Need Help numerous: iexplore.exe's running along with dllhost.exe's

[B-boy/StyLe/]

Hello Brownie,

 

To confirm that you installed the correct drivers please open the Device Manager (Press the WinKey + R > type devmgmt.msc into the open run box > enter) and see if there are any with any red or yellow warning triangles for any entries there > if so, follow the troubleshooting procedures for the entries delete the driver, reboot and allow it to re-install, see if that resolves the issue or install the corresponding driver from the CD.

 

It doesn't matter for me in what order you will perform the steps above so don't worry.

 

As for the file path you forgot to mention the folder name. Also C:\ or C:\Windows are different file paths. Can you be more concrete, please?

 

 

Regards,

Georgi

[Brownie]

Gosh Georgi,

 

I'm sorry as heck.. I said it reads "C:\Windows" when in fact, I meant to say:  It reads: "C:\Documents" (without the quotes)  Now I think it will make more sense. Hopefully.  Yes I know that C:\  is quite different than C:\Windows... lol  Sorry, for that mistake.  And I thought I'd Proof read it... lol

 

So yes, that folder itself, is definitely located in: C:\    When you're at C:\ , the folder's name is simply: "Documents" (Not My Documents) Just "Documents", so naturally if you were to click on it (which I don't) it would then show: C:\Documents.  The same as it shows when it comes up on the Desktop.

 

Does that now make more sense?

 

Thanks so very much, I honestly don't know how I made that error in thought. I think the heat here has gotten to me. Suppose to go up to 100 Degrees F. today... Yesterday I had no air conditioning and was nearly an Ink spot by the time we got the Air conditioner installed late last night.

 

Hopefully that will cool my brain down a bit so it will work 1/2 was right. lol

 

I  am terribly sorry, as that sure confused me too after re-reading what I'd written out for you.

 

Thanks and again, I'm sorry for the confusion on my part.

 

My Best

Brownie 

[Brownie]

Hi Georgi,

 

Here are the CMD Reports you requested:  Don't know if I attached them right but I'm sure you'll let me know if you can't open them

 

report1.txt

report2.txt

report3.txt

report4.txt

 

 

Best Regards,

 

Brownie

[B-boy/StyLe/]

Hi Brownie,

 

The logs above look good to me. Volume Shadow Copy seems to operates as it should.

 

Maybe there is a conflict between Volume Shadow Copy and some of the following programs you have currently installed:

 

McAfee Online Backup (Version:  - McAfee, Inc.) Hidden
McAfee Online Backup (Version: 1.16.4.0 - McAfee, Inc.) Hidden
Memeo AutoSync (HKLM\...\{75B7F766-7998-44d8-A202-F1EC76A121BA}) (Version:  - Memeo Inc.)
Memeo Instant Backup (HKLM\...\{8E666407-AC41-46a2-9692-6C7BFCBFDD37}) (Version: 4.60.0.7923 - Memeo Inc.)

 

If the third-party programs work normally and you didn't get any errors related to VSS during the registry backup with Tweaking.com registry Backup used in post 29 then you can ignore these messages in the Event Viewer.

 

Error: (06/06/2014 10:01:08 AM) (Source: VSS) (EventID: 12302) (User: )
Description: Volume Shadow Copy Service error: An internal inconsistency was detected in trying
to contact shadow copy service writers.  Please check to see that the Event Service
and Volume Shadow Copy Service are operating properly.

 

 

Otherwise you can try the following articles to see if they will resolve the VSS issues:

 

http://support.microsoft.com/kb/907574

 

http://insan4it.blogspot.com/2013/11/how-to-fix-vss-errors-in-windows-xp-and.html

 

As for the other event:

 

Error: (06/06/2014 02:37:45 PM) (Source: DCOM) (EventID: 10005) (User: DONNY-8E17D58B6)
Description: DCOM got error "%%1058" attempting to start the service WSearch with arguments ""
in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

You can try to uninstall Windows Search 4.0 from the Control Panel to see if that will help.

 

Let me see the log from Autoruns to see if we can resolve the other issue with the mystery folder and then if you don't have any other issues I'll give you my final recommendations.

 

 

Regards,

Georgi

[Brownie]

Hi Georgi,
 
Concerning:  "AutoRuns"  I downloaded it, and followed your instructions. It all went well, until I tried to save it. I can't get it to save. Thanks for anything you can give me that will help in my dilemma.

 

PS: I would have had it for you last night.  If you don't mind, type it out and I'll copy what you type and paste it in, and then see if it will save.

 

Thanks,

Brownie

[B-boy/StyLe/]

Hi Brownie,

 

This is odd...make sure that the scan has ended before you try to save the log from Autoruns.

You will see the message "Ready" in the down left corner of the program. Next click Ctrl + S at the same time and try to save the log (AutoRuns.arn) to a folder of your wish.

Let me know how it went.

 

 

Regards,

Georgi

[Brownie]

Hi George,

 

I had to run the program again and this time there was no problem saving it.  I'll download WinZip since my son doesn't have any zip program on here.

 

PS: The file should soon be on Zippyshare, and the Link to it posted here, if all goes well. "Hopefully" 

 

Thanks,

Brownie

[B-boy/StyLe/]

Hello Brownie,

 

It seems that you forgot to paste the link to the archive.

 

 

Regards,

Georgi

[Brownie]

Hi George,

 

Once again, I'm sorry for the long delay, but I'm really having some Major problems trying to get that damn file to upload to Zippyshare.  I even downloaded their new "Auto Upload" and the same thing takes place. The file gets there but it shows ZERO bytes.  The file was originally 1.68 MB.  And I honestly don't know if it's really zipped right.  I had to use my son's 7-zip, and I don't think that's really working as it should. When it uploaded it gave me a link to it, but I couldn't get the link. It was not scrollable, to get it all, and it would not let me select the link to copy it.

 

So I finally attempted to download (recommended by "PC World") a small zipping program called: "Hampster".  It was installing and then it popped up a window saying:  The procedure entry point "RegGetValueA" could not be located in the dynamic Link Library ADVAPI32.dll.

 

It seems everything is going to go smooth and then this kind of thing takes place. Thanks for anything you can tell me on how to handle this, in order to get that file to you.

 

Regards

 

Brownie

[B-boy/StyLe/]

Hello Brownie,

 

You don't need to download anything to upload the file lol. It's not needed even to zip it (but doing so will compress the file size for faster upload).

Winzip is a shareware program. There are so many freeware alternatives out there like HaoZip, 7-zip, PeaZip etc. You can replace WinZip with one of them if you want.

 

I had to use my son's 7-zip, and I don't think that's really working as it should. When it uploaded it gave me a link to it, but I couldn't get the link. It was not scrollable, to get it all, and it would not let me select the link to copy it.

 

I don't know what you are talking about. 7-zip is not an online service and there are no links...

 

Simple navigate to your desktop and select the Autoruns.arn file

Right click on it and select "7-zip", then "Add to archive.."




Leave all settings to default, and click OK.

New file with .zip or .7z extension will be created in very same folder.

Next try to upload the archive here

 

Also if you are having issues uploading the file at zippyshare or at BleepingComputer you can use similar services like http://luckyshare.net/ or http://www.filedropper.com/.

 

 

Regards,

Georgi

[Brownie]

Thanks Georgi,

 

Guess you can tell I've never had reason to have to zip any file in years and years, and when it was called for my emailing program/s took care of that. My old mind was telling me that 7-Zip must only be good for compressing large amounts of files, in order to make more room on the drive/s, or for Unzipping.

 

I'll follow your directions and get the file uploaded to one of those sites and post the url to it here.

 

PS: For the record, there is a (new) Zippyshare Program (on ZippyShare site to download) that will automate the uploads to Zippyshare, as well as provide the url link, without ever having to leave your desktop. It's definitely new since I last used Zippyshare 3 or 4 years back. That was the only way I could upload the file. The Upload button on their site wouldn't work.

 

OK, I'll be sure to convert it right this time.

 

Thanks,

Brownie

 

 

 

 

[B-boy/StyLe/]

Hi Brownie,

 

I prefer to use the old method (with the browse and start upload buttons) and always try to avoid installing of unnecessary stuff when possible.

 

 

Regards,

Georgi

[Brownie]

Hi Georgi,

 

I don't like anything to get me down, so I put it on Zippyshare using your instructions for 7-zip. Also of note, the new tool for uploading files is located under "uploading tools".  And yes, I know you're not suppose to have to do that. But otherwise a message came up saying: "C:\fakepath\AutoRuns.7z" with a red oblong box that simply said: "Remove".

 

Regardless, here is the link and I hope you get the file ok:  http://www12.zippyshare.com/v/66414339/file.html

 

Please let me know if it worked for you.

 

Thanks again,

Brownie

[B-boy/StyLe/]

Hello Brownie,

 

I got it, thanks!

 

Please open Autoruns.exe (not the report but the main program instead) and untick the item below.

 

DellSystemDetect

 

Reboot the computer and let me know if the issue with the folder disappeared.

 

 

Regards,

Georgi

[Brownie]

Hey Georgi,

 

I did what you said, and you're right!  When I rebooted that window did not come up. lol

 

Ok I'll wait for the next step.

 

Thanks

Brownie

[B-boy/StyLe/]

Hello Brownie,

 

I am glad to see that worked for you.

 

Please download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Also please open the folder C:\FRST\Quarantine and press Ctrl + F. Type in kolwlrk.dll and then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so I can examine the files and submit to antivirus companies if needed.

 

 

Before I let you go let's make sure that there are no more potentially unwanted applications on your system.

 

First please create a new restore point just in case:

 

How to set a system restore point in Windows XP

 

 

 

STEP 1

 

 

• Please download RKill by Grinler from the link below and save it to your desktop.
  
  Rkill
• Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
• Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
• A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
• If nothing happens or if the tool does not run, please let me know in your next reply.
• A log pops up at the end of the run. This log file is located at C:\rkill.log.
• Please post the log in your next reply.

 

 

STEP 2

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select Run As Administrator.
• Click on the Scan button.
• AdwCleaner will begin to scan your computer.
• After the scan has finished click on the Clean button.
• Press OK when asked to close all programs and follow the onscreen prompts.
• Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

STEP 3

 

 

  Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

 

 

STEP 4

 

 

1.Please download HitmanPro.

• For 32-bit Operating System - click here
• This is the mirror - click here
• For 64-bit Operating System - click here
• This is the mirror - click here

2.Launch the program by double clicking on the icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

 

 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\Documents and Settings\All Users\Application Data\HitmanPro\Logs (for Windows XP) or to C:\ProgramData\HitmanPro\Logs (for Windows Vista/7) open the report and copy and paste it to your next reply.

 

 

STEP 5

 

 

I'd like us to scan your machine with ESET OnlineScan

 

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the Run ESET Online Scanner button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is  checked.
• Now click on Advanced Settings and select the following:

• • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

 

 

 

STEP 6

 

 

And finally let's check for outdated and vulnerable software on your pc.

 

Download Security Check by screen317 from here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations.

 

 

Regards,

Georgi

[Brownie]

Hi Georgi,

 

Quite a list.  lol   Ok, I'll start on it and don't think I'm lost if you don't hear back from me for a day or so. I'll follow your steps to the Letter. Right on down the list... Posting the results as per your request/s.

 

Thanks, that was no easy deal to post... lol  Quite a long list of to do's...

 

Thanks for sticking with me.  It's really appreciated. You're super!

 

Best Regards,

Brownie

[Brownie]

Hi Georgi,

 

Here is the Fixlog.txt Report you requested.  Note: If you should need the FRST scan report/s I have them saved in a folder just in case they're needed:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:25-06-2014
Ran by Donny at 2014-06-26 03:32:38 Run:5
Running from C:\Documents and Settings\Donny\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
URLSearchHook: HKCU - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
SearchScopes: HKLM - DefaultScope value is missing.
BHO: No Name - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -  No File
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll No File
2014-05-16 14:04 - 2014-05-23 00:37 - 00000000 _____ () C:\prefs.js
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\00512310.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\34865341.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\00512310.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\34865341.sys => ""="Driver"
C:\Documents and Settings\Donny\Local Settings\Temp
end

*****************

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => value deleted successfully.
'HKCR\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}' => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}' => Key deleted successfully.
'HKCR\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}' => Key deleted successfully.
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}' => Key deleted successfully.
'HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}' => Key deleted successfully.
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}' => Key deleted successfully.
'HKCR\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}' => Key deleted successfully.
C:\prefs.js => Moved successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => Moved successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => Moved successfully.
'HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\00512310.sys' => Key deleted successfully.
'HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\34865341.sys' => Key deleted successfully.
'HKLM\System\CurrentControlSet\Control\SafeBoot\Network\00512310.sys' => Key deleted successfully.
'HKLM\System\CurrentControlSet\Control\SafeBoot\Network\34865341.sys' => Key deleted successfully.
C:\Documents and Settings\Donny\Local Settings\Temp => Moved successfully.

==== End of Fixlog ====

 

Going now to upload the: "Kolwirk.dll" to Bleeping for you.

 

Thanks,

Brownie

[Brownie]

Hi Georgi,

 

The outcome of my search found nothing by the name you provided:  "kolwirk.dll" (without the quotes).  Could you check that name again to make sure it's spelled the way you intended it to be?  And I'll do another search in that "C" (without the quotes) folder.  Of Note: I didn't open that folder, just did as you said and searched. 

 

Here's exactly what took place. I went to C:\FRST\Quarantine and there was one folder a plain  C  folder.  After doing the Ctrl + F, the search engine came up and said: Search will not work because current folder is not Indexed.  Use the Search Companion to search this folder. (Which I did).  After getting File Not Found, I changed the search to include: System + Hidden files, and still found nothing.  I then placed an * before the file name as in: *kolwirk.dll  and it still found nothing.  I then Removed the:  .dll  and searched for the file name itself and again nothing.

 

Whoa!!!!  A bomb shell just hit me:  Remember that plain folder that you just got rid of that kept poping up on Boot and/or Restart?  Well, the name on that Folder was simply: C  also.  Don't know if it was any relation, but felt I'd mention it to you?

 

BTW: That Quarantime folder is: 8.47 GB in size.  Here is what showed up when mousing over it:  Folders: Documents & Settings, WINDOWS Files: prefs.js.xBAD

 

PS: Sorry I couldn't find what you need...  I made certain I had spelled the name right, etc.,

 

I'll await your reply on what to do (at this point) because I want to follow your steps in order.

 

Sorry I had no results other than the above.

 

Brownie

 

 

 

 

[B-boy/StyLe/]

Hi Brownie,

 

You entered a wrong name in the search field

 

It's kolwlrk.dll and not kolwirk.dll

 

Whoa!!!!  A bomb shell just hit me:  Remember that plain folder that you just got rid of that kept poping up on Boot and/or Restart?  Well, the name on that Folder was simply: C  also.  Don't know if it was any relation, but felt I'd mention it to you?

 

Nope...the folder name and path is

 

C:\Documents and Settings\Donny\Local Settings\Apps\2.0\63498J4G.OPT\9AQAPGQO.QBA\dell..tion_0f612f649c4a10af_0005.0007_59de4fd2458fcaec\DellSystemDetect.exe 

 

BTW: That Quarantime folder is: 8.47 GB in size.

 

This is normal...we removed a lot of temporaty files and they are all quarantined by FRST. We will delete them at the end of the cleaning process.

 

Regards,

Georgi

[Brownie]

Hey Georgi,

 

You young people with the excellent vision, have it all....    Darn, I printed it out and it looked just like an i (small eye) then I asked my wife (who's on her first day of retirement at (70) looked at it with her NEW GLASSES and said, yes it's a small (eye) then right after she says, well, it looks like both.... lol

 

Ok, I'm going back and apologizing for being not just old but blind as well.. My implants aren't as good as they use to be..

 

Sorry and thanks a whole lot,

 

I'll get it right this time

 

Brownie

[Brownie]

Hi Georgi,

 

The file should now be available for you.  The upload went well.  I'll now move on with making the new: System Restore Point.

 

Thanks again

 

Brownie

[Brownie]

Hi Georgi,

 

I'd have been done but I first wanted to have that "New Restore Point: created before doing the RKill, etc., (as you suggested) and this isn't my first time at creating a new restore point on Windows XP machines.  It is however, the first time I've ever had a message come up saying:  "System restore is not able to create a restore point.  Please restart the Computer and then run System Restore again.

 

I've rebooted and attempted again, and again and to no avail. I checked to make sure there was enough space on the HD, and there is plenty of free space.  Donny has his slider set all the way to the Right, in order to allow the most amount of restore points, at the maximum. 

 

I've not attempted doing anything more without first getting your permission. However, it's been on my mind to try moving that slider back to about 1/2 way and then rebooting and seeing what takes place.  I've also thought about putting a check in the box to turn off system restore, of which I know that would also remove any and all Restore Points, and I don't want to do that without your permission either.

 

I'll await your reply back to see what you suggest.

 

Thanks,

Brownie

[B-boy/StyLe/]

Hi Brownie,

 

We discussed this before.

Check the suggestions in post 54 to see if you will be able to fix the VSS issue.

 

 

Regards,

Georgi

[B-boy/StyLe/]

Hi Brownie,

 

Are you still around? Btw you can skip System Restore for now (if you can fix the VSS issues) and continue with the rest of the steps. We are almost done here.

 

 

Regards,

Georgi