobbi Flekman © 2005 H

A family member downloaded the backdoor.fivsec trojan. I used a variety of antispyware to remove including all of: Microsoft antispyware, ad-aware SE, Pest Patrol, Xoftspy, Spybot, spywareblaster and Norton. Norton still kepps coming up with warnings about a download.trojan with 2 files that are locked and that I can't get at even in Safe Mode. Thye are: browsela.dll and alt.exe. Another called adsldpbf.dll keeps returning even though I can delete it. Trojan remover showed the registry file that was generating the browsela.dll but I'm not sure whether to delete it or not. Pls look at the hi-ja